Threat Breakdown
Win.Trojan.Razy-7505643-0
Indicators of Compromise
| Registry Keys | Occurrences |
| --- | --- |
| \SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\75E0ABB6138512271C04F85FDDDE38E4B7242EFE Value Name: Blob | 11 |
| \SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\SETTINGS\LEAKDIAGNOSISATTEMPTED | 7 |
| \SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED Value Name: Hidden | 3 |
| \SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\0748AF3992DE6E3AA7B386B7F6C08EF2.EXE | 1 |
| \SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\1C3DDA8020173A5B45A7C80CFC8B0298.EXE | 1 |
| \SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\0748AF3992DE6E3AA7B386B7F6C08EF2.EXE Value Name: LastDetectionTime | 1 |
| \SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\B4F3AEA9F95879ABBE9B311B5AB9FC30.EXE | 1 |
| \SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\2AA87EE2B7BAA7D413CC747537A867A2.EXE | 1 |
| \SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\1C3DDA8020173A5B45A7C80CFC8B0298.EXE Value Name: LastDetectionTime | 1 |
| \SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\EB9064AF85850CF7B3485B2A911798D7.EXE | 1 |
| \SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\B4F3AEA9F95879ABBE9B311B5AB9FC30.EXE Value Name: LastDetectionTime | 1 |
| \SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\2AA87EE2B7BAA7D413CC747537A867A2.EXE Value Name: LastDetectionTime | 1 |
| \SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\EB9064AF85850CF7B3485B2A911798D7.EXE Value Name: LastDetectionTime | 1 |
| \SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE Value Name: goodsStartup key | 1 |
| \SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\6035E0F59A5169E7C59129A3CDBD076E.EXE | 1 |
| \SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\6035E0F59A5169E7C59129A3CDBD076E.EXE Value Name: LastDetectionTime | 1 |
| \SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE Value Name: goods | 1 |
| \SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\0786B90DA12B29B5CC97621DCC78FA3E.EXE | 1 |
| \SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\0786B90DA12B29B5CC97621DCC78FA3E.EXE Value Name: LastDetectionTime | 1 |
| \SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE Value Name: mrke | 1 |
| Mutexes | Occurrences |
| --- | --- |
| Global\14c64321-2d62-11ea-a007-00501e3ae7b5 | 1 |
| IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences |
| --- | --- |
| 172[.]217[.]12[.]206 | 10 |
| 172[.]217[.]9[.]225 | 7 |
| 172[.]217[.]5[.]238 | 6 |
| 104[.]16[.]155[.]36 | 3 |
| 77[.]88[.]21[.]158 | 3 |
| 172[.]217[.]10[.]46 | 1 |
| 172[.]217[.]10[.]33 | 1 |
| Domain Names contacted by malware. Does not indicate maliciousness | Occurrences |
| --- | --- |
| smtp[.]yandex[.]com | 3 |
| whatismyipaddress[.]com | 3 |
| doc-00-6c-docs[.]googleusercontent[.]com | 1 |
| doc-0s-9s-docs[.]googleusercontent[.]com | 1 |
| doc-14-60-docs[.]googleusercontent[.]com | 1 |
| doc-0k-c8-docs[.]googleusercontent[.]com | 1 |
| doc-00-5o-docs[.]googleusercontent[.]com | 1 |
| doc-10-6c-docs[.]googleusercontent[.]com | 1 |
| doc-04-bg-docs[.]googleusercontent[.]com | 1 |
| doc-04-6c-docs[.]googleusercontent[.]com | 1 |
| Files and or directories created | Occurrences |
| --- | --- |
| %APPDATA%\pid.txt | 3 |
| %APPDATA%\pidloc.txt | 3 |
| %TEMP%\holdermail.txt | 3 |
| %TEMP%\holderwb.txt | 3 |
| %HOMEPATH%\desktop\product.pif | 2 |
| %TEMP%\bhv61AB.tmp | 1 |
| %TEMP%\bhv8DF6.tmp | 1 |
| %HOMEPATH%\Orkende | 1 |
| %HOMEPATH%\Orkende\Recomm.pif | 1 |
| %TEMP%\bhv5953.tmp | 1 |
File Hashes
3031363a67eca33c68892ed7529803bbaa926a6f371204eeaa8ca205501d8cac 34b978969d994134de71dd45996dc5d10516e534e23a2abb8537a1c548ac1c93 51e97032af43de44947d564ee43a9b43278312873caaa4bbd7d3e4f7ec00eb89 58962a9133651591f2d4df22589d1cdd4f7cee175f70c7d47c5a854a5264ec98 5be87b343f2d3af80883ed4deb795c0ae8f7e0ae4ba08a6bbac5b3e4659d0341 6bd1baae5ba600ff4ece4523e53bf9818bcc381a56664e3104c1c317d6f5a3bc 6dfdb201ddd46c8f2ded273f3c8ed6c5beca63196b5428fe388f59faaac79597 731aa2659852eb9b98d573b3f59436b49c15492d8df94e18da5a8f4c41f48fbe 79acdd5ea559b2e7e29fa6b47ca1053e11dbaadf540fc2b140aca89d1539d17e 8fa302841d886e0198c96d76d93399f5905844f424b255e6707a74ea610c55ce cdaef1b003e82f8994dd616103781125fca98ec097ee79830c2262f41158237a
Coverage
| Product | Protection |
| --- | --- |
| AMP | |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | N/A |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Threat Grid | |
| Umbrella | N/A |
| WSA | N/A |
Screenshots of Detection: AMP, ThreatGrid
Win.Dropper.Tofsee-7492214-1
Indicators of Compromise
| Registry Keys | Occurrences |
| --- | --- |
| \.DEFAULT\CONTROL PANEL\BUSES | 192 |
| \.DEFAULT\CONTROL PANEL\BUSES Value Name: Config3 | 175 |
| \SYSTEM\CONTROLSET001\SERVICES\ Value Name: Type | 158 |
| \SYSTEM\CONTROLSET001\SERVICES\ Value Name: Start | 158 |
| \SYSTEM\CONTROLSET001\SERVICES\ Value Name: ErrorControl | 158 |
| \SYSTEM\CONTROLSET001\SERVICES\ Value Name: DisplayName | 158 |
| \SYSTEM\CONTROLSET001\SERVICES\ Value Name: WOW64 | 158 |
| \SYSTEM\CONTROLSET001\SERVICES\ Value Name: ObjectName | 158 |
| \SYSTEM\CONTROLSET001\SERVICES\ Value Name: Description | 158 |
| \SYSTEM\CONTROLSET001\SERVICES\ | 158 |
| \SYSTEM\CONTROLSET001\SERVICES\ Value Name: ImagePath | 68 |
| \SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\wpdjiqwl | 11 |
| \SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL Value Name: Type | 11 |
| \SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL Value Name: Start | 11 |
| \SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL Value Name: ErrorControl | 11 |
| \SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL Value Name: DisplayName | 11 |
| \SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL Value Name: WOW64 | 11 |
| \SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL Value Name: ObjectName | 11 |
| \SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL Value Name: Description | 11 |
| \SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\lesyxfla | 11 |
| \SYSTEM\CONTROLSET001\SERVICES\LESYXFLA Value Name: Type | 11 |
| \SYSTEM\CONTROLSET001\SERVICES\LESYXFLA Value Name: Start | 11 |
| \SYSTEM\CONTROLSET001\SERVICES\LESYXFLA Value Name: ErrorControl | 11 |
| \SYSTEM\CONTROLSET001\SERVICES\LESYXFLA Value Name: DisplayName | 11 |
| \SYSTEM\CONTROLSET001\SERVICES\LESYXFLA Value Name: WOW64 | 11 |
| IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences |
| --- | --- |
| 69[.]55[.]5[.]250 | 192 |
| 43[.]231[.]4[.]6/31 | 192 |
| 85[.]114[.]134[.]88 | 192 |
| 239[.]255[.]255[.]250 | 175 |
| 46[.]4[.]52[.]109 | 175 |
| 46[.]28[.]66[.]2 | 175 |
| 78[.]31[.]67[.]23 | 175 |
| 188[.]165[.]238[.]150 | 175 |
| 93[.]179[.]69[.]109 | 175 |
| 176[.]9[.]114[.]177 | 175 |
| 192[.]0[.]47[.]59 | 174 |
| 172[.]217[.]12[.]164 | 159 |
| 74[.]125[.]192[.]26/31 | 140 |
| 67[.]195[.]204[.]72/30 | 135 |
| 168[.]95[.]5[.]116/31 | 134 |
| 172[.]217[.]197[.]26/31 | 122 |
| 172[.]217[.]10[.]67 | 116 |
| 216[.]146[.]35[.]35 | 110 |
| 212[.]227[.]15[.]40/31 | 104 |
| 104[.]47[.]54[.]36 | 102 |
| 208[.]76[.]51[.]51 | 101 |
| 168[.]95[.]6[.]60/30 | 97 |
| 98[.]136[.]96[.]92/31 | 95 |
| 31[.]13[.]66[.]174 | 93 |
| 98[.]136[.]96[.]74/31 | 91 |
*See JSON for more IOCs
| Domain Names contacted by malware. Does not indicate maliciousness | Occurrences |
| --- | --- |
| 250[.]5[.]55[.]69[.]in-addr[.]arpa | 192 |
| microsoft-com[.]mail[.]protection[.]outlook[.]com | 192 |
| schema[.]org | 175 |
| 250[.]5[.]55[.]69[.]zen[.]spamhaus[.]org | 175 |
| 250[.]5[.]55[.]69[.]cbl[.]abuseat[.]org | 175 |
| mta5[.]am0[.]yahoodns[.]net | 175 |
| 250[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net | 175 |
| 250[.]5[.]55[.]69[.]bl[.]spamcop[.]net | 175 |
| 250[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org | 175 |
| whois[.]iana[.]org | 174 |
| whois[.]arin[.]net | 173 |
| coolsex-finders6[.]com | 173 |
| bestladies[.]cn | 173 |
| bestdates[.]cn | 173 |
| bestgirlsdates[.]cn | 173 |
| hotmail-com[.]olc[.]protection[.]outlook[.]com | 171 |
| eur[.]olc[.]protection[.]outlook[.]com | 127 |
| mx-eu[.]mail[.]am0[.]yahoodns[.]net | 125 |
| ipinfo[.]io | 118 |
| nam[.]olc[.]protection[.]outlook[.]com | 93 |
| mx6[.]earthlink[.]net | 91 |
| pkvw-mx[.]msg[.]pkvw[.]co[.]charter[.]net | 88 |
| charter[.]net | 87 |
| mx0[.]charter[.]net | 87 |
| msn-com[.]olc[.]protection[.]outlook[.]com | 72 |
*See JSON for more IOCs
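The Tofsee domain list above is worth reading closely: the names under zen.spamhaus.org, cbl.abuseat.org, dnsbl.sorbs.net, bl.spamcop.net and sbl-xbl.spamhaus.org are reversed-octet DNS blocklist lookups for 69.55.5.250, the address that also tops the IP table, and the in-addr.arpa name is the PTR lookup for the same address. Together with the mail-exchanger hostnames in the same table (Outlook, Yahoo, Charter, EarthLink), that is the footprint of a sender checking whether its address is blocklisted before delivering mail. The defanged `[.]` notation and the `/31`-style CIDR collapsing used throughout the roundup also need undoing before any of these lists can be loaded into a blocklist or a hunt query. The following Python is an added example for this page, not Talos tooling; it refangs and classifies indicator strings, decodes DNSBL and PTR queries back to the address being checked, and expands CIDR rows. The short labels in `KNOWN_DNSBL` and the `TOFSEE_SAMPLE` rows (copied from the tables above) are this example's own constructions.

```python
"""Refang and classify the defanged indicators printed in this roundup.

Added example for this page; it is not Talos tooling. Talos writes ``[.]``
for ``.``, collapses adjacent addresses into small CIDR blocks (``/31``,
``/30``), and the Tofsee domain table contains reversed-octet DNSBL and
PTR lookups that encode the address being checked. ``classify`` turns each
raw string into a typed record so the lists can feed a blocklist or a hunt
query without hand editing. The short DNSBL labels in KNOWN_DNSBL are this
example's own naming, not something the page defines.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

KNOWN_DNSBL = {
    "zen.spamhaus.org": "spamhaus-zen",
    "sbl-xbl.spamhaus.org": "spamhaus-sbl-xbl",
    "cbl.abuseat.org": "cbl",
    "dnsbl.sorbs.net": "sorbs",
    "bl.spamcop.net": "spamcop",
}

# d.c.b.a.<zone>: four leading octets followed by the zone being queried
_REVERSED = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(.+)$")


@dataclass
class Indicator:
    raw: str                    # defanged string exactly as printed
    kind: str                   # ip | cidr | domain | dnsbl | ptr
    value: str                  # refanged value; for dnsbl/ptr the decoded IP
    zone: Optional[str] = None  # DNSBL label or PTR zone for decoded lookups


def refang(s: str) -> str:
    """Undo ``[.]`` / ``(.)`` defanging and ``hxxp`` schemes."""
    s = s.strip().replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.I)


def _decode_reversed(name: str) -> Optional[Tuple[str, str]]:
    """``250.5.55.69.zen.spamhaus.org`` -> (``69.55.5.250``, ``zen.spamhaus.org``)."""
    m = _REVERSED.match(name)
    if not m:
        return None
    try:
        ip = ipaddress.IPv4Address(".".join(reversed(m.groups()[:4])))
    except ValueError:
        return None
    return str(ip), m.group(5).lower()


def classify(raw: str) -> Indicator:
    s = refang(raw)
    if "/" in s:                      # CIDR block as printed by Talos
        try:
            return Indicator(raw, "cidr", str(ipaddress.ip_network(s, strict=False)))
        except ValueError:
            pass                      # not a network; fall through to name handling
    try:
        return Indicator(raw, "ip", str(ipaddress.ip_address(s)))
    except ValueError:
        pass
    decoded = _decode_reversed(s)
    if decoded:
        ip, zone = decoded
        if zone == "in-addr.arpa":
            return Indicator(raw, "ptr", ip, zone)
        # Anything else of the form d.c.b.a.<zone> is treated as a blocklist
        # query; unknown zones keep their own name as the label.
        return Indicator(raw, "dnsbl", ip, KNOWN_DNSBL.get(zone, zone))
    return Indicator(raw, "domain", s.lower())


def load_table(rows: Iterable[Tuple[str, int]]) -> List[Tuple[Indicator, int]]:
    """rows are (defanged indicator, occurrence count) pairs from one table."""
    return [(classify(ioc), int(n)) for ioc, n in rows]


def dnsbl_checked_ips(indicators: Iterable[Indicator]) -> List[str]:
    """Addresses the sample looked up in at least one DNS blocklist."""
    return sorted({i.value for i in indicators if i.kind == "dnsbl"},
                  key=ipaddress.ip_address)


def expand_addresses(indicators: Iterable[Indicator]) -> List[str]:
    """Every individual address covered by ip/cidr/dnsbl/ptr records."""
    seen = set()
    for ind in indicators:
        if ind.kind == "cidr":
            seen.update(str(h) for h in ipaddress.ip_network(ind.value))
        elif ind.kind in ("ip", "dnsbl", "ptr"):
            seen.add(ind.value)
    return sorted(seen, key=ipaddress.ip_address)


# Constructed sample: a handful of rows copied from the Tofsee tables above.
TOFSEE_SAMPLE = [
    ("69[.]55[.]5[.]250", 192),
    ("43[.]231[.]4[.]6/31", 192),
    ("250[.]5[.]55[.]69[.]in-addr[.]arpa", 192),
    ("250[.]5[.]55[.]69[.]zen[.]spamhaus[.]org", 175),
    ("250[.]5[.]55[.]69[.]cbl[.]abuseat[.]org", 175),
    ("mta5[.]am0[.]yahoodns[.]net", 175),
]

if __name__ == "__main__":
    inds = [i for i, _ in load_table(TOFSEE_SAMPLE)]
    for i in inds:
        print(f"{i.kind:6} {i.value:20} {i.zone or '':18} <- {i.raw}")
    print("DNSBL-checked:", dnsbl_checked_ips(inds))
    print("addresses:", expand_addresses(inds))
```

Note that classification says nothing about maliciousness, in keeping with the table headers: the DNSBL zones, Google and Outlook addresses in these lists are legitimate services the sample contacted. A decoded DNSBL query is useful as a behavioural signal (a workstation process querying a spam blocklist for its own egress address) rather than as a blocklist entry.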
| Files and or directories created | Occurrences |
| --- | --- |
| %SystemRoot%\SysWOW64\config\systemprofile | 192 |
| %SystemRoot%\SysWOW64\config\systemprofile:.repos | 192 |
| %TEMP%\.exe | 188 |
| %SystemRoot%\SysWOW64\ | 158 |
| %HOMEPATH% | 59 |
| %System32%\.exe (copy) | 59 |
| %SystemRoot%\SysWOW64\wpdjiqwl | 11 |
| %SystemRoot%\SysWOW64\lesyxfla | 11 |
| %SystemRoot%\SysWOW64\mftzygmb | 10 |
| %SystemRoot%\SysWOW64\piwcbjpe | 10 |
| %SystemRoot%\SysWOW64\zsgmltzo | 10 |
| %SystemRoot%\SysWOW64\yrflksyn | 10 |
| %TEMP%\.exe | 9 |
File Hashes
03dfa2a7b5722d6fa2f2f85287c8bea67b2ae1c8be2d9de90b33c2b4dd3c0f42 07314be6c87366f215030d7a2af42440f8a2a187e782ad975a476a84aa389fe1 0862506904a93aba08781be3d9b5189c8cc01bc5fd86d9a4881bd114449502b7 088fe0b34e1db5b9010adb26a2380aa6faf53165f9e2d7d986fd0bc6be614f9e 0ad21f45614d3112c1201ff8a5b3fe702b4943e39ab9d8bc4f38362565c373d5 0b2c1eebcd3f136c556a8568541d589f691dbe6fb450fa708e9774f4ca72fb67 10d2a79f8c199a6ce16b0e3fd4a911524cc2ece755daf67c04f0d3118dfb3498 11e2d71f1dab632b58c9ab60a48c51854d59df47456a97ff9ef59c72b607229c 136e082449131aae0a3e28c21c99aaef24a9d1709cae71daee0e154bf2b45d9f 144d2f639c9dafd40f48b72980609cb018ca83a360b7e24fede6023e0e742397 16f778581e678fdd5e21442d3d55bcc4415271ac94ed0d31c2efd40c772f26ec 1733e36d0e55b369c97e387fa74da22462fbf1858b09befb5de125d9523e3d41 1756a1f4ce0593f80b857ed9a654c656dac96d3405a566dc38737e0a79bc194d 188389b2163b98dbb96edf4000496dacc062f2a6ae2dd021a3f49742d36a2e0b 189f32c3d78e9b129d62bb4e40b3693da216cc371018d5ce4ef2356a94ca4f6e 18f25a4e071f993b9ceac935a3814d7667e42c46d22ea9e8ccd7c4a3f0087f7b 1a747af4f485eb3c8c475c9dcd9cac9d7fe279f3f45777d793572c4927e07ffa 1af4c3359d224c2ad2006db3c9786afdeeb90404ab91ec7c63467092264e2183 1c1d1c939fd6d3e6a77c2fa342f2c39433eea8f9d3c749ecee42e287734bd330 1c69825459d03fb13956e1a0f40e485731fbe96e48efe1abc765db537fec77ba 1d3aecb8b67bd70634fbffcf15b5e21ef0ee95627d296e78caf3f07842820d9a 1d9d2d4000df6baadc93db56dbdc783c9db35a047be86bed8d4bfaacb33b6a9c 1f42ceba5e533e7aeb5395e1db11ef780b02e44c8cde237394b663b816da69b4 1ff0ce00b3cc5e3223e31501e16302b44ae24981b4b61f3500bdba2f671a057f 20f52e7aa1ee2e27dffcb75eb1e207681dbe2f72d44b0f4d2f66498102d8cf8e
*See JSON for more IOCs
Coverage
| Product | Protection |
| --- | --- |
| AMP | |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Threat Grid | |
| Umbrella | |
| WSA | |
Screenshots of Detection: AMP, ThreatGrid, Umbrella
Win.Packed.Ursnif-7489213-0
Indicators of Compromise
| Registry Keys | Occurrences |
| --- | --- |
| \SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 Value Name: Blob | 18 |
| \SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\75E0ABB6138512271C04F85FDDDE38E4B7242EFE Value Name: Blob | 18 |
| Mutexes | Occurrences |
| --- | --- |
| Local\https://vars.hotjar.com/ | 18 |
| Local\https://www.avast.com/ | 18 |
| IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences |
| --- | --- |
| 23[.]221[.]50[.]122 | 18 |
| 152[.]199[.]4[.]33 | 18 |
| 23[.]221[.]49[.]75 | 18 |
| 23[.]221[.]50[.]102 | 18 |
| 104[.]107[.]26[.]214 | 18 |
| 13[.]109[.]156[.]118 | 18 |
| 65[.]55[.]44[.]109 | 17 |
| 157[.]240[.]18[.]35 | 15 |
| 104[.]107[.]18[.]91 | 15 |
| 38[.]126[.]130[.]202 | 15 |
| 192[.]42[.]119[.]41 | 14 |
| 13[.]107[.]21[.]200 | 13 |
| 172[.]217[.]164[.]136 | 13 |
| 23[.]196[.]81[.]176 | 13 |
| 204[.]79[.]197[.]200 | 12 |
| 204[.]2[.]197[.]202 | 12 |
| 72[.]22[.]185[.]200/31 | 12 |
| 172[.]217[.]197[.]156/31 | 12 |
| 172[.]217[.]6[.]206 | 11 |
| 172[.]217[.]12[.]136 | 11 |
| 172[.]217[.]11[.]36 | 11 |
| 172[.]217[.]10[.]14 | 11 |
| 169[.]54[.]251[.]164 | 11 |
| 23[.]201[.]42[.]247 | 11 |
| 23[.]201[.]42[.]161 | 11 |
*See JSON for more IOCs
| Domain Names contacted by malware. Does not indicate maliciousness | Occurrences |
| --- | --- |
| googleads[.]g[.]doubleclick[.]net | 18 |
| www[.]googletagmanager[.]com | 18 |
| www[.]google-analytics[.]com | 18 |
| stats[.]g[.]doubleclick[.]net | 18 |
| connect[.]facebook[.]net | 18 |
| www[.]googleadservices[.]com | 18 |
| ib[.]adnxs[.]com | 18 |
| avast[.]com | 18 |
| static[.]avast[.]com | 18 |
| secure[.]adnxs[.]com | 18 |
| mc[.]yandex[.]ru | 18 |
| dev[.]visualwebsiteoptimizer[.]com | 18 |
| amplifypixel[.]outbrain[.]com | 18 |
| pixel[.]mathtag[.]com | 18 |
| tr[.]outbrain[.]com | 18 |
| amplify[.]outbrain[.]com | 18 |
| ajax[.]aspnetcdn[.]com | 18 |
| img-prod-cms-rt-microsoft-com[.]akamaized[.]net | 18 |
| az725175[.]vo[.]msecnd[.]net | 18 |
| script[.]hotjar[.]com | 18 |
| static[.]hotjar[.]com | 18 |
| c[.]s-microsoft[.]com | 18 |
| assets[.]onestore[.]ms | 18 |
| a[.]tribalfusion[.]com | 18 |
| www[.]avast[.]com | 18 |
*See JSON for more IOCs
| Files and or directories created | Occurrences |
| --- | --- |
| %TEMP%\www2.tmp | 13 |
| %TEMP%\www3.tmp | 13 |
| %TEMP%\www4.tmp | 13 |
| %HOMEPATH%\Favorites\Links\Suggested Sites.url | 13 |
| %HOMEPATH%\Local Settings\Application Data\Microsoft\Feeds\FeedsStore.feedsdb-ms | 13 |
| %HOMEPATH%\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms | 13 |
| \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA} | 2 |
| \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B40C43F1-F039-44D2-AEB7-87F5AF8ABC3D}\ProxyStubClsid32 | 2 |
| \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{06EEE834-461C-42c2-8DCF-1502B527B1F9}\Instance\PropertySetStorage | 2 |
| \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1FE6762-FC48-11D0-883A-3C8B00C10000} | 2 |
| \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3CCEDF7-2DE2-11D0-86F4-00A0C913F750} | 1 |
| \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046} | 1 |
| \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A7EE7F34-3BD1-427f-9231-F941E9B7E1FE} | 1 |
| \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{06EEE834-461C-42c2-8DCF-1502B527B1F9}\Instance\PropertySetStorage\{000214A0-0000-0000-C000-000000000046}\14 | 1 |
| \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{06EEE834-461C-42c2-8DCF-1502B527B1F9}\Instance\PropertySetStorage\{000214A0-0000-0000-C000-000000000046}\2 | 1 |
| \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6f237df9-9ddb-47ad-b218-400d54c286ad} | 1 |
| \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\InProcServer32 | 1 |
| \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{81397204-F51A-4571-8D7B-DC030521AABD}\InprocServer32 | 1 |
File Hashes
0ad051eb62410a3fe8d776a69f29a46fe609ea59c2adfe061811dc9ace3e40e9 17cfe796a3b8017bf83d2c302ec9507317abac0191cdf835d2d0d1a75d33b991 18b5f4e21612aadfed4e72cdef1356009fb1614535b62a4e39463f8cea9ace03 2013ff55ccdd16e36eccebe50b0587b6f2f37e333442be1552b50c41cbfe48d4 241ab82dccad5b9670c445509841c6aebf69de45815c3d9951f15be158b8ece5 270f970f0cfda8e8c61a73b2aab71fd51755ad911b8173f5aac4cdb5961ba8a5 3016c699d4c8c7affedc18f5cb4aadb30676a9c3081dee913b43b84737949708 31a02187883766f2eec0edc6479b8cd793c8e8eec658fe56b33581a76d9953f8 365acef54f3733520717314466c86aa978cbf08c37d1f9f0a90bbbea42b3f8f3 5ba3ea5868ddef74a57fff2c5ded68f17b08458876881161a7af9eb32438779d 5c486b96a5f273819baa9a010700f088ce3f707c87088a50e699ee6dedd0b117 611e95e1a1a352d6cb1a6106b0e69565b065de6d68dbe5c41d49c2ebfa637dd6 7a8b53746144a903954535791ef7c5038834af3cd1eec8c0dae8b28f609859bf 7fd6f59c5c23ea12adf5975e56730a52558799ae7a330ef40e552a4353a8d6e3 8220634b1969f5a06e3b5adff2dbae0356608a91e5162fccdd247f1571a2a4b2 9a20d2755608e7cf98a090f30b166779318f0a08747631fccc9393de15ed33cc 9b6503731468ce3922f5aec73e22a81489ddcf6124d86eeb2fc05cb7c2f4527f b062f5f376af3972c8386343b27fb1e5947afb66c5c0741cced2d317f5261158 b2c7bc0dece9bed221c3fe88b9dce2313b036b9a3f5982b5bfa91961efb7bdaf bb8d733fa6ca4ef01d8b44d098902e781359cdd36a4418538a504082b3b95fe6 cecc5dd05c51a6740730b775dc4af3d579b498880de7899b272d6225fb96cb44 e6bd801ae1e976ff76409d2b28d00d15f50e5819c3c5bbc54eb4ac9752f87435
Coverage
| Product | Protection |
| --- | --- |
| AMP | |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Threat Grid | |
| Umbrella | |
| WSA | |
Screenshots of Detection: AMP
Win.Packed.ZeroAccess-7489468-1
Indicators of Compromise
| Registry Keys | Occurrences |
| --- | --- |
| \SOFTWARE\MICROSOFT\TRACING\KMDDSP Value Name: FileTracingMask | 55 |
| \SOFTWARE\MICROSOFT\TRACING\KMDDSP Value Name: ConsoleTracingMask | 55 |
| \SOFTWARE\MICROSOFT\TRACING\KMDDSP Value Name: MaxFileSize | 55 |
| \SOFTWARE\MICROSOFT\TRACING\KMDDSP Value Name: FileDirectory | 55 |
| \SYSTEM\CONTROLSET001\SERVICES\MPSSVC Value Name: Start | 55 |
| \SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC Value Name: Start | 55 |
| \SYSTEM\CONTROLSET001\SERVICES\MPSSVC Value Name: DeleteFlag | 55 |
| \SYSTEM\CONTROLSET001\SERVICES\WSCSVC Value Name: DeleteFlag | 55 |
| \SYSTEM\CONTROLSET001\SERVICES\BROWSER Value Name: Start | 55 |
| \SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: Windows Defender | 55 |
| \SYSTEM\CONTROLSET001\SERVICES\WINDEFEND Value Name: Type | 55 |
| \SYSTEM\CONTROLSET001\SERVICES\WINDEFEND Value Name: ErrorControl | 55 |
| \SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC Value Name: Type | 55 |
| \SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC Value Name: ErrorControl | 55 |
| \SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC Value Name: DeleteFlag | 55 |
| \SYSTEM\CONTROLSET001\SERVICES\WSCSVC Value Name: Type | 55 |
| \SYSTEM\CONTROLSET001\SERVICES\WSCSVC Value Name: ErrorControl | 55 |
| \SYSTEM\CONTROLSET001\SERVICES\MPSSVC Value Name: Type | 55 |
| \SYSTEM\CONTROLSET001\SERVICES\MPSSVC Value Name: ErrorControl | 55 |
| \SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000010 Value Name: PackedCatalogItem | 55 |
| \SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000009 Value Name: PackedCatalogItem | 55 |
| \SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000008 Value Name: PackedCatalogItem | 55 |
| \SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000007 Value Name: PackedCatalogItem | 55 |
| \SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000006 Value Name: PackedCatalogItem | 55 |
| \SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000005 Value Name: PackedCatalogItem | 55 |
| IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences |
| --- | --- |
| 94[.]242[.]250[.]64 | 116 |
| 64[.]210[.]151[.]32 | 55 |
| 178[.]32[.]190[.]142 | 55 |
| 91[.]207[.]60[.]22 | 15 |
| 71[.]229[.]165[.]75 | 15 |
| 201[.]231[.]100[.]117 | 15 |
| 71[.]239[.]117[.]142 | 9 |
| 66[.]41[.]70[.]14 | 8 |
| 71[.]63[.]0[.]235 | 7 |
| 98[.]224[.]77[.]3 | 7 |
| 83[.]15[.]111[.]38 | 7 |
| 76[.]180[.]80[.]134 | 7 |
| 24[.]73[.]24[.]191 | 7 |
| 46[.]45[.]5[.]240 | 7 |
| 67[.]185[.]179[.]4 | 6 |
| 98[.]230[.]137[.]123 | 6 |
| 69[.]80[.]173[.]91 | 6 |
| 75[.]66[.]129[.]205 | 6 |
| 69[.]117[.]29[.]163 | 6 |
| 190[.]36[.]183[.]136 | 6 |
| 77[.]126[.]70[.]166 | 6 |
| 98[.]203[.]164[.]253 | 6 |
| 67[.]240[.]46[.]208 | 5 |
| 72[.]200[.]101[.]79 | 5 |
| 68[.]97[.]172[.]87 | 5 |
*See JSON for more IOCs
| Domain Names contacted by malware. Does not indicate maliciousness | Occurrences |
| --- | --- |
| promos[.]fling[.]com | 55 |
| Files and or directories created | Occurrences |
| --- | --- |
| \@ | 116 |
| \L\eexoxfxs | 116 |
| \cfg.ini | 116 |
| \systemroot\assembly\GAC_32\Desktop.ini | 55 |
| \systemroot\assembly\GAC_64\Desktop.ini | 55 |
| %System32%\LogFiles\Scm\e22a8667-f75b-4ba9-ba46-067ed4429de8 | 55 |
| %SystemRoot%\assembly\GAC_32\Desktop.ini | 55 |
| %SystemRoot%\assembly\GAC_64\Desktop.ini | 55 |
| \systemroot\assembly\temp\@ | 55 |
| \systemroot\assembly\temp\U | 55 |
| \systemroot\assembly\temp\cfg.ini | 55 |
| \systemroot\system32\consrv.dll | 55 |
| %System32%\consrv.dll | 55 |
| %SystemRoot%\assembly\temp\@ | 55 |
| %SystemRoot%\assembly\temp\cfg.ini | 55 |
| \systemroot\system64 | 55 |
File Hashes
024be6e3a83461f6084ade9ef26da705de0e7eeceebbd55ca5289a7396dcf280 02a6714aebbfef68f0528f10414a2fd8a8338243e05992d0c28d68383e1dc1a1 05597af5ff2dd97b20b7c57e4c3cd48cae1a4d2c7cd1c4ac920a6f1185a65900 0712314c985a7cc479d0cbcdcf06c886ba2d7fc79d89cf4efc56a137235eb379 0808ec44505b3130a5dde6e81c75f473f44a288d1134fff680394534283fce87 08b18f2eb8b1fb422adfb52d482f9d9bb3f4a24d18f89a186ed2865181f6b551 0b675bae551f40fe43934915324927652e35fa3089dcc911345478fc96338a3c 0d6aea5357e88970db6f5c226a2a888e1c7f1c5f20146087952612c06d064b4e 15d09a26dec6c151966a24bfebd38fb67c8397a06c3bf1702eb4702a871a9e2c 1744dd32bcf9cd45cfec1f4334de1df340129a555e12f73c740e02f7fe7b469c 1ac467786827d37bc69e30617fa2b14fa8903f68f73022e727caa634379490b2 1c9dc1eb7cb0191101faa393854592a440d6df736f07a767138df22c1f809c8d 1d34f5231571a20d3229e850bb786f6148dab477ca4a0169a0af3acf2d2ce71d 243ccb0ec0007367fc4e21dea982be68d6f32e6cdcafbd11e10768cb912a914b 2460096ab6403840c5de8a19dc1706cf2dc416cc9e3ab701275853d66eb7e142 24ec81e3c8a7247c0fa2292906afccc1d47b81412cfaf021dc22be067530e944 2b275de3b1d0f2786c58f17a0d2607a47dade5151046f255eea2f9da20a03c9c 311c8b6b2d2150fff040363e23fdca221be64cae3ad34d9b3dfacd396ed48fc6 330719fd8491c5abc9fd90c7e27310cb72d331222c5caaf4671525d48e4b1026 35ba7b85dd5146c275b74b7b09ef62985ba9db0d1e1f2771b6990d53ed965d52 37240db16c496c45552715904b84ce5cc2c1e01ebbcf519a7e0bee4cc73f08bd 39bf409ea1d861dfed811fa6c0aee2767aff44d96fffb4f3e552db1add1ed7fc 3b3d6c01a983c835152e169e092be6193bce78c22b41cda5e573e5330235aac6 3e6c74185843c930a9b5ea041a5a3eef7d9ae80a31e3a67e0c235b5090e64afb 3fcf02116eab251a35b6a9dba981edb13ba59701f0b52ca1521fd2dbff350477
*See JSON for more IOCs
Coverage
| Product | Protection |
| --- | --- |
| AMP | |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | N/A |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Threat Grid | |
| Umbrella | N/A |
| WSA | N/A |
Screenshots of Detection: AMP
Win.Ransomware.TeslaCrypt-7501245-1
Indicators of Compromise
| Registry Keys | Occurrences |
| --- | --- |
| \SOFTWARE\XXXSYS | 15 |
| \SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: addon_v57 | 15 |
| \SOFTWARE\XXXSYS Value Name: ID | 15 |
| \Software\ | 15 |
| \Software\ Value Name: data | 15 |
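The registry tables in this roundup (Razy, Tofsee, ZeroAccess and TeslaCrypt above) mix two kinds of entry. Run and RunOnce values (`goods`, `mrke`, `Windows Defender`, `addon_v57`), service definitions (`WPDJIQWL`, the `DeleteFlag` and `Start` changes to MPSSVC, WSCSVC, WinDefend and iphlpsvc) and Windows Defender path exclusions are the persistence and defence-evasion artefacts a responder should hunt for. Entries under RADAR\HeapLeakDetection, SystemCertificates\AuthRoot and Tracing are written by Windows itself when a process leaks memory, triggers a root-certificate fetch or touches RAS, so a hit on those alone says little. Two formatting details matter when matching: Talos strips the hive, so a RunOnce entry may live under HKLM or HKCU, and keys are printed upper-cased. The Python below is an added example for this page, not Talos tooling: it parses the printed `\KEY\PATH Value Name: NAME` form, compares it hive- and case-insensitively against a registry dump, and ranks hits by signal. The signal tiers and the `SAMPLE_DUMP` rows are this example's own assumptions; the `ROUNDUP_IOCS` rows are copied from the tables above.

```python
"""Match a host's registry data against the registry indicators above.

Added example for this page; it is not Talos tooling. The roundup prints
registry indicators as ``\\KEY\\PATH Value Name: NAME`` with the hive
removed (a RunOnce entry may sit under HKLM or HKCU), and it lists every
key a sample touched, including ones Windows writes by itself (RADAR
heap-leak diagnostics, AuthRoot certificate blobs, tracing settings).
``hunt`` parses the printed form, compares it hive- and case-insensitively
against a registry dump, and ranks hits so persistence and defence-evasion
keys come before that background noise. The signal tiers are this
example's own triage assumption, not a classification Talos publishes.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Assumed low-signal prefixes: populated by Windows during normal operation.
LOW_SIGNAL_PREFIXES = (
    "\\SOFTWARE\\MICROSOFT\\RADAR\\",
    "\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\AUTHROOT\\",
    "\\SOFTWARE\\MICROSOFT\\TRACING\\",
)
# Assumed high-signal prefixes: autostart entries, service definitions,
# Defender exclusions.
HIGH_SIGNAL_PREFIXES = (
    "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN",
    "\\SYSTEM\\CONTROLSET001\\SERVICES\\",
    "\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\",
)
_HIVES = {"HKEY_LOCAL_MACHINE", "HKLM", "HKEY_CURRENT_USER", "HKCU",
          "HKEY_USERS", "HKU"}
_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class RegIoc:
    key: str               # hive-stripped, upper-cased key path as printed
    value: Optional[str]   # value name, or None when only the key was listed
    family: str            # roundup entry the indicator came from

    @property
    def signal(self) -> str:
        if self.key.startswith(HIGH_SIGNAL_PREFIXES):
            return "high"
        if self.key.startswith(LOW_SIGNAL_PREFIXES):
            return "low"
        return "medium"


def parse_ioc(line: str, family: str) -> RegIoc:
    """Parse one row of a 'Registry Keys' table as printed above."""
    line = line.strip()
    if not line.startswith("\\"):
        raise ValueError(f"not a registry indicator: {line!r}")
    key, sep, value = line.partition(" Value Name: ")
    return RegIoc(key.upper(), value.strip() if sep else None, family)


def strip_hive(path: str) -> str:
    r"""``HKLM\SOFTWARE\X`` -> ``\SOFTWARE\X``.  A per-user SID directly under
    HKU is dropped so ``HKU\S-1-5-21-...\Software\X`` compares like HKCU."""
    parts = path.strip("\\").split("\\")
    if parts and parts[0].upper() in _HIVES:
        parts = parts[1:]
        if parts and parts[0].upper().startswith("S-1-5-"):
            parts = parts[1:]
    return "\\" + "\\".join(parts).upper()


def hunt(iocs: Iterable[RegIoc],
         dump: Iterable[Tuple[str, Optional[str], str]]
         ) -> List[Tuple[RegIoc, str, Optional[str], str]]:
    """dump rows: (key path with hive, value name or None, data).

    Returns (ioc, key, value name, data) per match, highest signal first.
    A key-only indicator matches any value under that key.
    """
    by_key = {}
    for ioc in iocs:
        by_key.setdefault(ioc.key, []).append(ioc)
    hits = []
    for key, value_name, data in dump:
        for ioc in by_key.get(strip_hive(key), []):
            if ioc.value is None or (value_name or "").upper() == ioc.value.upper():
                hits.append((ioc, key, value_name, data))
    return sorted(hits, key=lambda h: (_RANK[h[0].signal], h[0].family))


def high_signal_families(hits) -> Set[str]:
    return {h[0].family for h in hits if h[0].signal == "high"}


# Rows copied from the registry tables above, tagged with their family.
ROUNDUP_IOCS = [
    (r"\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE Value Name: goods", "Razy"),
    (r"\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE Value Name: mrke", "Razy"),
    (r"\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\0748AF3992DE6E3AA7B386B7F6C08EF2.EXE Value Name: LastDetectionTime", "Razy"),
    (r"\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\wpdjiqwl", "Tofsee"),
    (r"\SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL Value Name: Start", "Tofsee"),
    (r"\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: Windows Defender", "ZeroAccess"),
    (r"\SYSTEM\CONTROLSET001\SERVICES\MPSSVC Value Name: DeleteFlag", "ZeroAccess"),
    (r"\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: addon_v57", "TeslaCrypt"),
    (r"\SOFTWARE\XXXSYS", "TeslaCrypt"),
]

# Constructed dump of a hypothetical host; data fields are placeholders.
SAMPLE_DUMP = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Windows Defender", "<path>"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce", "goods", "<path>"),
    (r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths", r"C:\Windows\SysWOW64\wpdjiqwl", "0"),
    (r"HKLM\SYSTEM\ControlSet001\Services\wpdjiqwl", "Start", "2"),
    (r"HKLM\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\0748AF3992DE6E3AA7B386B7F6C08EF2.EXE", "LastDetectionTime", "<filetime>"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "OneDrive", "<benign>"),
    (r"HKCU\Software\XXXSYS", "ID", "<id>"),
]

if __name__ == "__main__":
    iocs = [parse_ioc(line, fam) for line, fam in ROUNDUP_IOCS]
    for ioc, key, name, data in hunt(iocs, SAMPLE_DUMP):
        print(f"[{ioc.signal:6}] {ioc.family:10} {key}  {name!r} = {data}")
```

Rows whose service name was normalised away by the sandbox (`\SYSTEM\CONTROLSET001\SERVICES\ Value Name: Type` in the Tofsee table) parse but never match, which is the right outcome: they carry no name to hunt on. Feed `hunt` with the output of `reg export` or an EDR registry query converted to `(key, value name, data)` tuples.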
| Mutexes | Occurrences |
| --- | --- |
| z_a_skh495ldfsgjl2935345 | 15 |
| IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences |
| --- | --- |
| 23[.]20[.]239[.]12 | 15 |
| 64[.]140[.]157[.]157 | 15 |
| 157[.]119[.]94[.]202 | 15 |
| 104[.]27[.]31[.]89 | 9 |
| 104[.]27[.]30[.]89 | 6 |
| 3[.]225[.]189[.]10 | 5 |
| 3[.]229[.]167[.]115 | 4 |
| 54[.]83[.]91[.]42 | 3 |
| 34[.]195[.]145[.]145 | 2 |
| 3[.]93[.]124[.]54 | 1 |
| Domain Names contacted by malware. Does not indicate maliciousness | Occurrences |
| --- | --- |
| en[.]wikipedia[.]org | 15 |
| www[.]torproject[.]org | 15 |
| www[.]hugedomains[.]com | 15 |
| vostorgspa[.]kz | 15 |
| p4fhmjnsdfbm4w4fdsc[.]avowvoice[.]com | 15 |
| bledisloeenergy[.]com[.]au | 15 |
| polyhedrusgroup[.]com | 15 |
| todayinbermuda[.]co | 15 |
| nn54djhfnrnm4dnjnerfsd[.]replylaten[.]at | 15 |
| www[.]buildenergyefficienthomes[.]com | 15 |
| mosaudit[.]com | 15 |
| buildenergyefficienthomes[.]com | 15 |
| akdfrefdkm45tf33fsdfsdf[.]yamenswash[.]com | 15 |
| Files and or directories created | Occurrences |
| --- | --- |
| \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I0ZU5JT.txt | 15 |
| \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I478AKJ.txt | 15 |
| \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I4FI238.txt | 15 |
| \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I4FKVBH.txt | 15 |
| \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I4QK3KJ.txt | 15 |
| \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I5QX7W9.txt | 15 |
| \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I77RW1L.txt | 15 |
| \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I7J37KF.txt | 15 |
| \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I9NSD58.txt | 15 |
| \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IANXEE8.txt | 15 |
| \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IC5NB1M.txt | 15 |
| \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$ID60W3E.txt | 15 |
| \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IIUTK07.txt | 15 |
| \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IJE160U.txt | 15 |
| \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IKAVPAE.txt | 15 |
| \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IL2NS3P.txt | 15 |
| \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$INKC8CM.txt | 15 |
| \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IP8M1EE.txt | 15 |
| \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IPDP9E0.txt | 15 |
| \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$ISIYA4I.txt | 15 |
| \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IV54ALI.txt | 15 |
| \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IWK2JPN.txt | 15 |
| \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IWYYKMD.txt | 15 |
| \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IXC3P46.txt | 15 |
| \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IZ7KADN.txt | 15 |
*See JSON for more IOCs
File Hashes
00de6704e49ec7e8b570b95410704c0d3d81c727c688d06afe68e4f8f4e4b8e6 079ab9339f5b1ccf429dbf4426350c311adc6bdeeb3a003970d052088dcdaabf 4b7a8b7ffac89faa52034d12821a9e20bfd987adcdcbdba29d6daaca44ef9325 6352e2794884e3c090f6ec14ec8c870fdc6d4cde61f518c44ed5bae2916e67c8 69a0539a87e7a9fe382cf4c504c3d02bf6ee4cd6a5e20098ed619da8975480ee 70311b0da413a17ed6c5f300adcd7757301346300693823ba4e1e7845901c1b8 7f1a0f921a5132b1329dbdbfadc83eec6568ad151d1c33da89a4aaf0a5e5c0c2 a7ba5bb407c401764b9af3e22b005962431d5446f1c8ba468ab71a7ed1033299 b8dd6020265dc28fa74d1708e2238cc227791dace690699db22cbb3ba6c1d64c bd9a8d8d2c8e1d426959e7022ecd26b7001998aba2617e13deac573d16208916 c7a8125f64e0c8d4133263f901855d1ef0ecea2e083c10782e4cfbbe8b334e79 dca1535c72840c4a47886ee0e23437fc560a4fea29c9c62f63a58726d21a565b e010d87d8cb503b316a2dc3e064b99178b7040a213251ce49e58fd0d23c6cef5 eb6259dd5f1ed9540edc3e0e9944e08145b9514320cd65c26612b32b92fa6885 f347dc8de7cefff44e6127fcfd035c08d31439a6f4951dd92549bdd6400b60aa
Coverage
| Product | Protection |
| --- | --- |
| AMP | |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Threat Grid | |
| Umbrella | |
| WSA | |
Screenshots of Detection: AMP, ThreatGrid, Umbrella
Win.Dropper.Upatre-7491797-0
Indicators of Compromise
| IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences |
| --- | --- |
| 93[.]185[.]4[.]90 | 25 |
| 104[.]20[.]17[.]242 | 10 |
| 98[.]214[.]11[.]253 | 6 |
| 66[.]196[.]61[.]218 | 6 |
| 98[.]246[.]210[.]27 | 6 |
| 81[.]90[.]175[.]7 | 5 |
| 216[.]16[.]93[.]250 | 5 |
| 76[.]84[.]81[.]120 | 4 |
| 217[.]168[.]210[.]122 | 4 |
| 84[.]246[.]161[.]47 | 4 |
| 85[.]135[.]104[.]170 | 3 |
| 24[.]148[.]217[.]188 | 3 |
| 81[.]93[.]205[.]251 | 3 |
| 81[.]93[.]205[.]218 | 3 |
| 62[.]204[.]250[.]26 | 3 |
| 173[.]248[.]31[.]1 | 3 |
| 87[.]249[.]142[.]189 | 2 |
| 98[.]209[.]75[.]164 | 2 |
| 194[.]228[.]203[.]19 | 2 |
| 24[.]220[.]92[.]193 | 2 |
| 176[.]36[.]251[.]208 | 2 |
| 109[.]86[.]226[.]85 | 2 |
| 95[.]143[.]141[.]50 | 2 |
| 68[.]55[.]59[.]145 | 2 |
| 188[.]255[.]239[.]34 | 2 |
*See JSON for more IOCs
| Domain Names contacted by malware. Does not indicate maliciousness | Occurrences |
| --- | --- |
| icanhazip[.]com | 25 |
| Files and or directories created | Occurrences |
| --- | --- |
| %TEMP%\tywy22.txt | 24 |
| %TEMP%\tywyaven.exe | 24 |
| %TEMP%\t4930.tmp | 1 |
| %TEMP%\vimazet.exe | 1 |
File Hashes
01152de6c7c348fa9716c3d760744689eb85386303593e6100f6532bd3fc2cb3 01cb3cbad05c3b0b186b604f32cb00a3ceced74ead26affe5b4fb1867d48be01 02f4933753d850d1774b56cbd35c994b6b7dd9b971fd45c34f5677f90b281b6a 062720c82d1bef7558b0a4675b9539a23afddf252ede24b5d54edfba2a758ca5 06f92e4b684161224f68388d8d4ca35d113682fadeb2e100072dfa8d43413101 09589d82d2f9460fe3d33b726794d41a93b672dbaed8e5f397350b7714649cd7 09f38837949bbee74dd5da5fce7a92d7f21168f7e43345bbd19f5cbfde8f6f69 0c45c58eab16df4d5bff14dad957f91d5785a09836560bc3bd681c27e012b1b8 0d774c5ac17521abec32a11e81317fed5f7c163d82ec7f9e1065c86834458cfe 0d90667089d17e2924b00e5207a357156e9076dfa3dab3f2e7dc5737135053a9 0e36b813e84b27ff1c1b770fffbf4175c7c39bbe499804c9c27565ed4a9518fa 0fa25c7c007f337ab5ba699a2611c47ff41a8ba74cb83fa1ffde097e7408f8ed 10c863059e4910501e1deea44279a5402e93796098230511c65be09f8f47eb82 1356d0345699b8766d5c8de5d61cb47fd63dc3f42fe2280a2c413a8d7f97c1c8 13f7895a32eb09a5016a408819dce9c95a4149888ad708c0232e0659e2ca06e3 14178c54d283e6579242e90df7c4dae8af71ff4594c834e3cc7a275588f561b7 14e727de9a56e79b9dcaf48cc9751d4cb447f16d839d705c628640857d0e6e13 1535d470effa0af601719b9ef64e615f321e4db52ee4b7bb05def6d501884fbc 16b232d226ca18447e1f1671538607fe5be412e935b930bcde73ff46e0b2890f 186a59f2954d3d213a26308386be80f2b503e08882324ab559490330700fc24a 1d2374db5ee92385e49fbaef9ef694361877cdffa4b51d8fd8d37e6272dfad57 1e1bdd6ddb3c256c79024eccdb2de6b0861a2a86e13f3f03cf1f378e2cdc9d36 1fcbef293371203729eca2c9491641a03b2330c9be11b438f84db0e996e5b78c 2119922518bc437c7d5fd7d7205929089a9ed9333cdff97bb214808f37e86dd7 211bdc6613fc3e691ac70d215a8a9edd5f0ebb85bb4f24d6e293fb21894a0b1b
*See JSON for more IOCs
Coverage
| Product | Protection |
| --- | --- |
| AMP | |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Threat Grid | |
| Umbrella | N/A |
| WSA | |
Screenshots of Detection: AMP, ThreatGrid
Win.Dropper.TrickBot-7490964-0
Indicators of Compromise
| Registry Keys | Occurrences |
| --- | --- |
| \SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\PROFILELIST\S-1-5-21-2580483871-590521980-3826313501-500 Value Name: RefCount | 1 |
| Mutexes | Occurrences |
| --- | --- |
| Global\316D1C7871E10 | 22 |
| IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences |
| --- | --- |
| 181[.]113[.]28[.]146 | 5 |
| 188[.]120[.]254[.]68 | 5 |
| 195[.]123[.]220[.]178 | 5 |
| 198[.]23[.]209[.]201 | 4 |
| 104[.]20[.]17[.]242 | 3 |
| 119[.]252[.]165[.]75 | 3 |
| 78[.]24[.]223[.]88 | 3 |
| 188[.]165[.]62[.]34 | 3 |
| 164[.]68[.]120[.]60 | 3 |
| 69[.]195[.]159[.]158 | 2 |
| 190[.]214[.]13[.]2 | 2 |
| 5[.]2[.]70[.]145 | 2 |
| 185[.]213[.]20[.]246 | 2 |
| 185[.]141[.]27[.]190 | 2 |
| 185[.]177[.]59[.]163 | 2 |
| 216[.]239[.]38[.]21 | 1 |
| 200[.]21[.]51[.]38 | 1 |
| 200[.]127[.]121[.]99 | 1 |
| 181[.]129[.]104[.]139 | 1 |
| 18[.]213[.]79[.]189 | 1 |
| 45[.]125[.]1[.]34 | 1 |
| 23[.]20[.]220[.]174 | 1 |
| 45[.]137[.]151[.]198 | 1 |
| 5[.]182[.]210[.]109 | 1 |
| 51[.]89[.]115[.]124 | 1 |
*See JSON for more IOCs
| Domain Names contacted by malware. Does not indicate maliciousness | Occurrences |
| --- | --- |
| icanhazip[.]com | 3 |
| 250[.]5[.]55[.]69[.]zen[.]spamhaus[.]org | 2 |
| checkip[.]amazonaws[.]com | 2 |
| wtfismyip[.]com | 2 |
| api[.]ip[.]sb | 1 |
| ipinfo[.]io | 1 |
| Files and or directories created | Occurrences |
| --- | --- |
| %System32%\Tasks\System Network Extensions | 22 |
| %APPDATA%\adirecttools | 22 |
| %APPDATA%\adirecttools\data | 22 |
| %APPDATA%\adirecttools\settings.ini | 22 |
| %APPDATA%\ADIRECTTOOLS\.exe | 22 |
| %TEMP%\_appcompat.txt | 21 |
| %TEMP%\.dmp | 21 |
| %APPDATA%\adirecttools\Data\pwgrab64 | 1 |
| %APPDATA%\adirecttools\data\pwgrab64_configs\dpost | 1 |
| %APPDATA%\adirecttools\69ab1bb7084669cf84cc43537b700264.exe | 1 |
| %SystemRoot%\TEMP\~DF8EC46E2629511EB8.TMP | 1 |
| %APPDATA%\adirecttools\r | |