#PowerShell v4
PoshC2 is a proxy-aware C2 framework used to aid penetration testers with red teaming, post-exploitation and lateral movement. PoshC2 is primarily written in Python3 and follows a modular format to enable users to add their own modules and tools, allowing an extensible and flexible C2 framework. Out of the box, PoshC2 comes with PowerShell/C# and Python2/Python3 implants, with payloads written in PowerShell v2 and v4, C++ and C# source code, a variety of executables, DLLs and raw shellcode, in addition to a Python2/Python3 payload. These enable C2 functionality on a wide range of devices and operating systems, including Windows, *nix and OSX. https://github.com/nettitude/PoshC2 Documentation: https://poshc2.readthedocs.io/en/latest/ @HackGit

Check the dot net version with Regedit/Powershell command
Check the .NET version with Regedit / PowerShell command. To check the .NET version with Regedit, open Regedit on the Windows Server and go to the location HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP. Expand v4 –> Full –> open 1033; in the right-hand window you will see the Release number. Then match the Release number against the following table: releaseKey >= 528040 for version "4.8 or…
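As an added example, not part of the original post, the same registry check scripted in PowerShell: it reads the Release DWORD the post has you open in Regedit, maps it to a version using Microsoft's documented thresholds (the post's 528040 -> 4.8 row among them), and flags hosts that fall below a required minimum. The function names, the 4.8 baseline and the server name placeholders are assumptions; remote hosts need WinRM enabled.

```powershell
# Added example (not from the original post): map the .NET Framework 4.x
# "Release" DWORD to a version string and check it against a required minimum.
# Thresholds are Microsoft's documented values: a Release value greater than or
# equal to a threshold means at least that version is installed.
$script:NetReleaseTable = @(
    @{ Min = 533320; Version = '4.8.1' },
    @{ Min = 528040; Version = '4.8'   },
    @{ Min = 461808; Version = '4.7.2' },
    @{ Min = 461308; Version = '4.7.1' },
    @{ Min = 460798; Version = '4.7'   },
    @{ Min = 394802; Version = '4.6.2' },
    @{ Min = 394254; Version = '4.6.1' },
    @{ Min = 393295; Version = '4.6'   },
    @{ Min = 379893; Version = '4.5.2' },
    @{ Min = 378675; Version = '4.5.1' },
    @{ Min = 378389; Version = '4.5'   }
)

function ConvertFrom-NetReleaseKey {
    # The table is sorted descending, so the first threshold reached wins.
    param([Parameter(Mandatory)][int]$Release)
    foreach ($row in $script:NetReleaseTable) {
        if ($Release -ge $row.Min) { return $row.Version }
    }
    return 'older than 4.5'
}

function Test-NetReleaseBaseline {
    # $true when Release is at least the threshold for $MinimumVersion.
    # A missing Release ($null, i.e. no .NET 4.5+) never meets the baseline.
    param($Release, [string]$MinimumVersion = '4.8')
    $row = $script:NetReleaseTable | Where-Object { $_.Version -eq $MinimumVersion }
    if (-not $row) { throw "Unknown .NET Framework version '$MinimumVersion'" }
    return ($null -ne $Release) -and ([int]$Release -ge $row.Min)
}

function Get-NetFrameworkVersionReport {
    # Reads HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Release
    # locally or, via PowerShell remoting (WinRM), on each named host.
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [string]$MinimumVersion = '4.8'    # assumed baseline for this example
    )
    $reader = {
        $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
        (Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue).Release
    }
    foreach ($name in $ComputerName) {
        try {
            if ($name -eq $env:COMPUTERNAME) { $release = & $reader }
            else { $release = Invoke-Command -ComputerName $name -ScriptBlock $reader -ErrorAction Stop }
            $version = if ($null -eq $release) { 'not installed' } else { ConvertFrom-NetReleaseKey -Release $release }
            $meets   = Test-NetReleaseBaseline -Release $release -MinimumVersion $MinimumVersion
        } catch {
            # Unreachable host or remoting failure: report it rather than skipping it.
            $release = $null; $version = "unreachable: $($_.Exception.Message)"; $meets = $false
        }
        [pscustomobject]@{
            ComputerName  = $name
            Release       = $release
            Version       = $version
            MeetsBaseline = $meets
        }
    }
}

# Local check; pass -ComputerName 'server01','server02' (placeholder names) to fan out over WinRM.
Get-NetFrameworkVersionReport -MinimumVersion '4.8' | Format-Table -AutoSize
```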
6 Best New Features in Windows Server 2016
Computing
Nano Server
With a much smaller footprint than the Windows Server graphical user interface, Nano Server can be managed remotely and easily ported across servers and data centers.
It has tighter security, better resource use, and is made to need fewer updates and have faster reboots.
Nano Server is also optimized for the cloud and designed to run born-in-the-cloud apps and containers.
Containers
Containers allow users to isolate apps in a way that’s easy to administer, giving software developers making applications better virtualization capabilities.
By providing an isolated operating environment, containers allow applications to run without affecting, or being affected by, other systems. They also give improved speed, simpler software development and IT operations (DevOps), and better flexibility for developing apps.
Windows Server 2016 offers two types of Containers for server instances:
Windows Server Containers: share a kernel with the container host and all other containers running on the host, and are made for low-trust workloads.
Hyper-V Containers: run each container in a highly optimized virtual machine, giving a much more strongly isolated containerized server instance; the container host kernel is not shared with Hyper-V containers, which are designed for high-trust workloads.
Shielded Virtual Machines (VMs)
Shielded VMs give virtual machines a more secure environment, with security capabilities similar to those of physical machines. This helps protect data from being stolen or tampered with by malware or by administrators on a Hyper-V host.
The Host Guardian Service, used to configure guarded hosts and run shielded VMs, gives users better control over Hyper-V VM access. Key Protection means a Hyper-V host can’t decrypt or power a Shielded VM without the Host Guardian Service affirming it. Attestation services, in turn, validate Hyper-V hosts’ identity and configuration.
Active Directory Environments
ADFS v4
The new version of Active Directory Federation Services supports “hybrid conditional access” with OpenID Connect-based and multi-factor authentication.
ADFS improves sign-in experiences, gives secure access to applications using the latest protocols, allows control policies to be more easily configured and can detect if a device is not compliant with security policies.
Administration
PowerShell 5.1
New PowerShell features include improved security and usability, giving users more control over managing their Windows-based environments. PowerShell can be run locally on Nano Server, and remoting commands have VM parameters that can be sent directly into a Hyper-V host's VMs.
Storage
Storage Spaces Direct
Storage Spaces Direct gives administrators more flexible disk storage options by using servers with local storage, and allows the use of new disk devices that previously couldn't be used with clustered Storage Spaces on shared disks.
These are just some of the key new features in Windows Server 2016. The tables below give you a fuller list of the different services and features available in Windows Server 2016’s three different editions:
Techshort: IP Addresses with PowerShell
Quick PowerShell Tip!
To list all of the IP addresses, both IPv4 and IPv6, on your local system along with the associated interface name, issue the following command:
Get-NetIPAddress | Select IPAddress, InterfaceAlias | Out-GridView
What you get from the above command is a grid view output which can be copied and pasted into a document.
27 May 2020
International
ComRAT malware uses Gmail to receive commands and exfiltrate data

Cybersecurity researchers today uncovered a new advanced version of the ComRAT backdoor, one of the oldest known backdoors used by the Turla APT group, which leverages Gmail's web interface to covertly receive commands and exfiltrate sensitive data. Turla, also known as Snake, has been active for more than a decade, with a long history of watering-hole and phishing campaigns against embassies and military organizations since at least 2004. In recent years, Turla is said to have been behind the 2018 compromise of the French Armed Forces and of the Austrian Foreign Ministry earlier this year.
Newer versions of the ComRAT backdoor have abandoned the Agent.BTZ USB-drive infection mechanism in favor of injecting themselves into every process on the infected machine and running their main payload in "explorer.exe".
ComRAT v4 (or "Chinch", as the malware authors call it), as the new successor is known, uses a completely new code base and is far more complex than its earlier variants, according to ESET. The firm said the first known sample of the malware was detected in April 2017.
ComRAT is typically installed via PowerStallion, a lightweight PowerShell backdoor used by Turla to install other backdoors. In addition, the PowerShell loader injects a module called the ComRAT orchestrator into the web browser, which uses two different channels, a legacy mode and an email mode, to receive commands from a C2 server and exfiltrate information to the operators. "ComRAT's main use is to discover, steal and exfiltrate confidential documents," the researchers said. "In one case, its operators even deployed a .NET executable to interact with the victim's central MS SQL Server database containing the organization's documents."
Source
Original Post from Talos Security Author:
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between April 26 and May 03. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net. For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.
The most prevalent threats highlighted in this roundup are:
Win.Malware.Shadowbrokers-6958490-0 Malware Uiwix uses ETERNALBLUE and DOUBLEPULSAR to install ransomware on the infected system. Encrypted file names include “UIWIX” as part of the file extension. Unlike the well-known WannaCry ransomware, Uiwix doesn’t “worm itself.” It only installs itself on the system.
Win.Malware.Fareit-6958493-0 Malware The Fareit trojan is primarily an information stealer that downloads and installs other malware.
Win.Malware.Ursnif-6957672-0 Malware Ursnif is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits.
Win.Ransomware.Cerber-6957317-0 Ransomware Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension “.cerber.”
Win.Dropper.Nymaim-6956636-0 Dropper Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control (C2) domains to connect to additional payloads.
Win.Dropper.Qakbot-6956539-0 Dropper Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.
Win.Malware.Tovkater-6956309-0 Malware This malware is able to download and upload files, inject malicious code and install additional malware.
Doc.Downloader.Powload-6956274-0 Downloader Powload is a malicious document that uses PowerShell to download malware. This campaign is currently distributing Emotet malware.
Win.Dropper.Kovter-6956146-0 Dropper Kovter is known for its fileless persistence mechanism. This family of malware creates several malicious registry entries which store its malicious code. Kovter is capable of reinfecting a system even if the file system has been cleaned of the infection. Kovter has been used in the past to spread ransomware and click-fraud malware.
Win.Trojan.Razy-6956092-0 Trojan Razy is oftentimes a generic detection name for a Windows trojan. This cluster of samples contains encrypted code in the resources section that could be injected into a legitimate process.
Threats
Win.Malware.Shadowbrokers-6958490-0
Indicators of Compromise
Registry Keys (see JSON for more IOCs)
Mutexes Occurrences Global2f6e8021-6b52-11e9-a007-00501e3ae7b5 1 Global2f7cc861-6b52-11e9-a007-00501e3ae7b5 1
IP Addresses contacted by malware. Does not indicate maliciousness (see JSON for more IOCs)
Domain Names contacted by malware. Does not indicate maliciousness (see JSON for more IOCs)
Files and or directories created (see JSON for more IOCs)
File Hashes
Screenshots of Detection: AMP, ThreatGrid, Umbrella
Win.Malware.Fareit-6958493-0
Indicators of Compromise
Registry Keys (see JSON for more IOCs)
Mutexes (see JSON for more IOCs)
IP Addresses contacted by malware. Does not indicate maliciousness (see JSON for more IOCs)
Domain Names contacted by malware. Does not indicate maliciousness Occurrences snooper112[.]ddns[.]net 1 harryng[.]ddns[.]net 1 popen[.]ru 1 hfgdhgjkgf[.]ru 1 rtyrtygjgf[.]ru 1 icabodgroup[.]hopto[.]org 1
Files and or directories created (see JSON for more IOCs)
File Hashes (see JSON for more IOCs)
Coverage
Screenshots of Detection: AMP, ThreatGrid, Umbrella
Win.Malware.Ursnif-6957672-0
Indicators of Compromise
Registry Keys (see JSON for more IOCs)
Mutexes (see JSON for more IOCs)
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 204[.]79[.]197[.]200 19 185[.]193[.]141[.]60 19 208[.]67[.]222[.]222 18 194[.]147[.]35[.]95 18 13[.]107[.]21[.]200 13
Domain Names contacted by malware. Does not indicate maliciousness Occurrences vmelynaa[.]club 19 resolver1[.]opendns[.]com 18 222[.]222[.]67[.]208[.]in-addr[.]arpa 18 myip[.]opendns[.]com 18 ciemona[.]top 18 zwbaoeladiou[.]xyz 16 fqwalfredoesheridan[.]info 16
Files and or directories created (see JSON for more IOCs)
File Hashes
Screenshots of Detection: AMP, ThreatGrid
Win.Ransomware.Cerber-6957317-0
Indicators of Compromise
Registry Keys
Mutexes
IP Addresses contacted by malware. Does not indicate maliciousness (see JSON for more IOCs)
Domain Names contacted by malware. Does not indicate maliciousness
Files and or directories created (see JSON for more IOCs)
File Hashes
See JSON for more IOCs
Coverage
Screenshots of Detection
AMP
ThreatGrid
Umbrella
Malware
Win.Dropper.Nymaim-6956636-0
Indicators of Compromise
Registry Keys
Mutexes
IP Addresses contacted by malware. Does not indicate maliciousness: N/A
Domain Names contacted by malware. Does not indicate maliciousness
Files and or directories created (see JSON for more IOCs)
File Hashes
Coverage
Screenshots of Detection
AMP
ThreatGrid
Umbrella
Win.Dropper.Qakbot-6956539-0
Indicators of Compromise
Registry Keys. Note that other Registry Keys are leveraged that may contain unicode characters. See JSON for more IOCs
Mutexes (see JSON for more IOCs)
IP Addresses contacted by malware. Does not indicate maliciousness (see JSON for more IOCs)
Domain Names contacted by malware. Does not indicate maliciousness (see JSON for more IOCs)
Files and or directories created (see JSON for more IOCs)
File Hashes
See JSON for more IOCs
Coverage
Screenshots of Detection
AMP
ThreatGrid
Umbrella
Win.Malware.Tovkater-6956309-0
Indicators of Compromise
Registry Keys
Mutexes: N/A
IP Addresses contacted by malware. Does not indicate maliciousness: N/A
Domain Names contacted by malware. Does not indicate maliciousness
Files and or directories created (see JSON for more IOCs)
File Hashes
See JSON for more IOCs
Coverage
Screenshots of Detection
AMP
ThreatGrid
Umbrella
Doc.Downloader.Powload-6956274-0
Indicators of Compromise
Registry Keys
Mutexes
IP Addresses contacted by malware. Does not indicate maliciousness (see JSON for more IOCs)
Domain Names contacted by malware. Does not indicate maliciousness (see JSON for more IOCs)
Files and or directories created
File Hashes
See JSON for more IOCs
Coverage
Screenshots of Detection
AMP
ThreatGrid
Umbrella
Malware
Win.Dropper.Kovter-6956146-0
Indicators of Compromise
Registry Keys
Mutexes
IP Addresses contacted by malware. Does not indicate maliciousness (see JSON for more IOCs)
Domain Names contacted by malware. Does not indicate maliciousness
Files and or directories created (see JSON for more IOCs)
File Hashes
See JSON for more IOCs
Coverage
Screenshots of Detection
AMP
ThreatGrid
Win.Trojan.Razy-6956092-0
Indicators of Compromise
Registry Keys
Mutexes (see JSON for more IOCs)
IP Addresses contacted by malware. Does not indicate maliciousness: N/A
Domain Names contacted by malware. Does not indicate maliciousness: N/A
Files and or directories created (see JSON for more IOCs)
File Hashes
See JSON for more IOCs
Coverage
Screenshots of Detection
AMP
ThreatGrid
Exprev
Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.
Kovter injection detected (4469) A process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud Trojan that can also act as an information stealer. Kovter is also fileless malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the use of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Madshi injection detected (3542) Madshi is a code injection framework that uses process injection to start a new thread if other methods to start a thread within a process fail. This framework is used by a number of security solutions. It is also possible for malware to use this technique.
PowerShell file-less infection detected (2488) A PowerShell command was stored in an environment variable and run. The environment variable is commonly set by a previously run script and is used as a means of evasion. This behavior is a known tactic of the Kovter and Poweliks malware families.
Process hollowing detected (541) Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Gamarue malware detected (240) Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
Dealply adware detected (221) DealPly is adware that claims to improve your online shopping experience. It is often bundled into otherwise legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements into webpages. Adware has also been known to download and install malware.
Suspicious PowerShell execution detected (156) A PowerShell command has attempted to bypass the execution policy to run unsigned or untrusted script content. PowerShell is an extensible Windows scripting language present by default on all supported versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
Installcore adware detected (65) InstallCore is an installer that bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that displays advertising in the form of pop-ups, or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
Atom Bombing code injection technique detected (65) A process created a suspicious atom, which is indicative of a known process injection technique called Atom Bombing. Atoms are Windows identifiers that associate a string with a 16-bit integer. Atoms placed in the global atom table are accessible across processes. Malware abuses this by storing shellcode as a global atom and then queuing an Asynchronous Procedure Call (APC) in a target process; the APC routine retrieves the atom, which loads and runs the shellcode. The malware family Dridex is known to use Atom Bombing, but other threats may leverage it as well.
Excessively long PowerShell command detected (57) A PowerShell command with a very long command line argument, which may indicate an obfuscated script, has been detected. PowerShell is an extensible Windows scripting language present by default on all supported versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
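The three PowerShell detections above (execution-policy bypass, a payload read from an environment variable, an excessively long or encoded command line) can be matched on your own process-creation telemetry. The following is an added example, not part of the Talos roundup: a function that scores a command line for those behaviours. The input is a constructed list of command lines; in production you would feed it the CommandLine field of Sysmon Event ID 1 or Security Event ID 4688. The length threshold is an assumption to be tuned against your environment's baseline.

```powershell
# Added example (not from the Talos roundup): score PowerShell command lines for
# execution-policy bypass, encoded commands, an environment-variable payload fed to
# Invoke-Expression (the Kovter/Poweliks pattern) and excessive length.
function Test-SuspiciousPowerShellCommandLine {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string] $CommandLine,
        # Assumed threshold; tune it to the longest legitimate command lines you see
        [int] $MaxLength = 1000
    )
    process {
        $reasons = @()

        # -ExecutionPolicy Bypass / -ep bypass / -exec unrestricted ...
        if ($CommandLine -match '(?i)-(ep|ex|exec|executionpolicy)\s+(bypass|unrestricted)') {
            $reasons += 'ExecutionPolicyBypass'
        }
        # -EncodedCommand / -enc / -e followed by a long base64 blob
        if ($CommandLine -match '(?i)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{40,}') {
            $reasons += 'EncodedCommand'
        }
        # $env:NAME, Get-ChildItem env:, or [Environment]::GetEnvironmentVariable() combined with iex
        $readsEnv = $CommandLine -match '(?i)(\$env:\w+|(gci|ls|dir|Get-ChildItem|Get-Item)\s+env:|GetEnvironmentVariable)'
        $evals    = $CommandLine -match '(?i)(\biex\b|Invoke-Expression)'
        if ($readsEnv -and $evals) { $reasons += 'EnvVarPayload' }

        if ($CommandLine.Length -gt $MaxLength) { $reasons += 'ExcessiveLength' }

        # Truncate for display only; the full line is still what was scored
        $shown = if ($CommandLine.Length -gt 70) { $CommandLine.Substring(0, 67) + '...' } else { $CommandLine }
        [pscustomobject]@{
            Suspicious  = ($reasons.Count -gt 0)
            Reasons     = ($reasons -join ',')
            Length      = $CommandLine.Length
            CommandLine = $shown
        }
    }
}

# Constructed sample command lines (not captured telemetry). In single quotes, $env:tmpcode
# and $a are literal text, exactly as they would appear in a logged command line.
$samples = @(
    'powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Running"'
    'powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\Public\update.ps1'
    'powershell.exe -nop -w hidden -c "iex $env:tmpcode"'
    'powershell.exe -enc ' + ('SQBFAFgAIAA=' * 20)
    'powershell.exe -c "' + ('$a=1;' * 300) + '"'
)
$samples | Test-SuspiciousPowerShellCommandLine | Format-Table -AutoSize
```

Only the first sample comes back clean; the others are flagged as ExecutionPolicyBypass, EnvVarPayload, EncodedCommand and ExcessiveLength respectively. To run this against live data, pipe the CommandLine property of your 4688 or Sysmon events into the function instead of $samples.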
Source: Talos Security, Threat Roundup for April 26 to May 3. "Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 26 and May 03."
Reverse DSC https://t.co/AWBoZkSBkV #ifh DSC is a configuration management tool that first appeared in PowerShell v4 and was refined in Po…
Welcome to Windows Server 2016
by Curtis Brown

As we approach the end of the year, Microsoft have released the latest version of their server operating system, Windows Server 2016. It's been three years since the release of Windows Server 2012 R2. Let's take a look at some details of this new version.
Editions and Licensing
As before, we have Datacentre and Standard editions: the former is now aimed specifically at "highly virtualised datacentre and cloud environments", while the latter is intended for physical servers.
The Datacentre version’s additional features, above and beyond Standard, emphasise this cloud prioritisation:
Shielded VMs
Software defined networking
Storage Spaces Direct
Storage Replica
In addition, a Standard edition license covers you for two “Operating System Environments” (OSEs – Windows instances) or Hyper-V containers, while Datacentre is unlimited.
There are some additional variants:
Essentials replaces the old Foundation release aimed at small (25 user / 50 devices) businesses
MultiPoint Premium Server is a specific edition for Remote Desktop access and is only available to Academic licensees – The MultiPoint Premium Server role is included in Standard and Datacentre, requiring Server CALs and RDS CALs as before
Storage Server is an OEM release for Windows based storage solutions
Hyper-V 2016 – the free, Hypervisor only offering continues (remember to license your guests though…)
The big news for Datacentre and Standard is that licensing has moved from a socket-based to a core-based model (the other editions keep their existing models). All physical cores on a host must be licensed, with a minimum of 8 core licenses per physical processor and 16 core licenses per server. Core licenses are sold in 2-core packs, so the minimum purchase is 8 x 2-core packs.
Microsoft state that this will be priced equivalent to a 2-CPU Windows 2012 R2 license. Beware though: if you've bought a new 2-socket box with a pair of high core count Intel Xeons, this could look quite pricey. Take a server with two Intel Xeon E5-2699 v4 processors: that is 44 cores (22 per CPU), so straight away you're looking at 22 x 2-core packs, nearly three times the price of a Windows Server 2012 R2 2-CPU license. Draw your own conclusions.
One note: if you have an existing Software Assurance agreement, core-based licensing only kicks in when the agreement is renewed. At renewal each existing 2-processor license is converted to a minimum of 8 core licenses per processor and 16 per server.
New Toys!
So, now that the pain point of licensing is out of the way, let’s take a look at some of the new features mentioned above.
Shielded VMs
This is a security mechanism that lets administrators protect individual VMs from a compromised host or a malicious fabric administrator. It relies on a Host Guardian Service (HGS) that holds the keys an approved Hyper-V 2016 host needs in order to run shielded VMs. On start-up a guarded host proves its health and identity to HGS; in TPM-trusted mode this uses the host's Trusted Platform Module (TPM) and UEFI Secure Boot measurements. If attestation succeeds, HGS issues the host a health certificate that lets it obtain the keys for a shielded VM. The VM itself is encrypted (BitLocker inside the guest, backed by a virtual TPM) and runs under a hardened VM worker process on the host that encrypts all state-related content, checkpoints, replicas and live migration traffic. The VM also has no console access and no host-to-guest integration such as Guest File Copy, PowerShell Direct or direct administrative access to the guest OS from the host.
Software defined networking
Leveraging technology from Azure, Windows Server 2016 networking has gained the ability to deploy policies providing QoS, isolation, load balancing and DNS (amongst others).
This ability is provided through network virtualisation handled by VXLAN based micro-segmentation, much in the same way as VMware NSX.
All this is possible due to the implementation of a new installable Network Controller component. This manages firewalling (vSwitch port all the way to datacentre), Fabric management (IP subnets, VLANs, L2/L3 switching), network monitoring and topology discovery, L4 load balancing and RAS gateway management.
Software Defined Storage
Storage Spaces Direct leverages local storage to create a converged storage architecture, somewhat similar to VMware VSAN. Like VSAN, it’s primarily aimed at storage for virtualisation.
Resiliency to drive failures etc. is configurable by volume type, supporting mirroring (performance) and erasure coding (efficiency). Furthermore, hybrid volumes combine these techniques into a single volume with an added ability of automatic storage tiering.
Storage Replica
Storage Replica offers a built in synchronous replication solution for business continuity and DR.
Containers
Windows Server 2016 can now deploy applications in containers, in keeping with the current trend towards a DevOps model. Developers package an application and its dependencies and deploy them as a container. Containers come in two flavours, Windows Server containers and Hyper-V containers. A Windows Server container works broadly like a Linux container: the application shares the host kernel and is isolated through process and namespace isolation, with its own view of the file system and registry. A Hyper-V container runs inside a lightweight utility VM with its own kernel, so hardware virtualisation completely isolates it from the host kernel. Windows Server containers, being smaller and less resource intensive, scale more efficiently, while Hyper-V containers provide a stronger isolation boundary and are the choice for untrusted or multi-tenant workloads.
In addition, Windows 10 Professional and Enterprise (Anniversary Update) support Hyper-V containers, allowing developers to build containers on their workstations and deploy them to Windows Server 2016.
Nano Servers
Nano Server is a Windows Server 2016 deployment option with the smallest possible footprint. It runs headless, with no GUI and no local logon, taking Server Core to the next level; it is managed remotely through PowerShell remoting and WMI. It's designed specifically for cloud workloads and particular use cases (including containers). Being such a small install reduces the attack surface and so improves security, whilst reducing the patching and support overhead.
Nano isn't offered as an option by Setup: you build a customised image (with the NanoServerImageGenerator PowerShell module on the installation media) for a variety of reasons, not least to add device drivers, as it lacks user-mode Plug and Play.
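As an added example that is not part of the original article, this is what building such a customised image looks like with the NanoServerImageGenerator module that ships in the NanoServer folder of the 2016 installation media. The drive letters, paths, computer name and driver folder are assumptions for illustration.

```powershell
# Added example (not from the original article): build a Nano Server VHDX for a Hyper-V
# guest. The module lives in the NanoServer folder of the mounted 2016 ISO (D:\ here).
Import-Module 'D:\NanoServer\NanoServerImageGenerator\NanoServerImageGenerator.psd1'

# Prompt for the local Administrator password instead of embedding it in the script
$adminPassword = Read-Host -Prompt 'Administrator password for the Nano image' -AsSecureString

$image = @{
    Edition                    = 'Standard'                 # or 'Datacenter'
    DeploymentType             = 'Guest'                    # 'Host' for bare metal (then supply -OEMDrivers or -DriverPath)
    MediaPath                  = 'D:\'                      # root of the mounted 2016 ISO
    BasePath                   = 'C:\NanoBuild\Base'        # working copy of the WIM and packages
    TargetPath                 = 'C:\NanoBuild\nano01.vhdx' # .vhd/.vhdx for a VM, .wim for physical deployment
    ComputerName               = 'nano01'
    AdministratorPassword      = $adminPassword
    Containers                 = $true                      # add the container host package
    DriverPath                 = 'C:\NanoBuild\Drivers'     # inject drivers now: Nano has no user-mode Plug and Play
    EnableRemoteManagementPort = $true                      # open WinRM so the box can be managed remotely
}
New-NanoServerImage @image

# Nano has no local logon, so day-to-day management happens over PowerShell remoting
# from a workgroup or non-domain-joined client (trusting the host name is required then).
Set-Item WSMan:\localhost\Client\TrustedHosts -Value 'nano01' -Concatenate -Force
Enter-PSSession -ComputerName nano01 -Credential 'nano01\Administrator'
```

Splatting the parameters through a hashtable keeps the build reproducible and lets you version the hashtable alongside the driver folder; the same hashtable with DeploymentType set to 'Host' and a .wim TargetPath produces a bootable physical image.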
Closing Thoughts…
We’ve only scratched the surface of the new features of Windows Server 2016. Many of these are quite attractive, even when expanding beyond the Microsoft world. I can see Nano in particular being an interesting option in a VMware vSphere platform for application delivery, perhaps as a part of a vRealize Automation solution. Of course, time will tell how successful these new features are – network virtualisation for example will need to compete with the traditional networking player offerings by Cisco etc. as well as software solutions such as VMware NSX.
Of course, licensing is a question mark of its own which will have implications for most customers, including those running VMware vSphere. I’m looking forward to seeing how Windows Server 2016 is accepted into the marketplace and how it develops.
About the Author
Curtis Brown joined the Xtravirt consulting team in October 2012. His specialist areas include End User Compute solutions and Virtual Infrastructure design and implementation with particular strength in VDI, storage integration, backup and Disaster Recovery design/implementation. He is a VMware vExpert 2016
PowerShell: Check for user accounts running Services or Scheduled Tasks Posted To Matt Blogs IT
New Post has been published on http://mattblogsit.com/windows/powershell-check-for-user-accounts-running-services-or-scheduled-tasks
Recently I worked with a client to validate that disabling a user account would not break any of their currently running applications. You can be bitten by an accidental misconfiguration where an end user's account is running a Windows Service, or, at a lower level, something inside a specific application such as a SQL Server job. Luckily, with the power of PowerShell we can conquer the Windows Services! It is also possible to write a SQL query, or a PowerShell script that queries SQL, but we will not be covering that in this article.
Checking Windows Services:
The biggest concern I had was Windows Services: it is easy enough for a junior admin to install SQL Server and specify their own account as the service account. THIS IS BAD! However, with some simple PowerShell we can perform a visual inspection, or with some minor adjustments look for services running as a specific user.
Get-CimInstance -ComputerName (Get-ADComputer -Filter 'OperatingSystem -like "Windows Server*"' | Select-Object -ExpandProperty Name) -Query "SELECT Name, StartName FROM Win32_Service WHERE StartName <> 'LocalSystem'" | Where-Object { $_.StartName -notlike 'NT AUTHORITY*' -and $_.StartName -notlike 'NT SERVICE*' } | Select-Object Name, StartName, PSComputerName
In the above example we use a parenthetical command together with the Get-CimInstance cmdlet. Get-ADComputer runs first; it requires the ActiveDirectory module on your machine and uses the -Filter parameter to find every computer running Windows Server (any version). Those names are passed to Get-CimInstance, which runs a WQL query that drops services running as LocalSystem. WQL does support AND and NOT LIKE, so the remaining conditions could go into the query as well, but piping to Where-Object keeps the filter readable (note the script block braces, which are required for a compound condition). At the end we select the service name, the account running it, and the computer the service is on (PSComputerName).
I was able to run this against the client's environment and within a few minutes we knew that it was safe to disable the account.
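The one-liner above covers Windows Services only. The following is an added example, not the original post's code, that extends the same idea to Scheduled Tasks and looks for one specific account rather than listing everything. It assumes the ActiveDirectory module is installed locally, that WinRM/CIM is reachable on the servers, and that the servers run Windows Server 2012 or later (Get-ScheduledTask comes from the ScheduledTasks module that appeared there). The account name, server list and output shape are illustrative.

```powershell
# Added example (not the original post's one-liner): report Windows Services and Scheduled
# Tasks that run as a given user account across a set of servers.
function ConvertTo-SamName {
    # Reduce 'CONTOSO\jsmith', 'jsmith@contoso.com' and '.\jsmith' to 'jsmith' so every
    # spelling of the same account compares equal. Built-in names (LocalSystem) pass through.
    param([string] $Name)
    if ($Name -match '^[^\\]*\\(.+)$') { return $Matches[1] }   # DOMAIN\user or .\user
    if ($Name -match '^([^@]+)@')     { return $Matches[1] }   # user@domain (UPN)
    return $Name
}

function Find-AccountUsage {
    [CmdletBinding()]
    param(
        # Account to look for, in any of the forms ConvertTo-SamName understands
        [Parameter(Mandatory)] [string] $Account,
        # Servers to query; defaults to every enabled Windows Server object in AD
        [string[]] $ComputerName
    )
    if (-not $ComputerName) {
        $ComputerName = Get-ADComputer -Filter 'OperatingSystem -like "Windows Server*" -and Enabled -eq $true' |
            Select-Object -ExpandProperty Name
    }
    $wanted = ConvertTo-SamName $Account

    foreach ($computer in $ComputerName) {
        try   { $session = New-CimSession -ComputerName $computer -ErrorAction Stop }
        catch { Write-Warning "${computer}: $($_.Exception.Message)"; continue }

        # Services: StartName holds the logon account (LocalSystem, NT AUTHORITY\..., DOMAIN\user)
        Get-CimInstance -CimSession $session -ClassName Win32_Service -Filter 'StartName IS NOT NULL' |
            Where-Object { (ConvertTo-SamName $_.StartName) -eq $wanted } |
            ForEach-Object {
                [pscustomobject]@{
                    ComputerName = $computer; Type = 'Service'
                    Name = $_.Name; RunAs = $_.StartName; State = $_.State
                }
            }

        # Scheduled tasks: Principal.UserId holds the run-as identity (null for some system tasks)
        Get-ScheduledTask -CimSession $session |
            Where-Object { $_.Principal.UserId -and (ConvertTo-SamName $_.Principal.UserId) -eq $wanted } |
            ForEach-Object {
                [pscustomobject]@{
                    ComputerName = $computer; Type = 'ScheduledTask'
                    Name = "$($_.TaskPath)$($_.TaskName)"; RunAs = $_.Principal.UserId; State = [string]$_.State
                }
            }

        Remove-CimSession $session
    }
}

# Usage: everything that would break if CONTOSO\jsmith were disabled
Find-AccountUsage -Account 'CONTOSO\jsmith' | Format-Table -AutoSize
```

An empty result is the answer you want before disabling the account; any row tells you which server and which service or task to re-point at a proper service account first. Unreachable servers are reported as warnings rather than silently skipped, since a server you could not query is not a server you have cleared.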
August Meeting with Adam Driscoll + TechMentor Giveaway!
This week, Wednesday 8/7/13 from 3:30pm to 5pm Arizona time, Adam Driscoll is presenting to AZPOSH. I am so excited, because this is our first discussion on PowerShell V4 and what’s coming. Adam is a Microsoft PowerShell MVP and very active in the…
Original Post from Security Affairs Author: Pierluigi Paganini
The APT34 Glimpse project is perhaps the most complete APT34 project known so far; the researcher Marco Ramilli analysed it for us.
In it we can observe a file-based command and control structure (quite an unusual choice), a VBS launcher, a PowerShell payload and a covert channel over DNS. This last feature is the best-known characteristic attributed to APT34. But let's move on and start a quick analysis.
Context:
Since at least 2014, an Iranian threat group tracked by FireEye as APT34 has conducted reconnaissance aligned with the strategic interests of Iran. The group conducts operations primarily in the Middle East, targeting financial, government, energy, chemical, telecommunications and other industries. Repeated targeting of Middle Eastern financial, energy and government organisations leads FireEye to assess that those sectors are a primary concern of APT34. The use of infrastructure tied to Iranian operations, timing and alignment with the national interests of Iran also lead FireEye to assess that APT34 acts on behalf of the Iranian government. (Source: MISP Project).
On April 19 2019 researchers at Chronicle, a security company owned by Google's parent company Alphabet, examined the leaked tools, dumped the previous week on a Telegram channel, and confirmed that they are indeed the ones used by the OilRig attackers. OilRig has been connected to a number of intrusions at companies and government agencies across the Middle East and Asia, including technology firms, telecom companies, and even gaming companies. Whoever is leaking the toolset has also been dumping information about the victims OilRig has targeted, as well as data identifying some of the servers the group uses in its attacks.
According to Duo, quoting Robert Falcone of Palo Alto Networks' Unit 42 research team: "OilRig delivered Trojans that use DNS tunneling for command and control in attacks since at least May 2016. Since May 2016, the threat group has introduced new tools using different tunneling protocols to their tool set".
Today I’d like to focus my attention on the Glimpse project since, in my personal opinion, it could be considered as the “stereotype” of APT34 (with the data we ‘ve got so far).
The Glimpse Project
The package comes with a README file named "Read me.txt" (note the space). The name itself is unusual, and the content is a simple guide on how to set up a Node.js server and a Windows server that runs the "stand alone" .NET (>v4) application used to control infected machines. The infection starts by propagating a .VBS script called "runner_.vbs", which is a simple runner for a more sophisticated PowerShell payload. The PowerShell payload is a fairly complex script implementing several functions. The following image shows its "deobfuscated" main loop.
Glimpse Infection Payload Main Loop
The payload loops waiting for instructions; once a command arrives from the C2 it performs the requested action and answers back by requesting crafted subdomains built from the variable $aa_domain_bb. One of the most important functions the payload implements is dropping and executing additional tools: this payload is mainly a delivery module, with some additional controls, entirely based on a DNS covert channel.
The $aa_domain_bb variable holds the main domain for which the C2 acts as the authoritative name server. While no actions are pending, the infected agent periodically "pings" the C2 with basic information about the victim machine; for example the function aa_ping_response_bb composes an encoded DNS message (aa_text_response_bb) that sends its own last IP address. At this stage two communication channels can be seen. The first carries data in the generated subdomain, for example 59071Md8200089EC36AC95T.www.example.com; the second uses TXT DNS records, such as control: 95 – ackNo: 0 – aid: 59071d8289 – action: M >>> 59071Md8200089EC36AC95T. The two carry different information. One of the most important functions is aa_AdrGen_bb, the communication manager: it implements the control layer that sends and receives control information such as commands, bytes received, whether a file transfer has been closed, and so on. The decoded actions are stored in the variable aa_act_bb and are the following:
Command and Control. Env creation for new connected agents
M. If the agent is already registered with the C2 this command acts as a ping and updates basic information in the corresponding "agent" folder. If it is the first time the agent connects back, the C2 starts a registration step that builds a dedicated folder and file environment for it on the server side. See the previous image: Command and Control. Env creation for new connected agents.
W. A TXT request that lists the waiting commands (the pending "jobs"). The first command executed after registration is the one tagged 10100, whose content is "whoami&ipconfig /all".
D. The actual task to execute. It takes the tagged task as input and forwards the Base64 encoded content of the file to the requesting agent.
0. Not a TXT request. It asks the authoritative DNS (the C2) for the next file in the waiting folder. If no actions (files) are waiting, the C2 answers with an A record whose data field is the crafted IP 11.24.237.110; otherwise it answers with an A record whose data field is "24.125." + fileNameTmp.substring(0, 2) + "." + fileNameTmp.substring(2, 5) and a random TTL between 0 and 360.
1. Not a TXT request. It makes the authoritative DNS answer back with the file content. It implements a multiple-answer chain, citing RFC 4408, to send content longer than the 255 characters a single TXT string can carry.
2. Not a TXT request. It makes the authoritative DNS receive a file from the agent. It implements a multi-part chain that reconstructs the pieces arriving in domain name requests. After sending all of the data, the agent issues a final DNS query with "COCTabCOCT" in the data segment, which tells the C2 that the Trojan has finished sending the file.
Command and Control: COCTabCOCT end of communication
The following image shows a running example of the infection chain in a controlled virtual environment. Note the communication layers over the requested domains: a request like the following carries data in the subdomain, while the answered IP gives a specific affirmative/negative response.
10100*9056*****************.33333210100A[.]example[.]com
Glimpse running environment
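The behaviour described above (data carried in long generated subdomains, control carried in TXT lookups, and a literal COCTabCOCT end-of-transfer marker) is what a defender can look for in resolver logs. The following is an added example, not part of the original write-up: a detector that groups DNS queries by the queried domain and reports domains that show those traits. The query records are constructed samples shaped like the ones shown above; in practice you would feed it Windows DNS analytic log entries, Sysmon Event ID 22, or a resolver's query log. The thresholds are assumptions to be tuned.

```powershell
# Added example (not from the original analysis): flag domains that look like a DNS
# covert channel of the Glimpse kind. Input objects carry Client, Query and Type.
function Get-StringEntropy {
    # Shannon entropy in bits per character; encoded data scores well above plain hostnames
    param([string] $Text)
    if ([string]::IsNullOrEmpty($Text)) { return 0.0 }
    $entropy = 0.0
    foreach ($n in ($Text.ToCharArray() | Group-Object -CaseSensitive | Select-Object -ExpandProperty Count)) {
        $p = $n / $Text.Length
        $entropy -= $p * [math]::Log($p, 2)
    }
    return $entropy
}

function Find-DnsCovertChannel {
    param(
        [Parameter(Mandatory)] [object[]] $Queries,
        [int]    $MinLabelLength  = 20,   # assumed: ordinary hostnames rarely reach this
        [double] $MinEntropy      = 3.0,  # assumed: bits/char typical of hex or base32 data
        [int]    $MinUniqueLabels = 5,    # assumed: distinct odd labels before reporting
        [double] $MinTxtShare     = 0.5   # assumed: fraction of queries that are TXT lookups
    )
    # Group by the last two labels (example.com) so every crafted subdomain lands in one bucket
    $Queries | Group-Object { ($_.Query -split '\.')[-2..-1] -join '.' } | ForEach-Object {
        $group  = $_
        $labels = @($group.Group | ForEach-Object { ($_.Query -split '\.')[0] } | Select-Object -Unique)
        $odd    = @($labels | Where-Object { $_.Length -ge $MinLabelLength -and (Get-StringEntropy $_) -ge $MinEntropy })
        $txt    = @($group.Group | Where-Object { $_.Type -eq 'TXT' }).Count
        $marker = @($group.Group | Where-Object { $_.Query -match 'COCTabCOCT' }).Count

        $reasons = @()
        if ($odd.Count -ge $MinUniqueLabels)      { $reasons += "$($odd.Count) distinct long high-entropy labels" }
        if ($txt / $group.Count -ge $MinTxtShare) { $reasons += "TXT share $([math]::Round($txt / $group.Count, 2))" }
        if ($marker -gt 0)                        { $reasons += "COCTabCOCT marker seen $marker time(s)" }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Domain  = $group.Name
                Queries = $group.Count
                Clients = @($group.Group | Select-Object -ExpandProperty Client | Select-Object -Unique).Count
                Reasons = $reasons -join '; '
            }
        }
    }
}

# Constructed sample query log (not captured traffic); the crafted labels follow the shape
# of the ones shown above, with www.example.com standing in for the C2 domain
$sampleQueries = @(
    [pscustomobject]@{ Client = '10.0.0.5'; Query = 'www.microsoft.com';  Type = 'A' }
    [pscustomobject]@{ Client = '10.0.0.5'; Query = 'login.live.com';     Type = 'A' }
    [pscustomobject]@{ Client = '10.0.0.5'; Query = 'outlook.office.com'; Type = 'A' }
    [pscustomobject]@{ Client = '10.0.0.7'; Query = '59071Md8200089EC36AC95T.www.example.com';  Type = 'TXT' }
    [pscustomobject]@{ Client = '10.0.0.7'; Query = '59071Wd8200089EC36AC95T.www.example.com';  Type = 'TXT' }
    [pscustomobject]@{ Client = '10.0.0.7'; Query = '59071Dd8200089EC36AC95T.www.example.com';  Type = 'TXT' }
    [pscustomobject]@{ Client = '10.0.0.7'; Query = '10100A9056F3C2B7D8E1A4B6.www.example.com'; Type = 'A' }
    [pscustomobject]@{ Client = '10.0.0.7'; Query = '10100B9056F3C2B7D8E1A4B6.www.example.com'; Type = 'A' }
    [pscustomobject]@{ Client = '10.0.0.7'; Query = '10100C9056F3C2B7D8E1A4B6.www.example.com'; Type = 'A' }
    [pscustomobject]@{ Client = '10.0.0.7'; Query = 'COCTabCOCT.www.example.com';               Type = 'A' }
)
Find-DnsCovertChannel -Queries $sampleQueries | Format-List
```

On the sample data only example.com is reported, with six distinct long high-entropy labels and the COCTabCOCT marker; microsoft.com, live.com and office.com produce nothing. The TXT-share rule does not fire here (3 of 7 queries), which is deliberate: no single trait should be required, because an agent that only ever polls with M and W would show up through the label and TXT rules while one uploading a file shows up through the labels and the marker.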
The command and control is a standalone .NET application that works through files. The backend, a Node.js server, exposes a public API and saves requests to agents and results from agents directly into files named with a "UID-IP" convention that acts as the agent ID. The panel reads those files and builds stats and actions on top of them. The following image shows the static configuration section of the C2 panel.
Command and Control Panel Hardcoded Settings
The Control Panel is composed mainly of two .NET window components. The main window shows the list of connected agents along with additional information: Agent ID, Agent IP, Agent Last Online Time and Attacker Comments. The Control Window is opened when the attacker clicks on a selected agent; the onClick event runs the following code:
controlPanel = new controlPanel(agent.id, agent.ip, agent.lastActivity); controlPanel.Show();
After its initialisation phase the control panel lets the attacker write, or upload as a file, a list of commands to send to agents. The following image shows the controlPanel function that takes commands from the input text fields and creates a new file containing them in the waiting folder. The contents of that folder are then dropped on the selected agent and executed.
Command and Control, controlPanel insert_command function
The controlPanel offers many additional functions to control single agents or groups of agents. Trying to date the project, the compile time is 9/1/2018 at 5:13:02 AM for newPanel-dbg.exe and 9/8/2018 at 8:01:54 PM for the imported library ToggleSwitch.dll.
With high probability we are facing a multi-modular attack framework: on one side the DNS communication channel delivers commands to the target agents, on the other side many control panels can be developed and attached to the DNS communication system. This is quite natural if you look at the framework as a developer: the DNS channel uses files to store information and to synchronise actions and agents, so many C2 panels could be adapted to use it as a communication channel, and many APT34 units would be able to reuse it. Another interesting observation comes from trying to date the framework. A PowerShell agent was leaked on Pastebin in August 2018 (take a look here) by an anonymous user and has been seen, to date, by very few people (197 so far). The command and control used was compiled the month before (July 2018). The development technologies (.NET, Node.js) are very different and the implementation styles differ as well: the DNS communication channel is written in a linear, function-driven style, while the standalone command and control uses somewhat more sophisticated object-oriented programming with a flavour of agent-oriented programming: the attacker treats the agent object as an independent agent working without direct control, and writes files as the medium to steer the agent's behaviour.
The original post was published on the Marco Ramilli’s blog:
https://marcoramilli.com/2019/05/02/apt34-glimpse-project/
About the author: Marco Ramilli, Founder of Yoroi
I am a computer security scientist with an intensive hacking background. I have an MD in computer engineering and a PhD in computer security from the University of Bologna. During my PhD program I worked for the US Government (at the National Institute of Standards and Technology, Security Division) where I did intensive research into malware evasion techniques and penetration testing of electronic voting systems.
I have experience in security testing, since I have performed penetration tests on several US electronic voting systems. I've also been in charge of testing the uVote voting system for the Italian Ministry of homeland security. I met Palantir Technologies, where I was introduced to the Intelligence Ecosystem. I decided to broaden my cybersecurity experience by diving into SCADA security issues with some of the biggest industrial conglomerates in Italy. I finally decided to found Yoroi: an innovative Managed Cyber Security Service Provider developing some of the most amazing cybersecurity defence centres I've ever experienced! Now I technically lead Yoroi, defending our customers and strongly believing in: Defence Belongs To Humans
Edited by Pierluigi Paganini
(Security Affairs – APT34, Glimpse project)
The post APT34: Glimpse project appeared first on Security Affairs.
Pester v4 RC is available for download from PowerShell gallery. Please run it and report back! More info: https://t.co/PuClaA8Yjq http://pic.twitter.com/MVrTrTSaNJ
— Pester (@PSPester) January 18, 2017
from Twitter https://twitter.com/sstranger January 19, 2017 at 07:49PM via IFTTT
Considerations When an IT Employee Leaves Posted To Matt Blogs IT
New Post has been published on http://mattblogsit.com/oob/considerations-when-an-it-employee-leaves
Recently I've helped clients off-board IT employees, and I have off-boarded IT employees from our own team. There are quite a few considerations you must make when someone in IT leaves a company, or even just moves to another team within the same company. This article focuses heavily on the employee leaving the company, but you will run into some of the same obstacles when they move to a new area of the company. The "normal" HR off-boarding or cross-boarding doesn't usually cover the amount of access these employees have, and the IT staff themselves must make many additional considerations to make things as smooth as possible.
At a high level you have to consider the following:
How many accounts do they have?
Are these accounts tied to any applications?
Which devices use a shared password they know?
What access rosters are they on?
What knowledge will be lost when they leave?
Who is going to take over ownership of their current tasks?
Let’s dive into these questions in more depth and explore some possible solutions to them.
How many accounts do they have?
This can seem like a very straightforward question; the answer should be one. However, it can vary greatly, especially for IT employees, because as a best practice every IT employee should have at least two accounts: their normal day-to-day account and their administrative account. You never want to log into a server using the same credentials you log into a local workstation with.
This number will continue to rise as you factor in accounts for working with different third-party vendors and cloud solutions. For example if you are using Office 365 without Directory Sync – that’s another account. What if you use Barracuda for cloud backups – make it another! These numbers will just continue to rise.
While working at a Managed Services Provider (MSP) this number can be skewed much more in the northern direction. Off the top of my head I can think of at least 20 accounts that I have personally, and know the number is much greater than that if I put serious effort into this estimate.
Solution:
The way to alleviate this problem when off-boarding an employee is to document every account a person on the team requires. A thorough, team-specific on-boarding document makes off-boarding much simpler.
Are these accounts tied to any applications?
I hope that the answer is always "absolutely not". Good system administrators know you should always use service accounts when installing new products or applications. I have run into issues before where an AD account password was changed, or the account was disabled, and it took a system offline or broke a scheduled task. These can be large pain points, and for the most part the only way to avoid them is by double-checking your work as the IT administrator.
Solution:
Sadly there is no perfect solution to this; educating your IT staff is the best way to dodge this bullet, but that will not catch past mistakes. I've written a PowerShell one-liner that scans all of the servers in your organization to check for user accounts running Windows Services. This will give you a glimpse of where you may find issues. You also need to factor in other application-specific tasks such as the Task Scheduler or SQL Server jobs.
Which devices use a shared password they know?
Shared passwords are a terrible practice, but let's be honest, they exist! Sometimes there is no way to avoid them. For example, you may work with a third party to manage DNS and they only provide a single user account for managing it. Or maybe you have 20 different managed switches or routers in your organization: is it really worth the effort to create dedicated credentials on all of these devices for every IT staff member?
For an MSP this problem grows exponentially. You have to centrally manage credentials not only for your organization, but for hundreds or possibly thousands of organizations, and you have to make sure that only the people who should access these credentials have access to them. Whether you are a small IT shop or an MSP you need to know what they have access to, and better still, what they have recently accessed!
Solution:
To solve this issue I strongly encourage people use Thycotic’s Secret Server. I’ve worked with this product and it has been an amazing benefit when off-boarding an employee. You can simply run a report to see what the exiting employee has accessed and you will now know the specific passwords to target and reset.
What access rosters are they on?
This is a common oversight when off-boarding an employee: you grant them access to contact the support centre at the data centre and forget about it. That cannot be allowed to stand; you must have them removed, or if they wanted to be nefarious they could simply call the data centre and have everything shut down! Luckily I've never run into this, but it is something you need to be concerned about and keep in mind when removing an exiting employee's access.
Solution:
Alleviating this issue again falls back on documenting the on-boarding process specific to your team. This can be very challenging to maintain, but it is going to save your life at some point.
What knowledge will be lost when they leave?
The obvious one is that you have one less technical resource, this resource possibly had vast knowledge of different technologies that are in place in your organization such as Exchange, or Active Directory. This knowledge can be replaced, it may take time and money to find that replacement; but it is possible.
The real lost knowledge is the things that were never documented, and I hate to admit it, but in a fast-paced IT shop documentation tends to fall by the wayside. In a perfect IT world everything is thoroughly documented: all of the servers you have, what is installed on them, their network configuration and their location; on top of that, how the software was installed, any modifications made to the application, and any "gotchas" such as "never power this server off" or a special NIC configuration. Without that, it is completely lost!
Hopefully the exiting IT person was good at documentation; in most cases that is not true, as very few IT people are. This is where you have to hope it was their decision to leave rather than a termination. If they are being terminated you can always pray to the god of your choice that they will be kind enough to dump as much of their knowledge as possible into a document of some kind, or walk someone else in the IT department through what they know.
Solution:
Solving this problem is going to fall on management. It may surprise you to know (*wink* *wink*) that management is the biggest obstacle when working on documentation in an IT workplace. There are always demands to keep up with the latest technology and implement the next big thing to improve the company’s revenue. This can be very challenging for an IT department, because at the management level it is looked at as an expense that brings in no revenue at all, so the more work thrown at it, the less of an expense it is.
Management needs to recognize this as the problem and allow IT resources to factor a thorough documentation phase into their project timelines. The first thing dropped when a timeline is shrunk is the documentation phase, and then it keeps getting pushed off.
Who is going to take over ownership of their current tasks?
This is the trickiest part of losing an IT resource. That person most likely had five or more projects in the works or lined up to work on. If they put in two weeks’ notice, at least you have some time to perform a semi-warm hand-off of what is in progress and what still needs to be done. What if they are being terminated? That makes things much more challenging, and you can be guaranteed that at least one thing will slip through the cracks.
Solution:
To solve this problem you must have a centralized system for tracking issues and tracking projects. I’ve worked with multiple ticketing systems and there are flaws with every single one. If you can tell me about a ticketing system that doesn’t have a single flaw, that can track user-submitted issues, and that can track projects and their current status, then I will call you a liar… and then try it out. The best decision you can make here is to pick a solution and stick to it.
IndyPoSh and Indy VMUG PowerShell Basics v3 and v4 Posted To Matt Blogs IT
New Post has been published on http://mattblogsit.com/virtualization/indyposh-and-indy-vmug-powershell-basics-v3-and-v4
Hello everyone! Long time no post; more details surrounding that will be coming! Tonight I would like to share the PowerPoint I used for the IndyPoSh/Indy VMUG presentation I gave tonight. It goes very briefly over PowerShell basics for PowerShell v3 and v4.
PowerShell v4 Desired State Configuration Deep Dive Posted To Matt Blogs IT
New Post has been published on http://mattblogsit.com/windows/powershell-v4-desired-state-configuration-deep-dive
During my time at Microsoft TechEd many new things were announced. My all-time favorite announcement was PowerShell v4. There are many great things coming out with PowerShell v4, most of which I haven’t really had a chance to dig into yet. However, one of the few things I have run through is Desired State Configuration, which I will refer to as DSC throughout this post.
DSC is a way to manage the configuration of multiple servers using a single script for the deployment. The example I will use manages an IIS configuration across multiple servers, but as DSC develops there will be many other uses for it.
Step Outline:
DSC requires a couple of steps. It isn’t just a single script you create and execute, but it is very close.
1. Create a DSC script.
2. Execute the DSC script to create the DSC file (a MOF file).
3. Deploy and enact the Desired State Configuration file on the server(s).
Step 1: Creating a Desired State Configuration File
The first step in utilizing DSC is creating the DSC script. This script is used to generate the DSC file, which is a MOF document. To create the DSC script you can simply open the PowerShell ISE and start writing PowerShell using a couple of new keywords and identifiers.
In the example script below, notice the keyword Configuration with a nested Node identifier.
Configuration MattBlogsITDemo {
    Node Server1 {
        WindowsFeature IIS {
            Ensure = "Present"
            Name   = "Web-Server"
        }
        WindowsFeature ASP {
            Ensure = "Present"
            Name   = "Web-Asp-Net45"
        }
        # Website is not one of the built-in v4 resources; it comes from a separate DSC resource module.
        Website DefaultSite {
            Ensure       = "Present"
            Name         = "Default Web Site"
            PhysicalPath = "C:\inetpub\wwwroot"
            State        = "Stopped"
            Requires     = "[WindowsFeature]IIS"   # preview-era name; the released v4 calls this DependsOn
        }
        File WebContent {
            Ensure          = "Present"
            Type            = "Directory"
            SourcePath      = "\\fileserver01\WebContent\DemoSite"
            DestinationPath = "D:\websites\DemoSite"
            Recurse         = $true
        }
        Website DemoSite {
            Ensure       = "Present"
            Name         = "DemoSite"
            PhysicalPath = "D:\websites\DemoSite"
            State        = "Started"
            Protocol     = @("http")
            BindingInfo  = @("*:80:")
            Requires     = "[File]WebContent"
        }
    }
}
# Calling the configuration is what writes Server1.mof into the .\MattBlogsITDemo folder.
MattBlogsITDemo -OutputPath .\MattBlogsITDemo
Step 2: Execute DSC script to create DSC (MOF Configuration File)
Once you have finalized (or later updated) your DSC script, you have to generate the MOF configuration file that is actually used to perform the deployment. All you must do is execute the script you created in step one; invoking the configuration writes the MOF file for each node into the output folder.
Step 3: Deploy and enact Desired State Configuration file to server(s)
Once you have set up your script and created the MOF configuration file, all you have to do is execute a single cmdlet and it will deploy to one or many servers, depending on the script. Get-Credential has to be wrapped in parentheses so its result (rather than the cmdlet name) is passed to -Credential; -Wait keeps the run in the foreground and -Verbose shows each resource being applied.
Start-DscConfiguration -ComputerName Server1 -Path .\MattBlogsITDemo -Credential (Get-Credential) -Wait -Verbose
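The three steps above run end to end, with a drift check at the end, as an added example (this is not code from the original post). It uses only the built-in v4 resources WindowsFeature and Service so that no extra resource module is needed; the configuration name WebBaseline, the node names Server1 and Server2, and the credential prompt are placeholders. It uses DependsOn, the name the released v4 gave to the preview’s Requires property, and adds an Ensure = "Absent" resource to show that DSC can keep unwanted components off a server as well as put wanted ones on.

```powershell
# Added example, not the original post's code. Assumes the released PowerShell v4
# (WMF 4.0) built-in resources only; node names and credentials are placeholders.

Configuration WebBaseline {
    param(
        [string[]] $NodeName = 'localhost'   # placeholder: pass real server names
    )

    Node $NodeName {
        WindowsFeature IIS {
            Ensure = 'Present'
            Name   = 'Web-Server'
        }

        # Unwanted state belongs in the MOF too: Ensure = 'Absent' makes DSC
        # remove the FTP role again if anyone adds it after deployment.
        WindowsFeature FtpServer {
            Ensure    = 'Absent'
            Name      = 'Web-Ftp-Server'
            DependsOn = '[WindowsFeature]IIS'
        }

        # Keep the web service running and set to start automatically.
        Service W3SVC {
            Name        = 'W3SVC'
            StartupType = 'Automatic'
            State       = 'Running'
            DependsOn   = '[WindowsFeature]IIS'
        }
    }
}

# Step 2: compile. Calling the configuration writes one <NodeName>.mof per node
# into the output folder and returns the FileInfo objects for those MOFs.
$nodes = 'Server1', 'Server2'                       # placeholder node names
$mofs  = WebBaseline -NodeName $nodes -OutputPath .\WebBaseline
$mofs | ForEach-Object { "Compiled $($_.Name)" }

# Step 3: push. -Wait keeps the job in the foreground so failures surface here;
# -Verbose shows each resource's test/set decision per node.
$cred = Get-Credential                              # placeholder: an admin on the nodes
Start-DscConfiguration -Path .\WebBaseline -ComputerName $nodes -Credential $cred -Wait -Verbose

# Verification: Test-DscConfiguration returns $false for a node whose live state
# no longer matches its MOF, which is the drift signal worth alerting on.
$cim = New-CimSession -ComputerName $nodes -Credential $cred
foreach ($s in $cim) {
    $ok = Test-DscConfiguration -CimSession $s
    '{0}: {1}' -f $s.ComputerName, $(if ($ok) { 'in desired state' } else { 'DRIFT detected' })
}

# Get-DscConfiguration shows what the Local Configuration Manager last applied.
Get-DscConfiguration -CimSession $cim |
    Select-Object PSComputerName, ResourceId, Ensure |
    Format-Table -AutoSize
```

Re-running Start-DscConfiguration with the same MOF is safe: each resource is tested first and only set when it is out of compliance, so the push doubles as a remediation step after Test-DscConfiguration reports drift.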
Summary:
Overall this is a fantastic new feature and will make a big difference for maintaining a standard configuration across an entire environment. You can combine this with Azure cmdlets and automate the deployment of web servers as your environment starts taking a much higher load.
Note: I used the following TechNet Article and HOL I attended at TechEd to assist in writing this.