Threat Roundup Sept 28 - Oct 5

Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we’ve observed this week — covering the dates between Sept. 28 and Oct. 5. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, we will summarize the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

The most prevalent threats highlighted in this roundup are:

  • Win.Malware.Gandcrab-6706045-0
    Malware
    Gandcrab is ransomware that encrypts documents, photos, databases and other important files using the file extension ".GDCB", ".CRAB" or ".KRAB". Gandcrab is spread through both traditional spam campaigns, as well as multiple exploit kits, including Rig and Grandsoft.
     
  • Xls.Downloader.Valyria-6704496-0
    Downloader
    These variants of Valyria are malicious Excel files that contain embedded VBA macros used to distribute other malware.
     
  • Win.Dropper.Fqdq-6705253-0
    Dropper
    This dropper attempts to access the Firefox Password Manager local database, uses a temporary batch file to perform additional malicious activities and uploads files to remote servers. Additionally, it might inject code, read INI files or use Visual Basic scripts.
     
  • Win.Malware.Genkryptik-6704925-0
    Malware
    Win.Malware.Genkryptik is oftentimes a generic detection name for a Windows trojan. Some of the malicious activities that could be performed by these samples, without the user's knowledge, include: collecting system information, downloading and uploading files and dropping additional samples.
     
  • Win.Malware.Zusy-6704537-0
    Malware
    Zusy is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". The malware attempts to trick the user into entering their login information whenever they visit a financial services website.
     
  • Win.Malware.Razy-6703914-0
    Malware
    Razy is oftentimes a generic detection name for a Windows trojan. They collect sensitive information from the infected host and encrypt the data, and send it to a command and control (C2) server. Information collected might include screenshots. The samples modify auto-execute functionality by setting/creating a value in the registry for persistence.
     
  • Doc.Malware.Emooodldr-6699885-0
    Malware
    These malicious Word documents contain embedded VBA macros, spawn new processes, drops files and remove Office resiliency keys.
     

Threats

Win.Malware.Gandcrab-6706045-0


Indicators of Compromise


Registry Keys
  • <HKCR>\LOCAL SETTINGS\MUICACHE\3E\52C64B7E
    • Value Name: LanguageList
  • <HKCU>\CONTROL PANEL\DESKTOP
    • Value Name: Wallpaper
Mutexes
  • Global\8B5BAAB9E36E4507C5F5.lock
  • Global\XlAKFoxSKGOfSGOoSFOOFNOLPE
IP Addresses contacted by malware. Does not indicate maliciousness.
  • 50[.]63[.]202[.]89
  • 93[.]125[.]99[.]121
  • 137[.]74[.]238[.]33
  • 94[.]231[.]109[.]239
  • 185[.]135[.]88[.]105
  • 146[.]66[.]72[.]87
  • 87[.]236[.]16[.]31
  • 217[.]160[.]0[.]234
  • 69[.]73[.]180[.]151
  • 104[.]31[.]77[.]95
  • 171[.]244[.]34[.]167
  • 217[.]174[.]149[.]130
  • 70[.]40[.]197[.]96
  • 223[.]26[.]62[.]72
  • 80[.]77[.]123[.]23
  • 178[.]238[.]37[.]162
  • 51[.]68[.]50[.]168
  • 104[.]28[.]30[.]160
  • 67[.]227[.]236[.]96
  • 66[.]96[.]147[.]67
  • 179[.]188[.]11[.]34
  • 89[.]252[.]187[.]72
  • 194[.]58[.]56[.]95
  • 104[.]28[.]28[.]142
  • 104[.]27[.]163[.]241
  • 213[.]186[.]33[.]186
  • 107[.]178[.]113[.]162
  • 87[.]236[.]16[.]29
  • 188[.]165[.]53[.]185
  • 173[.]247[.]242[.]133
  • 77[.]104[.]144[.]25
  • 191[.]252[.]51[.]37
  • 202[.]43[.]45[.]181
  • 192[.]163[.]234[.]40
  • 217[.]160[.]0[.]27
  • 209[.]182[.]208[.]245
  • 94[.]73[.]148[.]18
  • 45[.]33[.]91[.]79
  • 87[.]236[.]19[.]135
  • 52[.]29[.]192[.]136
  • 178[.]33[.]233[.]202
  • 92[.]53[.]96[.]201
  • 186[.]202[.]153[.]158
  • 104[.]24[.]104[.]13
  • 213[.]186[.]33[.]3
  • 188[.]64[.]184[.]90
  • 95[.]213[.]173[.]173
  • 103[.]107[.]17[.]102
  • 103[.]27[.]238[.]31
  • 50[.]87[.]58[.]165
  • 104[.]27[.]186[.]113
  • 104[.]24[.]102[.]153
  • 77[.]104[.]171[.]238
  • 194[.]154[.]192[.]67
  • 87[.]236[.]16[.]41
Domain Names contacted by malware. Does not indicate maliciousness.
  • www[.]litespeedtech[.]com
  • big-game-fishing-croatia[.]hr
  • www[.]lagouttedelixir[.]com
  • dreamhost[.]com
  • www[.]himmerlandgolf[.]dk
  • hanaglobalholding[.]com
  • top-22[.]ru
  • zaeba[.]co[.]uk
  • ispsystem[.]com
  • unnatimotors[.]in
  • www[.]macartegrise[.]eu
  • blokefeed[.]club
  • bellytobabyphotographyseattle[.]com
  • diadelorgasmo[.]cl
  • www[.]bgfc[.]hr
  • www[.]wash-wear[.]com
  • yourmine[.]ru
  • www[.]reg[.]ru
  • www[.]poketeg[.]com
  • boatshowradio[.]com
  • www[.]perfectfunnelblueprint[.]com
  • perovaphoto[.]ru
  • www[.]cakav[.]hu
  • www[.]billerimpex[.]com
  • evotech[.]lu
  • www[.]ismcrossconnect[.]com
  • help[.]dreamhost[.]com
  • www[.]fabbfoundation[.]gm
  • alem[.]be
  • cevent[.]net
  • mauricionacif[.]com
  • smbardoli[.]org
  • www[.]aco[.]dk
  • cyclevegas[.]com
  • lucides[.]co[.]uk
  • krasnaypolyana123[.]ru
  • hoteltravel2018[.]com
  • oceanlinen[.]com
  • 6chen[.]cn
  • koloritplus[.]ru
  • asl-company[.]ru
  • www[.]krishnagrp[.]com
  • test[.]theveeview[.]com
  • cdnjs[.]cloudflare[.]com
  • picusglancus[.]pl
  • bloghalm[.]eu
  • api[.]w[.]org
  • nesten[.]dk
  • simetribilisim[.]com
  • pp-panda74[.]ru
  • wpakademi[.]com
  • dna-cp[.]com
  • h5s[.]vn
  • bethel[.]com[.]ve
  • vjccons[.]com[.]vn
  • www[.]rment[.]in
  • marketisleri[.]com
  • www[.]byggekvalitet[.]dk
  • royal[.]by
  • gmpg[.]org
  • sherouk[.]com
  • tommarmores[.]com[.]br
  • graftedinn[.]us
  • www[.]mimid[.]cz
  • maxcdn[.]bootstrapcdn[.]com
  • panel[.]dreamhost[.]com
  • relectrica[.]com[.]mx
  • acbt[.]fr
  • damt7w3yoa0t2[.]cloudfront[.]net
  • topstockexpert[.]su
  • goodapd[.]website
  • www[.]n2plus[.]co[.]th
  • aurumwedding[.]ru
  • devdev[.]com[.]br
  • www[.]toflyaviacao[.]com[.]br
  • mimid[.]cz
  • nhs-foi[.]com
  • www[.]iyfipgun[.]com
  • wash-wear[.]com
Files and or directories created
  • %AppData%\Microsoft\Internet Explorer\UserData\MA3SBLRS\spid[1].xml
  • %UserProfile%\Videos\98b689db98b68e303c.lock
  • %UserProfile%\Start Menu\98b689db98b68e303c.lock
  • %UserProfile%\Start Menu\SGMNP-DECRYPT.txt
  • %UserProfile%\Videos\Sample Videos\98b689db98b68e303c.lock
  • %UserProfile%\Videos\Sample Videos\SGMNP-DECRYPT.txt
  • \??\E:\$RECYCLE.BIN\S-1-5-21-2580483871-590521980-3826313501-500\98b689db98b68e303c.lock
  • \??\E:\$RECYCLE.BIN\S-1-5-21-2580483871-590521980-3826313501-500\SGMNP-DECRYPT.txt
  • \??\E:\$RECYCLE.BIN\SGMNP-DECRYPT.txt
  • \??\E:\98b689db98b68e303c.lock
  • \??\E:\SGMNP-DECRYPT.txt
  • \MSOCache\SGMNP-DECRYPT.txt
  • \PerfLogs\Admin\SGMNP-DECRYPT.txt
  • \PerfLogs\SGMNP-DECRYPT.txt
  • \Recovery\926583e2-ef64-11e4-beed-d6738078ad98\SGMNP-DECRYPT.txt
  • \Recovery\SGMNP-DECRYPT.txt
  • \SGMNP-DECRYPT.txt
  • \TEMP\SGMNP-DECRYPT.txt
  • %UserProfile%\Videos\SGMNP-DECRYPT.txt
File Hashes
  • 211484d0deda5cb97b16b27538b7d1d2c26af6ae3aac3c888085a0e8ddf2d8bd
  • 46b702851cb5c1df0a97d1ae9e3202316d36ef2195395a9bcc3699dd1d247733
  • 4e2ba4638d01c1473f0959fae6d31636456cde0ab995fa5f3fad1efc2cb7bf0e
  • 69fd1808c32fe3209f384fba8f79df13bec479e9b081f7edcf8720f6257f7dfe
  • 8b5c1735800d8ad69b535a863f4ae1941604b3e57261961e230a26b16b4b98ec
  • 9ec54c9d6ec39c34c8e011fcb10fb2ae5334d1d0632e63a61d94b36b9f9c8a9b
  • c394e7fa3604f5ee26419a913dbfeb0988d59bbf8ed25d852ebf62a48cc1688a
  • c4a126172b27777413ee4efcd0ce8656fbef52e81c984993af3fa63d5264cc8e
  • d81aa5dbd9272f9be6e4a0def514a9284220d88f219ac6fd908ab2c942b92cdc
  • d9129786346cfa0aa07a1c82d4bcb79a977c7c8e1a052916a34b6cde4c09c006
  • e41697a99da83a32bf8a56f993123fbfaef378d5e6f61286a272536fe10b6d35
  • e50a28068fcae51a609946fad1637a5dbfbda8add88063ddb117cb8e0cfc4a74
  • e8502aa65a4da371c0e378b245374af7340b809140a5d2e3bc3bfa67a92a2bde
  • eb9347f0fbbb675ecc61beb1f2be8721871e203357b124ad9858037a641709f5
  • f77825b0388a6220521219030ad70bdb6fcd3216a590d092ec4aa22a506a17b6

Coverage


Screenshots of Detection

AMP



ThreatGrid


Umbrella


Xls.Downloader.Valyria-6704496-0


Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value Name: UNCAsIntranet
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value Name: AutoDetect
  • <HKCU>\SOFTWARE\MICROSOFT\WISP\MULTITOUCH
    • Value Name: MultiTouchEnabled
  • <HKCU>\SOFTWARE\MICROSOFT\WISP\PEN\PERSIST\0\1
    • Value Name: HidCursorName
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
    • Value Name: DeleteFlag
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
    • Value Name: Start
Mutexes
  • Local\10MU_ACB10_S-1-5-5-0-57527
  • Local\10MU_ACBPIDS_S-1-5-5-0-57527
  • Global\316D1C7871E00
  • {773F1B9A-35B9-4E95-83A0-A210F2DE3B37}-Default
IP Addresses contacted by malware. Does not indicate maliciousness.
  • 78[.]47[.]139[.]102
  • 107[.]180[.]25[.]0
  • 103[.]110[.]91[.]118
  • 89[.]163[.]224[.]250
  • 199[.]249[.]223[.]62
  • 185[.]220[.]101[.]12
  • 89[.]27[.]96[.]42
  • 208[.]113[.]131[.]196
Domain Names contacted by malware. Does not indicate maliciousness.
  • dallasmediationlawyer[.]com
  • myexternalip[.]com
Files and or directories created
  • %LocalAppData%\Temp\character.exe
  • %AppData%\mssert\chasactes.exe
  • %LocalAppData%\Temp\const_cast.bat
  • %LocalAppData%\Temp\whzxixx5.jdj.ps1
  • %LocalAppData%\Temp\xgxfy2dc.eju.psm1
  • %LocalAppData%\Temp\21iyllij.ncz.psm1
  • %LocalAppData%\Temp\erifm5li.lo3.ps1
  • %LocalAppData%\Temp\wmez5d0g.r0g.ps1
  • %LocalAppData%\Temp\gs0jrz4i.yd2.psm1
  • %LocalAppData%\Temp\qgh0kqvv.ce5.ps1
  • %LocalAppData%\Temp\tkzdlipn.odo.psm1
File Hashes
  • 0276895b76757b5b2726c1c2fbb50d98040dc2dc46aedff1e5b9709f168b4a8d
  • 0f792637a859a3c2919e1e45a9500e1bdf2b5f4e07bfc4d8b5e24cf7c8003e5e
  • 1114fd2ee387df04c4e7ed0bb6d088b220e893c8a1ee07386977c7369681e5d3
  • 1c2f39f6a608c70b16a79ed4cfb228c412852caac8a8b8bafc4e0819d038aa2c
  • 2ca6d57dcfacd0f59f8b390ccbf138b557b8e95a157a53de6fe864c5eafbcf80
  • 4682a95f9ed32657ee61b7aec758ab6bbdc17a52e2812e1372b3b2a9776cadc1
  • 655f60c338658334723310c79033b26daa207b61fd89ebaf4abbed93802c65be
  • 672aac7a017a8417608dfe687fa4023fdd1e90a7d77f6e1d9b035a070c9d9c40
  • 6ff12e83f44e19de6515c03108fccfd98abd3a70bbab1088171954a3c6113d3b
  • a407d2cfb849a1822895fb5770db7c24b707422da3a193e7d8f5d9e39bfb3896
  • ccbac43307cd046f896283deac0341351b5dc83e6be5cb2292a0c28cdfd34650
  • dafd70b7b82551b0feb905f8d466d2b02784ce6e5d5c2b8d6d00e82b27487ae0
  • dbf3533e970aacc291d0342289943605537407df18217182ca39d52a8c9f8970

Coverage


Screenshots of Detection

AMP



ThreatGrid



Umbrella

Win.Dropper.Fqdq-6705253-0


Indicators of Compromise


Registry Keys
  • <HKCR>\LOCAL SETTINGS\MUICACHE\3E\52C64B7E
    • Value Name: LanguageList
  • <HKLM>\SYSTEM\CONTROLSET001\CONTROL\NETWORK\{4D36E972-E325-11CE-BFC1-08002BE10318}\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}\CONNECTION
    • Value Name: PnpInstanceID
Mutexes
  • 3749282D282E1E80C56CAE5A
IP Addresses contacted by malware. Does not indicate maliciousness.
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness.
  • baxishop[.]ro
Files and or directories created
  • %AppData%\D282E1\1E80C5.lck
  • %AllUsersProfile%\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\Policy.vpol
  • \PC*\MAILSLOT\NET\NETLOGON
  • \lsass
  • %AppData%\D282E1
  • \samr
File Hashes
  • 030290f026a913226735bc017a37997180f130b9ce1fdc3b990e050aea4bc39e
  • 07abd686b7cda16b61c65d82cb72f464e2ea31bb8bb165f01bbcfa693f1bd22a
  • 1258790e008879340d7cd8e6b303e25183345a05d81b6583164f0a690323405b
  • 12963b31f9719d9333f6cbdb46426c32179bba4a31976b094d192588eb4439ff
  • 2627bd09fd4886f83a7ca589518523606b581ad026968f3d013e1cfb221f7811
  • 2c18a46ea35314f065b21e151d37787cfa5b7696207226ca80f7732176659ee9
  • 30a901d40309ac1e42e98ad59044e1e1f97f985ca397628e8f0deb8f67f39d1f
  • 31ef4c98208464b43dd337b92cba0cfa05d0924ebc732e0b1ee88120495f503c
  • 34f159a5b3ee64cbe520c18e9abd66be61b583dad385bbec9cadf054942827da
  • 35c1410cfb084bb4f4ef5a7c3d92c7b78ddd33849864e41f22e09f5b1c3997b2
  • 3a69eddc3ab09e947703dbfd7e279e9e6e867190c9f72f395833fe94a1b6903a
  • 4688f04b2498695705ea718ba724e9f0c04d92d09d75505f7fa1b1ad19bfe795
  • 4e79a2473921ee6132c3e73f9b4de0395ec350cb476981cf2cb19171034f9405
  • 56979370107aeffca2fa5ad915f454e33ced1a5c6518dbc01ed15689b92e83dd
  • 582f2175b65814e7558fca9ebc7e1a6f97402ce3079f43ece47fdc17c3f7324e
  • 5f83ff3b7d094547fd00dacabe669e389bdd04af09dcbc7790f29a63f797a00f
  • 6448bc9787a96f76cc6716294a204df6d1cbd6db9cc441abc78b31161529e00f
  • 7a2868174590c11d2f95794260792700a1fd567b5315702decfd1cd6611ed0d5
  • 8b7a4bc0f2ea0f3e54b0cea9fa2928ddd0a85aa80a64071985cf95301c0d5ac3
  • 9030a6efd1e15d5e78b727700863ab45b667a7c532761b3a148aa222f7e17b87
  • 946de8d2685ded47c74e4b7c9490e8961598462a87be7ca5bef22693745f7cfa
  • 951860ee7f7283a3b238cbfdb6e161c09fcb6a2b7975bb142412c442fd2590fd
  • 95b99dd7dd7814724287c89e2435aa65cc82e91c5aabd453be1a0532d50bd936
  • 96397b26ba4ee4244704c2cadd71c3d3d4c12e988f6de1d695f3602432bd94b3
  • 9c5acd9297928707ed7e472e9316b125b55b2cd98870aaa4b4630dcd0fece734

Coverage


Screenshots of Detection

AMP



ThreatGrid

Win.Malware.Genkryptik-6704925-0


Indicators of Compromise


Registry Keys
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS
    • Value Name: DhcpNameServer
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
    • Value Name: DhcpNameServer
Mutexes
  • !IECompat!Mutex
  • !PrivacIE!SharedMem!Mutex
  • Local\VERMGMTBlockListFileMutex
  • Local\!BrowserEmulation!SharedMemory!Mutex
  • Local\URLBLOCK_DOWNLOAD_MUTEX
  • Local\URLBLOCK_HASHFILESWITCH_MUTEX
  • {5312EE61-79E3-4A24-BFE1-132B85B23C3A}
  • {66D0969A-1E86-44CF-B4EC-3806DDDA3B5D}
  • IsoScope_1e0_ConnHashTable<480>_HashTable_Mutex
  • IsoScope_1e0_IESQMMUTEX_0_303
  • IsoScope_1e0_IESQMMUTEX_0_331
  • IsoScope_1e0_IESQMMUTEX_0_274
  • Local\URLBLOCK_FILEMAPSWITCH_MUTEX_480
  • IsoScope_708_ConnHashTable<1800>_HashTable_Mutex
  • IsoScope_708_IESQMMUTEX_0_303
  • IsoScope_708_IESQMMUTEX_0_331
  • Local\URLBLOCK_FILEMAPSWITCH_MUTEX_1800
  • IsoScope_708_IESQMMUTEX_0_274
  • IsoScope_4b4_IESQMMUTEX_0_274
  • IsoScope_f8_IESQMMUTEX_0_274
  • IsoScope_20c_ConnHashTable<524>_HashTable_Mutex
  • IsoScope_20c_IESQMMUTEX_0_303
  • IsoScope_20c_IESQMMUTEX_0_331
  • IsoScope_4b4_ConnHashTable<1204>_HashTable_Mutex
  • IsoScope_4b4_IESQMMUTEX_0_303
  • IsoScope_4b4_IESQMMUTEX_0_331
  • IsoScope_20c_IESQMMUTEX_0_274
  • Local\URLBLOCK_FILEMAPSWITCH_MUTEX_524
  • IsoScope_f8_ConnHashTable<248>_HashTable_Mutex
  • IsoScope_f8_IESQMMUTEX_0_303
  • IsoScope_f8_IESQMMUTEX_0_331
  • Local\URLBLOCK_FILEMAPSWITCH_MUTEX_248
  • IsoScope_6e4_IESQMMUTEX_0_274
  • IsoScope_6e4_ConnHashTable<1764>_HashTable_Mutex
  • IsoScope_6e4_IESQMMUTEX_0_303
  • IsoScope_6e4_IESQMMUTEX_0_331
  • Local\URLBLOCK_FILEMAPSWITCH_MUTEX_1764
  • IsoScope_4e8_IESQMMUTEX_0_274
  • IsoScope_4e8_ConnHashTable<1256>_HashTable_Mutex
  • IsoScope_4e8_IESQMMUTEX_0_303
  • IsoScope_4e8_IESQMMUTEX_0_331
  • Local\URLBLOCK_FILEMAPSWITCH_MUTEX_1256
IP Addresses contacted by malware. Does not indicate maliciousness
  • 13[.]107[.]21[.]200
Domain Names contacted by malware. Does not indicate maliciousness
  • ryiwuehwskosuqhs[.]com
  • goldenmemb[.]website
  • dolikulooospo[.]fun
Files and or directories created
  • %LocalAppData%Low\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
  • %LocalAppData%\Microsoft\Windows\WebCache\V01tmp.log
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\dnserror[1]
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\httpErrorPagesScripts[1]
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\errorPageStrings[1]
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\httpErrorPagesScripts[1]
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\NewErrorPageTemplate[1]
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\errorPageStrings[1]
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\NewErrorPageTemplate[1]
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\dnserror[1]
  • %LocalAppData%\Microsoft\Windows\WebCache\V010000F.log
  • %LocalAppData%\Temp\~DF4B1ABF6D6A9DC6E3.TMP
  • %LocalAppData%\Temp\~DF88BBAB8557CDD7E3.TMP
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\errorPageStrings[1]
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\suggestions[2].en-US
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\NewErrorPageTemplate[1]
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\dnserror[1]
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\favicon[2].ico
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\favicon[1].png
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\favicon[2].png
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\views[1]
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\favicon[1].ico
  • %LocalAppData%\Temp\~DFDEB0FC636A1346E9.TMP
  • %LocalAppData%\Temp\~DFEBFBFB87C6F7EC1B.TMP
  • %LocalAppData%\Temp\~DFFC172A87F8554CB4.TMP
  • %LocalAppData%\Temp\~DF81A97BC70E347BD0.TMP
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\httpErrorPagesScripts[1]
  • %LocalAppData%\Temp\~DF8AA772D245BBB59D.TMP
  • %LocalAppData%\Temp\~DF90B11BDCE6092786.TMP
  • %LocalAppData%\Temp\~DF9FFAF3D7E7318657.TMP
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\NewErrorPageTemplate[1]
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\httpErrorPagesScripts[1]
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\NewErrorPageTemplate[2]
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\dnserror[2]
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\errorPageStrings[1]
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\errorPageStrings[2]
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\httpErrorPagesScripts[2]
  • %LocalAppData%\Temp\~DF5DDD3B43947F7CEA.TMP
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\dnserror[1]
  • %LocalAppData%\Temp\~DFB15BBE1A2AFF7D7E.TMP
  • %LocalAppData%\Temp\~DF1D30A03829232972.TMP
  • %LocalAppData%\Temp\~DF38E2C66D6383AD19.TMP
  • %LocalAppData%\Temp\~DFCE77235CFE7E5202.TMP
File Hashes
  • 060707050140235807d6e6ac6933fa26cf0c230d68f574b880e99a699bdf506a
  • 088a6e8da14dbeab941702b1515b85486544dffc83885112b95997257f8d32d5
  • 0dfc771e0fbdf05facc54643341dfce97b745efe13867b01049bc977624d14b2
  • 0e21eb1c5f15689329bc6d46d78eb7d0f4eccc6fb8da4f41d17e6205ae7a847b
  • 0f71ba5f0fbba5d9810a4f816c5ebe1d545c4c65b34c180c769c2cd3467b0737
  • 130649d3f09197d1c2e895cc06fd9ecd6feb2e663562a6b99d95ae4ce66eddb8
  • 139ac3f5d2e5351c0edcd0edb384d0a75e482e8007724f181c7a4204f5895ad9
  • 13c3313b910f18431ea183b00632deacd266561a73bcf837f4b46f1f73b31bcd
  • 24b6c693551ed33b55d7ce6baae96dcca9e3cb55e9b94637d5ba59edc109d402
  • 27cec90ae8c84a79dd2ebb2928152bdea1b07cab3b2f1ad98ed8fb3f17cc339b
  • 28b54e5cf1be89766c177bc7f4c8692abec0bb4bdf299a59709d10120f7bc205
  • 29b845365404070e98840dcd74eb3c23919b0990b14bd0905b0921220f8b4bb9
  • 2c3fad4307c0739c336e50ec670b61d00029d2a2be260676419f883835ce8818
  • 337ad107eb3e1fc497af4b3f6006e12ae74a55d6535f28a67c9b231807e15f24
  • 3394d5ec6ba4c548289008cbfea8238318af52d51e8e2110b5060635425db74c
  • 378a4e27208c7fee9c7ac33d11d8872db902fe5242aceabba11343bf11a95155
  • 3a136b2b6df645c3e6b3c0febb821a5dda5bcb4bd35f674fb33aa10684b58004
  • 3c4e171d1f0b29b6f40f8bdf6af0c1161b092591c453c66734f4c6f54a0ac36f
  • 3ec415b8f411c2004892c7dedcd25e4683d0f0fded754c8b9a0f784f087dddcf
  • 420c05993a014331992918e89dda914851c0e31a2e196446309e3da07dc0c31a
  • 43d9e51c98400b09bc499f0e2857e2b797254167c29c9d2234f6506d7cf7f98e
  • 4ae9179659e2ba267b87478ea0f48c6c1caba252b4d2bcdfdc4b6ba873028d87
  • 542b5b23123a0a71d79181adeda4edfff6b91cdaf0068aafc55ee03bdc928ab5
  • 5bbc6d14ed5d408d0c7bb115853dff092c236517223c14b92c709a7ffa2c5742
  • 5cc63a68be8b7ea9feca940e7b038ebca417f421a0b70c17d3e6ebfca4212e16

Coverage


Screenshots of Detection

AMP



ThreatGrid



Umbrella

Win.Malware.Zusy-6704537-0


Indicators of Compromise


Registry Keys
  • <HKCR>\LOCAL SETTINGS\MUICACHE\3E\52C64B7E
    • Value Name: LanguageList
  • <HKLM>\System\CurrentControlSet\Services\Tcpip\Parameters
  • <HKLM>\SYSTEM\CONTROLSET001\CONTROL\NETWORK\{4D36E972-E325-11CE-BFC1-08002BE10318}\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}\CONNECTION
    • Value Name: PnpInstanceID
  • <HKCU>\Software\Microsoft\RAS AutoDial
Mutexes
  • DBWinMutex
  • NtHack
IP Addresses contacted by malware. Does not indicate maliciousness
  • 139[.]196[.]204[.]190
Domain Names contacted by malware. Does not indicate maliciousness
  • www[.]bilibili[.]com
  • wpa[.]qq[.]com
  • bbs[.]nt47[.]com
  • www[.]nt47[.]com
Files and or directories created
  • N/A
File Hashes
  • 00b657fa1270930f868fcd06c38af4b1514baa727c0db576e50340cc2f1c49dc
  • 0f6f850198e9afb8ddfe5552dad5ae6151c3cdf41f5ed8964a1e46ce62ea0d2b
  • 1bf8402a3da8797a130c528ff38fcca42403a5e878943d8dbaec420433c55edf
  • 2c0996f013b00833a28d1612acc545a66264b613e7127738ccf3536ddb04501c
  • 41cd6b708c56e1bad9b185ab09de02efd1f57d7c6691a9910d00b18489e59ec7
  • 4733b5c290c00ca10bc72c248d6a014c6bf5fe21b92592b941cfdd8ac6870610
  • 55099d0d5b7f5f677e431ebaf4c9a71877ab7b10887cb027ac78540ba1631779
  • 680e98f78b16e05b2f55e1432f8553341cfd02ece47cedca652a04e1f4c901cf
  • 6f496ef1284e79d93693374672e416d46b55c6590f8ab7737303b12f7316c2dd
  • 9085e78cbbf63b30c42a4801cee1b67fa41f4c4308d0f163c3d39d7f76c00bf8
  • 98e0df2e9cf8ba02d05cdc1bdea0cccc861855197f2a009f4a8fed152770b499
  • c19b9d8770e3619d832401aa7bc385bbf7e239d0397febbb441621efbb539f72
  • cca199364abfb50ec1dd467035fd2c637056abac9f8351393111dcdce8243e38
  • d346a3d9a4be88b2e6fe2b78b391efa47d4de3c9acb23aeb31c0b0e1868d9817
  • da9e5e6a5379284ca1b4e9be680bbecdcbca2378d8d8ae9e76e5601ba4fd9dcc
  • eba22d087a40a79daa58a95e6337f53cf98885400019ad9e8417bb4ce2f2c8ea

Coverage


Screenshots of Detection

AMP



ThreatGrid

Win.Malware.Razy-6703914-0


Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: internat.exe
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: system
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{4LW407K6-M06A-64Y6-80K0-13CK6KK8U041}
    • Value Name: StubPath
Mutexes
  • -
IP Addresses contacted by malware. Does not indicate maliciousness
  • 217[.]12[.]210[.]23
  • 82[.]205[.]63[.]221
Domain Names contacted by malware. Does not indicate maliciousness
  • extreme33[.]dns1[.]us
  • mdformo[.]ddns[.]net
  • mdformo1[.]ddns[.]net
Files and or directories created
  • N/A
File Hashes
  • 00e3f5ffeb38495cefce0f1c9522743764adf1ee6ce51b91c9c4726726562a12
  • 01a7bdfdc6502db6bd237fcbc64596d8f76052e942c2c87e897f1ae786b7cac2
  • 02c5fa1012b9cf0d46801cadcc4fe6814b4f75d50104e948031d00ff3ca7b93c
  • 035f91568ca2bad43ce3fde98a2ae0418821e5f558c62b919c786c3b07bc0fe2
  • 03970d185025e7e226c704b5bcd13de89730677345d3d57081d07895966567d4
  • 052862be7afd84bbd167be8b83918d828608b35e1423600571747e67e66dbd16
  • 055865fb005e3969e6d9e7feba2e81a8bedbe3048bf2a9cd3a9fbfe8ea6076e5
  • 063e213ee0ecae95132a3cea557203b782de3c63b753fbd405ed670e83fbf573
  • 07912d5cd0bf4ef89355a76c1fc36497e90333111b127dcf07d76cbc8ab76838
  • 081fbe8f1c01676f9765ff7742b5d348433e2fd073136355100fe9f054140e6a
  • 08627d7fbb6313bcdd42ac88152b71f4700dadf0446fb985b269c614bdd3f9af
  • 08c257d2e5938dc6539b463ba0689982b79c112c8ad0aaf1be247726622ea487
  • 092b86ef5f0e69ac5e1d554304189d289f27534fa4c7835ad4137f380a25979b
  • 09c9b81d40f3c97876eaad0f29d7e9694c58c9a9cc4dc38b167611ecfbda3d75
  • 0a032738a8ffc58b6cdce62ef209b247e008f597b6955d87da71e1654da970ef
  • 0a77d603959b51f81cd2b3b27342be0fa4248586ba0121779f1a9959fd701d11
  • 0aa93c8240a9c593d6a8d5c226d4f0b7ac033cef70b39524281c52d92a97fb0a
  • 0afde5386ca8587bca67577727f02c3e71b883b7b5fc72e25a0d542f6c5819c8
  • 0d794619980f35738bd57712d170542d6d8ff58248d21529754a0881c0b139a4
  • 0f4fc18209bbb1d979cb504b807142e1a24aa8ee831e33ce8825a5bd350096fa
  • 0ffca4c710e5af160e813f686181131c963123caaeeea9762f86296822b8c883
  • 10427e9a0ee1b4e3d349d61839e1f09cb86b2a68d23e41933127dd5ce2da0134
  • 1343648c8b4748294191cfdca4b4881a57cee96db4051530c514e7c56e1152e3
  • 1495bb27a646d27162b28bce50ebf25abc5182e7417ced315f1b93060f7e99a0
  • 17983b493cd46b604ef3846516da1cda1628ec855b896be8b54a9558ae83058c

Coverage


Screenshots of Detection

AMP



ThreatGrid



Umbrella


Doc.Malware.Emooodldr-6699885-0


Indicators of Compromise


Registry Keys
  • <HKCR>\LOCAL SETTINGS\MUICACHE\3E\52C64B7E
    • Value Name: LanguageList
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\PRINT\PRINTERS\Canon PIXMA MG2520\PrinterDriverData
Mutexes
  • Global\552FFA80-3393-423d-8671-7BA046BB5906
  • Local\ZonesCacheCounterMutex
  • Local\ZonesLockedCacheCounterMutex
  • Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2580483871-590521980-3826313501-500
  • Global\MTX_MSO_AdHoc1_S-1-5-21-2580483871-590521980-3826313501-500
  • Global\MTX_MSO_Formal1_S-1-5-21-2580483871-590521980-3826313501-500
  • Local\10MU_ACB10_S-1-5-5-0-57527
  • Local\10MU_ACBPIDS_S-1-5-5-0-57527
  • Local\WinSpl64To32Mutex_e162_0_3000
  • Local\MSCTF.Asm.MutexDefault1
IP Addresses contacted by malware. Does not indicate maliciousness.
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness.
  • q0fpkblizxfe1l[.]com
Files and or directories created
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B106E8EE-597B-49CA-A6A4-5BA8ABCC8F6A}.tmp
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{43E9ADDD-30D5-47E4-98B0-7E3A5536CACC}.tmp
  • %UserProfile%\Documents\20180928
  • %UserProfile%\924.exe
  • %SystemDrive%\TEMP\~$8241024f69edc258237f01170ea088fd5064c5908267e943f97bc9e2a6ea1d.doc
  • %LocalAppData%\Temp\CVR41E8.tmp
  • %LocalAppData%\Temp\~DFD053DCDB50AFFE51.TMP
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{0EF83731-611B-4C55-980D-4D5CFC5BF353}.tmp
  • %AppData%\Microsoft\Office\Recent\5f8241024f69edc258237f01170ea088fd5064c5908267e943f97bc9e2a6ea1d.LNK
  • \TEMP\~$8241024f69edc258237f01170ea088fd5064c5908267e943f97bc9e2a6ea1d.doc
  • %LocalAppData%\Temp\bdmwft0z.slp.ps1
  • %LocalAppData%\Temp\tjkn23yi.53a.psm1
  • %UserProfile%\Documents\20180928\PowerShell_transcript.PC.ceUgAgR5.20180928074741.txt
File Hashes
  • 06f0ec25e8b014b407402207afa8b6c0db494ad270d910534399c2137204e81b
  • 0a8d4f2ac74485345284950b158da4be071633f33b0c7b9fa18d1f3e4d28732e
  • 292b28d2f08fbd08ee8f1c2ed6f765b08c883031c0fae8dd84480ba0e1ca940d
  • 3371fc7b0cf2d389571002c3ca26c9268edc373b79486e47bd6c349120f560c2
  • 33d078881456e3b930c480803902fa28142b17c8550f3932e7cf4a1df0eb9213
  • 567fe3794a9eec27697ae0634861d284279261880887f60a7374c6cbe63b7674
  • 5f8241024f69edc258237f01170ea088fd5064c5908267e943f97bc9e2a6ea1d
  • 91f0264ea76628c6b8825f358cd9cb8e1255604108fc059e0ac283d49c0dd852
  • 933f5c822937fdec9325d1c99c5e0a5fda92296ef7c51ce7cd2dfc72bbe95b82
  • cf8f98b1adf802ed2b24345161a38c4cfa499b36f17b0466a1da74edce84ba4b
  • e469ba3bad870a5e7596035f69f2ba4cbb849cbdf9a8019890ccdea02c60e4d6
  • f368d4a10770c42316d9c1024a0894b85048020526be03b2e824165b5b66e978
  • f88ef62f2342f4d1105cfe85395b735efd3f0308b79551944983ce245d425510

Coverage


Screenshots of Detection

AMP



ThreatGrid



Umbrella


Tags: ,,
Share: Email, ReBlog, Twitter, Facebook, Pinterest, Google+
Newer Post: Newer Post
Older Post: Older Post
Date:
Edit this post

Discussion

Powered by Manual Template
Name

.NET 0-day 0day ACDSee Adobe advisory adwind AMP Android Antenna House antivirus apple APT arbitrary code execution Attribution Automation Bahamut BASS beers with talos bitcoin Bitvote Black Hat botnet Brazil BRKSEC-2010 CASC chrome cisco Cisco Live Cisco Security Clam AV ClamAV Cobalt group code injection command injection conferences Coverage cryptocurrency cryptomining CSV CTA CVE-2016-8610 CVE-2017-0199 cve-2017-11882 CVE-2017-5638 CVE-2018-3857 CVE-2018-3858 CVE-2018-3859 CVE-2018-3860 CVE-2018-3870 CVE-2018-3871 CVE-2018-8506 cybercrime dark cloud DDE Decryptor Def Con detection dispute DOC DoS Excel Exploit exploit kits RTF fast flux Flash formbook Foscam Foxit Fuzzing gandcrab google GoScanSSH gozi gplayed GravityRAT Group123 Hangul healthcare HWP Hyland IcedID ICS IDA Pro IMAP incident response India inesap infostealer intel iOS IoT iot malware iPhone IR isfb jRAT JScript kernel mode KevDroid Korea Linux macros MalDoc Malware Malware Analysis Malware Research MDM meltdown meraki Microsoft Microsoft Patch Tuesday Middle East miners mining mobile device management monero Moxa ms tuesday natus NavRAT new router malware NordVPN North Korea nvidia Office office router attack Olympic Destoryer Olympic Destroyer Olympics opsec password stealer patch tuesday PDF phishing PhotoLine PLC podcast pony Powershell privilege escalation ProntoVPN PTEX PubNub PubNubRAT py2exe Pyeongchang pyrebox python Qatar ransomware RAT remcos remote access tool remote code execution research research spotlight reven ReversingLabs Rocke Rockwell Automation ROKRAT rootkit rtf ruby ryptoShuffler samsam samsung Scriptlets security updates sennoma signatures SimpleDirect Media Layer smartthings Smoke Loader Snort Snort Rules Sony South Korea spam spectre spyeye stealer steam struts support Talos TALOS-2017-0507 talosintelligence.com telegrab telegram Tetrane Thanatos ThanatosDecryptor threat intelligence Threat Research Threat Research Summit Threat Round-up Threat Roundup ThreatGrid threats TIFF trickbot trojan TTRS Umbrella ursnif VBScript VMI vpn filter attack VPNFiler VPNFilter VPNFilter malware vuln dev vulndev vulnerabilities Vulnerability vulnerability analysis Vulnerability Report Vulnerability Research vulnerability spotlight vulnerabillity vulnerable routers Whitepaper Windows WindowsCodecs.dll wipers xamarin XSS
false
ltr
item
materialize material: Threat Roundup Sept 28 - Oct 5
Threat Roundup Sept 28 - Oct 5
https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNUvUf8OpJA9Ip0go9_cYNtquRsC9Cdjg83_chjZkDMg7gc5PpIBMywLkf-XFBITIbVg5Io68KHApEZnb4N5oSe_CcMMZ7QCsBkkh5RyaeDxJSO-LBmyF_eBzpHnc_q6XrmYg7cpThUyGQ/s640/threat_roundup_logo.png
https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNUvUf8OpJA9Ip0go9_cYNtquRsC9Cdjg83_chjZkDMg7gc5PpIBMywLkf-XFBITIbVg5Io68KHApEZnb4N5oSe_CcMMZ7QCsBkkh5RyaeDxJSO-LBmyF_eBzpHnc_q6XrmYg7cpThUyGQ/s72-c/threat_roundup_logo.png
materialize material
https://materialize-material.blogspot.com/2018/10/threat-roundup-sept-28-oct-5.html
https://materialize-material.blogspot.com/
http://materialize-material.blogspot.com/
http://materialize-material.blogspot.com/2018/10/threat-roundup-sept-28-oct-5.html
true
1816414542238562206
UTF-8
Not found any posts Not found any related posts VIEW ALL Readmore Reply Cancel reply Delete By Home PAGES POSTS View All RECOMMENDED FOR YOU Tag ARCHIVE SEARCH ALL POSTS Not found any post match with your request Back Home Contents See also related Sunday Monday Tuesday Wednesday Thursday Friday Saturday Sun Mon Tue Wed Thu Fri Sat January February March April May June July August September October November December Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec just now 1 minute ago $$1$$ minutes ago 1 hour ago $$1$$ hours ago Yesterday $$1$$ days ago $$1$$ weeks ago more than 5 weeks ago Followers Follow THIS CONTENT IS PREMIUM Please share to unlock Copy All Code Select All Code All codes were copied to your clipboard Can not copy the codes / texts, please press [CTRL]+[C] (or CMD+C with Mac) to copy