Threat Roundup for November 2 to November 9

TalosIntelligence

Security / TalosIntelligence 38 Views 0


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 02 and Nov. 09. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

You can find an additional JSON file here that includes the IOCs in this post, as well as all hashes associated with the cluster. That list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicated maliciousness.

The most prevalent threats highlighted in this roundup are:

  • Doc.Malware.00536d-6741783-0
    Malware
    Doc.Malware.00536d-6741783-0 is a family of malicious documents that leverage obfuscated VBA and PowerShell scripts to download malicious binaries from the internet and infect the system. These documents use WMI techniques to launch the downloaded binaries and can deliver different types of payloads.
    &
  • Win.Malware.Nymaim-6742391-0
    Malware
    Win.Malware.Nymaim-6742391-0 is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control (C2) domains to connect to additional payloads.
    &
  • Doc.Malware.00536d-6741218-0
    Malware
    Doc.Malware.00536d-6741218-0 is the denomination of a set of malicious documents that leverage VBA and PowerShell to install malware on the system. These documents usually convince the user to enable macros that, if executed, will download and install additional malware on the system.
    &
  • Win.Trojan.Gamarue-6739927-0
    Trojan
    Win.Trojan.Gamarue-6739927-0 covers a family that, after installing itself on the system to survive after reboot, will spread itself to USB drives and modify system configuration settings to weaken its security and disable certain features, such as the task manager or the Windows shell, in order to protect itself. It can exfiltrate sensitive data and receive additional commands.
    &
  • Win.Malware.Mikey-6739644-0
    Malware
    Win.Malware.Mikey-6739644 is a trojan that installs itself on the system, collects information and communicates with a C2 server, potentially exfiltrating sensitive information. These types of threats can also receive additional commands and perform other malicious actions on the system such as installing additional malware upon request.
    &
  • Win.Worm.Brontok-6739140-0
    Worm
    Win.Worm.Brontok is an email worm that can copy itself onto USB drives. It can change system configuration to weaken its security settings, conduct distributed denial-of-service attacks, and perform other malicious actions on the infected systems.
    &
  • Win.Trojan.Autoruner-6733593-0
    Trojan
    Autorunner is in the Esfury family. Esfury is a type of worm that commonly spreads via removable drives or platforms with user interaction (e.g. emails, instant messages, web pages). When executed, Esfury modifies multiple registry keys in order to execute when certain Windows applications are opened, including security products, registry editor and task manager. Esfury may also contact a remote server to download and execute arbitrary files.
    &
  • Doc.Downloader.Emotet-6744157-1
    Downloader
    Emotet is a banking trojan that has remained relevant due to its continual evolution to bypass antivirus products.
    &

Threats

Doc.Malware.00536d-6741783-0


Indicators of Compromise


Registry Keys
  • <HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\CA
  • <HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\Disallowed
  • <HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\Root
  • <HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\TrustedPeople
  • <HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\trust
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • 92[.]242[.]63[.]202
Domain Names contacted by malware. Does not indicate maliciousness
  • nosenessel[.]com
Files and or directories created
  • %AppData%\Microsoft\Word\STARTUP
  • %AppData%\Microsoft\Office\Recent\349314338.doc.LNK
  • %LocalAppData%\Temp\icn3tzqs.qav.psm1
  • %LocalAppData%\Temp\lgisqtyq.v2z.ps1
  • %AppData%\1bb228b0.exe
File Hashes
  • 1e0bd69fa2c12403b9077c42ebe1bd4d997cdd3d8f1160e7fcab0e52b2965a51
  • 24b727b94bc1ef9b3d99ae6cfb0333db51321ce3646a78a20f59f2accf2b4207
  • 39a3e2237ac464b2eac90dfd103fb9829cd6dabf425c72c1043678a47161ef08
  • 5c534ae4e830cf73ddc02a19368138b60bfe0cd8ab12d1bb89106872fb735539
  • 6ac5f9318f1a4db50373f4763edd01aa85aa3e6d8637149b52deb23478acb358
  • 6cc51b903fd07d87102d0d6eb7d6614b75921a5c1210993f67d0fe21effb45a8
  • 74df3318eac202ebbe0aea03d0fa5bdfc5fcd4feeb7ffc972fbce8e69f5597e5
  • 7f96371e446f1b9ddba9fddfcc8cf0f07beb26de8a2b1783414f0cf5f4c50530
  • 893b067586eb6d303aae26addf02f5bf4bfa2bd677cd0a96b1ebc20b05c3cf38
  • 90cb72a9707af427f9dc874a44f26511ef7d9c82606783aff4d609e15f2bb441
  • 97e01b5a1cf7a4e79c383ae6fbd1314466f75c9c03c5c663193b05ec8eee4fd9
  • a5795dac579590b099f9fb41037aa8febf3b0423d64990f496a2c3698f874f04
  • ae5bdac5fd5fbd09c0cdf2940291bef19ffacc0324a5ffaa56976934fea34c6e
  • aeeaca88ec0fb0e4a6fbbf07824712100522a73c0607f416e377ad4c87045a3c
  • b85de0b45a9634af9cf3a4026af2d5e743457dc9b284c89c704b0794b2565fd2
  • bfdd22f0ff5728885bbd364316e74f544a7fcbcd487f3948aaece5ba0aae1e42
  • c971f20312204409ac651ecb7b1a3eb50034f0362e4e96fc86be2d4c4afe9c84
  • d12832f6d0c374bd6525a7ad1458f3e8808bb8fb3e1c73cdd3e23d94bf219aaf
  • d236416e4940fdbee40f8e8457ab28ba9fca779147c92475222d9d92f26923d7
  • d4b688389477443d6e8ce9963e08cea45208e54a44a43fd2eedce6a4c0d183d3
  • dc2fcd6b057c26db0218ae05928653bba568a1486490aa4d052efb5c9c80617d
  • f14c41e682010bb6ebf436d83b2e97f7f31e07aff46850e055511b49cb851f36
  • f272476efe9202bba15dbb7cf7c13ef3918391f7743fa4267d220cd103ce05a3

Coverage


Screenshots of Detection

AMP



ThreatGrid



Umbrella



Malware




Win.Malware.Nymaim-6742391-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fro.dfx
  • %SystemDrive%\Documents and Settings\All Users\pxs\pil.ohu
File Hashes
  • 079c12699c6dbd13e486a4c7db333ec114420da38acde8afe4d62219c62afd82
  • 1e12e3edeb209993fd7d5623fb10f342dca54e101ea8593348d8cc9e72e91384
  • 303f8d6644e52783c8d4ebdef5d4e720803e828529eef24607806cb6041d1adc
  • 31605081f5b8b138ff011fa6e796e6d2352160ad4a97ba07de4fbb38dd1cb41c
  • 5056a547e092c82e74a2da61a5a90eb2a7e7e551e39a3387753917bedf8c3130
  • 57e97b8dbfe3e8831b9b7bbcaef974e7d8c9422a15560453b0fde22b0fe3dc94
  • 86bd123441e1b1ed3f37938b58dbc572b844e7ba8e59506ccd41fd0d9d950628
  • 87c04d2500b70ebf0865d5ac5889f13bdc86d0a137dd1a20094a3308b52ac191
  • 899752fd8fbe560e658be72bf03a3a774b6dcb9d2d14e25da862d7edce5d9fbf
  • 8afc084c965d1c0091b61744c7cc5bd9cf5cb48195a6b04096dfe80ca118fd26
  • 91e2920a163dec32f3edd8ff50a8b545fb192ad3d75c2ee96db6ac9b01f373dd
  • a20d48b79e72d3fc229929af39560ac26504fd31d20a7b29b81a4624eda6a0b9
  • a98b56d5bd9e67da1d1052cc044af7f45cc0a6472093799466d48e6f841016db
  • ae038c14c8eb49ecd135bb667bc3f96dc38e40e6df58d8475f2298b0a5a3c69c
  • cd9fa3f18f1108d2c1fefd8f978c167de8139c66c28638bfbc799c3b7b1cfd5a
  • e694c1f807a97327fbbed467fed853c289e014d368dffacde9b8b62c2f68595f
  • ee133570f883ea59f5ddd1f71ed9c6d09b0d7291c639d33d7991fa3af9956f84
  • f359d51daf2f35ce8f2f7a0bd82b29db843caf8089cf9eff9b6d95fb503fa071
  • f751ceca4b32c1af8e890a727aa2c65c63015798b380518af8255722cdbaca5f
  • fc1edb4659342e728ad83ac651f7d0d34532ad1f184796a1bed495072655af56
  • ff3a4f6aa65acbdd0c82c80041809e019802e4f700f0b2a5748bbc40b45889be

Coverage


Screenshots of Detection

AMP



ThreatGrid



Doc.Malware.00536d-6741218-0


Indicators of Compromise


Registry Keys
  • <HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\CA
  • <HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\Disallowed
  • <HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\Root
  • <HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\TrustedPeople
  • <HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\trust
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\PRINT\PRINTERS\Canon PIXMA MG2520\PrinterDriverData
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • 92[.]242[.]63[.]202
  • 95[.]181[.]198[.]72
Domain Names contacted by malware. Does not indicate maliciousness
  • 222[.]222[.]67[.]208[.]in-addr[.]arpa
  • suggenesse[.]com
  • legicalpan[.]com
  • gulamicros[.]com
Files and or directories created
  • %LocalAppData%\Temp\5jootfr4.adu.ps1
  • %LocalAppData%\Temp\e2dn4nhu.cmdline
  • %LocalAppData%\Temp\uju0ohji.0.cs
  • %LocalAppData%\Temp\uju0ohji.cmdline
  • %LocalAppData%\Temp\uju0ohji.dll
  • %LocalAppData%\Temp\e2dn4nhu.dll
File Hashes
  • 2f6d9e97206c5bf4937e0d6670d164594415a8941b0ef1b1bb1e4ae0e582e816
  • 43b28f32e670fce395b4dbbc12998dac81c171f6ff8fb841be4fce90fbe741d9
  • 57b720358b65e7d57cb0d8abad9b4706271c23a14ae36cbfde7b89d23ecafa23
  • 5eabc1946ae11fe7e59e9f7ea9160b2ec7060890bb8fabdf732617bd2c2c0d47
  • 7dde66dbf159d5c9663b2ed51e834b69e47c43191a12702e0e3a5507426ad070
  • a77242cb419e6f7fa611d48ffee9e7ea181458c0969d120926610966b11a6335
  • ba9a8a1a4e15c6d94763e15a8f51f67b30a6c663ad5c610191d516db518bb139
  • e51d13605afc35735e4f46844c93780c9879608050fe909c81951e9ca08a28d3
  • e7b86602d4f64895cdacff52c443f64639aeb506b04f695775569c10b1633d3d
  • f89c4ecce06bf20400d5110573e84935af0e93149de5a0fde45dc7a9f0b1f9e4

Coverage


Screenshots of Detection

AMP



ThreatGrid




Umbrella



Malware


Win.Trojan.Gamarue-6739927-0


Indicators of Compromise


Registry Keys
  • <HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
  • <HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\
  • <HKLM>\SYSTEM\CONTROLSET001\ENUM\WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC&PROD_HARDDISK&REV_2.5+#1-0000:00:1D.7-2&0#
    • Value Name: CustomPropertyHwIdKey
  • <HKLM>\SYSTEM\CONTROLSET001\ENUM\UMB\UMB\1&841921D&0&WPDBUSENUMROOT
    • Value Name: CustomPropertyHwIdKey
  • <HKLM>\SOFTWARE\MICROSOFT\UPNP DEVICE HOST\HTTP SERVER\VROOTS\/UPNPHOST
  • <HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • \Autorun.inf
  • %LocalAppData%\Temp\wmsetup.log
  • \??\E:\Autorun.inf
  • %LocalAppData%\Temp\NoPorn.exe
  • %LocalAppData%\Temp\mplayerc.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\NoPorn.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mplayerc.exe
File Hashes
  • 06c823cc443447348137467a2951dd2d34b4ffdcde178e6d1700394ef5e2793f
  • 0defd1806fbfbddfd772df482ca562d31e1a01ee9a5d4a5a964d6729bc6051e5
  • 2da83ddb169023cb60622ef6e297b65dce69151c803fd29d53468b5ec2c6dedf
  • 2f90ed051dc82a7d8bc389debf88284495f96f56a51e36c1a4a1e41634c28fcc
  • 3e3decd6f11025d59dbb0c0457b9e5e0353a063d53d5725a3a94836819613a1c
  • 42fd138ce68919a322202dea37bdafffefca7cf9bb91eb47591c0b6957126478
  • 44e49ebd375b57146ad486e37db18e7809d01d51c0ed55e8d8afe9c43d3a5485
  • 478ea2c130bd95ecf1763952f2f644a8b175184284f9713cc35abe0c6f6f848e
  • 4d60b0ae61b9ef56997be59f7c896f2a60e81e28d267cbcec52a75140e05aa16
  • 59751557033163959f841a10157e94f1c9fa8e5366a910644f1966a125ad9b35
  • 5ff49224ceb338b6b35b7303c68ff3df9f87099ffcec50970627a06e938f510a
  • 6b82c968572a2ab008cb8bca2816d3f7cca491c059aee6b1e7a693b10580e073
  • 84b9a43ff01d4b6be671749b56dcf724c0c4553153dfa336730f36b42fac6969
  • 884ae2b467d21f8dbf65bce26b08a6659d75004b22f1af5d7ed8e4198c2688ae
  • 89653d4159192e8df7843942f543e4a3dbf00e89dc3f957af38778202159ec85
  • 9b082ca14ca1f7f7244f1a6b93062c01a8c336bf3ef6cab707a2aada4214178b
  • bb3f180271e5b2f30e1bdb9e80c75539dc8fb06870cccf571f77cf123297d432
  • cd80fcca97cb88cb92da3d5fb396b24e102001d3efc06082e6e3dfded9f8ee0a
  • dbcf9f6802b6ab0d218e47c44113e589ecf753dc7701e695bd67e9fe057fbabc
  • dfb4bd0bdf964886571dc6dad423d5a6894683b59f6620fa2d426b8a81cad311
  • f1ac70e09fc2deabe8184133b0955841be63928bd5f07df647ba89e795701e07
  • f4b168493c04afd24a7d93d620122da9483804215f86f68cae2c532a2a5883a9
  • fd24deac9cf57d3de7884e3766ad3cc982090fed9068e0b4a02d68cbdb5b9369
  • fdd6cf898a92f3343b73400f330ee522ee8d6b947802138c7c17c6c0db82bbe1

Coverage


Screenshots of Detection

AMP



ThreatGrid



Win.Malware.Mikey-6739644-0


Indicators of Compromise


Registry Keys
  • <HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  • <HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\CONTENT
    • Value Name: CachePrefix
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\COOKIES
    • Value Name: CachePrefix
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\HISTORY
    • Value Name: CachePrefix
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • statsrichwork[.]com
Files and or directories created
  • files\information.txt
  • files\passwords.txt
  • US_d19ab989-a35f-4710-83df-7b2db7efe7c51551795182.zip
File Hashes
  • 19e073fb9fb7811440e873ae60578b28c06b0aec9e21d730f8205c81b7ababf5
  • 201872934f7f6674af89597d1a819f79cf843578aa9928191561ebdb637a53cd
  • 243e098e78e1ff111354e231fac6b01e69f473cb10c27f2485a568316c0395df
  • 2b52ef895983a4778aaa66dd90cc8bb296ca3b96b891c087c4fcf483d5bf48c6
  • 3c66d120d27778c2a1110170ad85eed2313fcc5cf55345cdbdc283ada76a86c1
  • 42228a6bafdf985fc02536b17990299589d967ad44d22dbefdb2dbc44681741b
  • 48437e0f2c8bc5f0d3f46fec63ce26b3b66dc65610e3c97b4fa8a1b643c8e2f1
  • 4a2364a4b3e8ad43b505a616486ef537159c8b8df9fe140977c9ab6aa1bad658
  • 4f80b59c35090b1dbdf94f73770c222352555e7112bec28efb189e3b340b4c2c
  • 633bcbf980d9299324b3b0baefe80954f06e41a6f71267bfc83c8950a8932696
  • 6705cf85955113629d95a7206deb524f82ed5a3fe04666d98423b944c3ce2156
  • 6f74c88c2c04eb117c26d5283d83ac4735928bb50f76b2104be36f8101466aa3
  • 70a7d3ac821670090237f52308fb6b1ca47e032d3de9267584f59abe247e536a
  • 711c1db67575b1a795a4aeb439ada79ab8a7cc98f2c68cb0e2beacafa5d044de
  • 8f815fbcf18c1bc554756233e3fa7d326645a30809042b068ac03daef649c307
  • 911ce750a17ac1e43d53087630b1e3af416619aff2d086b89b6def0d0bfa927d
  • 95aa51bc0016bf055d53f1d663b560c97d15d19956787aecf8af7933e6765e5b
  • a3347f536bef48b877e49fce133e86b864ef657137ab73db60b62436e2aca7b2
  • bb99c43836000b751e3fa1deda851b646f02be036ad9d86a09adb7963bec7b69
  • d3edf8ca17f1b41fa96ea9b4377d5778a7965345230425730940444469ce57fb
  • da37e831e94b3f7226688cf7f201ef4c032d393ee25bd2437d826a21e08c03b4
  • dedb1d0c69521f7c47abc2e6fa925642269fd40a00ea21270b7b950cb101f7be
  • f3dd18c0de2af39bfd1dc3498de48e31668f6fdeb89065dcc9e7a81ae6c5046e
  • f980768d4d68e75b6d83cff0c80ec153a80bf700f7df3bd53fe9f06bdafda01b
  • f99b50470431b2f91b80f3acccbf179441aa24bc702d3f2ba08f4f9f2357d6c8

Coverage


Screenshots of Detection

AMP




ThreatGrid



Umbrella




Win.Worm.Brontok-6739140-0


Indicators of Compromise


Registry Keys
  • <HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\
  • <HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • %SystemDrive%\autorun.inf
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Application Data\WINDOWS\cute.exe
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Application Data\WINDOWS\imoet.exe
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Application Data\WINDOWS\lsass.exe
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Application Data\WINDOWS\smss.exe
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Application Data\WINDOWS\winlogon.exe
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Application Data\smss.exe
  • %SystemDrive%\Data_Rahasia Administrator.exe
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Application Data\winlogon.exe
  • %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Startup\Empty.pif
  • %System32%\IExplorer.exe
  • %System32%\shell.exe
  • %SystemDrive%\Tiwi_Cute.exe
  • %System32%\tiwi.scr
  • %WinDir%\tiwi.exe
  • %SystemDrive%\present.txt
  • %SystemDrive%\tiwi.exe
File Hashes
  • 005aeac3a2685665e22aac6270c7effc4718c92737ace9f6215c1f3e93adf632
  • 007cfb6540762317643054786cb91843f5f713f879ca20d2abcb63a02ab9c87f
  • 010b717c887c1f7d8a0f08d73b01f37b6d7a871e2f17ea9dc60a1bcd379b0f8b
  • 036e59256be20eeed60c1dc49f2182089bd22bbe5aef75bbfe234f9898571d96
  • 03d0d49484f05ff4461d8bcb40c42c38f72cea2c5b673e93f1329dfecb3824dd
  • 043f25f1981421906c255dd5379e878ec4c5a359c9492abd3880eaa3176a4578
  • 052f01970798eb34c728da985358f05ba47134e84c381c96cea52f7274e74d31
  • 05dbbe0b660825cd4f2453b1afcd483ee3523771bc22a743e913f5e867fa063a
  • 064e0bbb5470221d65b575e930c7b615af574f4f8395d573afbaa034ae4ffc6b
  • 06569b13aa7a18eea8a863c768fe47468e505a898a9b689c376ab3cb3f957b80
  • 0676fd79294f4ca277380e44085176012b97e5e07ab652009ce85791294a6f95
  • 068f0a2d6b99b2701ae41325851a6fa258059c535765c2eb9ba30fd94118b995
  • 0721857c17edb718c984d002fd24e754672e3d2eccaef2dcbc78f7ce0a902eac
  • 0830ddb3dd73dbdbe524db466a035a85ba2e1eff6de24738d7ab42acd4ce4da1
  • 08fabe5f7aabaa4e2f8a432f9e8287c7c80073dc05dc4fc9e8590f1bf15c25c4
  • 09600f1b158f792909a105e155bde59e24f6e46322a13b7109649d15c97689da
  • 0b70dbba443121a8aed5e4adb630737a773622ef16415034f5e1ef7af9a18d28
  • 0b7a26dd115453a5530b387338b18d05d826e5ac3174399567f03376e2e67335
  • 0c902a3a4a2a36d64351861dc4d8c2ad74a1415aff9b5f71ffc3e740a691483f
  • 0cb7d5f688faf979b0d53200b507c0ab49446e2fc798635dca699ca6bfc2cf53
  • 0dc9618e5edc34a8ada892b5c5a403eb9e64eb8e51772d35f4ee79959bccb686
  • 0e8a750df320de2ee02b70b9c27b77d835ffe4c0c57b0ec6aca73e2df78f39e3
  • 0ed1e47a487b750d9fa86743fe7d8a285292bf68169d61a0097570dffae443a9
  • 0ee895125c27f3def3a2a60a2c16b9a66e0c2752337e621ce3cf0a2d70372aeb
  • 0ff2198fa27c38bfbbaeb1e56f28696ceed254b749ee3b44d1163d41ebac534b

Coverage


Screenshots of Detection

AMP




ThreatGrid




Win.Trojan.Autoruner-6733593-0


Indicators of Compromise


Registry Keys
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WINSERVICES.EXE
    • Value Name: Debugger
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • 204[.]79[.]197[.]200
  • 91[.]195[.]240[.]94
  • 72[.]21[.]81[.]200
  • 23[.]79[.]219[.]185
  • 67[.]202[.]94[.]93
  • 50[.]23[.]131[.]235
  • 23[.]3[.]96[.]25
Domain Names contacted by malware. Does not indicate maliciousness
  • kz0t0g6xn457m449312vx962m32v69[.]ipcheker[.]com
  • 17d98a5d[.]akstat[.]io
  • r0u603u61y8999y[.]directorio-w[.]com
  • 4o91sy32347o7x636pk2084dk0p66z[.]ipgreat[.]com
  • 8s8908905t67uc0a75zm35c78xq0ex[.]ipcheker[.]com
  • 7r3u5sm670kplbt6w1036p7ployl36[.]ipcheker[.]com
Files and or directories created
  • \??\E:\autorun.inf
  • %UserProfile%\27F6471627473796E696D64614\winlogon.exe
  • \$RECYCLE.BIN.LNk
File Hashes
  • 00de9aefee7e84028781e5d88e23c7ac53d8a10aa97116411d43b6532112fa16
  • 01474c0dacb671b37172b985d8e96bb688f2e4f6f8975a6bdab76c3ebb6ca29a
  • 0206ba28fd335c6470736f976885f5916375e114ce442208f30aaca55525d41c
  • 027b08647ec8a4976897114dcac6810acb215dc13805edd0986d4bce04528f59
  • 02e94f61d5c4da2b4a3b8991278a77e937da0de55b2f5373f804344cae73dad8
  • 033c6325a22ddee4d621558106fd297407f31e0713c7c2314024e8cbcdc0a5b3
  • 05d0ef6586355e9255a5723ae5909602de6def71e64f3e1838211bb0d3c9de81
  • 06bdc32de83eec39c9153b7944b8abc0137e3b69c80ac02e74d6903c656915e7
  • 06e53af6c4bde93f7a9da0b90408e59b701d1ced02c5fb14fba45c7272452367
  • 082831142fe7826130b5d5ac7673d9ae8f7f56e126348283e77fc3c88f4d5b0b
  • 08617dcb9523e28efed1e47917b6f9dc6dfb534c6d0d7df0888e977099f4db71
  • 09a8a4d6b7e8d68dcbf7279923f5d8322e4d46dea86ca1da0f553bdb1f5fc222
  • 09c40f54a73303ddf1d6170f3cd06778583260e82b7dfe155a2f804346aadfc9
  • 0b032c40e0877bd1c4aeca8bf56b87d0daacc781ad2cb025cdc7c3944074e816
  • 0b979d82d329160c7f95cb8abc9ccc8e0ebb4f981ee321342e84a29ff33687f9
  • 0be8709e38625829811638c2460a8eaa993569df882f4a7263747f91bd08970a
  • 0e47b656aa6dfdc797ff650a7d1800639f7347d2af4fd0ae6520e02ff0cec9a0
  • 0eeb8d4cb796e8460ea5c283deed8788356822e6a7916c9cec496dc7cf4f3ab2
  • 101217714340fcd5d1194ac746d2b4c9d42f739f12b983ce33801d2baebb71ab
  • 11e0b16cfcd0e45c21a1fbe9b7b14bf019f3e2ceb7894eee8e458eb6a7571c34
  • 12e12efef70cc7824ea45771c844393d1e1b878a86def41acc01093249bc7e19
  • 1374cf423bc66983991c7fd3e3767aedf67094cf5a3eff6eb695112b51dc5e6a
  • 13910ca1a7fbadf757c082dde5d1724b6b46d36b9eae47d1bd968c66a67be3ba
  • 17ea3123406cb0ef21c174f4f27a89d4cbd5b61ff1359ec9b8c756b311ee0f4d
  • 183b07b0a5e93388d391deeac811b405d0cf46c66f3817efe535780a6d06c10a

Coverage


Screenshots of Detection

AMP




ThreatGrid





Doc.Downloader.Emotet-6744157-1


Indicators of Compromise


Registry Keys
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIMCLOUD
    • Value Name: Type
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIMCLOUD
    • Value Name: Start
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIMCLOUD
    • Value Name: ErrorControl
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIMCLOUD
    • Value Name: ImagePath
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIMCLOUD
    • Value Name: DisplayName
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIMCLOUD
    • Value Name: WOW64
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIMCLOUD
    • Value Name: ObjectName
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\dimcloud
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\DIMCLOUD
    • Value Name: Description
Mutexes
  • Global\I98B68E3C
  • Global\M98B68E3C
IP Addresses contacted by malware. Does not indicate maliciousness
  • 182[.]180[.]77[.]215
  • 45[.]59[.]204[.]133
  • 67[.]177[.]71[.]77
  • 87[.]229[.]45[.]35
Domain Names contacted by malware. Does not indicate maliciousness
  • lionhomesystem[.]hu
Files and or directories created
  • %AppData%\Microsoft\UProof\CUSTOM.DIC
  • %SystemDrive%\TEMP\~$18_11Informationen_betreffend_Transaktion.doc
  • %SystemDrive%\~$9441806.doc
  • %LocalAppData%\Temp\781.exe
  • %LocalAppData%\Temp\mq0dgaud.vrd.psm1
  • %LocalAppData%\Temp\xxlgesic.vav.ps1
  • %WinDir%\SysWOW64\dimcloudb.exe
  • %WinDir%\TEMP\9E64.tmp
  • %LocalAppData%\Temp\CVRF911.tmp
File Hashes
  • 14e4a394fa5994ce2ff8047f2bac46b385a5a6510205e4c65930c0af413c935e
  • 500a319207a744b8d20c4bccb1c0b5b4f2fafc228cf05dd6bd2cb19b02444f58
  • 53402a103a73ae604657be6e171cc017957fa1f3638fcbe976ca3af694ba0b7f
  • 6bc0481d7b339a55f6493bfba40bca7819a3799a39b5beaf09490aafed45bc24
  • 82448e012786f528fb7946640e84c6beadf34de21130a69bdc1538d4cc8cddf2
  • 8d74c083778f9511c01916d183301686ac09a7011bbfa8f744a5816dc244340a
  • 94de7534a45275daa06e0189c6bd06ca41176b3da93303b5fae677ae92cbb92d
  • a2d01ed549ffcdd8de59939e7fae64d1455309ab7b8cbbaa6aae8f626803319b
  • a692ae61c540f3138866e74cd98aab9b368fdfe36233ccc408549a69a5a2c86f
  • dca6675566e48fbab773ad8c64504b809f8323ca48a8771d0a80ad7ccea1a2de
  • eb6b88afe59ff4fe3068586f6eea31a174deb0956f9fc72df68394bb007aee05
  • ec383b84e5038f061921a2a41b27d8635465826bce5636b21ede0fe061895972
  • f3641ae9463763cac44325547c7a6aeb954e8cc09a4ddf739c8d068c443761c9
  • f49cfd859d0cde4b95fbb1cd277a2e0668ac8bdbbc5e215af7da159e108ac5cd
  • f99dd238a630895697be11c2a551a3874a315b6f5a7bf752ab06cab6eb69e7b9
  • ffe52a1f56588e88eef218987e89a4caade5125e3a4478cb38ce85ec7733e03c

Coverage


Screenshots of Detection

AMP




ThreatGrid




Umbrella



Malware




Comments