Threat Roundup for August 26 to September 2

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Aug. 26 and Sept. 2. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, it summarizes the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discusses how our customers are automatically protected from these threats. As a reminder, the information provided for the following threats is non-exhaustive and current as of the date of publication. Please also keep in mind that IOC searching is only one part of threat hunting: spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post lists only 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of a technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. Five distinct shades are used: the darkest indicates that no files exhibited the technique, and the brightest that the technique was observed in 75 percent or more of the files. The most prevalent threats highlighted in this roundup are:

Threat name (type): description

Win.Dropper.DarkKomet-9966191-0 (Dropper): DarkKomet is a freeware remote access trojan that was released by an independent software developer. It provides the functionality you would expect from a remote access tool: keylogging, webcam access, microphone access, remote desktop, URL download, program execution, etc.

Win.Packed.AgentTesla-9966126-1 (Packed): AgentTesla is a remote access trojan that records keystrokes and attempts to steal sensitive information from web browsers and other installed applications.

Win.Virus.Xpiro-9965977-1 (Virus): Expiro is a known file infector and information stealer that hinders analysis with anti-debugging and anti-analysis tricks.

Win.Dropper.Nanocore-9965501-0 (Dropper): Nanocore is a .NET remote access trojan. Its source code has been leaked several times, making it widely available. Like other RATs, it allows full control of the system, including recording video and audio, stealing passwords, downloading files and recording keystrokes.

Win.Packed.Bandook-9965180-1 (Packed): Bandook is a remote access trojan (RAT) written in C++ and Delphi. It provides attackers with several abilities common to RATs, such as taking screenshots and uploading, downloading or executing files. Bandook is usually delivered through spear-phishing emails containing malicious attachments.

Win.Ransomware.BlackMatter-9965914-0 (Ransomware): BlackCat ransomware, also known as "ALPHV", has quickly gained notoriety for its use in double-extortion attacks against companies, in which files are encrypted and stolen data is threatened with disclosure. It uses a combination of AES-128-CTR and RSA-2048 to encrypt the files on the victim’s computer.

Win.Dropper.Formbook-9965920-0 (Dropper): Formbook is an information stealer that collects sensitive information from an infected machine by logging keystrokes, stealing saved web browser credentials, and monitoring information copied to the clipboard.

Threat Breakdown

Win.Dropper.DarkKomet-9966191-0

Indicators of Compromise

IOCs collected from dynamic analysis of 84 samples

Registry Key (Value Name)    Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST    18
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E (Value Name: LanguageList)    12
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST (Value Name: C:\Windows\M-50504578520758924620\winmgr.exe)    10
<HKCU>\SOFTWARE\DC3_FEXEC    8
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: Microsoft Windows Service)    5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: Microsoft Windows Service)    5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST (Value Name: C:\Windows\M-5050756432604649683503740\winsvc.exe)    3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE (Value Name: DoNotAllowExceptions)    2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: MicroUpdate)    2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN    2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E (Value Name: @%SystemRoot%\system32\dhcpqec.dll,-100)    2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E (Value Name: @%SystemRoot%\system32\dhcpqec.dll,-101)    2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E (Value Name: @%SystemRoot%\system32\dhcpqec.dll,-103)    2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E (Value Name: @%SystemRoot%\system32\dhcpqec.dll,-102)    2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E (Value Name: @%SystemRoot%\system32\napipsec.dll,-1)    2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E (Value Name: @%SystemRoot%\system32\napipsec.dll,-2)    2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E (Value Name: @%SystemRoot%\system32\napipsec.dll,-4)    2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E (Value Name: @%SystemRoot%\system32\napipsec.dll,-3)    2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E (Value Name: @%SystemRoot%\system32\tsgqec.dll,-100)    2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E (Value Name: @%SystemRoot%\system32\tsgqec.dll,-101)    2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E (Value Name: @%SystemRoot%\system32\tsgqec.dll,-102)    2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E (Value Name: @%SystemRoot%\system32\tsgqec.dll,-103)    2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E (Value Name: @%SystemRoot%\system32\eapqec.dll,-100)    2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E (Value Name: @%SystemRoot%\system32\eapqec.dll,-101)    2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E (Value Name: @%SystemRoot%\system32\eapqec.dll,-102)    2

Mutexes    Occurrences
t8    6
DC_MUTEX-<random, matching [A-Z0-9]{7}>    5
t10    4
w3    3
w2    2
DCMIN_MUTEX-WG79R6U    2
uxJLpe1m    1
2562100796    1
lol    1
FvLQ49IlzIyLjj6m    1
e621ca05-Mutex    1
{D9961D0B-0106-5584-AD6D-884HSI64CNI9}    1
{D0001D0B-0106-5584-AD6D-884HSI64CNI9}    1
TLS    1
yourhavebecracked    1
crapponce    1
CCC    1
7QSDIYQXU3    1
DCMIN_MUTEX-W1AEX56    1
2CC    1
4444    1
5555    1
CC02    1
w4    1
e2b9ef1ee9bca34ce51187acb9a0f411    1

*See JSON for more IOCs

IP Addresses contacted by malware (does not indicate maliciousness)    Occurrences
58[.]158[.]177[.]102    3
35[.]205[.]61[.]67    1
198[.]49[.]23[.]144/31    1
20[.]72[.]235[.]82    1
20[.]81[.]111[.]85    1
23[.]221[.]227[.]172    1
184[.]105[.]237[.]196    1
188[.]165[.]227[.]65    1
140[.]228[.]29[.]110    1

Domain Names contacted by malware (does not indicate maliciousness)    Occurrences
srv50[.]ru    11
trik[.]su    11
trkbox[.]ru    6
srv60[.]su    5
srv70[.]ru    4
wrksrv[.]ru    4
markben390[.]no-ip[.]org    3
avget[.]ru    2
microsoft[.]com    1
bermanstreetllc[.]com    1
biggymoney01[.]no-ip[.]biz    1
biggymoney03[.]no-ip[.]biz    1
biggymoney2[.]no-ip[.]biz    1
businessswitchedmylife[.]biz    1
nobemetalkam[.]com    1
heavensbreedonline[.]com    1
heavensbreedonline[.]biz    1
heavensbreedonline[.]co    1
heavensbreedonline[.]org    1
seadeeponline[.]com    1
eurofreightglobalonline[.]com    1
swrenvgloballtd[.]com    1
mailsecuredssl[.]com    1
ssl32bit[.]com    1
128bitsecured[.]com    1

*See JSON for more IOCs

Files and/or directories created    Occurrences
\autorun.inf    11
\windrv.exe    11
E:\autorun.inf    11
E:\windrv.exe    11
%SystemRoot%\M-50504578520758924620    10
%SystemRoot%\M-50504578520758924620\winmgr.exe    10
%APPDATA%\dclogs    8
%SystemRoot%\M-5050756432604649683503740    3
%SystemRoot%\M-5050756432604649683503740\winsvc.exe    3
%HOMEPATH%\Documents\MSDCSC\msdcsc.exe    2
%TEMP%\a    2
%TEMP%\incl2    2
%SystemRoot%\M-50507564324649683503740\winsvc.exe    2
%TEMP%\c    2
%TEMP%\incl1    2
%TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp    2
%HOMEPATH%\Y44VPhclUOy\lib\images\cursors\win32_LinkNoDrop32x32.gif    1
%HOMEPATH%\Y44VPhclUOy\lib\images\cursors\win32_MoveDrop32x32.gif    1
%HOMEPATH%\Y44VPhclUOy\lib\images\cursors\win32_MoveNoDrop32x32.gif    1
%HOMEPATH%\Y44VPhclUOy\lib\jce.jar    1
%HOMEPATH%\Y44VPhclUOy\lib\jfr.jar    1
%HOMEPATH%\Y44VPhclUOy\lib\jfr\default.jfc    1
%HOMEPATH%\Y44VPhclUOy\lib\jfr\profile.jfc    1
%HOMEPATH%\Y44VPhclUOy\lib\jsse.jar    1
%HOMEPATH%\Y44VPhclUOy\lib\jvm.hprof.txt    1

*See JSON for more IOCs
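The tables above only become useful once the indicators are turned into something that can be matched: the network indicators are defanged with `[.]`, several host indicators carry `<random, matching ...>` placeholders, and paths use `%SystemRoot%`-style tokens. The following Python script is an added example, not Talos code, that compiles this DarkKomet IOC subset into matchable form, runs it over a few constructed telemetry events, and applies the caveat from the introduction: a host is only worth investigating when non-benign indicators from two or more categories corroborate each other. The event schema, the `BENIGN` set, the `%ENV%` expansions and the triage thresholds are assumptions made for the example.

```python
"""Hunt a Talos-style IOC set across host and network telemetry.

Added example; not code from the Talos roundup. The indicator values are copied
from the DarkKomet tables above; the telemetry events are constructed for the
example and are not from a real host.
"""
import ipaddress
import re

IOCS = {
    "domain": ["srv50[.]ru", "trik[.]su", "markben390[.]no-ip[.]org", "microsoft[.]com"],
    "ip": ["58[.]158[.]177[.]102", "198[.]49[.]23[.]144/31"],
    "mutex": ["DC_MUTEX-<random, matching [A-Z0-9]{7}>", "DCMIN_MUTEX-WG79R6U"],
    # Key and value name joined with '|'; a key alone matches any value under it.
    "registry": [r"<HKCU>\SOFTWARE\DC3_FEXEC",
                 r"<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|MicroUpdate"],
    "file": [r"%SystemRoot%\M-50504578520758924620\winmgr.exe", r"%APPDATA%\dclogs",
             r"%TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp"],
}
# Legitimate infrastructure listed in the tables: a hit is context, not evidence (assumed).
BENIGN = {"microsoft.com"}
# Environment tokens used in the roundup, as regex fragments for a real path (assumed layout).
ENV = {
    "%SystemRoot%": r"C:\\Windows",
    "%APPDATA%": r"C:\\Users\\[^\\]+\\AppData\\Roaming",
    "%TEMP%": r"C:\\Users\\[^\\]+\\AppData\\Local\\Temp",
    "%HOMEPATH%": r"C:\\Users\\[^\\]+",
}


def refang(value: str) -> str:
    return value.replace("[.]", ".")


def template_to_regex(template: str, suffix: str = "") -> "re.Pattern":
    """Escape the literal parts of an indicator, keep the regex inside
    '<random, matching ...>' placeholders, and expand %ENV% tokens."""
    parts = re.split(r"<random, matching (.+?)>", template)
    body = "".join(p.strip("'") if i % 2 else re.escape(p) for i, p in enumerate(parts))
    for token, fragment in ENV.items():
        body = body.replace(token, fragment)
    return re.compile("^" + body + suffix + "$", re.IGNORECASE)


def compile_iocs(iocs: dict) -> dict:
    registry = []
    for entry in iocs["registry"]:
        entry = entry.replace("<", "", 1).replace(">", "", 1)      # <HKCU> -> HKCU
        registry.append(template_to_regex(entry, suffix="" if "|" in entry else r"(\|.*)?"))
    return {
        "domain": {refang(d).lower() for d in iocs["domain"]},
        "ip": [ipaddress.ip_network(refang(i), strict=False) for i in iocs["ip"]],
        "mutex": [template_to_regex(m) for m in iocs["mutex"]],
        "registry": registry,
        "file": [template_to_regex(f) for f in iocs["file"]],
    }


def match_event(event: dict, c: dict):
    """Return (category, indicator) for the first IOC the event hits, else None."""
    kind = event["type"]
    if kind == "dns":
        q = event["query"].lower()
        return ("domain", q) if q in c["domain"] else None
    if kind == "conn":
        addr = ipaddress.ip_address(event["dst"])
        return next((("ip", str(n)) for n in c["ip"] if addr in n), None)
    if kind == "mutex":
        return next((("mutex", rx.pattern) for rx in c["mutex"] if rx.match(event["name"])), None)
    if kind == "reg":
        subject = f'{event["key"]}|{event.get("value", "")}'
        return next((("registry", rx.pattern) for rx in c["registry"] if rx.match(subject)), None)
    if kind == "file":
        return next((("file", rx.pattern) for rx in c["file"] if rx.match(event["path"])), None)


def hunt(events: list, iocs: dict = IOCS) -> dict:
    """Group hits per host and triage on corroboration across IOC categories:
    one non-benign category is a lead, two or more are worth an investigation."""
    compiled, hits_by_host, report = compile_iocs(iocs), {}, {}
    for ev in events:
        hit = match_event(ev, compiled)
        if hit is not None:
            hits_by_host.setdefault(ev["host"], []).append(hit)
    for host, hits in hits_by_host.items():
        categories = {cat for cat, ind in hits if ind not in BENIGN}
        verdict = ("investigate" if len(categories) >= 2
                   else "single indicator" if categories else "context only")
        report[host] = {"verdict": verdict, "hits": hits}
    return report


# Constructed telemetry for the example (not real host data).
EVENTS = [
    {"host": "ws01", "type": "dns", "query": "srv50.ru"},
    {"host": "ws01", "type": "dns", "query": "microsoft.com"},
    {"host": "ws01", "type": "conn", "dst": "198.49.23.145"},          # inside the /31
    {"host": "ws01", "type": "mutex", "name": "DC_MUTEX-K3J9X2A"},
    {"host": "ws01", "type": "reg", "value": "MicroUpdate",
     "key": r"HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"},
    {"host": "ws01", "type": "file", "path": r"C:\Users\alice\AppData\Roaming\dclogs"},
    {"host": "ws02", "type": "dns", "query": "microsoft.com"},          # benign: context only
    {"host": "ws02", "type": "mutex", "name": "DC_MUTEX-ABC"},          # too short for the template
    {"host": "ws03", "type": "file", "path": r"C:\Users\bob\AppData\Local\Temp\abc1F3.tmp"},
]

if __name__ == "__main__":
    for host, result in hunt(EVENTS).items():
        print(host, result["verdict"], result["hits"])
```

The verdict logic is the point: ws01 trips five categories and is escalated, ws03 has one file-name match that deserves a look but not an incident, and ws02 only resolved microsoft[.]com, which the table lists because the samples contacted it, not because it is bad.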

File Hashes

01d99de8be5d399beb94238ded93f68cecce9b05010ec2095fb88dfea30be905
01dc08a7611de9ed95addbdc484f028da8c4cc4f2f04bf007955e8e7771af2ad
0521c25b0e73636633fc888ecb616c71e37cc63cdef64d531938fb41cb5190c3
07fb7af6f5ebe683cea86ec012a0a002771d658873ea3428d989f8ecaccc2e0b
0b8d380e9ff7c2cdd17b4e95d6663d1b21db1c955b0c933d68bd66c9c8b1b74b
0ce96b476d6d0aeaa983de1cf41c4553f68156d6cbbe9d48ae852ef0e5143de7
0edde1077db95438d2598acd555a39b3c2ac432f98b60d3c77415fd650b13516
1a85cf3317d5a030ab87d02649769a6a0bfb1b342ecc46f1bc26e1f651fbb1ed
1abb5ce77ce286aac491f9363161554eb0894dfb425e4457aee3cd3fc22982e9
1dc5ac655a745dc442a017eb4fe0d86a0877726d4c84a026e8eb3dbe528953f9
234eb8f2d2c1a731eb5672006b5c449761e8536b2f6d4b40d20f54e74d631807
259941e22122288262ef81fd0d0412a9b2725a9a0d77f7c6442020b0733ebbed
2b6326b6b21207fd649683ac43062c06eace7074bbd3f726f200a8717b02c75f
2ba447c32a9cfa066bbc502772d11c9fb62404c090a9de7c83d9aa4151dbf35c
2bc2fc0088f069fb5bb5e448b106a6dc91e5177e00c443571baecac8b8afd8f9
2f6fa4f49fb85c80342285a08bd5fc0b9e3f3198f4854973824567fb131b07e0
32c9b04c79b44e5c331c6497b9c11ce942b53e9fe6d6b57211e2dac442bb4d8b
34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313
35a047096848277ecedf71875652c55466a6d1a167bb82e810591951d991c0ff
3adb310c1ed97474f55974c05a17c56a89d082eb3069592d5734f91b330a8d96
4326fb1eabf2fd7bde99777bc0283746791e7398cacdf575affe537ab33cf16f
433bedd8a7ee7e1585a93cc9076941d3d31c33c602f116e407da8bddd9db9ea6
44317a91b1c813dc8423423cc5a1130e34264f5ab8cc4b35e05da3b7eaacc3f2
483c61bf01f6404f78a83413bf011e0e86c6adae8cce6e1a622ff1ee6e95c1ee
4bb436856e6c78ebac6ef0f48a76fad96268add5dc1583a0e20b986d4532bce4

*See JSON for more IOCs

Coverage

Product    Protection
Secure Endpoint    (icon not captured)
Cloudlock    N/A
CWS    (icon not captured)
Email Security    (icon not captured)
Network Security    (icon not captured)
Stealthwatch    N/A
Stealthwatch Cloud    N/A
Secure Malware Analytics    (icon not captured)
Umbrella    N/A
WSA    N/A

Screenshots of Detection (images not captured)

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK (technique map image not captured)

Win.Packed.AgentTesla-9966126-1

Indicators of Compromise

IOCs collected from dynamic analysis of 11 samples

Registry Key (Value Name)    Occurrences
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS    11
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\OQBAZG7TYHTA203\ATJMVRXU7DWVTQMOVW75 (Value Name: wNHJwQzhBIRVra53)    11
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\OQBAZG7TYHTA203    11
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\OQBAZG7TYHTA203\ATJMVRXU7DWVTQMOVW75    11
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\YAPCUBB9WTPSKYCICPURQGTTVZSSZFZV9XZMYAD173    11
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\YAPCUBB9WTPSKYCICPURQGTTVZSSZFZV9XZMYAD173\ZMD1ZDDSRHXRHJRA7YJEA5BX8K4IU8VF0XR178    11
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\TNNOKQEOKS91GA2LCMWPH6IIE51    11
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\TNNOKQEOKS91GA2LCMWPH6IIE51\WZHY5EK0J8ED51    11
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\YAPCUBB9WTPSKYCICPURQGTTVZSSZFZV9XZMYAD173\ZMD1ZDDSRHXRHJRA7YJEA5BX8K4IU8VF0XR178 (Value Name: m2shbluBdxk2hpHhWEya7LtO7ceN81)    11
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\WNHJWQZHBIRVRA224    11
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\TNNOKQEOKS91GA2LCMWPH6IIE51\WZHY5EK0J8ED51 (Value Name: OqbazG7tyhTA228)    11
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\WNHJWQZHBIRVRA224\B753    11
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\WNHJWQZHBIRVRA224\B753 (Value Name: YapCUbb9WtpskyCIcpUrqGtTVZssZFZv9xzmYaD128)    11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: newApp)    4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: newapp)    4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM (Value Name: DisableTaskMgr)    2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM    2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SYSTEMRESTORE (Value Name: DisableSR)    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: Registry Key Name)    1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E (Value Name: LanguageList)    1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E (Value Name: @C:\Windows\system32\DeviceCenter.dll,-2000)    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: MyyyyZApp)    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: services)    1

Mutexes    Occurrences
Global\536fbb71-288b-11ed-9660-00151721fd34    1
Global\5c7184b1-288b-11ed-9660-001517bb55ad    1

IP Addresses contacted by malware (does not indicate maliciousness)    Occurrences
3[.]93[.]18[.]244    1
3[.]217[.]248[.]28    1
34[.]200[.]207[.]31    1

Domain Names contacted by malware (does not indicate maliciousness)    Occurrences
checkip[.]amazonaws[.]com    3
smtp[.]tetenel[.]com    1
mail[.]orncbbq[.]com    1
smtp[.]ssgtoolz[.]net    1

Files and/or directories created    Occurrences
%TEMP%\<random, matching '[0-9]{15}'>000_<random GUID>.db    9
%APPDATA%\newapp    4
%APPDATA%\newapp\newapp.exe    4
%APPDATA%\Postbox\profiles.ini    2
%System32%\drivers\etc\hosts    1
%HOMEPATH%\subfolder    1
%HOMEPATH%\subfolder\filename.exe    1
%HOMEPATH%\subfolder\filename.vbs    1
%APPDATA%\services    1
%TEMP%\MyyyyZApp    1
%TEMP%\MyyyyZApp\MyyyyZApp.exe    1
%APPDATA%\jddbt225.sux    1
%APPDATA%\jddbt225.sux.zip    1
%APPDATA%\jddbt225.sux\Firefox    1
%APPDATA%\jddbt225.sux\Firefox\Profiles    1
%APPDATA%\jddbt225.sux\Firefox\Profiles\1lcuq8ab.default    1
%APPDATA%\jddbt225.sux\Firefox\Profiles\1lcuq8ab.default\cookies.sqlite    1
%APPDATA%\hqbkc1l0.fyj    1
%APPDATA%\hqbkc1l0.fyj.zip    1
%APPDATA%\hqbkc1l0.fyj\Firefox    1
%APPDATA%\hqbkc1l0.fyj\Firefox\Profiles    1
%APPDATA%\hqbkc1l0.fyj\Firefox\Profiles\1lcuq8ab.default    1
%APPDATA%\hqbkc1l0.fyj\Firefox\Profiles\1lcuq8ab.default\cookies.sqlite    1
%APPDATA%\services\services.exe    1
%APPDATA%\jntv4ane.ztp    1

*See JSON for more IOCs
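The AgentTesla IOCs above show the behaviour that makes this family detectable without a file hash: a lookup of checkip[.]amazonaws[.]com (a public-IP service, commonly queried by stealers to tag the victim in the exfiltrated report) followed by SMTP traffic to smtp[.]/mail[.] hosts, alongside Run-key persistence under %APPDATA% (newapp\newapp.exe) and the DisableTaskMgr and DisableSR tamper values. The Python script below is an added example, not Talos code, that turns those two observations into detection logic over constructed endpoint telemetry. The mail-client allow-list, the five-minute correlation window, the event schema and the registry snapshot are assumptions made for the example.

```python
"""Two AgentTesla-style detections built from the IOCs above.

Added example; not code from the Talos roundup. Rule 1 correlates a public-IP
lookup with a following SMTP connection from the same process. Rule 2 flags
Run-key persistence launched from user-writable directories and the
DisableTaskMgr / DisableSR tamper values. All events are constructed.
"""
from datetime import datetime, timedelta

EXTERNAL_IP_SERVICES = {"checkip.amazonaws.com"}
SMTP_PORTS = {25, 465, 587}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe", "postbox.exe"}   # assumed allow-list
WINDOW = timedelta(minutes=5)                                       # assumed window
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
TAMPER_VALUES = {("\\policies\\system", "disabletaskmgr"), ("\\systemrestore", "disablesr")}


def detect_smtp_exfil(events: list) -> list:
    """Alert when a non-mail process resolves an external-IP service and then
    opens an SMTP connection within WINDOW. Events carry ISO-8601 timestamps."""
    last_lookup = {}   # (host, pid) -> time of the latest external-IP lookup
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key, t = (ev["host"], ev["pid"]), datetime.fromisoformat(ev["ts"])
        if ev["type"] == "dns" and ev["query"].lower() in EXTERNAL_IP_SERVICES:
            last_lookup[key] = t
        elif (ev["type"] == "conn" and ev["dport"] in SMTP_PORTS
              and ev["image"].lower() not in MAIL_CLIENTS):
            t0 = last_lookup.get(key)
            if t0 is not None and t - t0 <= WINDOW:
                alerts.append({"host": ev["host"], "pid": ev["pid"], "image": ev["image"],
                               "dst": f'{ev["dst"]}:{ev["dport"]}',
                               "seconds_after_lookup": int((t - t0).total_seconds())})
    return alerts


def flag_autoruns_and_tamper(values: list) -> list:
    """values: (key, value_name, data) triples from a registry snapshot."""
    findings = []
    for key, name, data in values:
        k, d = key.lower(), str(data).lower()
        if k.endswith("\\currentversion\\run") and any(p in d for p in USER_WRITABLE):
            findings.append(("autorun_from_user_dir", name, data))
        for suffix, vname in TAMPER_VALUES:
            if k.endswith(suffix) and name.lower() == vname and str(data) == "1":
                findings.append(("tamper", name, data))
    return findings


# Constructed events (not real telemetry).
EVENTS = [
    {"ts": "2022-08-30T10:00:00", "host": "ws07", "pid": 4120, "image": "newapp.exe",
     "type": "dns", "query": "checkip.amazonaws.com"},
    {"ts": "2022-08-30T10:00:02", "host": "ws07", "pid": 4120, "image": "newapp.exe",
     "type": "conn", "dst": "198.51.100.25", "dport": 587},
    {"ts": "2022-08-30T10:03:00", "host": "ws07", "pid": 900, "image": "outlook.exe",
     "type": "conn", "dst": "198.51.100.30", "dport": 587},      # legitimate mail client
    {"ts": "2022-08-30T11:00:00", "host": "ws08", "pid": 77, "image": "updater.exe",
     "type": "dns", "query": "checkip.amazonaws.com"},
    {"ts": "2022-08-30T11:20:00", "host": "ws08", "pid": 77, "image": "updater.exe",
     "type": "conn", "dst": "198.51.100.25", "dport": 587},      # 20 min later: outside WINDOW
]
REGISTRY = [
    (r"HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN", "newapp",
     r"C:\Users\alice\AppData\Roaming\newapp\newapp.exe"),
    (r"HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN", "SecurityHealth",
     r"C:\Windows\System32\SecurityHealthSystray.exe"),
    (r"HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM", "DisableTaskMgr", 1),
    (r"HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SYSTEMRESTORE", "DisableSR", 1),
]

if __name__ == "__main__":
    print(detect_smtp_exfil(EVENTS))
    print(flag_autoruns_and_tamper(REGISTRY))
```

Keying the lookup on (host, pid) rather than on the host alone is what keeps the outlook.exe connection from inheriting the stealer's lookup; in Sysmon terms that is event ID 22 (DNS query) correlated with event ID 3 (network connection) on ProcessId.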

File Hashes

02876781ecf3b9c9dfa90f74ef4fb7d6bb60a35a2c09d3895dff3b6d5a1ebb8b
3030ebe65fb01ddf2cbc83340226a872a0a156d8dc3b4a6faaaef651e3d83e1c
3cc3993e6a4ebfc9cb0f9b3b0859d067648d988b77f993aea203ac80179b97d4
5e87c3c6d7b7b6bacb185a11916876fff30634d7f62e4856634b2ee9238618de
671cd596e79c90f7c37085ba263ae4d677edfee99fc3c8306b8ec6d85133e2af
8e433d9d938adaad4c710c6ea1d24aad1689eb96e33d4cc2e81120c9c4d54197
9aa8ef433012e7b4662a4e36dd41df76b5be268f7cc2073a7361467509d5256a
9ffdf9f36b00abef356517cf38d5bf881959ebbf7af9474b1bd3e673db97cd54
b62a36fa9279443fd389580f809b95a37b0de981ec7c4338826e9ee859ce4847
b91c165d0aa38b11ab8dd8d8d00a460b78302c331478cc04b60f98eddecb1356
f8ce5974e752acd2cb2e90690eb86bb5246cc736482cae4578619cc861dcaaf5

Coverage

Product    Protection
Secure Endpoint    (icon not captured)
Cloudlock    N/A
CWS    (icon not captured)
Email Security    (icon not captured)
Network Security    N/A
Stealthwatch    N/A
Stealthwatch Cloud    N/A
Secure Malware Analytics    (icon not captured)
Umbrella    N/A
WSA    N/A

Screenshots of Detection (images not captured)

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK (technique map image not captured)

Win.Virus.Xpiro-9965977-1

Indicators of Compromise

IOCs collected from dynamic analysis of 45 samples

Registry Key (Value Name)    Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC (Value Name: Start)    45
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND (Value Name: Start)    45
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32 (Value Name: Type)    45
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64 (Value Name: Type)    45
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32 (Value Name: Type)    45
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32 (Value Name: Start)    45
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MOZILLAMAINTENANCE (Value Name: Type)    45
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MOZILLAMAINTENANCE (Value Name: Start)    45
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\OSE (Value Name: Type)    45
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\OSE (Value Name: Start)    45
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\SVC\S-1-5-21-2580483871-590521980-3826313501-500    45
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\SVC\S-1-5-21-2580483871-590521980-3826313501-500 (Value Name: EnableNotifications)    45
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32 (Value Name: Start)    45
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64 (Value Name: Start)    45
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\MSSQLSERVER    45
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\MSSQLSERVER\CLIENT    45
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\MSSQLSERVER\CLIENT\DB-LIB    45
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\MSSQLSERVER\CLIENT\SUPERSOCKETNETLIB    45
<HKLM>\SOFTWARE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\STATE (Value Name: AccumulatedWaitIdleTime)    45
<HKLM>\SOFTWARE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\LISTENEDSTATE (Value Name: RootstoreDirty)    45
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\STATE (Value Name: AccumulatedWaitIdleTime)    45
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\LISTENEDSTATE (Value Name: RootstoreDirty)    45
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\MSSQLSERVER\CLIENT\SUPERSOCKETNETLIB (Value Name: Encrypt)    45
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\MSSQLSERVER\CLIENT (Value Name: SharedMemoryOn)    45
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_64
        Value Name: Type                            44        
                     
                
            
        Mutexes            Occurrences        
                                 
        kkq-vx_mtx62            45            
                 
        kkq-vx_mtx63            45            
                 
        kkq-vx_mtx64            45            
                 
        kkq-vx_mtx65            45            
                 
        kkq-vx_mtx66            45            
                 
        kkq-vx_mtx67            45            
                 
        kkq-vx_mtx68            45            
                 
        kkq-vx_mtx69            45            
                 
        kkq-vx_mtx70            45            
                 
        kkq-vx_mtx71            45            
                 
        kkq-vx_mtx72            45            
                 
        kkq-vx_mtx73            45            
                 
        kkq-vx_mtx74            45            
                 
        kkq-vx_mtx75            45            
                 
        kkq-vx_mtx76            45            
                 
        kkq-vx_mtx77            45            
                 
        kkq-vx_mtx78            45            
                 
        kkq-vx_mtx79            45            
                 
        kkq-vx_mtx80            45            
                 
        kkq-vx_mtx81            45            
                 
        kkq-vx_mtx82            45            
                 
        kkq-vx_mtx83            45            
                 
        kkq-vx_mtx84            45            
                 
        kkq-vx_mtx85            45            
                 
        kkq-vx_mtx86            45            

*See JSON for more IOCs

    Files and or directories created                                                  Occurrences
    %CommonProgramFiles%\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE        45
    %CommonProgramFiles(x86)%\microsoft shared\Source Engine\OSE.EXE                  45
    %ProgramFiles(x86)%\Microsoft Office\Office14\GROOVE.EXE                          45
    %ProgramFiles(x86)%\Mozilla Maintenance Service\maintenanceservice.exe            45
    %SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe                    45
    %SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe                    45
    %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe                      45
    %SystemRoot%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe                      45
    %System32%\alg.exe                                                                45
    %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.log                  45
    %SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log                45
    %SystemRoot%\SysWOW64\svchost.exe                                                 45
    %SystemRoot%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log                  45
    %SystemRoot%\SysWOW64\svchost.vir                                                 45
    %SystemRoot%\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat               45
    %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock                 45
    %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat               45
    %SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock               45
    %SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat             45
    %CommonProgramFiles(x86)%\microsoft shared\source engine\ose.vir                  45
    %ProgramFiles(x86)%\microsoft office\office14\groove.vir                          45
    %ProgramFiles(x86)%\mozilla maintenance service\maintenanceservice.vir            45
    %CommonProgramFiles%\microsoft shared\officesoftwareprotectionplatform\osppsvc.vir        45
    %SystemRoot%\microsoft.net\framework64\v2.0.50727\mscorsvw.vir                    45
    %SystemRoot%\microsoft.net\framework64\v4.0.30319\mscorsvw.vir                    45

*See JSON for more IOCs

File Hashes

    07883b2bec4bb5804938dec4b37619c77ad9fc925b52bdd4368faa9416afdbf2
    118989bae4bc156627ed91ecc03e9a9a01635f624b00dad94c801ba95da08130
    127b5c9fee91c095376a75ee583bc452c269735a94a9381bd262c5cfd2163deb
    150587b20269ad5520861cd61fd6eeceddd61e5e05ff27de39189542e1f6f45a
    171d6d2f93370d7afd1875a1f7d0a59aef5d46a7d553df98d12855cca5d437a6
    1bcb487b3582e158e38e1d76365254022f18a3033c9ca23b5da0c964ead1147a
    1d2f153a4f58438ad61950c4468b95358d5aab9356f138d7b74dcadec2afdae1
    22ccda550e90cbdc7b115fc3b2d082190df9935b01ea1d8c3923445c759aa477
    270a4deb05747829e8a95f5718214bce934ab251f204d1828e3d2a1201caab1d
    2817d1aa30164faad40ff66eea5743106219fe83b20ae96523be7691ffbf467b
    2b89cd04def8bda3701849a58ebca23151b94b98db25351c7b98d0228d021db7
    2d8fcc7e70b0b9721164bf886c297355030b7c7af7904898c96757c522fe051c
    2ffe5d618f015af6681482a2347ccb631eb7df646d2d619c38fdb5fc70786ae3
    3d61c2d8682ba543026d4a1afa98409938bc28fd09aa327e1058c8abbf9d44b8
    3f11dec1f3cd0e3ef1fe0249d656394c2053ae2dd834328d82a7a5b8e7c75a88
    44515f7babd049693c6941b93b09f39944caf9038e0216ecf3cdd5ec2a02bb19
    4683415d7ef8a0aff6a2cba601d70a150391e59dd8dd4cdb71c6024bfffd9fd5
    515cf18bdd0820d02b2233b2ff897e3e957db3d90c9b977ab3480dc4360bb749
    537eb171bbe2059013f3b5335724a5da631085ca038e0e1c9082c352e9373d0f
    565d18219289992baa30b55dc7d41f0eb74bd557c47305d80257aab8f2dd43f9
    5de1d780d6bb9e646e53613cd36bede221b8fd79f2ebe461c075eb1c29fa596b
    6e92ff9fc26469a4ab8d7e380a54192d9f3d9a8c7022797053734594b5ebfbc8
    73505bcbd55074beee93cc69877a5c6fa1a52b21ef59c9935292daa776e79563
    761445a4c924c9575115b2df05a6340b213b88ce4433ef81d0758ee5b794e42d
    76f07678f7860611016dd78352f83e636be8686ec312ec869fc4a170249bb93a

*See JSON for more IOCs

Coverage

    Product                      Protection
    Secure Endpoint
    Cloudlock                    N/A
    CWS
    Email Security
    Network Security             N/A
    Stealthwatch                 N/A
    Stealthwatch Cloud           N/A
    Secure Malware Analytics
    Umbrella                     N/A
    WSA                          N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Nanocore-9965501-0

Indicators of Compromise

IOCs collected from dynamic analysis of 12 samples

    Registry Keys                                                                     Occurrences
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
        Value Name: Firefox                                                           6
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
        Value Name: Google Chrome                                                     3
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
        Value Name: Rauzvon                                                           2

    Mutexes                                                                           Occurrences
    Global\{507a688d-5e7f-4ee3-978d-22cfb8649ae5}                                     6
    IuRNZvTk9FliRK7fos                                                                3
    85af4115-b1eb-4cf2-a465-c0c97232a10e                                              2

    IP Addresses contacted by malware. Does not indicate maliciousness                Occurrences
    208[.]95[.]112[.]1                                                                3
    194[.]233[.]95[.]52                                                               1

    Domain Names contacted by malware. Does not indicate maliciousness                Occurrences
    maniac[.]http80[.]info                                                            6
    ip-api[.]com                                                                      3
    zub[.]http80[.]info                                                               3
    salak[.]pw                                                                        2
    methodist[.]sch[.]id                                                              1

    Files and or directories created                                                  Occurrences
    %TEMP%\subfolder                                                                  9
    %APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5                                    6
    %APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs                               6
    %APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs\Administrator                 6
    %APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\run.dat                            6
    %TEMP%\subfolder\firefox.exe                                                      6
    %TEMP%\subfolder\firefox.vbs                                                      6
    %APPDATA%\Logs                                                                    3
    %APPDATA%\Logs\08-27-2022                                                         3
    %TEMP%\subfolder\chromee.exe                                                      3
    %TEMP%\subfolder\chromee.vbs                                                      3
    %TEMP%\Rezmac                                                                     2
    %TEMP%\Rezmac\reuzcms.exe                                                         2
    %TEMP%\Rezmac\reuzcms.vbs                                                         2

File Hashes

    18402b2ca4fc7f307ac6df1c12224af6233b42e157d048524ff02eabc5574b3a
    2ae13d3cf6ee39ceac1add91e50c25860fa9bc2a9768f1cc5e623211659b14f2
    2f9bd77b89fd409ab141f02853f28979675cc109a5b0841476d23b046ffd1a1e
    2fc799408a67dc0a572a65bb27b2390731a64984f60409ce054469e2a7a6a46b
    374f83f762b8894f5cf1b48334e4ca74ba0664d39f0367e80e3065b138fc9643
    83ed0a21ba22c6c5029a5c4d7bc520a6c01665a34d5a085baeb14299d2fb611e
    8f1cf8c17179a49c27b10c2ab14b47a2f97b24dcf51483349138a2eb7e10be20
    969401a830e00003b591c0123c7ded0e52ceb274b31714fb199bb1ed155a4e67
    a51a1959e27231e0cfbecc2dae8144a3ddbca1721bafc8a4ff09e3dd2a6f65e2
    ba08670b6879155fa420eed444e3835d2d5fa94061e87d5c27a0b0eaf8a1c847
    d4624f001b7c6081a9fe97fa1385cb6ff0f78adeeb9408a4ac0bc26dd2e3925c
    eac6474104a6ccaa562bc3de90adaf756c236fcc19e3d9db96047c269f664cce

Coverage

    Product                      Protection
    Secure Endpoint
    Cloudlock                    N/A
    CWS
    Email Security
    Network Security
    Stealthwatch                 N/A
    Stealthwatch Cloud           N/A
    Secure Malware Analytics
    Umbrella
    WSA

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Packed.Bandook-9965180-1

Indicators of Compromise

IOCs collected from dynamic analysis of 14 samples

    Registry Keys                                                                     Occurrences
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION
        Value Name: SysHelper                                                         14
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
        Value Name: LanguageList                                                      14
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
        Value Name: SysHelper                                                         14

    Mutexes                                                                           Occurrences
    {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}                                            14
    Global\<random guid>                                                              12

    IP Addresses contacted by malware. Does not indicate maliciousness                Occurrences
    162[.]0[.]217[.]254                                                               14
    149[.]154[.]167[.]99                                                              12
    116[.]202[.]178[.]78                                                              11
    211[.]53[.]230[.]67                                                               5
    116[.]121[.]62[.]237                                                              3
    109[.]102[.]255[.]230                                                             2
    115[.]88[.]24[.]202                                                               2
    210[.]182[.]29[.]70                                                               2
    186[.]7[.]80[.]197                                                                2
    41[.]41[.]255[.]235                                                               1
    110[.]14[.]121[.]125                                                              1
    222[.]236[.]49[.]124                                                              1
    211[.]40[.]39[.]251                                                               1
    211[.]171[.]233[.]126                                                             1
    190[.]219[.]54[.]242                                                              1
    195[.]158[.]3[.]162                                                               1
    58[.]235[.]189[.]192                                                              1
    187[.]190[.]48[.]135                                                              1
    187[.]195[.]212[.]6                                                               1
    189[.]164[.]252[.]207                                                             1
    88[.]198[.]122[.]116                                                              1
    201[.]22[.]188[.]119                                                              1

    Domain Names contacted by malware. Does not indicate maliciousness                Occurrences
    api[.]2ip[.]ua                                                                    14
    rgyui[.]top                                                                       14
    acacaca[.]org                                                                     14
    t[.]me                                                                            12

    Files and or directories created                                                  Occurrences
    I:\5d2860c89d774.jpg                                                              14
    \SystemID                                                                         14
    \SystemID\PersonalID.txt                                                          14
    %LOCALAPPDATA%\bowsakkdestx.txt                                                   14
    %System32%\Tasks\Time Trigger Task                                                14
    %LOCALAPPDATA%\3856b5d6-9eb0-496c-b0d1-db92b0f6ed65                               14
    %ProgramData%\freebl3.dll                                                         12
    %ProgramData%\mozglue.dll                                                         12
    %ProgramData%\msvcp140.dll                                                        12
    %ProgramData%\nss3.dll                                                            12
    %ProgramData%\softokn3.dll                                                        12
    %ProgramData%\vcruntime140.dll                                                    12
    %LOCALAPPDATA%\7c34bb01-5d78-49c4-8bbb-73fdc7aa1262                               12
    %LOCALAPPDATA%\7c34bb01-5d78-49c4-8bbb-73fdc7aa1262\build2.exe                    11
    %LOCALAPPDATA%\66848c81-aae5-4fb7-b7d5-caf7cfaf5685\build2.exe                    2
    %ProgramData%\38004316577355091428719705                                          2
    %ProgramData%\38004316577355091428719705-shm                                      2
    %ProgramData%\38004316577355091428719705-wal                                      2
    %ProgramData%\71584480118905964190690196                                          1
    %LOCALAPPDATA%\3856b5d6-9eb0-496c-b0d1-db92b0f6ed65\e06bf2d61685bb0e8d57d45e278c965ea7a4fda6e9eae6a8ef9dea226f089dcd.exe        1
    %ProgramData%\74266566668491997434247038                                          1
    %ProgramData%\08802376146419947648049053                                          1
    %ProgramData%\78905701483251681848013193                                          1
    %ProgramData%\87138039098365190229474947                                          1
    %ProgramData%\11794213916832836750166526                                          1

*See JSON for more IOCs

File Hashes

    01983ca201f706146be28b5533ee7d96bdf48dcb27e49859366ccb2c8ad86447
    0ad916703820d701658f7a8979bad219b7785517a4d3756e9cd7f45018c88f2a
    56cd4a53bf45294705a27acc356f8bc2621d48e902ef6ebc739622ae6f93ca6d
    5aceb15695c7bb34d473ad77b0bd26e3c63d1b76e3ad4e9bdd5c790e16daf27a
    649c98faeafe332823d7c78c2cad20f00f3e23ea85bfccc744a8ea003b58db07
    71c7d15d6d1ec0964b2b5a53ff9c71377978e00b297dceb6d958d10a9d2c30a0
    79e53831488d7cf38bb7d23afa49a79ff5ec83003dc5b7d061b25689af111a47
    84fad9f56332fd8d21e6a4aa6e73b168a02603a8329fa084f11496484f1aeedb
    8c61ec9a90c74ae499c8d62d81478addbed60084b54fdb7873edbd3fd604c3d0
    a4c1acf7975cb9fa1e3c191dd6f644159e24008929d54b1fbf716523ad06508e
    afc2efd52b6d261df9f8e6f45a80480f6873281980ce5accc3b64cd00b630727
    c31c18f761d14cbaaff14a15cb1c15937c9d9a9910f1db2823e8b89b1fbc14e3
    c3f9b1f639069bea05ced05cb4971720f6ae0bdca58ac1d3be31829513ce4d58
    e06bf2d61685bb0e8d57d45e278c965ea7a4fda6e9eae6a8ef9dea226f089dcd
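The IOC tables in this roundup (the Nanocore and Bandook entries above, and the other threats' tables) arrive as flattened text: a header line ending in "Occurrences", one row per indicator with its sample count, two-line registry rows ("key", then "Value Name: X   count"), network indicators defanged with "[.]", and a one-line run of SHA-256 hashes. The parser below is an added example, not Talos code. It turns text in that layout into records, refangs the network indicators so they can be matched against logs, and computes prevalence against the "dynamic analysis of N samples" figure. SAMPLE is a constructed excerpt of the Nanocore tables (12 samples); the function and field names are the example's own.

```python
"""Parse the flattened IOC tables of a Talos Threat Roundup post into records.

Added example, not Talos code. Assumes the text layout seen on this page:
a header line ending in "Occurrences", then "<indicator>   <count>" rows
(registry rows span two lines: the key, then "Value Name: X   <count>"),
network indicators defanged with "[.]", and a "File Hashes" heading followed
by SHA-256 values.
"""
import json
import re
from dataclasses import asdict, dataclass

HEADER_RE = re.compile(r"^(?P<name>.+?)\s{2,}Occurrences\s*$")
ROW_RE = re.compile(r"^(?P<ind>.+?)\s{2,}(?P<n>\d+)\s*$")
VALUE_RE = re.compile(r"^Value Name:\s*(?P<vn>.+?)\s{2,}(?P<n>\d+)\s*$")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")

# Short labels for the header strings used on the page.
CATEGORIES = {
    "Registry Keys": "registry",
    "Mutexes": "mutex",
    "IP Addresses contacted by malware. Does not indicate maliciousness": "ip",
    "Domain Names contacted by malware. Does not indicate maliciousness": "domain",
    "Files and or directories created": "file",
}


def refang(indicator: str) -> str:
    """Undo the defanging used in the post so the value matches what logs contain."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


@dataclass
class Ioc:
    category: str
    indicator: str        # refanged form
    occurrences: int      # samples in which the indicator was observed
    prevalence: float     # occurrences / number of analysed samples
    value_name: str = ""  # registry rows only


def parse_ioc_tables(text: str, sample_count: int) -> list:
    """Turn page text into Ioc records; sample_count is the "analysis of N samples" figure."""
    iocs = []
    category = None
    pending_key = None  # registry key whose count arrives on the next "Value Name" row

    def add(indicator, n, value_name=""):
        iocs.append(Ioc(category, refang(indicator), n, n / sample_count, value_name))

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*See JSON"):
            continue
        if line == "File Hashes":
            category, pending_key = "sha256", None
            continue
        m = HEADER_RE.match(line)
        if m and m.group("name") in CATEGORIES:
            category, pending_key = CATEGORIES[m.group("name")], None
            continue
        if category is None:
            continue  # text before the first table header
        if category == "sha256":
            for digest in SHA256_RE.findall(line):
                add(digest, 1)  # each hash is one sample
            continue
        m = VALUE_RE.match(line)
        if m and pending_key:
            add(pending_key, int(m.group("n")), m.group("vn"))
            pending_key = None
            continue
        m = ROW_RE.match(line)
        if m:
            add(m.group("ind"), int(m.group("n")))
            pending_key = None
            continue
        if line.startswith("<HK"):
            pending_key = line
    return iocs


def prevalent(iocs, min_prevalence=0.5):
    """Host and network indicators seen in at least min_prevalence of the samples."""
    hits = [i for i in iocs if i.category != "sha256" and i.prevalence >= min_prevalence]
    return sorted(hits, key=lambda i: (-i.prevalence, i.category, i.indicator))


# Constructed excerpt of the Nanocore tables above (12 samples), in the page's layout.
SAMPLE = r"""
        Registry Keys            Occurrences
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
        Value Name: Firefox                            6
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
        Value Name: Google Chrome                            3

        Mutexes            Occurrences
        Global\{507a688d-5e7f-4ee3-978d-22cfb8649ae5}            6

        IP Addresses contacted by malware. Does not indicate maliciousness            Occurrences
        208[.]95[.]112[.]1            3

        Domain Names contacted by malware. Does not indicate maliciousness            Occurrences
        maniac[.]http80[.]info            6
        ip-api[.]com            3

        Files and or directories created            Occurrences
        %TEMP%\subfolder\firefox.vbs            6

File Hashes

    18402b2ca4fc7f307ac6df1c12224af6233b42e157d048524ff02eabc5574b3a    2ae13d3cf6ee39ceac1add91e50c25860fa9bc2a9768f1cc5e623211659b14f2
"""

if __name__ == "__main__":
    records = parse_ioc_tables(SAMPLE, sample_count=12)
    print(json.dumps([asdict(i) for i in prevalent(records)], indent=1))
```

Prevalence is the number a hunter should sort by: an indicator at 6/12 was produced by half the samples, one at 1/12 may be a single variant or sandbox noise. The "Does not indicate maliciousness" caveat on the network tables is carried into the output only as the category label, so any matching against proxy or DNS logs still needs the context the post asks for.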

Coverage

    Product                      Protection
    Secure Endpoint
    Cloudlock                    N/A
    CWS
    Email Security
    Network Security
    Stealthwatch                 N/A
    Stealthwatch Cloud           N/A
    Secure Malware Analytics
    Umbrella
    WSA

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Ransomware.BlackMatter-9965914-0

Indicators of Compromise

IOCs collected from dynamic analysis of 17 samples

    Registry Keys                                                                     Occurrences
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\VSS
        Value Name: DeleteFlag                                                        17
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\VSS
        Value Name: Start                                                             17
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER
        Value Name: GlobalAssocChangedCounter                                         16

    Mutexes                                                                           Occurrences
    Local\SHResolveLibrary:C:/Users/Administrator/AppData/Roaming/Microsoft/Windows/Libraries/Music.library-ms        2
    Global\160e9ee717cce91f13d77a3a825f0c36                                           2
    Global\97dd24c9bf8e7c0cbf96f37f87229698                                           1
    Global\d33eaa6f804fb26ad354969330593cc2                                           1
    Global\87157f060adf9f831ce0dc0cb3f23616                                           1
    Global\894f56e5131f56d3248c4e688de24b70                                           1
    Global\e3bb7e34789420de468428f3c22d9d74                                           1
    Global\21cb1589097551b53e4b6dd91c431ec7                                           1
    Global\1bb52c4380360c6c5ede0e9633f41905                                           1
    Global\286849ac1f88a55fdd83f9a2fd92cc8c                                           1
    Global\911dfc525e2ca360ae05fdde5aa84df4                                           1
    Global\64b3e687a1e5d07fe5e0c7a162866a7b                                           1
    Global\ca37097bb37bda10e9e84e42619ea25e                                           1
    Global\f95807e1444ab674c068082d2b3a4883                                           1
    Global\9a70b72fa75e9f9c3e2497457d332c26                                           1
    Global\ea05f6895900370af4c4072c97ed86a2                                           1
    Global\00348b0aaf40155607fc2b57eb660ea0                                           1

    Files and or directories created                                                  Occurrences
    \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-1002\desktop.ini           17
    \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I08BO8F.xlsx          17
    \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I11KHR4.doc           17
    \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I5QKHLN.doc           17
    \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I62TWBD.ppt           17
    \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I6FZORX.doc           17
    \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IABMX83.pdf           17
    \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IAJ2Y6R.pdf           17
    \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IALGTCS.xlsx          17
    \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IAPSNOM.tsv           17
    \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IGORSF7.xsn           17
    \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IGTBBSA.accdb         17
    \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IH49RPF.ppt           17
    \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IH71GGR.ppt           17
    \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IJKODPH.pdf           17
    \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IJP965K.accdb         17
    \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IKY5R3M.pdf           17
    \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IMYCSIT.pdf           17
    \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$ISLP722.doc           17
    \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IXLC77A.pdf           17
    \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IXUL2U1.doc           17
    \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IYSR1FU.ppt           17
    \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IZ2GMJW.XLSX          17
    \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$R08BO8F.xlsx          17
    \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$R11KHR4.doc           17

*See JSON for more IOCs

File Hashes

    00d3f19ff84cddc5b0cfc9d9b053a99b493add5a9bf8ec74659ef9b3d9298de6
    0400ee8269aba8f79bfd0c65f64689b06febae22a7535c9fda728a7eaa29ae0d
    060bd55768e0edc037651bf50c54248e9451d57d4da795b9d8ea03829085cea1
    0bfd5fbf610b76c84abbdefcdaee8c0d09c002e40f69fe86db39478931aea73a
    15f56da9d9888fbad8bc428b72b4d06c736b38392ff41b94ae06c27864a9dee1
    2e641dbe994f931adeff6b65fb9db481a42717454a0ea6b1e2222ba24d890fa9
    333f19529de011757c299888e57b8d37801b6adbf7e2d270b71726150aeef90c
    4707b114756307df755bbe231a468d02503d82947d32f9037d011075d826445e
    55b45145bf1ed50d1e72c74c0743ce36e279a10e55dada004824f3eb7db5646d
    80e9ee47dafde64d31cf494ecea11923f5b1646d5e8bc9d7e51999bd79334db5
    95ddbeacd79ad7d944e75f55ca323a13076b756c4accefd28e206a76b3ea268b
    9c25081891c1c1ff09c6bde2e8a9bed6022d6cc9edda9abdd7a771f68264bce6
    a24db7475958186ec57258d44edd465b1a060b52aff714e7f261cce41d052deb
    a6f7f973e63f3c2ef886a98663bd4aa08deb3ec9a4a8c60ead43ce5a9b9787f5
    e4eda1e494929b5bf8a5affbbe56d8fa89e4868042cf844c9124d58c9094d77b
    e5bb89bea6c854818b9b5884bf9e46e51873ccba73e73ef61ff2e63def151ce0
    fe20b163358d90a39f3afc632dedd029231428474dd42c71a333b2a6d514f1e8
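Three registry observations in this roundup are the ones a responder checks first in an exported hive: the Nanocore samples' HKCU RunOnce values named Firefox and Google Chrome, paired with .vbs files under %TEMP%\subfolder; the Run\SysHelper value in the Bandook section; and, for BlackMatter, the Start and DeleteFlag values written under the VSS service key, which is how the Volume Shadow Copy service is disabled or queued for deletion before encryption. The script below is an added example, not Talos or Microsoft code. It parses a .reg export (the regedit / "reg export" format) and flags autorun values that launch a script host or point into a user-writable directory, and a VSS service entry with Start=4 (SERVICE_DISABLED) or DeleteFlag=1 (Service Control Manager deletes the service on next start). The post lists only key and value names, so the value data in the constructed SAMPLE_EXPORT (paths, dword values, the "victim" user name) is assumed; the function names are the example's own.

```python
"""Triage a Windows registry export for the autorun and service keys listed in this roundup.

Added example, not Talos or Microsoft code. parse_reg_export() reads the
.reg text format; triage() flags Run/RunOnce values that launch a script
host or point into a user-writable directory, and a Volume Shadow Copy
(VSS) service entry that is disabled (Start=4) or marked for deletion
(DeleteFlag=1). The export below is constructed; only the key and value
names come from the post, the value data is assumed.
"""
import re
from dataclasses import dataclass

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.+)$')

AUTORUN_SUFFIXES = (
    r"\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
    r"\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE",
)
SCRIPT_HOSTS = ("wscript", "cscript", "mshta", "powershell", "cmd.exe")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\",
                 "%temp%", "%appdata%", "%localappdata%", "%programdata%")
SERVICE_DISABLED = 4  # SERVICE_DISABLED start type


def _unescape(s: str) -> str:
    # .reg strings escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def _decode(data: str):
    if data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    return data  # hex:, hex(2): and similar are left raw


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: data}} for a .reg export."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group("default") else _unescape(m.group("name"))
            keys[current][name] = _decode(m.group("data"))
    return keys


@dataclass
class Finding:
    key: str
    value_name: str
    data: object
    reason: str


def triage(keys: dict) -> list:
    """Apply the autorun and VSS checks to a parsed export."""
    findings = []
    for key, values in keys.items():
        ukey = key.upper()
        if ukey.endswith(AUTORUN_SUFFIXES):
            for name, data in values.items():
                if not isinstance(data, str):
                    continue
                cmd = data.lower()
                reasons = []
                if any(h in cmd for h in SCRIPT_HOSTS):
                    reasons.append("script host in autorun command")
                if any(p in cmd for p in USER_WRITABLE):
                    reasons.append("autorun target in user-writable directory")
                if reasons:
                    findings.append(Finding(key, name, data, "; ".join(reasons)))
        if ukey.endswith(r"\SERVICES\VSS"):
            if values.get("Start") == SERVICE_DISABLED:
                findings.append(Finding(key, "Start", values["Start"], "Volume Shadow Copy service disabled"))
            if values.get("DeleteFlag") == 1:
                findings.append(Finding(key, "DeleteFlag", 1, "Volume Shadow Copy service marked for deletion"))
    return findings


# Constructed export: key and value names from the post, value data assumed.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Firefox"="wscript.exe \"C:\\Users\\victim\\AppData\\Local\\Temp\\subfolder\\firefox.vbs\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysHelper"="\"C:\\Users\\victim\\AppData\\Local\\3856b5d6-9eb0-496c-b0d1-db92b0f6ed65\\build2.exe\" --AutoStart"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS]
"Type"=dword:00000010
"Start"=dword:00000004
"DeleteFlag"=dword:00000001
"""

if __name__ == "__main__":
    for f in triage(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{f.reason}: {f.key} [{f.value_name}] = {f.data!r}")
```

The user-writable heuristic also fires on legitimate per-user software (OneDrive, per-user browser installs), so treat its hits as leads to check against file signature and prevalence rather than verdicts; the script-host and VSS checks are far more specific. Note that the post records the VSS changes under ControlSet001, so an export taken from CurrentControlSet on a live host lands on the same key through the symbolic link.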

Coverage

    Product                      Protection
    Secure Endpoint
    Cloudlock                    N/A
    CWS
    Email Security
    Network Security             N/A
    Stealthwatch                 N/A
    Stealthwatch Cloud           N/A
    Secure Malware Analytics
    Umbrella                     N/A
    WSA                          N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Formbook-9965920-0

Indicators of Compromise

IOCs collected from dynamic analysis of 25 samples

        Mutexes                                    Occurrences
        8-3503835SZBFHHZ                           1
        S-1-5-21-2580483-1244278791147             1
        3Q694U0B59Bv9yz0                           1

        Files and or directories created                                        Occurrences
        %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\sdhoston.vbs    1
        %APPDATA%\sdhoston                                                      1
        %APPDATA%\sdhoston\sdhoston.exe                                         1
        %APPDATA%\sdhoston\sdhoston.exe:ZoneIdentifier                          1

File Hashes


*See JSON for more IOCs

Coverage

        Product                       Protection
        Secure Endpoint
        Cloudlock                     N/A
        CWS
        Email Security
        Network Security              N/A
        Stealthwatch                  N/A
        Stealthwatch Cloud            N/A
        Secure Malware Analytics
        Umbrella                      N/A
        WSA                           N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Threat Breakdown****Win.Dropper.DarkKomet-9966191-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 84 samples

Registry Keys

Occurrences

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST

18

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: LanguageList

12

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST

        Value Name: C:\Windows\M-50504578520758924620\winmgr.exe

10

<HKCU>\SOFTWARE\DC3_FEXEC

8

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: Microsoft Windows Service

5

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: Microsoft Windows Service

5

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST

        Value Name: C:\Windows\M-5050756432604649683503740\winsvc.exe

3

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE

        Value Name: DoNotAllowExceptions

2

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: MicroUpdate

2

<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN

2

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @%SystemRoot%\system32\dhcpqec.dll,-100

2

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @%SystemRoot%\system32\dhcpqec.dll,-101

2

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @%SystemRoot%\system32\dhcpqec.dll,-103

2

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @%SystemRoot%\system32\dhcpqec.dll,-102

2

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @%SystemRoot%\system32\napipsec.dll,-1

2

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @%SystemRoot%\system32\napipsec.dll,-2

2

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @%SystemRoot%\system32\napipsec.dll,-4

2

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @%SystemRoot%\system32\napipsec.dll,-3

2

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @%SystemRoot%\system32\tsgqec.dll,-100

2

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @%SystemRoot%\system32\tsgqec.dll,-101

2

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @%SystemRoot%\system32\tsgqec.dll,-102

2

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @%SystemRoot%\system32\tsgqec.dll,-103

2

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @%SystemRoot%\system32\eapqec.dll,-100

2

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @%SystemRoot%\system32\eapqec.dll,-101

2

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @%SystemRoot%\system32\eapqec.dll,-102

2

Mutexes

Occurrences

t8

6

DC_MUTEX-<random, matching [A-Z0-9]{7}>

5

t10

4

w3

3

w2

2

DCMIN_MUTEX-WG79R6U

2

uxJLpe1m

1

2562100796

1

lol

1

FvLQ49IlzIyLjj6m

1

e621ca05-Mutex

1

{D9961D0B-0106-5584-AD6D-884HSI64CNI9}

1

{D0001D0B-0106-5584-AD6D-884HSI64CNI9}

1

TLS

1

yourhavebecracked

1

crapponce

1

CCC

1

7QSDIYQXU3

1

DCMIN_MUTEX-W1AEX56

1

2CC

1

4444

1

5555

1

CC02

1

w4

1

e2b9ef1ee9bca34ce51187acb9a0f411

1

*See JSON for more IOCs

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences

58[.]158[.]177[.]102

3

35[.]205[.]61[.]67

1

198[.]49[.]23[.]144/31

1

20[.]72[.]235[.]82

1

20[.]81[.]111[.]85

1

23[.]221[.]227[.]172

1

184[.]105[.]237[.]196

1

188[.]165[.]227[.]65

1

140[.]228[.]29[.]110

1

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

srv50[.]ru

11

trik[.]su

11

trkbox[.]ru

6

srv60[.]su

5

srv70[.]ru

4

wrksrv[.]ru

4

markben390[.]no-ip[.]org

3

avget[.]ru

2

microsoft[.]com

1

bermanstreetllc[.]com

1

biggymoney01[.]no-ip[.]biz

1

biggymoney03[.]no-ip[.]biz

1

biggymoney2[.]no-ip[.]biz

1

businessswitchedmylife[.]biz

1

nobemetalkam[.]com

1

heavensbreedonline[.]com

1

heavensbreedonline[.]biz

1

heavensbreedonline[.]co

1

heavensbreedonline[.]org

1

seadeeponline[.]com

1

eurofreightglobalonline[.]com

1

swrenvgloballtd[.]com

1

mailsecuredssl[.]com

1

ssl32bit[.]com

1

128bitsecured[.]com

1

*See JSON for more IOCs

Files and or directories created

Occurrences

\autorun.inf

11

\windrv.exe

11

E:\autorun.inf

11

E:\windrv.exe

11

%SystemRoot%\M-50504578520758924620

10

%SystemRoot%\M-50504578520758924620\winmgr.exe

10

%APPDATA%\dclogs

8

%SystemRoot%\M-5050756432604649683503740

3

%SystemRoot%\M-5050756432604649683503740\winsvc.exe

3

%HOMEPATH%\Documents\MSDCSC\msdcsc.exe

2

%TEMP%\a

2

%TEMP%\incl2

2

%SystemRoot%\M-50507564324649683503740\winsvc.exe

2

%TEMP%\c

2

%TEMP%\incl1

2

%TEMP%<random, matching '[a-z]{3}[A-F0-9]{3,4}’>.tmp

2

%HOMEPATH%\Y44VPhclUOy\lib\images\cursors\win32_LinkNoDrop32x32.gif

1

%HOMEPATH%\Y44VPhclUOy\lib\images\cursors\win32_MoveDrop32x32.gif

1

%HOMEPATH%\Y44VPhclUOy\lib\images\cursors\win32_MoveNoDrop32x32.gif

1

%HOMEPATH%\Y44VPhclUOy\lib\jce.jar

1

%HOMEPATH%\Y44VPhclUOy\lib\jfr.jar

1

%HOMEPATH%\Y44VPhclUOy\lib\jfr\default.jfc

1

%HOMEPATH%\Y44VPhclUOy\lib\jfr\profile.jfc

1

%HOMEPATH%\Y44VPhclUOy\lib\jsse.jar

1

%HOMEPATH%\Y44VPhclUOy\lib\jvm.hprof.txt

1

*See JSON for more IOCs

File Hashes

    01d99de8be5d399beb94238ded93f68cecce9b05010ec2095fb88dfea30be905

    01dc08a7611de9ed95addbdc484f028da8c4cc4f2f04bf007955e8e7771af2ad

    0521c25b0e73636633fc888ecb616c71e37cc63cdef64d531938fb41cb5190c3

    07fb7af6f5ebe683cea86ec012a0a002771d658873ea3428d989f8ecaccc2e0b

    0b8d380e9ff7c2cdd17b4e95d6663d1b21db1c955b0c933d68bd66c9c8b1b74b

    0ce96b476d6d0aeaa983de1cf41c4553f68156d6cbbe9d48ae852ef0e5143de7

    0edde1077db95438d2598acd555a39b3c2ac432f98b60d3c77415fd650b13516

    1a85cf3317d5a030ab87d02649769a6a0bfb1b342ecc46f1bc26e1f651fbb1ed

    1abb5ce77ce286aac491f9363161554eb0894dfb425e4457aee3cd3fc22982e9

    1dc5ac655a745dc442a017eb4fe0d86a0877726d4c84a026e8eb3dbe528953f9

    234eb8f2d2c1a731eb5672006b5c449761e8536b2f6d4b40d20f54e74d631807

    259941e22122288262ef81fd0d0412a9b2725a9a0d77f7c6442020b0733ebbed

    2b6326b6b21207fd649683ac43062c06eace7074bbd3f726f200a8717b02c75f

    2ba447c32a9cfa066bbc502772d11c9fb62404c090a9de7c83d9aa4151dbf35c

    2bc2fc0088f069fb5bb5e448b106a6dc91e5177e00c443571baecac8b8afd8f9

    2f6fa4f49fb85c80342285a08bd5fc0b9e3f3198f4854973824567fb131b07e0

    32c9b04c79b44e5c331c6497b9c11ce942b53e9fe6d6b57211e2dac442bb4d8b

    34e3b029473a25d0eed41532071b5fd8f217e24e31642985324e48e0cd832313

    35a047096848277ecedf71875652c55466a6d1a167bb82e810591951d991c0ff

    3adb310c1ed97474f55974c05a17c56a89d082eb3069592d5734f91b330a8d96

    4326fb1eabf2fd7bde99777bc0283746791e7398cacdf575affe537ab33cf16f

    433bedd8a7ee7e1585a93cc9076941d3d31c33c602f116e407da8bddd9db9ea6

    44317a91b1c813dc8423423cc5a1130e34264f5ab8cc4b35e05da3b7eaacc3f2

    483c61bf01f6404f78a83413bf011e0e86c6adae8cce6e1a622ff1ee6e95c1ee

    4bb436856e6c78ebac6ef0f48a76fad96268add5dc1583a0e20b986d4532bce4

*See JSON for more IOCs

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

N/A

WSA

N/A

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Packed.AgentTesla-9966126-1****Indicators of Compromise

  • IOCs collected from dynamic analysis of 11 samples

Registry Keys

Occurrences

<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS

11

<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\OQBAZG7TYHTA203\ATJMVRXU7DWVTQMOVW75

        Value Name: wNHJwQzhBIRVra53

11

<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\OQBAZG7TYHTA203

11

<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\OQBAZG7TYHTA203\ATJMVRXU7DWVTQMOVW75

11

<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\YAPCUBB9WTPSKYCICPURQGTTVZSSZFZV9XZMYAD173

11

<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\YAPCUBB9WTPSKYCICPURQGTTVZSSZFZV9XZMYAD173\ZMD1ZDDSRHXRHJRA7YJEA5BX8K4IU8VF0XR178

11

<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\TNNOKQEOKS91GA2LCMWPH6IIE51

11

<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\TNNOKQEOKS91GA2LCMWPH6IIE51\WZHY5EK0J8ED51

11

<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\YAPCUBB9WTPSKYCICPURQGTTVZSSZFZV9XZMYAD173\ZMD1ZDDSRHXRHJRA7YJEA5BX8K4IU8VF0XR178

        Value Name: m2shbluBdxk2hpHhWEya7LtO7ceN81

11

<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\WNHJWQZHBIRVRA224

11

<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\TNNOKQEOKS91GA2LCMWPH6IIE51\WZHY5EK0J8ED51

        Value Name: OqbazG7tyhTA228

11

<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\WNHJWQZHBIRVRA224\B753

11

<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\WNHJWQZHBIRVRA224\B753

        Value Name: YapCUbb9WtpskyCIcpUrqGtTVZssZFZv9xzmYaD128

11

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: newApp

4

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: newapp

4

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM

        Value Name: DisableTaskMgr

2

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM

2

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SYSTEMRESTORE

        Value Name: DisableSR

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: Registry Key Name

1

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: LanguageList

1

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @C:\Windows\system32\DeviceCenter.dll,-2000

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: MyyyyZApp

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: services

1

Mutexes

Occurrences

Global\536fbb71-288b-11ed-9660-00151721fd34

1

Global\5c7184b1-288b-11ed-9660-001517bb55ad

1

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences

3[.]93[.]18[.]244

1

3[.]217[.]248[.]28

1

34[.]200[.]207[.]31

1

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

checkip[.]amazonaws[.]com

3

smtp[.]tetenel[.]com

1

mail[.]orncbbq[.]com

1

smtp[.]ssgtoolz[.]net

1

Files and or directories created

Occurrences

%TEMP%<random, matching '[0-9]{15}’>000_<random GUID>.db

9

%APPDATA%\newapp

4

%APPDATA%\newapp\newapp.exe

4

%APPDATA%\Postbox\profiles.ini

2

%System32%\drivers\etc\hosts

1

%HOMEPATH%\subfolder

1

%HOMEPATH%\subfolder\filename.exe

1

%HOMEPATH%\subfolder\filename.vbs

1

%APPDATA%\services

1

%TEMP%\MyyyyZApp

1

%TEMP%\MyyyyZApp\MyyyyZApp.exe

1

%APPDATA%\jddbt225.sux

1

%APPDATA%\jddbt225.sux.zip

1

%APPDATA%\jddbt225.sux\Firefox

1

%APPDATA%\jddbt225.sux\Firefox\Profiles

1

%APPDATA%\jddbt225.sux\Firefox\Profiles\1lcuq8ab.default

1

%APPDATA%\jddbt225.sux\Firefox\Profiles\1lcuq8ab.default\cookies.sqlite

1

%APPDATA%\hqbkc1l0.fyj

1

%APPDATA%\hqbkc1l0.fyj.zip

1

%APPDATA%\hqbkc1l0.fyj\Firefox

1

%APPDATA%\hqbkc1l0.fyj\Firefox\Profiles

1

%APPDATA%\hqbkc1l0.fyj\Firefox\Profiles\1lcuq8ab.default

1

%APPDATA%\hqbkc1l0.fyj\Firefox\Profiles\1lcuq8ab.default\cookies.sqlite

1

%APPDATA%\services\services.exe

1

%APPDATA%\jntv4ane.ztp

1

*See JSON for more IOCs

File Hashes

    02876781ecf3b9c9dfa90f74ef4fb7d6bb60a35a2c09d3895dff3b6d5a1ebb8b

    3030ebe65fb01ddf2cbc83340226a872a0a156d8dc3b4a6faaaef651e3d83e1c

    3cc3993e6a4ebfc9cb0f9b3b0859d067648d988b77f993aea203ac80179b97d4

    5e87c3c6d7b7b6bacb185a11916876fff30634d7f62e4856634b2ee9238618de

    671cd596e79c90f7c37085ba263ae4d677edfee99fc3c8306b8ec6d85133e2af

    8e433d9d938adaad4c710c6ea1d24aad1689eb96e33d4cc2e81120c9c4d54197

    9aa8ef433012e7b4662a4e36dd41df76b5be268f7cc2073a7361467509d5256a

    9ffdf9f36b00abef356517cf38d5bf881959ebbf7af9474b1bd3e673db97cd54

    b62a36fa9279443fd389580f809b95a37b0de981ec7c4338826e9ee859ce4847

    b91c165d0aa38b11ab8dd8d8d00a460b78302c331478cc04b60f98eddecb1356

    f8ce5974e752acd2cb2e90690eb86bb5246cc736482cae4578619cc861dcaaf5

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

N/A

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

N/A

WSA

N/A

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Virus.Xpiro-9965977-1****Indicators of Compromise

  • IOCs collected from dynamic analysis of 45 samples

Registry Keys

Occurrences

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC

        Value Name: Start

45

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND

        Value Name: Start

45

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32

        Value Name: Type

45

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64

        Value Name: Type

45

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32

        Value Name: Type

45

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32

        Value Name: Start

45

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MOZILLAMAINTENANCE

        Value Name: Type

45

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MOZILLAMAINTENANCE

        Value Name: Start

45

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\OSE

        Value Name: Type

45

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\OSE

        Value Name: Start

45

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\SVC\S-1-5-21-2580483871-590521980-3826313501-500

45

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\SVC\S-1-5-21-2580483871-590521980-3826313501-500

        Value Name: EnableNotifications

45

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32

        Value Name: Start

45

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64

        Value Name: Start

45

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\MSSQLSERVER

45

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\MSSQLSERVER\CLIENT

45

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\MSSQLSERVER\CLIENT\DB-LIB

45

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\MSSQLSERVER\CLIENT\SUPERSOCKETNETLIB

45

<HKLM>\SOFTWARE\MICROSOFT.NETFRAMEWORK\V2.0.50727\NGENSERVICE\STATE

        Value Name: AccumulatedWaitIdleTime

45

<HKLM>\SOFTWARE\MICROSOFT.NETFRAMEWORK\V2.0.50727\NGENSERVICE\LISTENEDSTATE

        Value Name: RootstoreDirty

45

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT.NETFRAMEWORK\V2.0.50727\NGENSERVICE\STATE

        Value Name: AccumulatedWaitIdleTime

45

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT.NETFRAMEWORK\V2.0.50727\NGENSERVICE\LISTENEDSTATE

        Value Name: RootstoreDirty

45

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\MSSQLSERVER\CLIENT\SUPERSOCKETNETLIB

        Value Name: Encrypt

45

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\MSSQLSERVER\CLIENT

        Value Name: SharedMemoryOn

45

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_64

        Value Name: Type

44

Mutexes

Occurrences

kkq-vx_mtx62

45

kkq-vx_mtx63

45

kkq-vx_mtx64

45

kkq-vx_mtx65

45

kkq-vx_mtx66

45

kkq-vx_mtx67

45

kkq-vx_mtx68

45

kkq-vx_mtx69

45

kkq-vx_mtx70

45

kkq-vx_mtx71

45

kkq-vx_mtx72

45

kkq-vx_mtx73

45

kkq-vx_mtx74

45

kkq-vx_mtx75

45

kkq-vx_mtx76

45

kkq-vx_mtx77

45

kkq-vx_mtx78

45

kkq-vx_mtx79

45

kkq-vx_mtx80

45

kkq-vx_mtx81

45

kkq-vx_mtx82

45

kkq-vx_mtx83

45

kkq-vx_mtx84

45

kkq-vx_mtx85

45

kkq-vx_mtx86

45

*See JSON for more IOCs

Files and or directories created

Occurrences

%CommonProgramFiles%\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

45

%CommonProgramFiles(x86)%\microsoft shared\Source Engine\OSE.EXE

45

%ProgramFiles(x86)%\Microsoft Office\Office14\GROOVE.EXE

45

%ProgramFiles(x86)%\Mozilla Maintenance Service\maintenanceservice.exe

45

%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

45

%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

45

%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

45

%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

45

%System32%\alg.exe

45

%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

45

%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

45

%SystemRoot%\SysWOW64\svchost.exe

45

%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

45

%SystemRoot%\SysWOW64\svchost.vir

45

%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat

45

%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock

45

%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat

45

%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock

45

%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat

45

%CommonProgramFiles(x86)%\microsoft shared\source engine\ose.vir

45

%ProgramFiles(x86)%\microsoft office\office14\groove.vir

45

%ProgramFiles(x86)%\mozilla maintenance service\maintenanceservice.vir

45

%CommonProgramFiles%\microsoft shared\officesoftwareprotectionplatform\osppsvc.vir

45

%SystemRoot%\microsoft.net\framework64\v2.0.50727\mscorsvw.vir

45

%SystemRoot%\microsoft.net\framework64\v4.0.30319\mscorsvw.vir

45

*See JSON for more IOCs

File Hashes

    07883b2bec4bb5804938dec4b37619c77ad9fc925b52bdd4368faa9416afdbf2

    118989bae4bc156627ed91ecc03e9a9a01635f624b00dad94c801ba95da08130

    127b5c9fee91c095376a75ee583bc452c269735a94a9381bd262c5cfd2163deb

    150587b20269ad5520861cd61fd6eeceddd61e5e05ff27de39189542e1f6f45a

    171d6d2f93370d7afd1875a1f7d0a59aef5d46a7d553df98d12855cca5d437a6

    1bcb487b3582e158e38e1d76365254022f18a3033c9ca23b5da0c964ead1147a

    1d2f153a4f58438ad61950c4468b95358d5aab9356f138d7b74dcadec2afdae1

    22ccda550e90cbdc7b115fc3b2d082190df9935b01ea1d8c3923445c759aa477

    270a4deb05747829e8a95f5718214bce934ab251f204d1828e3d2a1201caab1d

    2817d1aa30164faad40ff66eea5743106219fe83b20ae96523be7691ffbf467b

    2b89cd04def8bda3701849a58ebca23151b94b98db25351c7b98d0228d021db7

    2d8fcc7e70b0b9721164bf886c297355030b7c7af7904898c96757c522fe051c

    2ffe5d618f015af6681482a2347ccb631eb7df646d2d619c38fdb5fc70786ae3

    3d61c2d8682ba543026d4a1afa98409938bc28fd09aa327e1058c8abbf9d44b8

    3f11dec1f3cd0e3ef1fe0249d656394c2053ae2dd834328d82a7a5b8e7c75a88

    44515f7babd049693c6941b93b09f39944caf9038e0216ecf3cdd5ec2a02bb19

    4683415d7ef8a0aff6a2cba601d70a150391e59dd8dd4cdb71c6024bfffd9fd5

    515cf18bdd0820d02b2233b2ff897e3e957db3d90c9b977ab3480dc4360bb749

    537eb171bbe2059013f3b5335724a5da631085ca038e0e1c9082c352e9373d0f

    565d18219289992baa30b55dc7d41f0eb74bd557c47305d80257aab8f2dd43f9

    5de1d780d6bb9e646e53613cd36bede221b8fd79f2ebe461c075eb1c29fa596b

    6e92ff9fc26469a4ab8d7e380a54192d9f3d9a8c7022797053734594b5ebfbc8

    73505bcbd55074beee93cc69877a5c6fa1a52b21ef59c9935292daa776e79563

    761445a4c924c9575115b2df05a6340b213b88ce4433ef81d0758ee5b794e42d

    76f07678f7860611016dd78352f83e636be8686ec312ec869fc4a170249bb93a

*See JSON for more IOCs

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

N/A

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

N/A

WSA

N/A

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Nanocore-9965501-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 12 samples

Registry Keys

Occurrences

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE

        Value Name: Firefox

6

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE

        Value Name: Google Chrome

3

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE

        Value Name: Rauzvon

2

Mutexes

Occurrences

Global{507a688d-5e7f-4ee3-978d-22cfb8649ae5}

6

IuRNZvTk9FliRK7fos

3

85af4115-b1eb-4cf2-a465-c0c97232a10e

2

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences

208[.]95[.]112[.]1

3

194[.]233[.]95[.]52

1

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

maniac[.]http80[.]info

6

ip-api[.]com

3

zub[.]http80[.]info

3

salak[.]pw

2

methodist[.]sch[.]id

1

Files and or directories created

Occurrences

%TEMP%\subfolder

9

%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5

6

%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs

6

%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs\Administrator

6

%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\run.dat

6

%TEMP%\subfolder\firefox.exe

6

%TEMP%\subfolder\firefox.vbs

6

%APPDATA%\Logs

3

%APPDATA%\Logs\08-27-2022

3

%TEMP%\subfolder\chromee.exe

3

%TEMP%\subfolder\chromee.vbs

3

%TEMP%\Rezmac

2

%TEMP%\Rezmac\reuzcms.exe

2

%TEMP%\Rezmac\reuzcms.vbs

2

File Hashes

    18402b2ca4fc7f307ac6df1c12224af6233b42e157d048524ff02eabc5574b3a

    2ae13d3cf6ee39ceac1add91e50c25860fa9bc2a9768f1cc5e623211659b14f2

    2f9bd77b89fd409ab141f02853f28979675cc109a5b0841476d23b046ffd1a1e

    2fc799408a67dc0a572a65bb27b2390731a64984f60409ce054469e2a7a6a46b

    374f83f762b8894f5cf1b48334e4ca74ba0664d39f0367e80e3065b138fc9643

    83ed0a21ba22c6c5029a5c4d7bc520a6c01665a34d5a085baeb14299d2fb611e

    8f1cf8c17179a49c27b10c2ab14b47a2f97b24dcf51483349138a2eb7e10be20

    969401a830e00003b591c0123c7ded0e52ceb274b31714fb199bb1ed155a4e67

    a51a1959e27231e0cfbecc2dae8144a3ddbca1721bafc8a4ff09e3dd2a6f65e2

    ba08670b6879155fa420eed444e3835d2d5fa94061e87d5c27a0b0eaf8a1c847

    d4624f001b7c6081a9fe97fa1385cb6ff0f78adeeb9408a4ac0bc26dd2e3925c

    eac6474104a6ccaa562bc3de90adaf756c236fcc19e3d9db96047c269f664cce

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

WSA

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Packed.Bandook-9965180-1****Indicators of Compromise

  • IOCs collected from dynamic analysis of 14 samples

Registry Keys

Occurrences

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION

        Value Name: SysHelper

14

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: LanguageList

14

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: SysHelper

14

Mutexes    Occurrences
{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}    14
Global<random guid>    12

IP Addresses contacted by malware. Does not indicate maliciousness


Domain Names contacted by malware. Does not indicate maliciousness

Domain    Occurrences
api[.]2ip[.]ua    14
rgyui[.]top    14
acacaca[.]org    14
t[.]me    12

Files and/or directories created    Occurrences
I:\5d2860c89d774.jpg    14
\SystemID    14
\SystemID\PersonalID.txt    14
%LOCALAPPDATA%\bowsakkdestx.txt    14
%System32%\Tasks\Time Trigger Task    14
%LOCALAPPDATA%\3856b5d6-9eb0-496c-b0d1-db92b0f6ed65    14
%ProgramData%\freebl3.dll    12
%ProgramData%\mozglue.dll    12
%ProgramData%\msvcp140.dll    12
%ProgramData%\nss3.dll    12
%ProgramData%\softokn3.dll    12
%ProgramData%\vcruntime140.dll    12
%LOCALAPPDATA%\7c34bb01-5d78-49c4-8bbb-73fdc7aa1262    12
%LOCALAPPDATA%\7c34bb01-5d78-49c4-8bbb-73fdc7aa1262\build2.exe    11
%LOCALAPPDATA%\66848c81-aae5-4fb7-b7d5-caf7cfaf5685\build2.exe    2
%ProgramData%\38004316577355091428719705    2
%ProgramData%\38004316577355091428719705-shm    2
%ProgramData%\38004316577355091428719705-wal    2
%ProgramData%\71584480118905964190690196    1
%LOCALAPPDATA%\3856b5d6-9eb0-496c-b0d1-db92b0f6ed65\e06bf2d61685bb0e8d57d45e278c965ea7a4fda6e9eae6a8ef9dea226f089dcd.exe    1
%ProgramData%\74266566668491997434247038    1
%ProgramData%\08802376146419947648049053    1
%ProgramData%\78905701483251681848013193    1
%ProgramData%\87138039098365190229474947    1
%ProgramData%\11794213916832836750166526    1

*See JSON for more IOCs

File Hashes

Coverage

Product    Protection
Secure Endpoint
Cloudlock    N/A
CWS
Email Security
Network Security
Stealthwatch    N/A
Stealthwatch Cloud    N/A
Secure Malware Analytics
Umbrella
WSA

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Ransomware.BlackMatter-9965914-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 17 samples

Registry Keys    Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VSS (Value Name: DeleteFlag)    17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VSS (Value Name: Start)    17
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER (Value Name: GlobalAssocChangedCounter)    16

Mutexes

Files and/or directories created    Occurrences
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-1002\desktop.ini    17
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I08BO8F.xlsx    17
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I11KHR4.doc    17
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I5QKHLN.doc    17
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I62TWBD.ppt    17
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I6FZORX.doc    17
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IABMX83.pdf    17
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IAJ2Y6R.pdf    17
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IALGTCS.xlsx    17
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IAPSNOM.tsv    17
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IGORSF7.xsn    17
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IGTBBSA.accdb    17
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IH49RPF.ppt    17
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IH71GGR.ppt    17
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IJKODPH.pdf    17
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IJP965K.accdb    17
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IKY5R3M.pdf    17
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IMYCSIT.pdf    17
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$ISLP722.doc    17
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IXLC77A.pdf    17
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IXUL2U1.doc    17
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IYSR1FU.ppt    17
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IZ2GMJW.XLSX    17
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$R08BO8F.xlsx    17
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$R11KHR4.doc    17

*See JSON for more IOCs

File Hashes

Coverage

Product    Protection
Secure Endpoint
Cloudlock    N/A
CWS
Email Security
Network Security    N/A
Stealthwatch    N/A
Stealthwatch Cloud    N/A
Secure Malware Analytics
Umbrella    N/A
WSA    N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Formbook-9965920-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples

Mutexes    Occurrences
8-3503835SZBFHHZ    1
S-1-5-21-2580483-1244278791147    1
3Q694U0B59Bv9yz0    1

Files and/or directories created    Occurrences
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\sdhoston.vbs    1
%APPDATA%\sdhoston    1
%APPDATA%\sdhoston\sdhoston.exe    1
%APPDATA%\sdhoston\sdhoston.exe:ZoneIdentifier    1

File Hashes

*See JSON for more IOCs

Coverage

Product    Protection
Secure Endpoint
Cloudlock    N/A
CWS
Email Security
Network Security    N/A
Stealthwatch    N/A
Stealthwatch Cloud    N/A
Secure Malware Analytics
Umbrella    N/A
WSA    N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK
