Trellix Insights: SVCReady Loader Hidden in Document Properties

Technical Articles ID: KB95854
Last Modified: 2022-08-22 09:55:09 Etc/GMT

Environment

IMPORTANT: This Knowledge Base article discusses a specific threat that is being automatically tracked by Trellix Insights technology. The content is intended for use by Trellix Insights users, but is provided for general knowledge to all customers. Contact us for more information about Trellix Insights.

Summary

Description of Campaign
A phishing campaign was identified to deliver malware via shellcode hidden in the properties section of MS Office documents. Upon opening the document, shellcode is run via a VBA AutoOpen macro that drops the SVCReady payload to the temp directory and executes. The malware then performs system checks, gathers system information, and exfiltrates the data encrypted with an RC4 algorithm to the C2 attacker over HTTP. Additional instructions and payloads may be obtained from C2, such as in an earlier investigation where the RedLine Stealer payload was delivered to the infected machine. While correlations can be made between past TA551 events and the current SVCReady campaign, no definitive attribution was made.

Our ATR team gathers and analyzes information from multiple open and closed sources before disseminating intelligence reports. This campaign was researched by HP and shared publicly.

How to use this article:

If a Threat Hunting table has been created, use the rules contained to search for malware related to this campaign.
Review the product detection table and confirm that your environment is at least on the specified content version.
To download the latest content versions, go to the Security Updates page.
Scroll down and review the "Product Countermeasures" section of this article. Consider implementing them if they are not already in place.
Review KB91836 - Countermeasures for entry vector threats.
Review KB87843 - Dynamic Application Containment rules and best practices.
Review KB82925 - Identify what rule corresponds to an Adaptive Threat Protection and Threat Intelligence Exchange event.

This Knowledge Base article discusses a specific threat that's being tracked. The list of IOCs will change over time; check Trellix Insights for the latest IOCs.

Campaign IOC

Type	Value
SHA256	FDABB1F5B7691F03B2D89FEB8B0D4E3FD036F9B4E718269CAD8741C7E4D14072
SHA256	5170461322CB1A79ABB84FEED75B7F871B6F1594562E7724C45D7BB98F97C86B
SHA256	9122092980BC0ED9C9B008C5456CC18656C41798585B8819F1D6F2620CAC3CF3
SHA256	D270E1CA349DAA668E0807BE65ECA75CC739008A39E283F922A8728C22663417
SHA256	C6C080A63DD038D11CD6E724D2DE31108CABE7B6E38F674FE8189696886582AF
SHA256	FA5747E42C4574F854CD0083B05064466E75D243DA93008B9F0DCAC5CF31F208
SHA256	D3E69A33913507C80742A2D7A59C889EFE7AA8F52BEEF8D172764E049E03EAD5
SHA256	99DF2CC2535C82B84BA23384DF290D7506242532123D8414C1CFC61967072C28
SHA256	AFA40C3157F2704ABA4838A7308B53A4853176AF86982CE2999AA4DF3AC7BB9C
SHA256	5E932751C4DEA799D69E1B4F02291DC6B06200DD4562B7AE1B6AC96693165CEA
SHA256	95E328A549247F900DA5747F7E2057DEF121D2EDA82CFD7E926A6955C797D317
SHA256	F690F484C1883571A8BBF19313025A1264D3E10F570380F7ACA3CC92135E1D2E
SHA256	235720BEC0797367013CBDC1FE9BBDDE1C5D325235920A1A3E9499485FB72DBA
SHA256	F2FADD7A8B88DA62228DAB8981638B5C9F5512A57A0441B57C2B3A29B0A96012
SHA256	65A650DD353EA767EF68CF4627436977E6D55102D699B2E8B8DE491DA5C0A5EB
SHA256	4C1DD6A893F86A150E003118148C655044D06E8300678CF6BF3CC3107B91B66C
SHA256	6C9FD23D88239D819E0B494E589B665C4E7921ED9B9DD0BBD1610D71230BCF81
SHA256	FA6F5695AC2530B486FDD6FE8096AAAF65081BC092AB874545628C61E1403919
SHA256	748352146AB86EA1A32DFED0B0D5FAC0EFC52728BCCD79476B74FB73517EFB21
SHA256	1D3217D7818E05DB29F7C4437D41EA20F75978F67BC2B4419225542B190432FB
SHA256	5B7FBEC223DEB714DC7A4037348936A27D86B061CB2120213D5A69849CC9B588
SHA256	68617985E8AB455316C18172723FBD2748DE58008714C4CB3F7C6F19D326F135
SHA256	00FD57B32A3DF737C274D2184663DE4EDC22A4E003419C1B10B262E66995EE23
SHA256	A8EED171FDCB2A872865620FC2234E0B07201D927ABCB65344846F6D4A7B75F5
SHA256	FCB325D21D1100269731553015D6D0F85143DAE2BFA6CBAF49AC6DA29F1F732E
SHA256	C86A477579188305132DAB40700D06FFF9E26B5CE627233FB9D20DA1DFC74B47
SHA256	501D971E548139153C64037D07B4E3FEA2C1735A37774531C88CFA95BA660EC3
SHA256	C362D9EEFAFB44D4116B4DFABD5945E974C8A010221705E021490EFBF34BC3A3
SHA256	134D0B10BAC1404FA1DA83C96C08E0882500819DAAD5F49E9E83C92F2A624B3E
SHA256	E09C98B677264FC0DE36A9FD99A2711455FE79699CA958938DD12B5BD2C66BAD
SHA256	391D134B792FB660426F183755AD00DBD737F521CFF1F9A12D402CD714D34645
SHA256	39C955C9E906075C11948EDD79FFC6D6FCC5B5E3AC336231F52C3B03E718371E
SHA256	74652EAE27C9F5A5C397EACC76DAF768B3E601F106E8539C7D855712AB185E40
SHA256	D8AEC5539973927EB07A23BA4DE3780D28C2DD2D6DBBC697562A44B30CD3B03F
SHA256	C24266CC16D65F0B8D72BB7DF80A6B2FFE343429A764AFB9FB0A9C20D53AB9AF
SHA256	C0795D7A7F2C5FDB7615EE5826E8453BEF832F36282D6229EC07CAF49842F4BC
SHA256	939863285773B17623F0F027FAAE8B994BF5FC1AFB182C63A026431C71CD3885
SHA256	0224B906741F248D8BCEDAEF423B58FFB1B4577EC06711293F7065B12AE71788
SHA256	9F7124303F1C957F7E02F275F3501CBAA6E0645A6D78B50617A97761DC611CFF
SHA256	F47514C680135C7D4285F2284D5621245463F55A901C38F171DCE445695AC533
SHA256	08E427C92010A8A282C894CF5A77A874E09C08E283A66F1905C131871CC4D273
SHA256	B67120F25963D36560CBB86B35E864F608536ABEF7C3377F46997D65BAD13CAA
SHA256	CA61DE1E2442C16C280EB7264D6B7F79EC92CDC10D1C202EFB028DA5F242F83A
SHA256	4A2E76B57DE10C687716A1D7A295910CC5C0D04F5D10D4F4C53AE1BDE45A251C
SHA256	50FBE350CC660361B919F5E464DA6D6170F35EF497327AE5DEFC7805E76D5568
SHA256	65E551F7093299A9A20EAF536197C19ABBDD51B95B9570EDAC4950D7C951AD92
SHA256	6E1137447376815E733C74AB67F202BE0D7C769837A0AAAC044A9B2696A8FA89
SHA256	0D55564A2BED4FF06BC8B1DAAB98E2032C39536DAA31878E16FED29BC987A4D1
SHA256	16851D915AADDF29FA2069B79D50FE3A81ECAAFD28CDE5B77CB531FE5A4E6742
DOMAIN	muelgadr.top
DOMAIN	wikidreamers.com
DOMAIN	galmerts.art
DOMAIN	marualosa.top
DOMAIN	kikipi.art
DOMAIN	kokoroklo.su
URL	http://wikidreamers.com/exe/install.exe

Minimum Content Versions

Content Type	Version
V2 DAT (VirusScan Enterprise)	10398
V3 DAT (Endpoint Security)	4850

Detection Summary

IOC	Scanner	Detection
FDABB1F5B7691F03B2D89FEB8B0D4E3FD036F9B4E718269CAD8741C7E4D14072	AVEngine V2	W97M/Downloader.dvj
	AVEngine V3	W97M/Downloader.dvj
	JTI (ATP Rules)	JTI/Suspect.1179887!cda48fc75952
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
5170461322CB1A79ABB84FEED75B7F871B6F1594562E7724C45D7BB98F97C86B	AVEngine V2	X97M/Downloader.pf
	AVEngine V3	X97M/Downloader.pf
	JTI (ATP Rules)	JTI/Suspect.196612!fc2b1836b1cf
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
9122092980BC0ED9C9B008C5456CC18656C41798585B8819F1D6F2620CAC3CF3	AVEngine V2	X97M/Downloader.pf
	AVEngine V3	X97M/Downloader.pf
	JTI (ATP Rules)	JTI/Suspect.196612!6eefce6e0b2c
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
D270E1CA349DAA668E0807BE65ECA75CC739008A39E283F922A8728C22663417	AVEngine V2	GenericRXSS-GT!47771F833216
	AVEngine V3	GenericRXSS-GT!47771F833216
	JTI (ATP Rules)	JTI/Suspect.1179887!cda48fc75952
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
C6C080A63DD038D11CD6E724D2DE31108CABE7B6E38F674FE8189696886582AF	AVEngine V2	Trojan.ud
	AVEngine V3	Trojan.ud
	JTI (ATP Rules)	JTI/Suspect.196612!d19c5e1fb2d8
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
FA5747E42C4574F854CD0083B05064466E75D243DA93008B9F0DCAC5CF31F208	AVEngine V2	GenericRXTB-MQ!C7E63E3CA83B
	AVEngine V3	GenericRXTB-MQ!C7E63E3CA83B
	JTI (ATP Rules)	JTI/Suspect.196612!85a0fa3cc64d
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
D3E69A33913507C80742A2D7A59C889EFE7AA8F52BEEF8D172764E049E03EAD5	AVEngine V2	GenericRXTB-MQ!C7E63E3CA83B
	AVEngine V3	GenericRXTB-MQ!C7E63E3CA83B
	JTI (ATP Rules)	JTI/Suspect.196612!85a0fa3cc64d
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
99DF2CC2535C82B84BA23384DF290D7506242532123D8414C1CFC61967072C28	AVEngine V2	X97M/Downloader.pf
	AVEngine V3	X97M/Downloader.pf
	JTI (ATP Rules)	JTI/Suspect.196612!fc2b1836b1cf
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
AFA40C3157F2704ABA4838A7308B53A4853176AF86982CE2999AA4DF3AC7BB9C	AVEngine V2	GenericRXTB-MQ!E6B33DDAA958
	AVEngine V3	GenericRXTB-MQ!E6B33DDAA958
	JTI (ATP Rules)	JTI/Suspect.196612!e6b33ddaa958
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
5E932751C4DEA799D69E1B4F02291DC6B06200DD4562B7AE1B6AC96693165CEA	AVEngine V2	GenericRXSS-GT!47771F833216
	AVEngine V3	GenericRXSS-GT!47771F833216
	JTI (ATP Rules)	JTI/Suspect.196612!47771f833216
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
95E328A549247F900DA5747F7E2057DEF121D2EDA82CFD7E926A6955C797D317	AVEngine V2	X97M/Downloader.pf
	AVEngine V3	X97M/Downloader.pf
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
F690F484C1883571A8BBF19313025A1264D3E10F570380F7ACA3CC92135E1D2E	AVEngine V2	GenericRXTB-MQ!E6B33DDAA958
	AVEngine V3	GenericRXTB-MQ!E6B33DDAA958
	JTI (ATP Rules)	JTI/Suspect.196612!e6b33ddaa958
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
235720BEC0797367013CBDC1FE9BBDDE1C5D325235920A1A3E9499485FB72DBA	AVEngine V2	GenericRXTF-TP!6EEB4D8CD438
	AVEngine V3	GenericRXTF-TP!6EEB4D8CD438
	JTI (ATP Rules)	JTI/Suspect.196612!6eeb4d8cd438
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
F2FADD7A8B88DA62228DAB8981638B5C9F5512A57A0441B57C2B3A29B0A96012	AVEngine V2	W97M/Downloader.dvj
	AVEngine V3	W97M/Downloader.dvj
	JTI (ATP Rules)	JTI/Suspect.196612!fc2b1836b1cf
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
65A650DD353EA767EF68CF4627436977E6D55102D699B2E8B8DE491DA5C0A5EB	AVEngine V2	X97M/Downloader.pf
	AVEngine V3	X97M/Downloader.pf
	JTI (ATP Rules)	JTI/Suspect.196612!d19c5e1fb2d8
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
4C1DD6A893F86A150E003118148C655044D06E8300678CF6BF3CC3107B91B66C	AVEngine V2	X97M/Downloader.pf
	AVEngine V3	X97M/Downloader.pf
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
6C9FD23D88239D819E0B494E589B665C4E7921ED9B9DD0BBD1610D71230BCF81	AVEngine V2	W97M/Downloader.dvj
	AVEngine V3	W97M/Downloader.dvj
	JTI (ATP Rules)	JTI/Suspect.1179887!cda48fc75952
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
FA6F5695AC2530B486FDD6FE8096AAAF65081BC092AB874545628C61E1403919	AVEngine V2	W97M/Downloader.dvj
	AVEngine V3	W97M/Downloader.dvj
	JTI (ATP Rules)	JTI/Suspect.196612!fc2b1836b1cf
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
748352146AB86EA1A32DFED0B0D5FAC0EFC52728BCCD79476B74FB73517EFB21	AVEngine V2	X97M/Downloader.pf
	AVEngine V3	X97M/Downloader.pf
	JTI (ATP Rules)	JTI/Suspect.1179887!cda48fc75952
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
1D3217D7818E05DB29F7C4437D41EA20F75978F67BC2B4419225542B190432FB	AVEngine V2	Generic agent.c
	AVEngine V3	Generic agent.c
	JTI (ATP Rules)	JTI/Suspect.196612!fc2b1836b1cf
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
5B7FBEC223DEB714DC7A4037348936A27D86B061CB2120213D5A69849CC9B588	AVEngine V2	X97M/Downloader.pf
	AVEngine V3	X97M/Downloader.pf
	JTI (ATP Rules)	JTI/Suspect.196612!fc2b1836b1cf
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
68617985E8AB455316C18172723FBD2748DE58008714C4CB3F7C6F19D326F135	AVEngine V2	W97M/Downloader.dvj
	AVEngine V3	W97M/Downloader.dvj
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
00FD57B32A3DF737C274D2184663DE4EDC22A4E003419C1B10B262E66995EE23	AVEngine V2	GenericRXTB-MQ!C7E63E3CA83B
	AVEngine V3	GenericRXTB-MQ!C7E63E3CA83B
	JTI (ATP Rules)	JTI/Suspect.196612!85a0fa3cc64d
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
A8EED171FDCB2A872865620FC2234E0B07201D927ABCB65344846F6D4A7B75F5	AVEngine V2	GenericRXTB-MQ!C7E63E3CA83B
	AVEngine V3	GenericRXTB-MQ!C7E63E3CA83B
	JTI (ATP Rules)	JTI/Suspect.196612!85a0fa3cc64d
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
FCB325D21D1100269731553015D6D0F85143DAE2BFA6CBAF49AC6DA29F1F732E	AVEngine V2	VBA/Obfuscated.b
	AVEngine V3	VBA/Obfuscated.b
	JTI (ATP Rules)	JTI/Suspect.1179887!cda48fc75952
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
C86A477579188305132DAB40700D06FFF9E26B5CE627233FB9D20DA1DFC74B47	AVEngine V2	GenericRXSS-GT!47771F833216
	AVEngine V3	GenericRXSS-GT!47771F833216
	JTI (ATP Rules)	JTI/Suspect.196612!47771f833216
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
501D971E548139153C64037D07B4E3FEA2C1735A37774531C88CFA95BA660EC3	AVEngine V2	VBA/Obfuscated.b
	AVEngine V3	VBA/Obfuscated.b
	JTI (ATP Rules)	JTI/Suspect.196612!6eefce6e0b2c
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
C362D9EEFAFB44D4116B4DFABD5945E974C8A010221705E021490EFBF34BC3A3	AVEngine V2	GenericRXTB-MQ!C7E63E3CA83B
	AVEngine V3	GenericRXTB-MQ!C7E63E3CA83B
	JTI (ATP Rules)	JTI/Suspect.196612!85a0fa3cc64d
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
134D0B10BAC1404FA1DA83C96C08E0882500819DAAD5F49E9E83C92F2A624B3E	AVEngine V2	X97M/Downloader.pf
	AVEngine V3	X97M/Downloader.pf
	JTI (ATP Rules)	JTI/Suspect.196612!fc2b1836b1cf
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
E09C98B677264FC0DE36A9FD99A2711455FE79699CA958938DD12B5BD2C66BAD	AVEngine V2	GenericRXTB-MQ!C7E63E3CA83B
	AVEngine V3	GenericRXTB-MQ!C7E63E3CA83B
	JTI (ATP Rules)	ATP/Suspect!efdb3916c2a2
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
391D134B792FB660426F183755AD00DBD737F521CFF1F9A12D402CD714D34645	AVEngine V2	W97M/Downloader.dvj
	AVEngine V3	W97M/Downloader.dvj
	JTI (ATP Rules)	JTI/Suspect.196612!d19c5e1fb2d8
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
39C955C9E906075C11948EDD79FFC6D6FCC5B5E3AC336231F52C3B03E718371E	AVEngine V2	GenericRXTF-TP!6EEFCE6E0B2C
	AVEngine V3	GenericRXTF-TP!6EEFCE6E0B2C
	JTI (ATP Rules)	JTI/Suspect.196612!6eefce6e0b2c
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
74652EAE27C9F5A5C397EACC76DAF768B3E601F106E8539C7D855712AB185E40	AVEngine V2	GenericRXTB-MQ!C7E63E3CA83B
	AVEngine V3	GenericRXTB-MQ!C7E63E3CA83B
	JTI (ATP Rules)	JTI/Suspect.196612!85a0fa3cc64d
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
D8AEC5539973927EB07A23BA4DE3780D28C2DD2D6DBBC697562A44B30CD3B03F	AVEngine V2	W97M/Downloader.dvj
	AVEngine V3	W97M/Downloader.dvj
	JTI (ATP Rules)	JTI/Suspect.196612!fc2b1836b1cf
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
C24266CC16D65F0B8D72BB7DF80A6B2FFE343429A764AFB9FB0A9C20D53AB9AF	AVEngine V2	X97M/Downloader.pf
	AVEngine V3	X97M/Downloader.pf
	JTI (ATP Rules)	JTI/Suspect.1179887!cda48fc75952
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
C0795D7A7F2C5FDB7615EE5826E8453BEF832F36282D6229EC07CAF49842F4BC	AVEngine V2	GenericRXTB-MQ!C7E63E3CA83B
	AVEngine V3	GenericRXTB-MQ!C7E63E3CA83B
	JTI (ATP Rules)	JTI/Suspect.196612!85a0fa3cc64d
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
939863285773B17623F0F027FAAE8B994BF5FC1AFB182C63A026431C71CD3885	AVEngine V2	VBA/Obfuscated.b
	AVEngine V3	VBA/Obfuscated.b
	JTI (ATP Rules)	JTI/Suspect.1179887!cda48fc75952
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
0224B906741F248D8BCEDAEF423B58FFB1B4577EC06711293F7065B12AE71788	AVEngine V2	X97M/Downloader.pf
	AVEngine V3	X97M/Downloader.pf
	JTI (ATP Rules)	JTI/Suspect.1179887
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
9F7124303F1C957F7E02F275F3501CBAA6E0645A6D78B50617A97761DC611CFF	AVEngine V2	X97M/Downloader.pf
	AVEngine V3	X97M/Downloader.pf
	JTI (ATP Rules)	JTI/Suspect.196612!fc2b1836b1cf
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
F47514C680135C7D4285F2284D5621245463F55A901C38F171DCE445695AC533	AVEngine V2	X97M/Downloader.pf
	AVEngine V3	X97M/Downloader.pf
	JTI (ATP Rules)	JTI/Suspect.196612!d19c5e1fb2d8
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
08E427C92010A8A282C894CF5A77A874E09C08E283A66F1905C131871CC4D273	AVEngine V2	GenericRXTF-TP!D19C5E1FB2D8
	AVEngine V3	GenericRXTF-TP!D19C5E1FB2D8
	JTI (ATP Rules)	JTI/Suspect.196612!d19c5e1fb2d8
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
B67120F25963D36560CBB86B35E864F608536ABEF7C3377F46997D65BAD13CAA	AVEngine V2	X97M/Downloader.pf
	AVEngine V3	X97M/Downloader.pf
	JTI (ATP Rules)	JTI/Suspect.1179887
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
CA61DE1E2442C16C280EB7264D6B7F79EC92CDC10D1C202EFB028DA5F242F83A	AVEngine V2	GenericRXTB-MQ!C7E63E3CA83B
	AVEngine V3	GenericRXTB-MQ!C7E63E3CA83B
	JTI (ATP Rules)	JTI/Suspect.196612!85a0fa3cc64d
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
4A2E76B57DE10C687716A1D7A295910CC5C0D04F5D10D4F4C53AE1BDE45A251C	AVEngine V2	GenericRXSS-GT!47771F833216
	AVEngine V3	GenericRXSS-GT!47771F833216
	JTI (ATP Rules)	JTI/Suspect.1179887
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
50FBE350CC660361B919F5E464DA6D6170F35EF497327AE5DEFC7805E76D5568	AVEngine V2	X97M/Downloader.pf
	AVEngine V3	X97M/Downloader.pf
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
65E551F7093299A9A20EAF536197C19ABBDD51B95B9570EDAC4950D7C951AD92	AVEngine V2	GenericRXSS-GT!47771F833216
	AVEngine V3	GenericRXSS-GT!47771F833216
	JTI (ATP Rules)	JTI/Suspect.196612!47771f833216
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
6E1137447376815E733C74AB67F202BE0D7C769837A0AAAC044A9B2696A8FA89	AVEngine V2	Packed-GEE!AF9B2D811B8C
	AVEngine V3	Packed-GEE!AF9B2D811B8C
	JTI (ATP Rules)	JTI/Suspect.196612!af9b2d811b8c
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
0D55564A2BED4FF06BC8B1DAAB98E2032C39536DAA31878E16FED29BC987A4D1	AVEngine V2	GenericRXTB-MQ!C7E63E3CA83B
	AVEngine V3	GenericRXTB-MQ!C7E63E3CA83B
	JTI (ATP Rules)	JTI/Suspect.196612!85a0fa3cc64d
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
16851D915AADDF29FA2069B79D50FE3A81ECAAFD28CDE5B77CB531FE5A4E6742	AVEngine V2	GenericRXTF-TP!6CD2A93C2095
	AVEngine V3	GenericRXTF-TP!6CD2A93C2095
	JTI (ATP Rules)	JTI/Suspect.1179887!cda48fc75952
	RP Static	-
	RP Dynamic	-

Minimum set of Manual Rules to improve protection to block this campaign:

IMPORTANT: Always follow best practices when you enable new rules and signatures.

When you implement new rules or signatures, always set them to Report mode first and check the alerts generated. Resolve any issues that arise and then set the rules to Block. This step mitigates against triggering false positives and allows you to refine your configuration.

For more information, see KB87843 - List of and best practices for Endpoint Security Dynamic Application Containment rules.

Endpoint Security - Advanced Threat Protection:

Rule ID: 239 Identify suspicious command parameter execution
Rule ID: 258 Detect most likely masqueraded files which can result in suspicious process launches
Rule ID: 263 Detect processes accessing suspicious URLs
Rule ID: 4 Use GTI file reputation to identify trusted or malicious files

Endpoint Security - Exploit Prevention:

Rule ID: 6143 T1003 - Attempt to Dump Password Hash from SAM Database
Rule ID: 6086 PowerShell Command Restriction - Command
Rule ID: 2844 Microsoft Word WordPerfect5 Converter Module Buffer Overflow Vulnerability
Rule ID: 6135 Unmanaged PowerShell Detected
Rule ID: 8004 Fileless Threat: Malicious PowerShell Behavior Detected
Rule ID: 6127 Suspicious LSASS Access from PowerShell
Rule ID: 6113 T1055 - Fileless Threat: Reflective Self Injection

Host Intrusion Prevention:

Rule ID: 3814 Microsoft Word Enveloping - Illegal file creation
Rule ID: 6081 PowerShell Command Restriction - NoProfile
Rule ID: 6083 PowerShell Command Restriction - NonInteractive
Rule ID: 6070 Hidden PowerShell Detected
Rule ID: 2844 Microsoft Word WordPerfect5 Converter Module Buffer Overflow Vulnerability
Rule ID: 6135 Unmanaged PowerShell Detected
Rule ID: 6113 T1055 - Fileless Threat: Reflective Self Injection

Aggressive set of Manual Rules to improve protection to block this campaign:

IMPORTANT: Always follow best practices when you enable new rules and signatures.

When you implement new rules or signatures, always set them to Report mode first and check the alerts generated. Resolve any issues that arise and then set the rules to Block. This step mitigates against triggering false positives and allows you to refine your configuration.

For more information, see KB87843 - List of and best practices for Endpoint Security Dynamic Application Containment rules.

VirusScan Enterprise - Access Protection Rules:

Prevent programs registering as a service
Prevent creation of new executable files in the Windows folder

Host Intrusion Prevention:

Rule ID: 1020 Windows Agent Shielding - File Access
Rule ID: 1148 CMD Tool Access by a Network Aware Application
Rule ID: 428 Generic Buffer Overflow
Rule ID: 6010 Generic Application Hooking Protection
Rule ID: 2265 Delay Delete File Protection
Rule ID: 6011 Generic Application Invocation Protection
Rule ID: 2806 Attempt to create a hardlink to a file
Rule ID: 412 Double File Extension Execution

Endpoint Security - Access Protection Rules:

Creating new executable files in the Windows folder

Affected Products

Trellix insights

Knowledge Center

Trellix Insights: SVCReady Loader Hidden in Document Properties

Environment

Summary

Affected Products

Title

Title

Knowledge Center

Trellix Insights: SVCReady Loader Hidden in Document Properties

Environment

Summary

Affected Products

Choose your region

Title

Title