HASHES - Cisco Talos Investigačný tím - TeslaCrypt nie je kryptomena, ale dobre známa rodina ransomwaru

Threat Breakdown

Win.Trojan.Razy-7505643-0

Indicators of Compromise

Registry Keys	Occurrences
\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\75E0ABB6138512271C04F85FDDDE38E4B7242EFE Value Name: Blob	11
\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\SETTINGS\LEAKDIAGNOSISATTEMPTED	7
\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED Value Name: Hidden	3
\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\0748AF3992DE6E3AA7B386B7F6C08EF2.EXE	1
\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\1C3DDA8020173A5B45A7C80CFC8B0298.EXE	1
\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\0748AF3992DE6E3AA7B386B7F6C08EF2.EXE Value Name: LastDetectionTime	1
\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\B4F3AEA9F95879ABBE9B311B5AB9FC30.EXE	1
\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\2AA87EE2B7BAA7D413CC747537A867A2.EXE	1
\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\1C3DDA8020173A5B45A7C80CFC8B0298.EXE Value Name: LastDetectionTime	1
\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\EB9064AF85850CF7B3485B2A911798D7.EXE	1
\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\B4F3AEA9F95879ABBE9B311B5AB9FC30.EXE Value Name: LastDetectionTime	1
\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\2AA87EE2B7BAA7D413CC747537A867A2.EXE Value Name: LastDetectionTime	1
\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\EB9064AF85850CF7B3485B2A911798D7.EXE Value Name: LastDetectionTime	1
\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE Value Name: goodsStartup key	1
\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\6035E0F59A5169E7C59129A3CDBD076E.EXE	1
\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\6035E0F59A5169E7C59129A3CDBD076E.EXE Value Name: LastDetectionTime	1
\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE Value Name: goods	1
\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\0786B90DA12B29B5CC97621DCC78FA3E.EXE	1
\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\0786B90DA12B29B5CC97621DCC78FA3E.EXE Value Name: LastDetectionTime	1
\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE Value Name: mrke	1

Mutexes	Occurrences
Global\14c64321-2d62-11ea-a007-00501e3ae7b5	1

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
172[.]217[.]12[.]206	10
172[.]217[.]9[.]225	7
172[.]217[.]5[.]238	6
104[.]16[.]155[.]36	3
77[.]88[.]21[.]158	3
172[.]217[.]10[.]46	1
172[.]217[.]10[.]33	1

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
smtp[.]yandex[.]com	3
whatismyipaddress[.]com	3
doc-00-6c-docs[.]googleusercontent[.]com	1
doc-0s-9s-docs[.]googleusercontent[.]com	1
doc-14-60-docs[.]googleusercontent[.]com	1
doc-0k-c8-docs[.]googleusercontent[.]com	1
doc-00-5o-docs[.]googleusercontent[.]com	1
doc-10-6c-docs[.]googleusercontent[.]com	1
doc-04-bg-docs[.]googleusercontent[.]com	1
doc-04-6c-docs[.]googleusercontent[.]com	1

Files and or directories created	Occurrences
%APPDATA%\pid.txt	3
%APPDATA%\pidloc.txt	3
%TEMP%\holdermail.txt	3
%TEMP%\holderwb.txt	3
%HOMEPATH%\desktop\product.pif	2
%TEMP%\bhv61AB.tmp	1
%TEMP%\bhv8DF6.tmp	1
%HOMEPATH%\Orkende	1
%HOMEPATH%\Orkende\Recomm.pif	1
%TEMP%\bhv5953.tmp	1

File Hashes

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella	N/A
WSA	N/A

Screenshots of Detection

AMP

ThreatGrid

---

Win.Dropper.Tofsee-7492214-1

Indicators of Compromise

Registry Keys	Occurrences
\.DEFAULT\CONTROL PANEL\BUSES	192
\.DEFAULT\CONTROL PANEL\BUSES Value Name: Config3	175
\SYSTEM\CONTROLSET001\SERVICES\ Value Name: Type	158
\SYSTEM\CONTROLSET001\SERVICES\ Value Name: Start	158
\SYSTEM\CONTROLSET001\SERVICES\ Value Name: ErrorControl	158
\SYSTEM\CONTROLSET001\SERVICES\ Value Name: DisplayName	158
\SYSTEM\CONTROLSET001\SERVICES\ Value Name: WOW64	158
\SYSTEM\CONTROLSET001\SERVICES\ Value Name: ObjectName	158
\SYSTEM\CONTROLSET001\SERVICES\ Value Name: Description	158
\SYSTEM\CONTROLSET001\SERVICES\	158
\SYSTEM\CONTROLSET001\SERVICES\ Value Name: ImagePath	68
\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\wpdjiqwl	11
\SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL Value Name: Type	11
\SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL Value Name: Start	11
\SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL Value Name: ErrorControl	11
\SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL Value Name: DisplayName	11
\SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL Value Name: WOW64	11
\SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL Value Name: ObjectName	11
\SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL Value Name: Description	11
\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\lesyxfla	11
\SYSTEM\CONTROLSET001\SERVICES\LESYXFLA Value Name: Type	11
\SYSTEM\CONTROLSET001\SERVICES\LESYXFLA Value Name: Start	11
\SYSTEM\CONTROLSET001\SERVICES\LESYXFLA Value Name: ErrorControl	11
\SYSTEM\CONTROLSET001\SERVICES\LESYXFLA Value Name: DisplayName	11
\SYSTEM\CONTROLSET001\SERVICES\LESYXFLA Value Name: WOW64	11

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
69[.]55[.]5[.]250	192
43[.]231[.]4[.]6/31	192
85[.]114[.]134[.]88	192
239[.]255[.]255[.]250	175
46[.]4[.]52[.]109	175
46[.]28[.]66[.]2	175
78[.]31[.]67[.]23	175
188[.]165[.]238[.]150	175
93[.]179[.]69[.]109	175
176[.]9[.]114[.]177	175
192[.]0[.]47[.]59	174
172[.]217[.]12[.]164	159
74[.]125[.]192[.]26/31	140
67[.]195[.]204[.]72/30	135
168[.]95[.]5[.]116/31	134
172[.]217[.]197[.]26/31	122
172[.]217[.]10[.]67	116
216[.]146[.]35[.]35	110
212[.]227[.]15[.]40/31	104
104[.]47[.]54[.]36	102
208[.]76[.]51[.]51	101
168[.]95[.]6[.]60/30	97
98[.]136[.]96[.]92/31	95
31[.]13[.]66[.]174	93
98[.]136[.]96[.]74/31	91

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
250[.]5[.]55[.]69[.]in-addr[.]arpa	192
microsoft-com[.]mail[.]protection[.]outlook[.]com	192
schema[.]org	175
250[.]5[.]55[.]69[.]zen[.]spamhaus[.]org	175
250[.]5[.]55[.]69[.]cbl[.]abuseat[.]org	175
mta5[.]am0[.]yahoodns[.]net	175
250[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net	175
250[.]5[.]55[.]69[.]bl[.]spamcop[.]net	175
250[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org	175
whois[.]iana[.]org	174
whois[.]arin[.]net	173
coolsex-finders6[.]com	173
bestladies[.]cn	173
bestdates[.]cn	173
bestgirlsdates[.]cn	173
hotmail-com[.]olc[.]protection[.]outlook[.]com	171
eur[.]olc[.]protection[.]outlook[.]com	127
mx-eu[.]mail[.]am0[.]yahoodns[.]net	125
ipinfo[.]io	118
nam[.]olc[.]protection[.]outlook[.]com	93
mx6[.]earthlink[.]net	91
pkvw-mx[.]msg[.]pkvw[.]co[.]charter[.]net	88
charter[.]net	87
mx0[.]charter[.]net	87
msn-com[.]olc[.]protection[.]outlook[.]com	72

Files and or directories created	Occurrences
%SystemRoot%\SysWOW64\config\systemprofile	192
%SystemRoot%\SysWOW64\config\systemprofile:.repos	192
%TEMP%\.exe	188
%SystemRoot%\SysWOW64\	158
%HOMEPATH%	59
%System32%\.exe (copy)	59
%SystemRoot%\SysWOW64\wpdjiqwl	11
%SystemRoot%\SysWOW64\lesyxfla	11
%SystemRoot%\SysWOW64\mftzygmb	10
%SystemRoot%\SysWOW64\piwcbjpe	10
%SystemRoot%\SysWOW64\zsgmltzo	10
%SystemRoot%\SysWOW64\yrflksyn	10
%TEMP%\.exe	9

File Hashes

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella
WSA

Screenshots of Detection

AMP

ThreatGrid

Umbrella

---

Win.Packed.Ursnif-7489213-0

Indicators of Compromise

Registry Keys	Occurrences
\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 Value Name: Blob	18
\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\75E0ABB6138512271C04F85FDDDE38E4B7242EFE Value Name: Blob	18

Mutexes	Occurrences
Local\https://vars.hotjar.com/	18
Local\https://www.avast.com/	18

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
23[.]221[.]50[.]122	18
152[.]199[.]4[.]33	18
23[.]221[.]49[.]75	18
23[.]221[.]50[.]102	18
104[.]107[.]26[.]214	18
13[.]109[.]156[.]118	18
65[.]55[.]44[.]109	17
157[.]240[.]18[.]35	15
104[.]107[.]18[.]91	15
38[.]126[.]130[.]202	15
192[.]42[.]119[.]41	14
13[.]107[.]21[.]200	13
172[.]217[.]164[.]136	13
23[.]196[.]81[.]176	13
204[.]79[.]197[.]200	12
204[.]2[.]197[.]202	12
72[.]22[.]185[.]200/31	12
172[.]217[.]197[.]156/31	12
172[.]217[.]6[.]206	11
172[.]217[.]12[.]136	11
172[.]217[.]11[.]36	11
172[.]217[.]10[.]14	11
169[.]54[.]251[.]164	11
23[.]201[.]42[.]247	11
23[.]201[.]42[.]161	11

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
googleads[.]g[.]doubleclick[.]net	18
www[.]googletagmanager[.]com	18
www[.]google-analytics[.]com	18
stats[.]g[.]doubleclick[.]net	18
connect[.]facebook[.]net	18
www[.]googleadservices[.]com	18
ib[.]adnxs[.]com	18
avast[.]com	18
static[.]avast[.]com	18
secure[.]adnxs[.]com	18
mc[.]yandex[.]ru	18
dev[.]visualwebsiteoptimizer[.]com	18
amplifypixel[.]outbrain[.]com	18
pixel[.]mathtag[.]com	18
tr[.]outbrain[.]com	18
amplify[.]outbrain[.]com	18
ajax[.]aspnetcdn[.]com	18
img-prod-cms-rt-microsoft-com[.]akamaized[.]net	18
az725175[.]vo[.]msecnd[.]net	18
script[.]hotjar[.]com	18
static[.]hotjar[.]com	18
c[.]s-microsoft[.]com	18
assets[.]onestore[.]ms	18
a[.]tribalfusion[.]com	18
www[.]avast[.]com	18

Files and or directories created	Occurrences
%TEMP%\www2.tmp	13
%TEMP%\www3.tmp	13
%TEMP%\www4.tmp	13
%HOMEPATH%\Favorites\Links\Suggested Sites.url	13
%HOMEPATH%\Local Settings\Application Data\Microsoft\Feeds\FeedsStore.feedsdb-ms	13
%HOMEPATH%\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	13
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}	2
\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B40C43F1-F039-44D2-AEB7-87F5AF8ABC3D}\ProxyStubClsid32	2
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{06EEE834-461C-42c2-8DCF-1502B527B1F9}\Instance\PropertySetStorage	2
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1FE6762-FC48-11D0-883A-3C8B00C10000}	2
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3CCEDF7-2DE2-11D0-86F4-00A0C913F750}	1
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}	1
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A7EE7F34-3BD1-427f-9231-F941E9B7E1FE}	1
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{06EEE834-461C-42c2-8DCF-1502B527B1F9}\Instance\PropertySetStorage\{000214A0-0000-0000-C000-000000000046}\14	1
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{06EEE834-461C-42c2-8DCF-1502B527B1F9}\Instance\PropertySetStorage\{000214A0-0000-0000-C000-000000000046}\2	1
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6f237df9-9ddb-47ad-b218-400d54c286ad}	1
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\InProcServer32	1
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{81397204-F51A-4571-8D7B-DC030521AABD}\InprocServer32	1

File Hashes

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella
WSA

Screenshots of Detection

AMP

---

Win.Packed.ZeroAccess-7489468-1

Indicators of Compromise

Registry Keys	Occurrences
\SOFTWARE\MICROSOFT\TRACING\KMDDSP Value Name: FileTracingMask	55
\SOFTWARE\MICROSOFT\TRACING\KMDDSP Value Name: ConsoleTracingMask	55
\SOFTWARE\MICROSOFT\TRACING\KMDDSP Value Name: MaxFileSize	55
\SOFTWARE\MICROSOFT\TRACING\KMDDSP Value Name: FileDirectory	55
\SYSTEM\CONTROLSET001\SERVICES\MPSSVC Value Name: Start	55
\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC Value Name: Start	55
\SYSTEM\CONTROLSET001\SERVICES\MPSSVC Value Name: DeleteFlag	55
\SYSTEM\CONTROLSET001\SERVICES\WSCSVC Value Name: DeleteFlag	55
\SYSTEM\CONTROLSET001\SERVICES\BROWSER Value Name: Start	55
\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: Windows Defender	55
\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND Value Name: Type	55
\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND Value Name: ErrorControl	55
\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC Value Name: Type	55
\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC Value Name: ErrorControl	55
\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC Value Name: DeleteFlag	55
\SYSTEM\CONTROLSET001\SERVICES\WSCSVC Value Name: Type	55
\SYSTEM\CONTROLSET001\SERVICES\WSCSVC Value Name: ErrorControl	55
\SYSTEM\CONTROLSET001\SERVICES\MPSSVC Value Name: Type	55
\SYSTEM\CONTROLSET001\SERVICES\MPSSVC Value Name: ErrorControl	55
\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000010 Value Name: PackedCatalogItem	55
\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000009 Value Name: PackedCatalogItem	55
\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000008 Value Name: PackedCatalogItem	55
\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000007 Value Name: PackedCatalogItem	55
\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000006 Value Name: PackedCatalogItem	55
\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000005 Value Name: PackedCatalogItem	55

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
94[.]242[.]250[.]64	116
64[.]210[.]151[.]32	55
178[.]32[.]190[.]142	55
91[.]207[.]60[.]22	15
71[.]229[.]165[.]75	15
201[.]231[.]100[.]117	15
71[.]239[.]117[.]142	9
66[.]41[.]70[.]14	8
71[.]63[.]0[.]235	7
98[.]224[.]77[.]3	7
83[.]15[.]111[.]38	7
76[.]180[.]80[.]134	7
24[.]73[.]24[.]191	7
46[.]45[.]5[.]240	7
67[.]185[.]179[.]4	6
98[.]230[.]137[.]123	6
69[.]80[.]173[.]91	6
75[.]66[.]129[.]205	6
69[.]117[.]29[.]163	6
190[.]36[.]183[.]136	6
77[.]126[.]70[.]166	6
98[.]203[.]164[.]253	6
67[.]240[.]46[.]208	5
72[.]200[.]101[.]79	5
68[.]97[.]172[.]87	5

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
promos[.]fling[.]com	55

Files and or directories created	Occurrences
\@	116
\L\eexoxfxs	116
\cfg.ini	116
\systemroot\assembly\GAC_32\Desktop.ini	55
\systemroot\assembly\GAC_64\Desktop.ini	55
%System32%\LogFiles\Scm\e22a8667-f75b-4ba9-ba46-067ed4429de8	55
%SystemRoot%\assembly\GAC_32\Desktop.ini	55
%SystemRoot%\assembly\GAC_64\Desktop.ini	55
\systemroot\assembly\temp\@	55
\systemroot\assembly\temp\U	55
\systemroot\assembly\temp\cfg.ini	55
\systemroot\system32\consrv.dll	55
%System32%\consrv.dll	55
%SystemRoot%\assembly\temp\@	55
%SystemRoot%\assembly\temp\cfg.ini	55
\systemroot\system64	55

File Hashes

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella	N/A
WSA	N/A

Screenshots of Detection

AMP

---

Win.Ransomware.TeslaCrypt-7501245-1

Indicators of Compromise

Registry Keys	Occurrences
\SOFTWARE\XXXSYS	15
\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: addon_v57	15
\SOFTWARE\XXXSYS Value Name: ID	15
\Software\	15
\Software\ Value Name: data	15

Mutexes	Occurrences
z_a_skh495ldfsgjl2935345	15

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
23[.]20[.]239[.]12	15
64[.]140[.]157[.]157	15
157[.]119[.]94[.]202	15
104[.]27[.]31[.]89	9
104[.]27[.]30[.]89	6
3[.]225[.]189[.]10	5
3[.]229[.]167[.]115	4
54[.]83[.]91[.]42	3
34[.]195[.]145[.]145	2
3[.]93[.]124[.]54	1

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
en[.]wikipedia[.]org	15
www[.]torproject[.]org	15
www[.]hugedomains[.]com	15
vostorgspa[.]kz	15
p4fhmjnsdfbm4w4fdsc[.]avowvoice[.]com	15
bledisloeenergy[.]com[.]au	15
polyhedrusgroup[.]com	15
todayinbermuda[.]co	15
nn54djhfnrnm4dnjnerfsd[.]replylaten[.]at	15
www[.]buildenergyefficienthomes[.]com	15
mosaudit[.]com	15
buildenergyefficienthomes[.]com	15
akdfrefdkm45tf33fsdfsdf[.]yamenswash[.]com	15

Files and or directories created	Occurrences
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I0ZU5JT.txt	15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I478AKJ.txt	15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I4FI238.txt	15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I4FKVBH.txt	15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I4QK3KJ.txt	15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I5QX7W9.txt	15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I77RW1L.txt	15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I7J37KF.txt	15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I9NSD58.txt	15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IANXEE8.txt	15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IC5NB1M.txt	15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$ID60W3E.txt	15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IIUTK07.txt	15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IJE160U.txt	15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IKAVPAE.txt	15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IL2NS3P.txt	15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$INKC8CM.txt	15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IP8M1EE.txt	15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IPDP9E0.txt	15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$ISIYA4I.txt	15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IV54ALI.txt	15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IWK2JPN.txt	15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IWYYKMD.txt	15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IXC3P46.txt	15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IZ7KADN.txt	15

File Hashes

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella
WSA

Screenshots of Detection

AMP

ThreatGrid

Umbrella

---

Win.Dropper.Upatre-7491797-0

Indicators of Compromise

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
93[.]185[.]4[.]90	25
104[.]20[.]17[.]242	10
98[.]214[.]11[.]253	6
66[.]196[.]61[.]218	6
98[.]246[.]210[.]27	6
81[.]90[.]175[.]7	5
216[.]16[.]93[.]250	5
76[.]84[.]81[.]120	4
217[.]168[.]210[.]122	4
84[.]246[.]161[.]47	4
85[.]135[.]104[.]170	3
24[.]148[.]217[.]188	3
81[.]93[.]205[.]251	3
81[.]93[.]205[.]218	3
62[.]204[.]250[.]26	3
173[.]248[.]31[.]1	3
87[.]249[.]142[.]189	2
98[.]209[.]75[.]164	2
194[.]228[.]203[.]19	2
24[.]220[.]92[.]193	2
176[.]36[.]251[.]208	2
109[.]86[.]226[.]85	2
95[.]143[.]141[.]50	2
68[.]55[.]59[.]145	2
188[.]255[.]239[.]34	2

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
icanhazip[.]com	25

Files and or directories created	Occurrences
%TEMP%\tywy22.txt	24
%TEMP%\tywyaven.exe	24
%TEMP%\t4930.tmp	1
%TEMP%\vimazet.exe	1

File Hashes

Coverage

Product	Protection
AMP
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Threat Grid
Umbrella	N/A
WSA

Screenshots of Detection

AMP

ThreatGrid

---

Win.Dropper.TrickBot-7490964-0

Indicators of Compromise

Registry Keys	Occurrences
\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\PROFILELIST\S-1-5-21-2580483871-590521980-3826313501-500 Value Name: RefCount	1

Mutexes	Occurrences
Global\316D1C7871E10	22

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
181[.]113[.]28[.]146	5
188[.]120[.]254[.]68	5
195[.]123[.]220[.]178	5
198[.]23[.]209[.]201	4
104[.]20[.]17[.]242	3
119[.]252[.]165[.]75	3
78[.]24[.]223[.]88	3
188[.]165[.]62[.]34	3
164[.]68[.]120[.]60	3
69[.]195[.]159[.]158	2
190[.]214[.]13[.]2	2
5[.]2[.]70[.]145	2
185[.]213[.]20[.]246	2
185[.]141[.]27[.]190	2
185[.]177[.]59[.]163	2
216[.]239[.]38[.]21	1
200[.]21[.]51[.]38	1
200[.]127[.]121[.]99	1
181[.]129[.]104[.]139	1
18[.]213[.]79[.]189	1
45[.]125[.]1[.]34	1
23[.]20[.]220[.]174	1
45[.]137[.]151[.]198	1
5[.]182[.]210[.]109	1
51[.]89[.]115[.]124	1

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
icanhazip[.]com	3
250[.]5[.]55[.]69[.]zen[.]spamhaus[.]org	2
checkip[.]amazonaws[.]com	2
wtfismyip[.]com	2
api[.]ip[.]sb	1
ipinfo[.]io	1

Files and or directories created	Occurrences
%System32%\Tasks\System Network Extensions	22
%APPDATA%\adirecttools	22
%APPDATA%\adirecttools\data	22
%APPDATA%\adirecttools\settings.ini	22
%APPDATA%\ADIRECTTOOLS\.exe	22
%TEMP%\_appcompat.txt	21
%TEMP%\.dmp	21
%APPDATA%\adirecttools\Data\pwgrab64	1
%APPDATA%\adirecttools\data\pwgrab64_configs\dpost	1
%APPDATA%\adirecttools\69ab1bb7084669cf84cc43537b700264.exe	1
%SystemRoot%\TEMP\~DF8EC46E2629511EB8.TMP	1
%APPDATA%\adirecttools\r