Threat Round Up for December 29 - January 5

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between December 29 and January 05. As with previous round-ups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

The most prevalent threats highlighted in this round up are:

  • Doc.Downloader.Trickbot-6412300-1
    Office Macro Downloader
    This downloader was submitted to ThreatGrid more than 50 times on December 26. This office document downloads a multipayload Trickbot loader. This post-Christmas gift is not something that somebody just back from the holiday wants to open.
     
  • Doc.Dropper.Agent-6412231-0
    Office Macro Downloader
    This is an obfuscated Office Macro downloader that attempts to download a malicious payload executable. The sample was unable to download the next stage so no further analysis is available.
     
  • Doc.Macro.Necurs-6412436-0
    Downloader
    Another wave of OLE based downloaders spiked in prevalence just prior to the new year. The samples use obfuscated VBA macros to download various malware families distributed for the Necurs botnet, including Locky.
     
  • Ppt.Downloader.CVE_2017_8759-6413368-0
    Office Macro Downloader
    These PowerPoint files contain an XML, located in ppt/slides/_rels/slide1.xml.rels, with a malicious SOAP WSDL definition that leverages CVE-2017-8759. If the file is saved as a PPSX, the slideshow will automatically start on opening, triggering the malicious code.
     
  • Win.Ransomware.PolyRansom-6413978-0
    Ransomware
    PolyRansom variants continue to thrive in 2018. PolyRansom is polymorphic ransomware that spreads by infecting other executables. It gains persistence through an installed service, and run keys added to the registry. Its primary infection vectors are share network drives, removable media, and email.
     
  • Win.Trojan.Generic-6414413-0
    Trojan
    This cluster provides generic detection for the Emotet Trojan downloaded onto a targets machine. Emotet is a banking trojan that has remained relevant due to its continual evolution to by pass antivirus products.
     
  • Win.Trojan.Multi-6413508-0
    Trojan
    This trojan will potentially connect to one or more servers to receive instructions and download additional malware.
     

Threats

Doc.Downloader.Trickbot-6412300-1


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • 316D1C7871E00
  • Global\552FFA80-3393-423d-8671-7BA046BB5906
  • \BaseNamedObjects\C1A8DFE67F9832960
IP Addresses
  • 89[.]161[.]153[.]74
Domain Names
  • jas-pol[.]com[.]pl
Files and or directories created
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\Inue8.bat
  • %AppData%\localservice\Wn-lbzpms.exe
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\mo-r.exe
  • %AppData%\localservice\mo-r.exe
  • %TEMP%\Ecmjtqf.bat
  • %AppData%\localservice\Modules\injectDll64_configs\sinj
  • %AppData%\localservice\Modules\injectDll64_configs\dinj
  • %TEMP%\Wn-lbzpms.exe
File Hashes
  • 3e5a5c672052182d9d10b0d094f07ec67f182939556c90f66236d75d4e795cd6
  • 07a1d83e2fdce0b0383fc05e2931d3aa557e3eeeeca50762258431ecf6fc2c50

Coverage


Screenshots of Detection

AMP


ThreatGrid


Umbrella


Screenshot





Doc.Dropper.Agent-6412231-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses
  • N/A
Domain Names
  • weekendfakc[.]top
Files and or directories created
  • N/A
File Hashes
  • 024782b5d080879af2a7a4280d262929e85e9815b2b37e9aeb6384a26e97895e
  • 0ad1db5a012d54fe11b06cf8b8822135e5285e21ab99e7ae5c8ca1892836375b
  • 1283fc95f56f1f32dcfeb5ec042a53f6e0dbd05d49c5bbc892e389cfc5613d9a
  • 1a5257c6cd2e03848758d9541cbf4918194ff33669029a06baee9317d1a9a527
  • 211e5c8d07af1e6b61acb7af8bb1e0fefe25bee88275f2db8d53f868dc991e0e
  • 23c8026cd6414fa083f83c856c9142af5905747eabb32d0d0d839e21f941bf3e
  • 25191548ef2032df4acb687d940854f134de3aa738b69fc578e5397e95496afd
  • 28f9a67de7f6b79b4bf66da9d114c723e16d619f6787257eff856c71b1c7047f
  • 29062cd2c2d09199fc0716485e0e3a1fff880195a92c78ecd5f0e5184ac07820
  • 2b24aa417d6ab02fa9f82be1a41bc8c2e5de814057ed76074e2960d74f31d2d1

Coverage


Screenshots of Detection

AMP


ThreatGrid


Umbrella






Doc.Macro.Necurs-6412436-0


Indicators of Compromise


Registry Keys
  • <HKCU>\Software\Microsoft\Windows\CurrentVersion\RunOnce
Mutexes
  • Groove:PathMutex:tzanqCjN6dCs1QGzbKslin0UfIk=
IP Addresses
  • 98[.]124[.]252[.]145
Domain Names
  • pragmaticinquiry[.]org
Files and or directories created
  • %TEMP%\ASPNETSetup_00001.log…doc
  • \Users\Administrator\AppData\Local\Adobe\Acrobat\9.0\Updater\updater.log…doc
  • \Users\Administrator\Read___ME.html
  • %TEMP%\ASPNETSetup.log…doc
  • \Users\Administrator\AppData\Local\Adobe\Acrobat\9.0\Updater\Read___ME.html
File Hashes
  • a3f68a31db23b9c7312219990bfe27bf9bb7c158fde4200c0af7a985bd7ac97d
  • d4a8da30821df543407bcbbc25bf2a89db3d3f5c8d49fddeddaecd3b47c111ef
  • a9db16baffc0b92aacae6647952fc2d32673998fc035493d50d32bad5bceb516
  • f07f747978b7d8bed904ccadbcc49f184bc16e872f22d7b53b1030bc22ebd794
  • 9b48b6bc6ee491a2b180d6b353ae8f8da230f27a0cdfc1757c58a4819664b790
  • 0c51e3df0b09f14e04b268102afc9342c35fcc2460c645f9c8d21b2413910d32
  • 0cfdad54484cf1d4ff9be267469edefdb98e963ffabd6beeb081a208e3fca9ac
  • 1c2f0a28b5c13eb2967078d947924c9a4a5f8f845d3899986df19e8a166d3ec0
  • 241f83caf5c5a23a1d7adbeaa8c392da0edadff362f41bbb5727dc71887048c4
  • 305790984d5ffa713794c1732eea4f83f18da6926e415a490b2fc090f2c4e8dc
  • 305f855ff8d47be5cc2d57e137a436bb2e17b1783f6cc5b8302c2df56b75afd7
  • 32d85f3dded85d0375965a50991ddb7b608166f51a12b297ae981348119512da
  • 36fc2029280816810324e3be9cf3a4257f0dbb1a8b11eaffdbacdead863aaf44
  • 3abdf9d8249e3cc7507529aec80d93551f1fcd714a61861a69c059662aa39e9f
  • 495b93c1a9940e94c14063b1e52877864d54fb544a3a32e923b0530cb03c96cf
  • 4c04d8aeebdd0eb1747a9a66b10e4681328a03edcbcbd0e9921c4a74367bbd08
  • 580b05987531aa4ef4bed150bd51fdbbcad5f95abb63e8439e3d4bb07eb68598
  • 5c4d5f6d7d0a8d4e805c1341cadf76a924aa2fe6437d432d96f103c4319e84c2
  • 6e35534f8b79187dbe2fbdd1b0a21b03752a89df5981cb6fb89154eb7b34a087
  • 8f36a3ebcb2714d7f6d99d8d0672bcdf16980da788331953cba52c21fde64efb
  • 962beb562acef288c5ef09f14e366d7ff3f51a00dd28b3dc5c0e388c92d3c0a2
  • c2f482372523031b880b7a4f1909b30b5aa20304d0a691309484ad49a0c451d5
  • cab8fcbe8bce311464418e2fcd05e55353255c511e698726e009f075de82e2ea
  • ce5d33fb70fc7834d8faa7749d5cedbcb6b0958105ebe94633e2daba897612ef
  • d18256e9f4062259e941028c531c5219b63446a35c524ef00554c69de2110e98

Coverage


Screenshots of Detection

AMP


ThreatGrid


Umbrella


Screenshot





Ppt.Downloader.CVE_2017_8759-6413368-0


Indicators of Compromise


Registry Keys
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: VRGTQ
Mutexes
  • N/A
IP Addresses
  • N/A
Domain Names
  • u[.]teknik[.]io
  • kistags[.]com
  • graceland2017[.]com
  • 0i3tenrainy[.]loan
  • goochandhousego[.]pro
  • dayi-yc[.]com
Files and or directories created
  • %ProgramFiles%\Rfjd\confighbch.exe
  • %TEMP%\dsruxkfs.0.cs
  • %TEMP%\dsruxkfs.cmdline
  • %TEMP%\dsruxkfs.err
  • %TEMP%\i02bp4bi.0.cs
  • %TEMP%\i02bp4bi.cmdline
  • %TEMP%\i02bp4bi.dll
  • %TEMP%\i02bp4bi.err
  • %TEMP%\tmp95D4.exe
  • %TEMP%\tmp970E.exe
  • %AppData%\Roaming\982PQQP9\982logrc.ini
  • %TEMP%\dsruxkfs.out
  • %TEMP%\svchost.exe
  • %AppData%\Roaming\982PQQP9\982logim.jpeg
  • %AppData%\Roaming\982PQQP9\982logrv.ini
  • %AppData%\Roaming\tmp.exe
  • %SystemRoot%\SysWOW64\com\SOAPAssembly\http100u4teknik4io0HUKzO4png.dll
  • %SystemRoot%\SysWOW64\com\SOAPAssembly\http100u4teknik4io0HUKzO4png.pdb
File Hashes
  • 22ae9fc528b63ecfe163c2b4c472e68869e049023be009ef118c59346247082d
  • 129bddde9c3cb01c69d92d9029d5da963a0dd5a72143054f9fa97471a388e9c0
  • 2d92ee55d56e96822aca748c7d69344d90a663e0db77e7ddd0ce9befa54aba98
  • 3894ba1250493f0798f9212fc20e96e8114dcc218850fef13979410dc63affba
  • 3a26d63160a43b64ee4f4adba0a5c19cb3ee6db2dc44c0ffb7b72b621548c4f8
  • 4b4efd1527b404064604707dbf7a143745d764629d6cfcc05a6c204b66238db8
  • 56b951fe25e1d0266dd49eba6b127efe63c49d71063533cee2ba3bb7eac08744
  • 56ede7ef1d1e5216231c847eead200bc8b5c5f8ef7ac8389b7dc5f069b37831d
  • 650abb87b45b41a344c677c0d6bb6a13cbe9a66785b87a0f2ff3fb378220448c
  • 72399fbb24239a2e1897132ad0e3270103c727253275009e010c74a94f36700d
  • 7b58861aab0a53cac5ac90af09723703fb47fda584fc66212ff663c52a8150a4
  • 7ed5fec1aabe2e91524a9a84d2c4f4d29a8da5777289023c40ffbcc7810b2ee8
  • 84593a125442a9541b2992a2934f4db5cbe1a87b6e5f5edd17982e677667c53f
  • 9f9217702cc1d59edc29007f745eeec78118941f3d4f99b2f664a9677867ffb6
  • b28a3bd9be8ec8d9dec980896002d84e2544acb2625e1acbbe8351d57b2b6cfc
  • c0ed86aab56032d1ba313aa6b5eaabcd687caa28937f56f23832206f81ec1271
  • c5b450ac63234f3d23ace0379486a33788187f14b47801971ad96ace76f85410

Coverage


Screenshots of Detection

AMP


ThreatGrid


Umbrella






Win.Ransomware.PolyRansom-6413978-0


Indicators of Compromise


Registry Keys
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\ZSCGIYAL
    • Value: Type
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: FacAQkYU.exe
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\ZSCGIYAL
    • Value: Start
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\zscgIYAL
Mutexes
  • \BaseNamedObjects\mMkUAokE
  • Âë@
  • MkUUAgkc1
  • ºë@
  • poAUcoMg1
  • \BaseNamedObjects\lEwoEIAg
  • \BaseNamedObjects\sgwQgcAM0
  • ²ë@
  • fusUgwwA
  • oskQowMk
  • ¢ë@
  • \BaseNamedObjects\hYsQEUYI0
  • \BaseNamedObjects\ @
  • ªë@
IP Addresses
  • N/A
Domain Names
  • N/A
Files and or directories created
  • %SystemDrive%\Documents and Settings\All Users\Lgwg.txt
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nOowsYQI.bat
File Hashes
  • cd32c7982ceca8711ec2f6c7ad83103db41b5d2c644b9beee07c81f92efa30a5
  • 1ff90f71632162646145cd91a22fdb24683cb25e54254f9c311d54cbc633fb92
  • 377a4c54239536019cef4c3fb2ed835a0142f58d64bc0bf49063440b7700a0b7
  • aff6517827847137411d37bafc0aee2915e87b9d2494493c1723634ba1014792
  • 38c7c22fd8526dd108422befd6fd38212ef45fb30db3272d5016fa942cd2323d
  • 3ab0d96b041b994d6f32a4351120b822d39b681d2c5133f12bb507fe2fb66e19
  • ca8eb5e89426e3c6771a72cffac6998abce9ca2a6011207691e47df1738cdeb6
  • 8957b057803dd6369f877c359b96423b61129fa3f68257c272644e1d56c7c667
  • c4471377f58643e454ef33f21dc65f696567bf8700ae120caac5086f85bfeace
  • 64fac9307649854e520f733df3df40ed960650103a78b8460488319156e059cf
  • 1dd699b7fdb082c35677938f6f064e02e226033f995189889799adac08811a18
  • 9ca5fd8ee403b418f92118836171b72a334caeb94fae9b5b46d6246742bf1345
  • 78286db82473a9f1eddba51f39333a77c2b30fb582e9fe3e71d2924e060eb273
  • 7e888fabc1451dce556864690cc55e70c8236db2a7b01b8726af0a5700ebafea
  • 6f15dc426b87da591d0a2d4965558a22857e2b1c8e1e6fdfe9c36c8a4b50a99c

Coverage


Screenshots of Detection

AMP


ThreatGrid


Screenshot





Win.Trojan.Generic-6414413-0


Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: internat.exe
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: Microsoft Windows Manager
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
    • Value: Start
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: Microsoft Windows Manager
  • <HKU>\Software\Microsoft\Windows\ShellNoRoam\MUICache
  • <HKU>\Software\Microsoft\Windows\CurrentVersion\Run
  • <HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  • <HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Mutexes
  • \BaseNamedObjects\b11
  • b11
IP Addresses
  • 220[.]181[.]87[.]80
  • 69[.]49[.]96[.]16
Domain Names
  • www[.]murphysisters[.]org
Files and or directories created
  • \DAV RPC SERVICE
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\H3T7LZRL\m[1].exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\cymycvgmtt.exe
  • ;Z:000000000000d46c\192.168.0.1\vm9-116_\DeviceConfigManager.exe
  • %AppData%\winmgr.txt
  • ;Z:000000000000d46c\192.168.0.1\vm9-116\autorun.inf
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ftoidjlwgv.exe
  • ;Z:000000000000d46c\192.168.0.1\vm9-116\DeviceConfigManager.bat
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\H3T7LZRL\b11[1].exe
  • %WinDir%\M-5050572947025827857375865240\winmgr.exe
  • %TEMP%\phqghumeay
  • ;Z:000000000000d46c\192.168.0.1\vm9-116.lnk
  • %TEMP%\rgjqmvnkyr
  • %TEMP%\edakubnfgu
  • ;Z:000000000000d46c\192.168.0.1\vm9-116\DeviceConfigManager.vbs
  • %TEMP%\gwhroqkhwu
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rdwpamlgaz.bat
File Hashes
  • 22bcff79015a6f2d450ff4713bc1a195f6333444e96e616fb070ccf885f790ad
  • c06da956f726a78aff82e8c2ec2ed7989f227ac560511512fd609574685f6c4f
  • e474e51a6f29b9e32702445797ef4baaa96b1e30fa3f212ae2953bbb843a559b
  • c9329790645ae7404cd3c746b9a26bcd667b6c1c45f727e504d0833d04726488
  • b95a5e8f1dc23677e9e700b44d014aeee127869e46af6a674f93d34da3c606d0
  • f3ee9f0be76f80faaa683ef580e3f018e1e0108e5b4457bad379e99dda2c627f
  • b010ae9122a8651be194c5bc3d49540d51287040f1a1f066e193835f942277a9
  • d775f05eb68ce4ef44776de0ad2b3c6181ad6a99813612a1ce3cc8b453359482
  • a3940c00bd3e8d07eb70cd23148d030a473f134a7aa19ff6b777862af6d5f8e3
  • 2104784585c92828df37feab86fcabddf3ffdb2718dfc3718ae529ad9c4956e0
  • 43d2b149b3e4fd33b03321d2bfb6980734d3725483fee21cd996f280618865d9
  • 9e7ae2436474bbad1e9ce20f8fc7a294586fde89c39b3bd2e2fd257d269ca636
  • 10c96fcbeee7e93309abc9616958ef214953f512f236ddff2db39f12a8f4a817
  • 08c9fedfcf1100f8450ad930a55a2cbf7dcc0fa88b646da2c5916ff42565c575
  • 113e003896939e85f048e528b6f50fa9e984009fe2677143c7cfaad9ee693293
  • 0d136160f510d87af7edeeb1533979a5cdc1d1511528798d5871bbb88bb1f0f4
  • 33fd94f82800a1f8551e73aebbbac4169c3c08cbe12c69e9fab52875d56c96bc
  • 1b6651d1e43c7ff8dd291d178b8bad9fbfd1bb426d49da419ee7e4a4d7912ba1
  • 1cfd3043ecc8fd7c254201fcafe6865dfdb1c0d6ccc343d0e62e1cab261fefa3
  • 201c0ca83973186aab93376147f1b60d009ef13ec827d0de5d19b483d3c0f353
  • 23db71997ed2f558e06232f600d3cc7b4e5eb58f18039923127c5b4fa7fec2f9
  • 26f1a92cb36e4caff3fccc45fba269647410fbee71cc4f4a00e5d4c282ba01f8
  • 2ab47d6d82225c62487054db91e804418060b3334531e09d96dc6d3630fa54b3
  • 34ae5c841f6e992fe09979fff521d2e8367385260cf73112e79ce656e952bbb5
  • 564ace4ef8e2c3aab367969748e02a0dee555733e9085fcc0a86b9f1b70fb7b3

Coverage


Screenshots of Detection

AMP


ThreatGrid


Umbrella






Win.Trojan.Multi-6413508-0


Indicators of Compromise


Registry Keys
  • <HKU>.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: Logman
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
    • Value: load
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
    • Value: run
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value: ProxyServer
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: internat.exe
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value: AutoDetect
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value: ProxyOverride
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
    • Value: DefaultConnectionSettings
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: Session Manager
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
    • Value: lsm service
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: ClipSrv
  • <HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  • <HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  • <HKU>.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CurrentVersion
  • <HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap</b>
  • <HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  • <HKU>.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Mutexes
  • N/A
IP Addresses
  • N/A
Domain Names
  • www[.]wholists[.]org
Files and or directories created
  • %System16%\lsm.exe
  • %AppData%\clipsrv.exe
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\lsm.exe (copy)
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\APPLIC~1\MICROS~1\Windows\dllhost.exe (copy)
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Application Data\spoolsv.exe
  • %SystemDrive%\Documents and Settings\All Users\Microsoft\RCX2.tmp
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Application Data\RCX8.tmp
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Application Data\spoolsv.exe (copy)
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\APPLIC~1\MICROS~1\Windows\RCX6.tmp
  • %AppData%\ieudinit.exe
  • %SystemDrive%\DOCUME~1\ALLUSE~1\clipsrv.exe
  • \TEMP\d0a08beb99882af4b1771426905ee556.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\APPLIC~1\MICROS~1\Windows\dllhost.exe
  • \Users\Administrator\AppData\Local\Microsoft\dllhst3g.exe
  • %System16%\smss.exe
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\RCX4.tmp
  • %WinDir%\SysWOW64\drivers\ieudinit.exe
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\lsm.exe
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Application Data\dllhst3g.exe
  • %SystemDrive%\Documents and Settings\All Users\Microsoft\mstinit.exe (copy)
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\esentutl.exe
  • %SystemDrive%\DOCUME~1\ALLUSE~1\clipsrv.exe (copy)
  • %SystemDrive%\Documents and Settings\All Users\Microsoft\mstinit.exe
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Application Data\dllhst3g.exe (copy)
  • %WinDir%\spoolsv.exe (copy)
  • \Users\Administrator\AppData\Local\Microsoft\rsvp.exe
  • %WinDir%\logman.exe
  • %WinDir%\spoolsv.exe
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\esentutl.exe (copy)
File Hashes
  • ec3075ac9775e3c41bc8227a00ef76905bbd96a62b813c99f277865ff353c5ce
  • f4b6b76dec96cc9d530dd6cb64bdd743a115a12a7b03e41f7ec737e4d80b6850
  • b1da876da56ba09770d594765727d167bf1a655247f094360e032a35d3d41461
  • b82ebd17236c41d9e457f640a2871695326ef8014ebd71b7a5f37d8b2c3a4522
  • b3f5ad44f682104d536c60832d2064f71d3261ffbf0e1555c236a36b505619d3
  • a27376262110767a28e376b723caa46d3cc50d33da60029df8e7af024ff67be9
  • f1b2bbf13bde9ce65cbe1cee7e3d86a61e0511f206ae74589329dc1fffc5f7e0
  • 17023d977e2b041c8a1994e7ae69b65e10f7097febefc9b47817dd9f7985cd52
  • e5c95545895dc13626b3f20b47fe2f0f1b5dc3915fef44c3c7a5352e95beb382
  • 6d1b40fbdcad0c96c687f661469e39b7b10a0b083a9ea3c9f6bb959c284df149
  • 7d1ae051d633a3ed3c0991aaa3ed63357804a80e67dd19ae5deab71e525947a6
  • 799e5b77de09f7971f0187b69266e45f70e0cda170c615c604806ec2444ab89a
  • 910b590e28bc72bc14c05d47a026ed56928ea8b6608f626555d955beccb719c8
  • 7d326add0d36be4543317c4d14823e2cb380f7b07bacc1f893ec86bdd0b04468
  • 5af23d9dedc83e1fe8c808fe62d858767dd95f2b9402fa785072cc7247a2e4c6
  • bf828a8f3fb1a27532aa9f3fb0383a1ce3418f7dd52cefa4264ab2e3e941e8d9

Coverage


Screenshots of Detection

AMP


ThreatGrid



Article Link: http://feedproxy.google.com/~r/feedburner/Talos/~3/td0xkcgyttQ/threat-round-up-1229-0105.html