Threat Roundup for Dec. 7 to Dec. 14


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Dec. 7 and Dec. 14. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, it summarizes the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and discusses how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

You can find an additional JSON file here that includes the IOCs in this post, as well as all hashes associated with each cluster. The hash list in this blog post is limited to 25 hashes per cluster. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.
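As an added example (not Talos tooling, and not the JSON file the post links to), the following Python script parses an excerpt of this roundup's defanged indicator lists, refangs them, and matches them against a few constructed telemetry records. A lone hit on a schema host such as www[.]w3[.]org is treated as weak context rather than evidence, and a host is only flagged as corroborated when indicators of two different kinds line up. The indicator excerpt, the telemetry lines, the BENIGN_CONTEXT set and the corroboration rule are all assumptions made for this demonstration.

```python
"""Match defanged Talos roundup IOCs against host and network telemetry.

Added example, not Talos code. The indicator excerpt, the telemetry records
and BENIGN_CONTEXT are constructed for the demonstration.
"""
import re
from collections import defaultdict

# Constructed excerpt in the roundup's own defanged style ("[.]" for ".").
INDICATOR_TEXT = """
IP Addresses contacted by malware. Does not indicate maliciousness
  • 45[.]40[.]183[.]1
  • 185[.]104[.]28[.]132
Domain Names contacted by malware. Does not indicate maliciousness
  • www[.]w3[.]org
  • ikincielesyaevi[.]com
  • enthos[.]net
File Hashes
  • 0421be0b17b64e14118e01ec412f1721bb9079630a004ff7e846f954c2355538
"""

# Hosts that show up in sandbox traffic because Office/VBA stacks fetch
# schemas, not because of the malware. Assumed list for the example.
BENIGN_CONTEXT = {"www.w3.org", "api.w.org", "gmpg.org"}

SECTION_RE = re.compile(r"^(IP Addresses|Domain Names|File Hashes)")
SECTION_KIND = {"IP Addresses": "ip", "Domain Names": "domain", "File Hashes": "sha256"}
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def refang(value):
    """Undo the defanging used in the roundup so values match raw telemetry."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def parse_indicators(text):
    """Return {'ip': set, 'domain': set, 'sha256': set} from a roundup excerpt."""
    out = defaultdict(set)
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = SECTION_KIND[m.group(1)]
            continue
        if current is None or not line.startswith("•"):
            continue
        value = refang(line.lstrip("• ").strip().lower())
        if current == "sha256" and not SHA256_RE.match(value):
            continue  # skip truncated or non-SHA-256 entries
        out[current].add(value)
    return dict(out)


# Constructed telemetry: (host, event kind, observed value).
TELEMETRY = [
    ("ws-017", "dns", "www.w3.org"),
    ("ws-017", "dns", "enthos.net"),
    ("ws-017", "sha256", "0421be0b17b64e14118e01ec412f1721bb9079630a004ff7e846f954c2355538"),
    ("ws-042", "dns", "www.w3.org"),
    ("ws-042", "conn", "45.40.183.1"),
    ("ws-099", "dns", "example.com"),
]

EVENT_KIND = {"dns": "domain", "conn": "ip", "sha256": "sha256"}


def match_telemetry(indicators, telemetry):
    """Return {host: {'hits': [...], 'weak': [...], 'corroborated': bool}}.

    'weak' collects hits on BENIGN_CONTEXT hosts, which are kept for context
    but never count toward corroboration. A host is corroborated only when
    strong hits span at least two indicator kinds (example policy).
    """
    report = {}
    for host, kind, value in telemetry:
        ioc_kind = EVENT_KIND.get(kind)
        value = value.lower()
        if ioc_kind is None or value not in indicators.get(ioc_kind, ()):
            continue
        entry = report.setdefault(host, {"hits": [], "weak": [], "corroborated": False})
        if ioc_kind == "domain" and value in BENIGN_CONTEXT:
            entry["weak"].append(value)
        else:
            entry["hits"].append((ioc_kind, value))
    for entry in report.values():
        entry["corroborated"] = len({k for k, _ in entry["hits"]}) >= 2
    return report


if __name__ == "__main__":
    iocs = parse_indicators(INDICATOR_TEXT)
    for host, entry in sorted(match_telemetry(iocs, TELEMETRY).items()):
        print(host, "corroborated" if entry["corroborated"] else "single-source", entry)
```

With the constructed data, ws-017 (a listed domain plus a listed file hash) is reported as corroborated, ws-042 (one contacted IP plus a w3.org lookup) is reported as a single-source hit to triage rather than act on, and ws-099 does not appear at all.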

The most prevalent threats highlighted in this roundup are:

  • Doc.Malware.Dkvn-6781497-0
    Malware
    This is a trojan that drops a malicious executable and executes PowerShell commands. It can be used as a downloader or a dropper for Emotet.
     
  • Txt.Malware.Nemucod-6780827-0
    Malware
    Nemucod is a trojan that executes ransomware on a victim's computer.
     
  • Win.Virus.Parite-6780568-0
    Virus
    Parite is a polymorphic file infector. It infects executable files on the local machine and network drives.
     
  • Xls.Downloader.Jums-6779285-0
    Downloader
    Jums is a trojan that spawns PowerShell and creates and executes a malicious executable. It collects a large amount of system information and reaches out to a remote server after installation.
     
  • Win.Virus.Sality-6780277-0
    Virus
    Sality is a file infector that establishes a peer-to-peer botnet. Although it has been prevalent for more than a decade, new samples continue to appear and require ongoing attention to keep detection current. Once a Sality client bypasses perimeter security, its goal is to execute a downloader component capable of retrieving and executing additional malware.
     
  • Doc.Malware.Powload-6775735-0
    Malware
    Powload is a malicious document that uses PowerShell to download malware. This campaign is currently distributing the Emotet malware.
     
  • PUA.Win.Trojan.Hupigon-6776762-0
    Trojan
    Hupigon is a trojan that installs itself as a backdoor on a victim's machine.
     

Threats

Doc.Malware.Dkvn-6781497-0


Indicators of Compromise


Registry Keys
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\PRINT\PRINTERS\Canon PIXMA MG2520\PrinterDriverData
Mutexes
  • Local\10MU_ACB10_S-1-5-5-0-57527
  • Local\10MU_ACBPIDS_S-1-5-5-0-57527
  • Local\WinSpl64To32Mutex_e162_0_3000
IP Addresses contacted by malware. Does not indicate maliciousness
  • 45[.]40[.]183[.]1
  • 66[.]198[.]240[.]4
  • 103[.]18[.]109[.]178
  • 192[.]169[.]140[.]162
  • 209[.]151[.]241[.]184
Domain Names contacted by malware. Does not indicate maliciousness
  • enthos[.]net
  • shofar[.]com
  • shawktech[.]com
  • thecreativeshop[.]com[.]au
  • burlingtonadvertising[.]com
Files and or directories created
  • %UserProfile%\Documents\20181212
  • %LocalAppData%\Temp\109.exe
  • %SystemDrive%\~$6889120.doc
  • %LocalAppData%\Temp\2vuqj0ws.zbs.ps1
  • %LocalAppData%\Temp\4ezh4c4j.esn.psm1
  • %LocalAppData%\Temp\CVR95F8.tmp
  • %LocalAppData%\Temp\~DF78CDE2D9B1588659.TMP
File Hashes
  • 0421be0b17b64e14118e01ec412f1721bb9079630a004ff7e846f954c2355538
  • 18bf25020d301b1b22e316d2a6909a40c8dcea59fb04057d58346bdb58a7503c
  • 24ee6e8bd38b5bef0c3db97c8cfdf03a38e442b624a1f7f731fb6e7c2989d6ea
  • 2d50cc5a4ac493e5578038e8f892f9df5e134114ed6e9840089d9f32b8f28440
  • 2ed82969c7fb23e18f1f9b0ab519124438129dc7f2530ee24604397b9c1250de
  • 3e662508b29b2ef40092655a69073c220770a8306c0b17773059e07fe1a712b3
  • 5ed274afe729b6b92cbb4446fa3f4f6130c8e20b3a903b13d7691d2006d2e72d
  • 6d34270f0aeb0fbdb270e47866413a299a1deb54e7c4dd6b785a0ca7f2e0c73a
  • 727afa31d97e874e3d2a3c11870a5b1b65ecda8905e3c97cbddb31a9fbfaf543
  • 74201328ff459bf6412c7dbbcc0866f06f7ccc2b2dc7a1c4bc429518a85fee89
  • 827c0012de03d21f84442e7dd0ea1d0a25f40b0e2982fab1695f935aaf471bd0
  • 91da45beb83ea575f50ff8d9d6dcad7d9efa437b7e337006b2cc8ed2f6d4faf2
  • ac280877daecf65f6570233d76c249caa8eaa52cb5ba31fc3e1611d45c8d0454
  • aeef6e04c09d5f051f94a5c6545cf4228670954274ab97f1c85e7c78f1e6f116
  • af8a10416ae6e32a6250cf03d8c3ba37933903accf649e9feb4f636c17ae2b54
  • c26e6b57799f13d5d8353834bd721b304a15a7bbbb238995dbf98c4a26b71be3
  • d77fdb097fb549034a72f67236bf4c744012ff71e43f37cd89e373645fc26288
  • da7ac63e1a221dba1fb4d1ee743537b985fde34ad9bbc372fcc07a184ce683a7
  • db37c4693eebc0f518bbd7e5707ec3abd4c2633e86b2ca92b9e34b21864a310b
  • dd57c3ea2596874a51b13fe84d3dc328365af06bd0f50eb328819bc970766fde
  • de2c3b81106ab89e0dd2c7d654b0a161e2227bbaafcd1b1860c387c7b67be69d
  • e2ae044f486dba0d5005295ffa9100411a6225fff6c061da69225b6c50834a69
  • e4269fcfda0fe8ef8872dbf51aec6dc9cbb18ad4eae281700be24f563164026d
  • e71d9efea3a62cc265938bac1c53aa96f8729609cabfc6df4c66d5c5e9c016fe
  • eb2bb764fb66c7c5509c7ce50ee3e0c61a675867f85ecdae78ad547b0ac72760

Coverage

Screenshots of Detection
AMP
ThreatGrid
Umbrella
Malware

Txt.Malware.Nemucod-6780827-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • 144[.]217[.]147[.]190
  • 201[.]187[.]101[.]156
  • 185[.]104[.]28[.]132
Domain Names contacted by malware. Does not indicate maliciousness
  • www[.]w3[.]org
  • api[.]w[.]org
  • gmpg[.]org
  • ikincielesyaevi[.]com
  • www[.]ikincielesyaevi[.]com
  • www[.]gulfshorecooling[.]com
  • elemaroregon[.]com
  • gpconstructie[.]be
  • cvcpdx[.]com
  • www[.]chaffinww[.]com
  • workwithcore[.]com
  • phoenixconstruction[.]com
  • www[.]laneexteriorsllc[.]com
  • autosorno[.]cl
  • cleanairtx[.]com
  • www[.]ohiostatestucco[.]com
  • www[.]teknikinc[.]com
  • GOESTOM[.]COM
  • CLARAMUSICA[.]COM
  • claramusica[.]com
  • goestom[.]com
Files and or directories created
  • \ROUTER
  • \DAV RPC SERVICE
  • \Device\Null
  • \Win32Pipes.00000370.00000001
  • \Win32Pipes.00000370.00000002
File Hashes
  • 029cfbcb0e44965e253979458652858b3eabfff38be5e7648c8b82f475233345
  • 0cb706b11174c5a7fd08e70308d1ff84447d6e65a487b146846d5150931a8970
  • 17304c0d1c57c83a58b5b1df2e6fe5b0b2a58634d1cebbd83ce8bd5533fea584
  • 215953913e52f0e071dd8244d598a7c34367d03558599f7b9c824d916f60186a
  • 2c93a65ec63e429b8e8a971dbaea069829763235daeb26a5f24adc69debbff71
  • 38848aedc1194c09d6eeb88ef04ba56aee22e0f579284a63b12d896fdb0d4831
  • 3bf5629a35700582d0abbdf8aa1c97c34c4f2fd933de6f70569d2b3103f6379e
  • 4d85b12eddc09b1cfdfd8d580ecca6d724dd66b91d8866f707aa91cb50c7fbd7
  • 5247f2722b8623e95f8d10cd79d0fbe3e96fe8f0527d3b9be480d2640f02b160
  • 52cecc5d101a881b137c07143268217dacf145dab73d50e0e8da318000f5b5e0
  • 59109d8c01b76ebe171dc28cbe37ceb393846d0ed240f54a14eb9014588c748d
  • 5c2d33368a931651ea426f3ed037185d99c7c3bb28d5430413a2c93b4f525428
  • 66b09b100ecc40609965a74c90e9553457d730bc8b4c5ee95b2f2089dd0aba3b
  • 7d9fcffa70fec088cda7c4095740599a45a710ce38a66fa9e13f0dfb7bc43b3b
  • 8afdadaa66d58e386411755871ff91858bb99016e22e67de3ce3cc63ea35c4a8
  • 918312a6b9b634f27089520d15dc15966a25bd719627962d756f370949adb152
  • af0ab34d44410fab4cfb8c24dfc0240e508de5e31a0eb567c0533344eb9c92fe
  • de5e00e84554eb352985d85146eb696be474c1f5b97a764052fc0575fec8ad13
  • e29d601569f5197e631275c5391a273058ab2aca0473dedf148177516de1e7c5
  • f40f059bad77bf7297b3783af078e8febf11650709294e69a9c198c711a87386

Coverage

Screenshots of Detection
AMP
ThreatGrid
Umbrella
Malware

Win.Virus.Parite-6780568-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • InstallLauncher_4541454E-9FFA-4246-835D-3F49EFA91F6C
  • \BaseNamedObjects\InstallLauncher_4541454E-9FFA-4246-835D-3F49EFA91F6C
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • %LocalAppData%\Temp\ejp5C31.tmp
File Hashes
  • 03b06a1f568e2985a763c155c14c2a9c4b7b18471d91bf2164ad44350d4353d6
  • 0478b98235d5c49bc7facddce8f912a4ec2b58c33b4947922927e139b9efba1f
  • 11ec64be12c389f32640d9803deffa8f93b9457572c71f36df3fe0df4e1f6a8b
  • 17527e946bbac0ed6c69fe1b97d4d16a8d2ea20811898ee471bf0f9e4377d3e7
  • 250e929dc833074872defd3ca65b2ccf6cf9b32ed6f6cfca07a66767e48db6d4
  • 2a4b55983c456e9ea14115378397e67df37d89a28818cb3f557b8afbb3e086e3
  • 2f6a2d0728cad1403d52a3dfc6db10011fa215f6f5b8272e5c4699e1a68afaf2
  • 318722e8243edf25c73800569cc1d78c8a6f62aa382f484116c0197d3cfc6578
  • 3858721e1297e627247f17ebf44ff0502981481af3c04ebb6c76bafda0db2c6d
  • 3aea0bd31f0d86f9c5a5035828dea6e42cb0646c204bb866c71528bd1f714e7f
  • 55e263c3206ceed9776d0d0b6015cc5e7c444bed6c68a66766d34998fb744ff1
  • 5b6e1419168ecd9ead5800273b1c63fa6420455b1ac2c85be430d5e976f4a104
  • 69528927f100ff5c7b92e6898f33e94768953fceed5ffb71fce02dc6acb9ca56
  • 6efd875b023b1289020e7d2acd02526d61592f4dd5e1b35e2ca04eeae162507b
  • 78af109d92ce244c02b1530f7ae65f2c9958e34e239788caf3ee94115ad36d47
  • 8240517c639812a704d439035b22fe685b3b905bb376776c4adcc264862675e7
  • 8e170f44cd0e49ad850ffbd244ad755d1b0b7b91051308ed18c049a5e6068acc
  • 8f6c73d10c4c5f1ee2758f80bbee0e2700978b34ec74b83296ec9e3a403e81db
  • 94aad46d563c9f5a46bc1e1316d638f7e96ab4ac07b7925510644768504c9d1d
  • 9d818507ca3222b5f1f471ae1c4338de9227e95b12ac838eed1d68550019aa22
  • c1b87392cafff0a07c0dedfa59da2936a371bf2e40855c9b1a1d6bf66903ef12
  • c56b47185d4176e620a12ba8f752a67d4e264919127970f0f8bb567f5f778511
  • d9cc0b9443f5ec4f84070165ddd08d3def72662df47b52795b793725547816b3
  • dafa195b9f7cf1b3d249ccc6e40bbc181aa54878faf3411b78ccea85e4e4f255
  • e77216030291a46d69d4bdf5725dc052d16e6ed7d6485b85cfcc8c4b88bc4313

Coverage

Screenshots of Detection
AMP
ThreatGrid
Malware

Xls.Downloader.Jums-6779285-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • Global\552FFA80-3393-423d-8671-7BA046BB5906
  • Local\ZonesCacheCounterMutex
  • KYIMEShareCachedData.MutexObject.Administrator
  • KYTransactionServer.MutexObject.Administrator
IP Addresses contacted by malware. Does not indicate maliciousness
  • 192[.]185[.]16[.]22
  • 192[.]254[.]237[.]11
Domain Names contacted by malware. Does not indicate maliciousness
  • www[.]aaaplating[.]com
  • weighcase[.]co[.]uk
Files and or directories created
  • %LocalAppData%\Temp\VBE\MSForms.exd
  • %AppData%\Microsoft\Excel\XLSTART
  • %UserProfile%\Documents\20181119
  • %TEMP%\tmp907.bat
  • %LocalAppData%\Temp\tmp016.exe
  • %LocalAppData%\Temp\CVR4F0E.tmp
  • %LocalAppData%\Temp\twaibr0n.00s.ps1
File Hashes
  • 199f1eec8413168be6418ace60cfe760d858350ebef3605aa91d47338b881e0c
  • 1f444338e19212dfe5f597ceb3b55f06a8b927a342ce50d0c5ae4452d4999e80
  • 49fbb593eb1418ecbbefd3ac0529ccf1ed2ef64e20927a5e0379f99ec9fd0c9b
  • 5ac6fb69b5c55ec6419b89e22ce7fd873d11d263ae2eda9ff85e8eda10b20444
  • 644f8f3822eb0c5435ffbec711a0b2821e1fa050ca10c837a62c02a9df814d9d
  • 77f27841d4263d1ed6ba59267d78a454c9a2a3383ee3f1a2a5ddbed4e835dd06
  • 83cf5c7623bc92966e02b594bb41ab3896b1ffaae748d7cc9b4331f3f435f171
  • 9a422430a9443b77b5959847657ec411736e180b30563b5066d1ea0c7b22633e
  • 9bfd539bb55f7a7a5a8df5a0e3ecd87157ecd87675915ac01ca6ce62a3402872
  • 9dbd2fc30b9c22fb03df72eb46ea83af41449bb6054cdf8cd83e5520de633641
  • a46e400bbf7b921a5b2e131ac3c8bf10506569466ad3fff99381c411e585192d
  • a6043595251b41b336ca8bc2ccc05bc2bf2781274c1893d6943141a4bd3cf637
  • a6d95c0eac0c0b584faa37c1e21ee5baad74e227685275899a9d8c5ac2806b9d
  • be6ac030af25e2044cf8889d747fa170bcbb10a325a3f05f67194379f86375ca
  • c7c3ded9554e8ca38031ab080c1ed9d775a20ac928eaded8d24fb325d7c6be1f
  • cba2b5d0949ff517c40f74cf166b7c363dbf54bda30d4e8432f31da674a78b9c
  • e4fcc415e1f7cec20991a6e5612c7706c1187e23ecea5115fbeea824c9b06c14
  • efd04977ffd67e71dc9730268a7cee0b85ca128c0e0e3962b073494e5e9f2081
  • f495fc57c7bd8311cee17ea6dc15c953d21c5fd97147e632a509b07217855501

Coverage

Screenshots of Detection
AMP
ThreatGrid
Umbrella
Malware

Win.Virus.Sality-6780277-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • uxJLpe1m
  • wininit.exeM_320_
  • winlogon.exeM_356_
  • wudfhost.exeM_1644_
  • \BaseNamedObjects\uxJLpe1m
  • \BaseNamedObjects\csrss.exeM_528_
  • \BaseNamedObjects\services.exeM_664_
  • \BaseNamedObjects\lsass.exeM_676_
  • \BaseNamedObjects\svchost.exeM_1008_
  • \BaseNamedObjects\smss.exeM_364_
  • \BaseNamedObjects\spoolsv.exeM_1560_
  • \BaseNamedObjects\winlogon.exeM_552_
  • \BaseNamedObjects\ctfmon.exeM_204_
  • \BaseNamedObjects\svchost.exeM_912_
  • \BaseNamedObjects\userinit.exeM_1372_
  • \BaseNamedObjects\svchost.exeM_832_
  • \BaseNamedObjects\jqs.exeM_1736_
  • \BaseNamedObjects\rundll32.exeM_948_
  • \BaseNamedObjects\explorer.exeM_1456_
  • \BaseNamedObjects\svchost.exeM_1116_
  • \BaseNamedObjects\wmiprvse.exeM_440_
  • wmiprvse.exeM_776_
  • \BaseNamedObjects\wmiadap.exeM_3280_
  • \BaseNamedObjects\356677150.exeM_1408_
  • \BaseNamedObjects\wmiprvse.exeM_1688_
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • \??\E:\autorun.inf
  • %System32%\drivers\lhlnn.sys
  • %SystemDrive%\Documents and Settings\Administrator\Cookies\administrator@cargocrystal[1].txt
  • %SystemDrive%\Documents and Settings\Administrator\Cookies\administrator@cargocrystal[2].txt
  • %SystemDrive%\Documents and Settings\Administrator\Cookies\administrator@samayer[1].txt
  • %LocalAppData%\Temp\wingqijig.exe
  • %SystemDrive%\okieu.exe
  • \??\E:\mshy.pif
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\augx.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bvwf.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ceohbt.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\cevjx.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dkgn.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\easrrv.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\gekhk.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\glya.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hpqd.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ixway.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\jbccl.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\jhrim.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\jvuj.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kdpw.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kwih.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\lmbonl.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\lpig.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ltyyd.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mqsr.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mskjgp.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mslmw.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ndcdl.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\niut.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nixbf.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nygs.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\olsit.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ospd.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pffcy.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rfioy.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rxoqk.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tguha.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tvuin.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uspe.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vkecy.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vtba.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vxqq.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vylwe.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\whtfo.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winadpngm.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winasew.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winauunwn.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winbkjyy.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winbpcf.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winbusg.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\windlwd.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\windpbi.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wineeyux.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winesrg.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winfjvcgs.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winfpmye.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winiuak.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winjenpka.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winjkyn.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winkqxb.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winkrepqp.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winktee.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlbehwb.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlihxj.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlsbpg.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlxanm.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winlywa.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winmtfju.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winneng.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winnjxa.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winnurxrn.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winodpm.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winohuuif.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winolmyt.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winonwqwp.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winpcpvjx.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winpdae.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winpdgmo.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winpgqpu.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winpmlm.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winpnsv.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winpuybd.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wintqckmy.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winudusnh.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winuixn.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winvcwb.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winvxxb.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winwbnx.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winwbppmo.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winydntxg.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winyksvqi.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winyqksg.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\xfkklk.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\xgvmsf.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\xmjmf.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\xwota.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\yxjkrt.exe
  • %SystemDrive%\eetdut.exe
File Hashes
  • 02e3ca0b78494efa9c54f41856fbf50478673329ea238c7786bdeb30542e5ed5
  • 034336a710468f49c1eed9d375a85d4d7f48ecc271dde830f60b428d52a94c2b
  • 0a9a606be52079bc06d34ee969313e58809c8bf4978e31101ce329b7651f564e
  • 2055ba5f6fa09c201359729adc6c0e20ad97346d698b5801b601d29a85e78c52
  • 34b3a1c08a185f7755b8fe3f741e13a6452b46766b2b564cd329c45bd45e1c76
  • 38764b867874a08bd44e8a4b78b670e7445f93af546fba0443c99f56d469a951
  • 3bd14203a0587eea25421d679fc5d7c598464e5fde6f39cf7e6a506fa86aaf5c
  • 40d8f51d911e4f4d3fa29fcd39adc9e826557727dc1ec411404d6bd09c7f8c35
  • 518b8b1dea7caf5f1c2d9b6f6ef32ba70effc2f74ebd7a902434fc66e179700e
  • 609dcb6f088836745f24a24d71b49e092196b08a9924f42e8b63b92f4c0ebe24
  • 6f8fec09c16a0f5bb60e3ec4cd1a41cb34a2eaa59d0351f5f875a83dd7ec8411
  • 76cb38ecf5c3b925e946b6da3cc78e25e0df6db48c66073a6dc33bb8bc03cb5c
  • 78784ee614b06d505879ec8454a80843416aa89869ecfb7eb059aadb14027178
  • 7d5787833d365d5a2d84c0e6135106bd6d5a49de4da86857995cf0222491c028
  • 8089f6db67efb482755dfc06ee4efe7271e685136e46a231b06bff87aca4393b
  • 9af10868ac775ec789e3b9e7475015c3ba66f9ed35aabcfe8ea323b9b1a8d7a5
  • 9fadad87f4763f5a062c0c12677b3b549f9df261484ad89cf58bb60809751e9c
  • a543f5d10445af1ce7710cc596b2b6ab0532cef51e9041b8f8c58bd36b218dd9
  • ac9ee5d47307f578e1a19a96dfb509a5063045a339ffcf1dc79f6a559f6385c3
  • c3a88516553f23807115597f99f0b8f9e8a62c68bf7ee321bf1ff6c599c3c8f1
  • c96d2cd51eff903958ccc279fa48e392e858403aead3add4b00e6e9b031d5754
  • d2da9a2988364a576679489265765e8bd5419ea66e8aea48e666a5300f2c5e6f
  • e080790b62f025fedc93b161dc061421ae47cf4785ecb1744d6da1be44f8667a
  • e1a951d34a0c35cc5a011242189ed82707d3fc40289b37470169703f269d88f4
  • e1d9701b9af405e448e57714ee762722c3ddc6306d271038c350b0cfc138cebc

Coverage

Screenshots of Detection
AMP
ThreatGrid
Umbrella
Malware

Doc.Malware.Powload-6775735-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • Global\552FFA80-3393-423d-8671-7BA046BB5906
  • Local\ZonesCacheCounterMutex
  • Local\ZonesLockedCacheCounterMutex
  • RasPbFile
  • Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2580483871-590521980-3826313501-500
  • Global\MTX_MSO_AdHoc1_S-1-5-21-2580483871-590521980-3826313501-500
  • Global\MTX_MSO_Formal1_S-1-5-21-2580483871-590521980-3826313501-500
  • Local\10MU_ACB10_S-1-5-5-0-57527
  • Local\10MU_ACBPIDS_S-1-5-5-0-57527
  • Local\WinSpl64To32Mutex_e162_0_3000
  • \BaseNamedObjects\Global\.net clr networking
IP Addresses contacted by malware. Does not indicate maliciousness
  • 199[.]188[.]200[.]110
  • 185[.]72[.]59[.]32
  • 185[.]87[.]51[.]118
  • 185[.]2[.]4[.]116
  • 177[.]185[.]194[.]161
Domain Names contacted by malware. Does not indicate maliciousness
  • www[.]w3[.]org
  • tecleweb[.]com[.]br
  • chiporestaurante[.]com
  • www[.]onecubeideas[.]com
  • onecubeideas[.]com
  • dc[.]amegt[.]com
  • fortools[.]ru
Files and or directories created
  • %WinDir%\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
  • %WinDir%\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{257D7FC1-A1F1-4741-80E5-4CCDA3324B78}.tmp
  • %AppData%\Microsoft\Templates\~$Normal.dotm
  • %AppData%\Microsoft\Word\STARTUP
  • %AppData%\Microsoft\Office\Recent\index.dat
  • \EVENTLOG
  • \ROUTER
  • %UserProfile%\Documents\20181207
  • %LocalAppData%\Temp\705.exe
  • %LocalAppData%\Temp\CVR8C5B.tmp
  • %AppData%\Microsoft\Office\Recent\355848530.doc.LNK
  • %SystemDrive%\~$5848530.doc
  • %LocalAppData%\Temp\fjzx2n2i.cc2.ps1
  • %LocalAppData%\Temp\qfrje44a.wpp.psm1
  • %LocalAppData%\Temp\~DF25D3033E1B874DBC.TMP
  • %AppData%\Microsoft\Office\Recent\37c08bc14f578f0b19f992648c113e46dc49e0ad1ddc9cd2e63dfb9242fe151c.LNK
File Hashes
  • 02c58585c45ba7f87a94eb10fda2ad3d1216dae821536c77bd1f53b5b48730cf
  • 0aac7ab733c51437873bf791b28557b12e027bf9bf1b3eafcde05388010af655
  • 0cc53d287e5df9017989526addc988b49fcd76894032458720acad7c265df9de
  • 14ab7c3501e5ea1482687558d1544698b85cd9b24b3580245a85ce0b781c03e7
  • 1af67c800700954695d42c3e124753750016b7c598c6fa2f9bcd9f85723dd1c6
  • 1bfc31debc05dc83864b01ddf300552ec6496cc0d1c25b5846fcd2a4c5da93df
  • 1e0c90f629beae558c6af53c3def9cda4bc77d06cd42131b8f969ff0da9afe25
  • 1ff1729697c956aa4270731f63686d2f6aa1e86a47d219f32058fa67be31817f
  • 21982965fc5661c509d1833f8fe9caf02d7649619b7b542d7a735abd7936a9cd
  • 21e781747a69ebeda636616b47fdd4ff871b9c672aad10f3cf95cbd55eb8b169
  • 239fea895e2a4a3bd3c3339ce48b2f330bd611d8120e0937aca1c8581e977849
  • 2759147c5b948b705943cc4dfe7932aaeb14bda833ed00a850d1ee5543bac6c3
  • 2b3064f31f52b8d33a9a7f73c1624252f4a2b615df0c99b4c70b4c617eed87fa
  • 2c97f2997575df803d28dd38636856fd0efb9fa7efaea22c526b8dc71daa9aee
  • 370c83daaa8ad3c9e1f684ac93a5c7436e86bab917f8511544792f083fd8d127
  • 37c08bc14f578f0b19f992648c113e46dc49e0ad1ddc9cd2e63dfb9242fe151c
  • 3ac2d948a193f03d6d6bbd288ab9ae2b58588567e459aecae80a66e00a291847
  • 3b958df2dedb42704c2baf7b9dff89112db8e8297a594ebe98303f9913004e9b
  • 54bf05efacb556c7ed106a9b802619b2f038d1e6b8adbcf4c8d632f8531e68be
  • 56de2fad613807e46613e7159681a962cc8c54fc6ed20c7c3e90e104cdbfeaff
  • 590cb8e2648bc9566d2709a22d33369309e32ddfcf6cf725dfce6b0efb2b51b3
  • 5a2763ea3481568a73456a2e784b6b31b32845ec08df99b3394533ecdb0f973a
  • 5f47e689fb44578d43e4c7590ce10c275f7f533c894387086bf5e0bb3a68e46d
  • 626ead7063f00752432c54dcb61975b060e306f2712fa2fb1e6f3aa4cc406e1a
  • 6714f37afcbe1d0685770f9558c40d0856e7c337f8d4c4beb7e312672adda950

Coverage

Screenshots of Detection
AMP
ThreatGrid
Umbrella
Malware

PUA.Win.Trojan.Hupigon-6776762-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • Local\MSCTF.Asm.MutexDefault1
  • \BaseNamedObjects\ISPWizard Mutex
  • ISPWizard Mutex
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • %WinDir%\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
  • %WinDir%\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpsetup.exe
  • %System32%\rnaph.dll
  • %LocalAppData%\Temp\tmpsetup.exe
File Hashes
  • 0d72d9ee3de3e8ac191444390ba097b471e72fe6ff951b8d77f2107486f1310d
  • 174751136660fe996a57657e8ec2205ad9a5e9efe8eaa5078b714f5fb51cf9a2
  • 1edcf0b7e78dd603aaf2900a06bb8f52c38e5648df696caf14f6c39d2d23c4e9
  • 4d2719868251d27b80b746161fcb2eb78e5ce1927b10c4da5f782ccc51b619e5
  • 835a2e9ef6349c641ac1e786aae48338c88e76315a2ce4fd4c43903304984093
  • a1a60ca213175febdcc3ff1bc578053c563a6d33c40312f46f3118464e2c9b34
  • c6f5fcd39af9fe1a342d5b55b09c74c5cc29c666becdc583098e0a09883491c5
  • d84e292c72cd96b1d4755881bb7c05bc7f013910f5671c606fe66a1c56a85411
  • e1d008fcb364fa01413eb0710ec049f74e791b17ae25d8f27fe857a7ff9aa8f9
  • f094e7eea20b73e4513ed141d82eeb96c8f4ba44373483154719ef9bdef07de4

Coverage

Screenshots of Detection
AMP
ThreatGrid
Malware

Article Link: http://feedproxy.google.com/~r/feedburner/Talos/~3/A4O1YSiP_AY/threat-roundup-1207-1214.html