Headline
Threat Roundup for August 12 to August 19
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Aug. 12 and Aug. 19. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats. As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found herethat includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files. The most prevalent threats highlighted in this roundup are:
Threat Name Type Description
Win.Dropper.Ramnit-9964110-0 Dropper Ramnit is a banking trojan that monitors web browser activity on an infected machine and collects login information from financial websites. It could also steal browser cookies and hide from popular antivirus software. Win.Ransomware.Locky-9963624-0 Ransomware Locky is ransomware typically distributed via spam emails containing a maliciously crafted Microsoft Word document crafted to trick targets into enabling malicious macros. This family was originally released in 2016 and updated over the years with additional functionality. Win.Dropper.Shiz-9963681-0 Dropper Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information. It is commonly spread via droppers or by victims visiting a malicious site. Win.Dropper.XtremeRAT-9963701-0 Dropper XtremeRAT is a remote access trojan active since 2010 that allows the attacker eavesdrop on users and modify the running system. The source code for XtremeRAT, written in Delphi, was leaked online and has since been used by similar RATs. Win.Dropper.Nanocore-9963905-0 Dropper Nanocore is a .NET remote access trojan. Its source code has been leaked several times, making it widely available. Like other RATs, it allows full control of the system, including recording video and audio, stealing passwords, downloading files and recording keystrokes. Win.Ransomware.Cerber-9964084-0 Ransomware Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension “.cerber,” although in more recent campaigns, other file extensions are used. Win.Dropper.Dorkbot-9964085-0 Dropper Dorkbot is a worm that spreads itself through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the controller to control the machine remotely. Win.Worm.Kuluoz-9964104-0 Worm Kuluoz, sometimes known as “Asprox,” is a modular remote access trojan that is also known to download and execute follow-on malware, such as fake antivirus software. It often is delivered via spam emails pretending to be shipment delivery notifications or flight booking confirmations.
Threat Breakdown
Win.Dropper.Ramnit-9964110-0
Indicators of Compromise
IOCs collected from dynamic analysis of 26 samples
Mutexes Occurrences
{79345B6A-421F-2958-EA08-07396ADB9E27} 26
Global\<random guid> 26
Files and or directories created Occurrences
%TEMP%\~TMDB5A.tmp 2
%TEMP%\~TMDB99.tmp 2
%TEMP%\~TM314F.tmp 1
%TEMP%\~TM31DD.tmp 1
%TEMP%\~TMDBC8.tmp 1
%TEMP%\~TMDC25.tmp 1
%TEMP%\~TME21E.tmp 1
%TEMP%\~TMDC93.tmp 1
%TEMP%\~TME2BB.tmp 1
%TEMP%\~TME337.tmp 1
%TEMP%\~TME3A5.tmp 1
%TEMP%\~TME0D6.tmp 1
%TEMP%\~TMDBF7.tmp 1
%TEMP%\~TME164.tmp 1
%TEMP%\~TMD977.tmp 1
%TEMP%\~TMD9E5.tmp 1
%TEMP%\~TMD9C5.tmp 1
%TEMP%\~TMDA42.tmp 1
%TEMP%\~TME0F5.tmp 1
%TEMP%\~TME173.tmp 1
%TEMP%\~TMDBE8.tmp 1
%TEMP%\~TMDCC1.tmp 1
%TEMP%\~TMDF60.tmp 1
%TEMP%\~TMDD2F.tmp 1
%TEMP%\~TMDFED.tmp 1
*See JSON for more IOCs
File Hashes
03ba150882170b2cfee8c30f556c2be840697b7cc1e7dcc47594dd3bd9758c7b 0eb56bcb11905ba125c5d4e2527fa4441b03f6ce0278269498be539833b5bbe9 1368aa53291ec289ffa8bb86c5ec7c335350a10a240b88e31a3b2d1181fa785f 169b28a24d77797b1c2a61dda32b7d766d6f150bcefdf2333ca635a7b4837778 18465059a485b9f35a472b16d8fec399c795799d3dff1dab57d537e620749902 1c3bde330d7cfe197ecfab80309e463d6e6e61bdf6885d250cb0b08c5f98b767 1cd1a5d2b64aef0c352e7984ae3822c9f6d661d8907526aacd2b6321a4f7a8fd 1d548c85594dc4b83ac1c69ac82da842dc68eac75f683aed693929c728c83184 1fd5e9430201472831856a7720fee930a1555f9b134af3145f1acc5a7f712a82 250c9cf38912e781afc5b32907da411279f7b22b4b2e6b97729aad81a1e0f48a 29ca8b176e9977bf0d3bdc9f214665b89f087ba0799e9d9e22bddfecc4bb7e09 29fbd2e07f2bcdac0a69364621df335bf899787c48353f7e448e302263d0cee1 2e00b1d9d04175dd0a8101ac3222dde48833693400a9684717fddceb532ae258 315ab01236a2ccb7231731878bf7d7fb23d9c6fd9603c7df3501f453f3ec76c1 31bb435f6ce6446d3ce1c97cb80de5084d30abff6fc9711c6d0b0c191031b361 35d9d318da08e7ff963b14fcb2f73fb178374688b21a27ba872f87fb353405eb 377406362d74f2789685c3a0aa128312bf82b092f9c047a36fb1d62e22348a8d 38cd0e89eb7ab0edc2cee7f2edfa86e938a5963ed6ae3212b1c26bf2722cb75a 3921b067ddb8b3fe65e9f8c680f46d72ac52077334cfba1c8ee1192d84bb44cd 395e9fdef9e5694c3a2e8e5ecce9ced85cac141ad2a0d4851620c596ed5eb32a 3cae2eed75c901adbff0fc907433d56f5caeacafade3666eb90b39956add686c 3f72bd0dbdbbb4f9ea83fe224363dc423f8d6f88df526c69431c892938ff2360 40013e1bd081743d85e878edb53179b70546bf6c8ff3ac03f5c0fbf2f590967e 405b9a602c73ce29d1f4e5ab15bf3a5c51a8b087bf6ae7dbf064a48817d1532b 48d7d44420db0625d5d05caf04aac82f3e3daeff65f4d6b9c33cb94c3b939566
*See JSON for more IOCs
Coverage
Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella N/A
WSA N/A
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Ransomware.Locky-9963624-0
Indicators of Compromise
IOCs collected from dynamic analysis of 16 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}
Value Name: FaviconPath 16
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}
Value Name: Deleted 16
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES
Value Name: DefaultScope 16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VSS\DIAG\VSSAPIPUBLISHER 16
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList 16
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} 16
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\intl.cpl,-1 1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\intl.cpl,-2 1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\hgcpl.dll,-2 1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\main.cpl,-100 1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\main.cpl,-101 1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\main.cpl,-102 1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\main.cpl,-103 1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\devmgr.dll,-4 1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\devmgr.dll,-5 1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\icardres.dll,-4097 1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\icardres.dll,-4098 1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\PerfCenterCPL.dll,-2 1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\system32\appwiz.cpl,-160 1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\netcenter.dll,-2 1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\wpccpl.dll,-101 1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\autoplay.dll,-1 1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\autoplay.dll,-2 1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\SyncCenter.dll,-3001 1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\recovery.dll,-101 1
Mutexes Occurrences
Global\4aEa7aGa9a4aBa6a4a4aBa1a5a8a4a1a 16
Local\4aEa7aGa9a4aBa6a4a4aBa1a5a8a4a1a 16
Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!16613a8 16
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
13[.]107[.]21[.]200 10
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
www[.]bing[.]com 16
Files and or directories created Occurrences
\Users\Default\NTUSER.DAT.LOG 16
%ProgramData%\Mozilla\logs\maintenanceservice-install.log 16
%ProgramData%\Sun\Java\Java Update\jaureglist.xml 16
%ProgramData%\Microsoft\RAC\StateData\RacMetaData.dat 16
%ProgramData%\Adobe\Updater6\AdobeESDGlobalApps.xml 16
%ProgramData%\Microsoft\IlsCache\ilrcache.xml 16
%ProgramData%\Microsoft\IlsCache\imcrcache.xml 16
%ProgramData%\Microsoft\User Account Pictures\admin.dat 16
%HOMEPATH%\Desktop\lukitus.bmp 16
%HOMEPATH%\Desktop\lukitus.htm 16
\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\0PZW71P4- 16
\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\0PZW71P4-ZQ0 16
\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\0PZW71P4- 16
\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\0PZW71P4-ZQ0I-J19 16
\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\0PZW71P4- 16
\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\0PZW71P4-ZQ0I-J1 16
\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\0PZW71P4- 16
\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\0PZW71P4-ZQ0I- 16
\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\0PZW71P4- 16
\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\0PZW71P4-ZQ 16
\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\0PZW71P4- 16
\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\0PZW71P4-ZQ0 16
\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\0PZW71P4- 16
\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\0PZW71P4- 16
\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\0PZW71P4- 16
*See JSON for more IOCs
File Hashes
1afe66e4aaf044636b8bfb0e625e8182a7bb116cfa3b4673ed102094c55b8f84 1cdcb07c8a79bdb3faad6feae4b2720cec8dc8de0cfb1431502f91e8c9152e94 244f76876485ad65f57466338fee2a571057c6315ba9a9699d89ff0add323e72 3140bd4af08e8d487c04c24cb3a6977464ef6bfed46e3f54ba52175b09ceee41 37621fe42fb7154d158b82e54b8735ad876902e8f55178387254689802f8d419 56ee0ae4072920f29e35c10af707ac97bc87ba4191aca1afec235d7a5a96de10 659f0b2aa1699e98b57433d85b08f56fef032fcdce4858cfcf21bb405e784bc2 7af3b8e631e7d557b4039cca14f0f5ad2686b3dab6a81da181ab46e2518b4fcd 8d62a963beb4ac49096277d54d3d6bc78c1142ff30b600b0373256eaa6b7a73c 9be2a26538acb1111657ab79c6680d7f8bde43f5a6e51f38c674967e21d69627 c6f8e43f2db3725ea18520ff3b5370a32ef28c62fe1a82df1575c1003ac10acf ce8d65f815402e4bc06fade45b66398930ae73d6e5c9368564c87745643703dd da37a954efc572ccd4f5f43912e1b041acce412d8f4cfac31a23349adb7e43c5 ed96e3c04c7af4bb0863e2e4091e1280ced24a5f68c9712ffba34062d7a46229 f681a28f44ca9a7fe31e4fce8881aafaf125727dafd4db68280cfe6ea6f9e0e8 fdacb9b5a9551464e1bba01a3f279d247c2b3c7d0e4b5768763fcf26bb4e5837
Coverage
Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella N/A
WSA N/A
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.Shiz-9963681-0
Indicators of Compromise
IOCs collected from dynamic analysis of 21 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\MICROSOFT
Value Name: 67497551a 21
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: 98b68e3c 21
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: userinit 21
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: System 21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: load 21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: run 21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: userinit 21
Mutexes Occurrences
Global\674972E3a 21
Global\MicrosoftSysenterGate7 21
internal_wutex_0x000004b4 21
internal_wutex_0x0000043c 21
internal_wutex_0x<random, matching [0-9a-f]{8}> 21
internal_wutex_0x000004dc 20
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
13[.]107[.]21[.]200 15
45[.]33[.]30[.]197 7
45[.]33[.]23[.]183 5
96[.]126[.]123[.]244 4
45[.]56[.]79[.]23 4
45[.]33[.]2[.]79 4
45[.]79[.]19[.]196 3
45[.]33[.]20[.]235 3
72[.]14[.]185[.]43 3
198[.]58[.]118[.]167 2
45[.]33[.]18[.]44 2
173[.]255[.]194[.]134 2
72[.]14[.]178[.]174 2
85[.]94[.]194[.]169 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
rynikulokop[.]eu 21
lyvoguraxeh[.]eu 21
xuxetiryqem[.]eu 21
puzewilurip[.]eu 21
cilynitiseg[.]eu 21
vojizitoken[.]eu 21
fogokozazit[.]eu 21
gadedozymiz[.]eu 21
masytoturen[.]eu 21
nofagoteveg[.]eu 21
jepuqoxupit[.]eu 21
qetunopifef[.]eu 21
kericoxojil[.]eu 21
ryqozapaleb[.]eu 21
lymajaxecir[.]eu 21
xubysaxywil[.]eu 21
dixonesohed[.]eu 21
marawukyqos[.]eu 21
dikuvizigiz[.]eu 21
puvutaputeb[.]eu 21
ciciqacidir[.]eu 21
ryhuneqevyv[.]eu 21
kejywajazok[.]eu 21
xudakejupok[.]eu 21
lygivejynow[.]eu 21
*See JSON for more IOCs
Files and or directories created Occurrences
%TEMP%\<random, matching [A-F0-9]{1,4}>.tmp 21
File Hashes
0ddc226c722e18199274ea9f05f0bebdfd0e871713b53e89dc094fd53fbf21fb 12fbf08de48d56346c43dfc4369e7c70c71023e7322f84991591fcde46aa5532 1b56b352ab8e26ce29fabdc5ce020e616db96b6004ee540e88fef580b16a4f78 1d65fa03284d71963c8ec3cee40b25afdc06d9f6f6404d214ca0091c0130cb53 232a41bbdda2fe1b5e7b90c7beb1136b671d127a400699b6591278c44eb828a2 3a7f6106cbe35dcd0c7f25bb6c4b1fc9c19eb348cafba007121f03e74c6d73e2 4d0d263dc8c8f69d6cbcfb13564f53d70955772552e9a4e32aa5a14851bdd1ac 4dfcf95c402c12d20034ac961076c2772f835a9aa442d7062b914a2f53f37f9b 5077b57947941ef15fb8445db7819e641fd5499067969e38f680d2cb6f6430a0 54b0b511221b0498f1c5a2eeb0e2ae633cae232cf75c13fa9eaff6f711cebef1 5b0787632726f2d55a209f853f04eea8109d87cd9630be7e8a42a384bd8cb7a5 6820579b06e8cb0e4298270a497b475baf2645430b4c62d4a3e22f4d7c7bc0ee 69b5080868bfbdc18d868318cb6be406c4cc268fe4e183e5e81f62c7e6922fd9 69e5f2613c4aad5956e83985743210ae058862c12e3d7f104537f6efd0aa1c51 7324bb74d697cb54b2acfa41ab0caab30a14e40b8628b50acdfd4d26b1dfba17 7807700902786f550ce24bb63e93e62e35527857a24f2b655467dd243c40e5d3 79c880d0a639206d2ad9a77647940b11b9200680431e98fc155410f855354be8 85b1e95b8a1be8d5a16525b879d9e8e9a7a1f491449d036f08504b9e9f118b96 91c02affdcd16a87eb278a461fdabaa021ab4d5b7987a24d162563012ba49bcc a38da3b0920e292f513272bfe95c0d5debd6e201cb63d2526fe25c6293b8ed0e d19619fd50ebefcc45deb67abe2d2aab162806fcfd41db0765c7ddf96cdb02b9
Coverage
Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella
WSA
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.XtremeRAT-9963701-0
Indicators of Compromise
IOCs collected from dynamic analysis of 12 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList 9
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'> 9
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'>
Value Name: InstalledServer 8
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'>
Value Name: ServerStarted 7
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: HKLM 6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: HKCU 6
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{5460C4DF-B266-909E-CB58-E32B79832EB2} 4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{5460C4DF-B266-909E-CB58-E32B79832EB2}
Value Name: StubPath 4
<HKCU>\SOFTWARE\((MUTEX)) 3
<HKCU>\SOFTWARE\((MUTEX))
Value Name: InstalledServer 3
<HKCU>\SOFTWARE\((MUTEX))
Value Name: ServerStarted 3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: HKLX 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: HKCL 2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS
Value Name: StubPath 2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{7OFBR713-LB7J-5G81-7WC8-161211U08C56}
Value Name: StubPath 2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{7OFBR713-LB7J-5G81-7WC8-161211U08C56} 2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\system32\DeviceCenter.dll,-2000 1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @explorer.exe,-7001 1
<HKCU>\SOFTWARE\XTREMERAT
Value Name: TDados 1
<HKCU>\SOFTWARE\SS 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{11AKP4MN-X763-4313-1615-X6G4IX7N4S25} 1
<HKCU>\SOFTWARE\SS
Value Name: ServerStarted 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{M0J1AY7S-64N4-SUDU-RQ0E-5HNUA5PF0MI0} 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ss 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ss 1
Mutexes Occurrences
XTREMEUPDATE 12
<random, matching [a-zA-Z0-9]{5,9}> 9
<random, matching [a-zA-Z0-9]{5,9}>PERSIST 8
<random, matching [a-zA-Z0-9]{5,9}EXIT> 8
((Mutex)) 3
((Mutex))PERSIST 2
((Mutex))EXIT 2
STUBXTREMEINJECTED 1
ss 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
dstar[.]hopto[.]org 1
may00[.]zapto[.]org 1
Files and or directories created Occurrences
%TEMP%\x.html 10
%APPDATA%\Microsoft\Windows\<random, matching '[a-zA-Z0-9]{5,9}'>.cfg 8
%APPDATA%\Microsoft\Windows\((Mutex)).cfg 3
%SystemRoot%\InstallDir 2
%APPDATA%\InstallDir 2
%APPDATA%\InstallDir\dll.exe 2
%SystemRoot%\InstallDir\Server.exe 1
%ProgramFiles(x86)%\ISSA.exe 1
%ProgramFiles(x86)%\ss.exe 1
%APPDATA%\Microsoft\Windows\ss.cfg 1
%APPDATA%\Microsoft\Windows\ss.dat 1
%APPDATA%\Microsoft\Windows\SpUDj.dat 1
%SystemRoot%\GOOGLE.exe 1
%APPDATA%\windoy.exe 1
%SystemRoot%\SysWOW64\windoy.exe 1
%APPDATA%\soft.exe 1
%SystemRoot%\SysWOW64\soft.exe 1
%SystemRoot%\InstallDir\browse.exe 1
%SystemRoot%\SysWOW64\migc.exe 1
%APPDATA%\migc.exe 1
%SystemRoot%\CREATE.exe 1
File Hashes
00c5b7cc78f982e42062c84a8a5c1c5aaeea7276b0f00635d61e4bfdcf6ed4b2 05316395bee1b9759134e86ecf28413d197c95cc6c25bb96a3fd957adfb767fe 10f0a0f8b51964b8a3fc497040601a48fe0493a7e4010ee89e61068cc8e2d92d 33ed0e091cc5ccc71d0a9d37c4f82d73f3959ffcd55f9c2f8660e7e13f68393e 3e5302bb99e282cd9303eda70e64589529704b3c2edee6637cb040887b02f42f 593d60c61df90a5de77d5ee31815eafd3c2657f1581cdd7fe36e74f72956a7e3 62243f0a6f197f167173d12b985b2bbd4a8f98864eb4f99c77e28a9f561f4b0d 6798aa4e8218c8783acab06e700b519eb31856ac0e46c6c82f5dfbf22e13ddb5 9906c6c6ce2eb7199023bbfcff346303f08dab61f475da22fe358f0e09d083bd c11cd59cb06cf9e1a9f95e3d78300a2aa8edf94ed7964b73ccb7135a5b23a7d6 d20e8dd51f00f03a0aacfcc4989d86411e2bc6c6f0a91961f420a056a86eef07 d8df5b44e3469d7a7c0ffc4dba88d34bff093cf4453500074a54b837d50d93c6
Coverage
Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella N/A
WSA N/A
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.Nanocore-9963905-0
Indicators of Compromise
IOCs collected from dynamic analysis of 20 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList 9
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: jVULYR 2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: AGP Manager 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: WGmLd 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ddnKQs 1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @explorer.exe,-7001 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: capsole 1
Mutexes Occurrences
8-3503835SZBFHHZ 1
NL20T01E6BXGZI09 1
fKZhNqRta 1
Global\{bbc5d79f-8cc7-4aa7-b9fa-0c15cee443cd} 1
GfAQbAoN 1
GZVlUzSZeINZ 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
149[.]154[.]167[.]220 2
208[.]91[.]199[.]224 1
208[.]91[.]198[.]143 1
208[.]91[.]199[.]223 1
205[.]134[.]234[.]70 1
107[.]182[.]129[.]128 1
162[.]0[.]229[.]41 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
api[.]telegram[.]org 2
mail[.]albacon-ojeda[.]pe 1
smtp[.]saudlunion[.]com 1
smtp[.]transmase[.]com 1
smtp[.]utt-ae[.]com 1
brightnano1[.]ddns[.]net 1
mail[.]fasttunpcbs[.]com 1
Files and or directories created Occurrences
%System32%\Tasks\Updates 6
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp 6
%System32%\drivers\etc\hosts 3
%APPDATA%\jVULYR 2
%APPDATA%\jVULYR\jVULYR.exe 2
%ProgramFiles(x86)%\AGP Manager 1
%ProgramFiles(x86)%\AGP Manager\agpmgr.exe 1
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5 1
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs 1
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs\Administrator 1
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\run.dat 1
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\task.dat 1
%System32%\Tasks\AGP Manager 1
%System32%\Tasks\AGP Manager Task 1
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\catalog.dat 1
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\settings.bin 1
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\storage.dat 1
%APPDATA%\WGmLd 1
%APPDATA%\WGmLd\WGmLd.exe 1
%APPDATA%\ddnKQs 1
%APPDATA%\ddnKQs\ddnKQs.exe 1
%APPDATA%\HFkIOmiwFQY.exe 1
%System32%\Tasks\Updates\HFkIOmiwFQY 1
%APPDATA%\h0gct1lm.mo4 1
%APPDATA%\h0gct1lm.mo4\Firefox 1
*See JSON for more IOCs
File Hashes
1f41465839f9e90dc6298156eb0f0eab361414c1dc207c22e2593e608dc6f5d5 28d4e2a68e9b5db5a71cbd94fcaa241dfd1937e99eadbddab572ff4efab999d7 2b61ef6e2d493e4eb8bd0ce74d2cf9fb7de72245ec0e76afe9198b9518f2cb40 2c04f3b128381e4f3e3687566623fd653d7a211dfdd17efd94317bebaae1b78b 35157e080e4f612ef306a1195e55ce5068844cc7daf3442d0f73c98c224d4c9d 35ad1d5553d61763b2e94c6e4d66cd5b6cba0578736f202a12c88525b9125804 420c5ccde64ea630f1223e27d1cae8b0887aca1a4e87d6f9c307011c0e266bf9 43f5c35dc913dbd764a028b5686d0a3c47bcb745c3b277b778742e22989784ca 46675d5b6e4c352b50804c760bf4ef3174a8ef93b875f1b7e0f343e22573a6c5 6b4bbd2e534c8e089691829e219ea54c8e113012f1ecb6d912a5d791c7157c2e 7605008ef9c187be6862403b9a5eef21eb271ff656db288759a50dc3785caeeb 76b3123c5245713b390b8f28fafddddef75a55199621a196124e9c55ac55d1af 878a27d70fd8b04b70298f1e102053e02faeaab461a8455fdf843262118231ad 9238603739f090fa4b311ab4c76739c1b54d21e410139c6be208025b4dd7a33f a2631bee5c6505f12449f250e56d2091a50fd25d876ad49efefeb4ea7f63e45d b863d3d875966054e0a8a19ae649a08ecf80a2be46b937c5f6d0a634cba4e465 ce88fb263d3e6a38cac9d2b4ec0f27bfc724d46b4d274fc7adb25330bae9e724 daf4c0820c45f6be84cf248504e10bfee063ea6fc8de3b397adaa6682e4bb610 e06d33553621160bf21cdc08eaecb5e977a59e6e416c37922a6d263620141a7d fa0ddfe8dd1e9509529086469444221a673fb0d16f380c968150a7a53f68b0d9
Coverage
Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella N/A
WSA
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Ransomware.Cerber-9964084-0
Indicators of Compromise
IOCs collected from dynamic analysis of 26 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList 26
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\dhcpqec.dll,-100 26
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\dhcpqec.dll,-101 26
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\dhcpqec.dll,-103 26
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\dhcpqec.dll,-102 26
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\napipsec.dll,-1 26
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\napipsec.dll,-2 26
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\napipsec.dll,-4 26
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\napipsec.dll,-3 26
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\tsgqec.dll,-100 26
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\tsgqec.dll,-101 26
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\tsgqec.dll,-102 26
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\tsgqec.dll,-103 26
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\eapqec.dll,-100 26
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\eapqec.dll,-101 26
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\eapqec.dll,-102 26
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\eapqec.dll,-103 26
<HKCU>\SOFTWARE\MICROSOFT\SPEECH\CURRENTUSERLEXICON\\FILES 1
<HKCU>\SOFTWARE\MICROSOFT\SPEECH\CURRENTUSERLEXICON\\FILES
Value Name: Datafile 1
Mutexes Occurrences
shell.{381828AA-8B28-3374-1B67-35680555C5EF} 26
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
178[.]128[.]255[.]179 26
149[.]202[.]64[.]0/27 26
149[.]202[.]122[.]0/27 26
149[.]202[.]248[.]0/22 26
172[.]66[.]41[.]18 15
104[.]20[.]21[.]251 11
172[.]66[.]42[.]238 11
172[.]67[.]2[.]88 8
104[.]20[.]20[.]251 7
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
api[.]blockcypher[.]com 26
bitaps[.]com 26
chain[.]so 26
btc[.]blockr[.]io 26
xxxxxxxxxxxxxxxx[.]1k1dxt[.]top 26
Files and or directories created Occurrences
%TEMP%\d19ab989 26
%TEMP%\d19ab989\4710.tmp 26
%TEMP%\d19ab989\a35f.tmp 26
%LOCALAPPDATA%\Microsoft\Office\Groove1\System\CSMIPC.dat 26
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp 26
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.bmp 26
<dir>\_READ_THIS_FILE_<random, matching [A-F0-9]{4,8}>_.hta 26
<dir>\_READ_THIS_FILE_<random, matching [A-F0-9]{4,8}>_.txt 26
<dir>\_READ_THIS_FILE_<random, matching [A-F0-9]{4,8}>_.jpeg 26
File Hashes
07d1b61970c982a009d3d3bd455b1ce6628819fbe47cf82d35b3b2d83a6b1690 097a210c11bc3b1d1768d92e0f080382f350da4116177c38bd81ecaf01bf252f 1015da0524bf981e3f7da09097e695418d2aeb20c8dfc027e927ea274c927743 1a201ba2922601f743606e4f8762e042355fb95704ae08f1e9d46539e9a9c53e 24eb2bfa038ccf1002d6c67bb35241514e265dda1e7ed5e310602e385cb942bd 2788aeb4b8ce3220bc2352ecf6f6dc6fc899934691e5f7778c160d43a654c752 2b921630e3606ceded2567dd7c2665ff59d3894e8f17b0c4c515cfcfea9281f6 2c56f82b2109c74ffc9ac8bb6a75a4fadc7b5dbc8c6e4973dc576b4f6e44b3fd 3107cfd1631d01d58fe6bcfddf6bb649286ee1e4632a2f6da9e0522e72adf66c 313a8059da3a543dc1615e4b0e08d9b6ba02b82a915811bed92ec41a6b282cd5 404b2ca147b0fd48ad897ae91ec951500eac740d3641552ed2175075eccd3d91 405cda0e472fc0c7ea7bd7f523bf1eb77c020a68f895d28d8300ecbcaf689dd7 4fae94bd1def53411ff126fcc1b5e91d25f5b42bc0792df01721217194d5cad1 5490d8d2dd89b8298b5a7b5954f30157c40e4a9e7a13e89b3678169b274190c4 614458dcdaebfaf39ac96fef19b98813852061b7f049c332d1a7d96099ec9971 661992c14354d9a884da5c0d354ec2722aa2d4bc7c6c088e9fbea1781408a48d 6660f96c1b098447cb40ac571cb3301e62dab35ed7d603a262e824c55ec0e2ba 673175cc9fc60fed6f87badae959858cc73317e497bbc63be01d412538d8cd4a 6ac22f719648c97dafca9980c3b2cc4d20c65411be0f3823eb5fbd2ad9907935 746617c675d2a770eab8c726ebc402418cebdbb8200734454baadd99caddf189 74f331f2928d6577c9d0767cbb16f5e19cdd9db4302b1f853b02de01e7797eaa 761c6d04388582f39dcb4e11253bd2e05690bee6f1f5ed960dac7b2121946e7f 763c7dd7964eaf334f7840f0b1c73340890b358f2e0892e455cb58b262828716 76578d8841dc939a7eaafb0740943988f084d18871e5e82d88a8474945c290a0 807ab02bc36e5465e67956df8cd09cd0f6baa69e99c80729eef0ef8a486da894
*See JSON for more IOCs
Coverage
Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella N/A
WSA
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.Dorkbot-9964085-0
Indicators of Compromise
IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: Hidden 7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA 7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start 7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start 7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: ShowSuperHidden 7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: Start 7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: HideSCAHealth 7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: HideSCAHealth 7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV
Value Name: Start 7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: TaskbarNoNotification 7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: TaskbarNoNotification 7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: Load 7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 1081297374 7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: 1081297374 7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 7
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: Taskman 6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: Shell 6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Update Manager 6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 6
<HKCU>\SOFTWARE\UAZI SOFT
Value Name: UaziVer 5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Live Installer 5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: Windows Live 5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Live 5
<HKCU>\SOFTWARE\UAZI SOFT 5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: BCSSync 5
Mutexes Occurrences
PuredairyBB9 6
PuredairyBB10 6
PuredairyBB2 6
PuredairyBB4 6
PuredairyBB8 6
PuredairyBB7 6
PuredairyBB6 6
PuredairyBB15 6
PuredairyBB14 6
PuredairyBB13 6
PuredairyBB12 6
PSPSndkvsdvd0199201 6
PuredairyBB1 6
PuredairyBB5 6
PuredairyBB3 6
PuredairyBB16 6
PuredairyBB17 6
PuredairyBB18 6
PuredairyBB22 6
PuredairyBB20 6
PuredairyBB21 6
PuredairyBB19 6
PuredairyBB29 6
PuredairyBB31 6
PuredairyBB23 6
*See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
20[.]112[.]52[.]29 7
109[.]236[.]82[.]19 6
80[.]82[.]64[.]8 6
93[.]190[.]140[.]103 6
109[.]236[.]82[.]142 6
109[.]236[.]88[.]101 6
94[.]102[.]52[.]22 6
109[.]236[.]88[.]161 6
93[.]190[.]139[.]14 6
217[.]23[.]14[.]136 6
94[.]102[.]52[.]19 6
217[.]23[.]8[.]142 6
109[.]236[.]86[.]119 6
93[.]190[.]140[.]141 6
108[.]59[.]2[.]221 6
109[.]236[.]83[.]12 6
80[.]82[.]65[.]207 6
217[.]23[.]3[.]105 6
217[.]23[.]4[.]220 6
93[.]190[.]140[.]113 6
217[.]23[.]9[.]104 6
93[.]190[.]142[.]191 6
94[.]102[.]51[.]231 6
217[.]23[.]7[.]3 6
80[.]82[.]65[.]199 6
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
microsoft[.]com 7
faumoussuperstars[.]ru 5
powerrembo[.]ru 5
europe[.]pool[.]ntp[.]org 2
go[.]microsoft[.]com 1
www[.]msn[.]com 1
north-america[.]pool[.]ntp[.]org 1
maps[.]pilenga[.]mobi 1
hostnamessimply1[.]effers[.]com 1
apps[.]audimobile[.]info 1
bootstrap4cache[.]com 1
Files and or directories created Occurrences
%APPDATA%\WindowsUpdate 11
%ProgramData%\msodtyzm.exe 7
\RECYCLER 6
\TEMP\C\UPDATE 6
%APPDATA%\WindowsUpdate\MSupdate.exe 6
%TEMP%\temp41.tmp 5
%APPDATA%\WindowsUpdate\Live.exe 5
%TEMP%\apiSoftCA 5
%APPDATA%\Windows Live 5
%APPDATA%\Windows Live\debug_cache_dump_2384394.dmp 5
%APPDATA%\Windows Live\pldufejsya.exe 5
\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18611771 5
%APPDATA%\fcvifgrs 1
%APPDATA%\fcvifgrs\jisgivdt.exe 1
\RECYCLER\S-1-5-21-0243556031-888888379-781862338-1861771 1
%ProgramData%\3741550053 1
%ProgramData%\3741551629 1
%ProgramData%\3741549335 1
%ProgramData%\3741546871 1
%ProgramData%\3741543454 1
%ProgramData%\3741548555 1
%ProgramData%\3741550771 1
File Hashes
0ce367d545da1ed522fe364fdafc4bf39f1aa9aa326d0413c104132464c4b0f5 0ff57cf4b79588ba6c721f78a042e79a8c4e4eb6544dad9147c6918efc0a9bfd 1487cbb9c1025017bf767b8f9feab2bcdd9f500cd4bed79ca334c4eda4df1d71 1a15e5ebecd8f3025b89a1ee2149311bd0883bc62928092980604cecddf5718f 1c21c85c814609bc6db76824eda6333b2d26be11f8736bbb7397e97ad95c9f2e 1d0d652abf31a5b4f9ecf5ee6d201b4d31e977f6fc769a34cd34a5468e362e14 1e358ccc5c00767b2d7518ad5b34639c172a33118f691b6e989c0da4a4067781 29e771b03f40a6cd492b49826238364933a37c65bee5bf7990d711ff14d3511e 2bbac09df0fbb667c042f25c8d4810a08d6a3129a57ec70363debad39f917bd2 32ac146ea9c7899e04a57c42d48407468323b46a40462febfb0453e27466ed11 3ab978d7ba8cadbfa40ce0d1b6acb6922d6f7b2d8322f420bf03db0c44d94755 4faa3a69a429a598863c9369d0b4d572fa01b5bbf567b0d76f5a42f596430003 57d6deb95dad820da83a96f691230e6927f02bd7dc81fd22117a84ce1ff983b1 84055ce5bc4ef2bdf486e82e444e5665c73f4fe627a8734edc463b59f443bfcc 90853a92441d02881129621868f5a83d4fda693e6602a043dae622186b654a0d 90b11cecdac4d67db66c36a3f692361425eaf99c3f243c107e884091d209ee8b 94b5e03c8c149c8065dcf1a3696ca0c0801f6932e3a6b73985081dd36bb04194 9bf72ac43dcab3750686c49abbf1b0835505186a37187b6435539ea871dfd829 adbbf9cf8048f45fce2ad9fb1d681ea9334813a442d6d5b051cd11285fc71154 af69bafe28d0df36ddba5768583cf25bd5cae24b312e17f607c77294b731f0dd b478d67b97fa15e88d047c643232590d1c6c2d2179e330df5bdc78c4e56036ee b7d2ff1e59e0d30e46adf03d7a90dcc0ed83f2ff1e9b35702a70486954f1d3dd c254f12058d6367578b877c09bd219abcc583003db8d15d270ab284bad923234 caf84844a5809c4e1c513299792f95ca26a87c40dc70627e8bddf5b65775206e d401626e94cd830c3037cec51863d3315a97daf17c16f0836914a8ff8424213f
*See JSON for more IOCs
Coverage
Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella N/A
WSA N/A
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Worm.Kuluoz-9964104-0
Indicators of Compromise
IOCs collected from dynamic analysis of 26 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'> 26
<HKCU>\SOFTWARE\TKQJXHIR
Value Name: nnagtvkf 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: iemwudbv 2
<HKCU>\SOFTWARE\PKBQSDOK
Value Name: wfiqbttr 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: deiobboq 2
<HKCU>\SOFTWARE\TEFAPJXX
Value Name: hjlkqasv 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: nmvftwdp 2
<HKCU>\SOFTWARE\ROHCSWFU
Value Name: ivxesusr 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: rskaarvw 1
<HKCU>\SOFTWARE\ONFHUPBQ
Value Name: qrlpghvv 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: dwxwetxw 1
<HKCU>\SOFTWARE\JUNLDJNI
Value Name: paxvvuef 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: buwqaweo 1
<HKCU>\SOFTWARE\QPANUOIR
Value Name: mmvjkbpj 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: lawgdaar 1
<HKCU>\SOFTWARE\IDIFICQU
Value Name: uqiuudaf 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: uaugufwr 1
<HKCU>\SOFTWARE\EPCSQSNO
Value Name: sdkgxoqv 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: nojriosh 1
<HKCU>\SOFTWARE\IIBPNATQ
Value Name: qbmgekoa 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: tabswxsd 1
<HKCU>\SOFTWARE\CHUFRWHS
Value Name: nhmwllub 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: kawalexr 1
<HKCU>\SOFTWARE\QDCTDCFM
Value Name: ietjtgir 1
<HKCU>\SOFTWARE\JUOBFMWV
Value Name: ucngtfoi 1
Mutexes Occurrences
2GVWNQJz1 26
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
91[.]196[.]126[.]16 21
88[.]198[.]25[.]17 20
173[.]203[.]113[.]44 19
178[.]33[.]162[.]8 18
176[.]31[.]106[.]226 18
74[.]50[.]60[.]116 18
198[.]24[.]142[.]66 17
Files and or directories created Occurrences
%LOCALAPPDATA%\<random, matching '[a-z]{8}'>.exe 26
File Hashes
0828aee088e7c191c463dac5a2449474da1b106da5e12b6335f61d2dd3ae320e 0ddf461f926f814d19696d3851f3673c10d69a15fa2d7cfac9552c3af9460c66 12b274776143da76ceea8cfc1b8219535bca09dea1ea6059a48e74dd6a78e80d 160999be2e3f124a106ced958bce6b6f94fbc3645895aa0129e4dedb443011d7 21245351ac8d14c31552d46c0f8ceec6d576a1abae0ab3d5131e25e9e8fefe32 23fec3f833e9a7ee790ea9cad1b205ade2036466282654b2e53f23516553b775 24e1fb11b1c63caf42bc0a9d8df57cb1c84ccb11415f01c56de128d6ceb2ea4e 2bf5a6f99c57bcaddd28a0a8dad595686b9a660843cd4037575d4abb82af8f69 32a01832f4de0f17e438fed6be9f155d9fd30056133681c7474f0114a1731a9b 35a4fe74474b4f7e7f9c777d063097e36a16f509bc3afb9579779c0504b73af4 3a3fae86a4e14a7d50b6c5bc5d78dc12745fa53d240df641e1fc311449368c85 3da619fa973717201422faf7329016a266b27b89f8a39416cac203f75f32259a 405d7737a27f0798b16f85939c3eacfcbe9e5305b4c621dd20bcaffbe994d88f 413f4fcae50cdad66f08e0e3ae083e60e18e54f890492fcd0241deb9dfe81b81 44d0507ee9143aa548ae8a03171b27633f4226abbad172a0456194a2ef2eb507 44d1449c19d3f79a3fe21e2ab9d333a1bea4156565a3106fc2203ccefa869a9b 4979dce8592c0d16bdc6228b9741ef6c315e3bb1ff34de14271fb3499cd0f139 4b7891ed58a08b45b576282afd74fe835845cd4be8c5aab467ad09136e87ec8e 4bc8eb3d2e72a44384b3d824b33a971ace9eae20998dfe8bdd2ab9b9267b5b43 4c6528d000e07485c69f1c32a95967a454fd20864a4ad2c062160d99987822ef 50c108f9fc31557d55216dfe28b9eeac15fe5f1175a089ff196e1129d6ddf593 5730f9ce8c84e6f1c153c247146ac1590fd989a73cdc9dce9d67594b33caf354 5a45837812962153f5d480918eab77093394dd41c45c610ffd142461ab433668 5e37715cc8a5d1b6c5bed437eea25da495285bb1386cf2aef2b5484fd6c30e69 5ee4adead518246dc926545a0d28e1a488f04d530c49591cc788a8e2b360ad89
*See JSON for more IOCs
Coverage
Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella N/A
WSA N/A
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Aug. 12 and Aug. 19. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.
The most prevalent threats highlighted in this roundup are:
Threat Name
Type
Description
Win.Dropper.Ramnit-9964110-0
Dropper
Ramnit is a banking trojan that monitors web browser activity on an infected machine and collects login information from financial websites. It could also steal browser cookies and hide from popular antivirus software.
Win.Ransomware.Locky-9963624-0
Ransomware
Locky is ransomware typically distributed via spam emails containing a maliciously crafted Microsoft Word document crafted to trick targets into enabling malicious macros. This family was originally released in 2016 and updated over the years with additional functionality.
Win.Dropper.Shiz-9963681-0
Dropper
Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information. It is commonly spread via droppers or by victims visiting a malicious site.
Win.Dropper.XtremeRAT-9963701-0
Dropper
XtremeRAT is a remote access trojan active since 2010 that allows the attacker eavesdrop on users and modify the running system. The source code for XtremeRAT, written in Delphi, was leaked online and has since been used by similar RATs.
Win.Dropper.Nanocore-9963905-0
Dropper
Nanocore is a .NET remote access trojan. Its source code has been leaked several times, making it widely available. Like other RATs, it allows full control of the system, including recording video and audio, stealing passwords, downloading files and recording keystrokes.
Win.Ransomware.Cerber-9964084-0
Ransomware
Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension “.cerber,” although in more recent campaigns, other file extensions are used.
Win.Dropper.Dorkbot-9964085-0
Dropper
Dorkbot is a worm that spreads itself through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the controller to control the machine remotely.
Win.Worm.Kuluoz-9964104-0
Worm
Kuluoz, sometimes known as “Asprox,” is a modular remote access trojan that is also known to download and execute follow-on malware, such as fake antivirus software. It often is delivered via spam emails pretending to be shipment delivery notifications or flight booking confirmations.
Threat Breakdown****Win.Dropper.Ramnit-9964110-0****Indicators of Compromise
- IOCs collected from dynamic analysis of 26 samples
Mutexes
Occurrences
{79345B6A-421F-2958-EA08-07396ADB9E27}
26
Global<random guid>
26
Files and or directories created
Occurrences
%TEMP%~TMDB5A.tmp
2
%TEMP%~TMDB99.tmp
2
%TEMP%~TM314F.tmp
1
%TEMP%~TM31DD.tmp
1
%TEMP%~TMDBC8.tmp
1
%TEMP%~TMDC25.tmp
1
%TEMP%~TME21E.tmp
1
%TEMP%~TMDC93.tmp
1
%TEMP%~TME2BB.tmp
1
%TEMP%~TME337.tmp
1
%TEMP%~TME3A5.tmp
1
%TEMP%~TME0D6.tmp
1
%TEMP%~TMDBF7.tmp
1
%TEMP%~TME164.tmp
1
%TEMP%~TMD977.tmp
1
%TEMP%~TMD9E5.tmp
1
%TEMP%~TMD9C5.tmp
1
%TEMP%~TMDA42.tmp
1
%TEMP%~TME0F5.tmp
1
%TEMP%~TME173.tmp
1
%TEMP%~TMDBE8.tmp
1
%TEMP%~TMDCC1.tmp
1
%TEMP%~TMDF60.tmp
1
%TEMP%~TMDD2F.tmp
1
%TEMP%~TMDFED.tmp
1
*See JSON for more IOCs
File Hashes
03ba150882170b2cfee8c30f556c2be840697b7cc1e7dcc47594dd3bd9758c7b
0eb56bcb11905ba125c5d4e2527fa4441b03f6ce0278269498be539833b5bbe9
1368aa53291ec289ffa8bb86c5ec7c335350a10a240b88e31a3b2d1181fa785f
169b28a24d77797b1c2a61dda32b7d766d6f150bcefdf2333ca635a7b4837778
18465059a485b9f35a472b16d8fec399c795799d3dff1dab57d537e620749902
1c3bde330d7cfe197ecfab80309e463d6e6e61bdf6885d250cb0b08c5f98b767
1cd1a5d2b64aef0c352e7984ae3822c9f6d661d8907526aacd2b6321a4f7a8fd
1d548c85594dc4b83ac1c69ac82da842dc68eac75f683aed693929c728c83184
1fd5e9430201472831856a7720fee930a1555f9b134af3145f1acc5a7f712a82
250c9cf38912e781afc5b32907da411279f7b22b4b2e6b97729aad81a1e0f48a
29ca8b176e9977bf0d3bdc9f214665b89f087ba0799e9d9e22bddfecc4bb7e09
29fbd2e07f2bcdac0a69364621df335bf899787c48353f7e448e302263d0cee1
2e00b1d9d04175dd0a8101ac3222dde48833693400a9684717fddceb532ae258
315ab01236a2ccb7231731878bf7d7fb23d9c6fd9603c7df3501f453f3ec76c1
31bb435f6ce6446d3ce1c97cb80de5084d30abff6fc9711c6d0b0c191031b361
35d9d318da08e7ff963b14fcb2f73fb178374688b21a27ba872f87fb353405eb
377406362d74f2789685c3a0aa128312bf82b092f9c047a36fb1d62e22348a8d
38cd0e89eb7ab0edc2cee7f2edfa86e938a5963ed6ae3212b1c26bf2722cb75a
3921b067ddb8b3fe65e9f8c680f46d72ac52077334cfba1c8ee1192d84bb44cd
395e9fdef9e5694c3a2e8e5ecce9ced85cac141ad2a0d4851620c596ed5eb32a
3cae2eed75c901adbff0fc907433d56f5caeacafade3666eb90b39956add686c
3f72bd0dbdbbb4f9ea83fe224363dc423f8d6f88df526c69431c892938ff2360
40013e1bd081743d85e878edb53179b70546bf6c8ff3ac03f5c0fbf2f590967e
405b9a602c73ce29d1f4e5ab15bf3a5c51a8b087bf6ae7dbf064a48817d1532b
48d7d44420db0625d5d05caf04aac82f3e3daeff65f4d6b9c33cb94c3b939566
*See JSON for more IOCs
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
N/A
WSA
N/A
Screenshots of Detection****Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Ransomware.Locky-9963624-0****Indicators of Compromise
- IOCs collected from dynamic analysis of 16 samples
Registry Keys
Occurrences
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES{0633EE93-D776-472F-A0FF-E1416B8B2E3A}
Value Name: FaviconPath
16
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES{0633EE93-D776-472F-A0FF-E1416B8B2E3A}
Value Name: Deleted
16
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES
Value Name: DefaultScope
16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VSS\DIAG\VSSAPIPUBLISHER
16
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList
16
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
16
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\intl.cpl,-1
1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\intl.cpl,-2
1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\hgcpl.dll,-2
1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\main.cpl,-100
1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\main.cpl,-101
1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\main.cpl,-102
1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\main.cpl,-103
1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\devmgr.dll,-4
1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\devmgr.dll,-5
1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\icardres.dll,-4097
1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\icardres.dll,-4098
1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\PerfCenterCPL.dll,-2
1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\system32\appwiz.cpl,-160
1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\netcenter.dll,-2
1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\wpccpl.dll,-101
1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\autoplay.dll,-1
1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\autoplay.dll,-2
1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\SyncCenter.dll,-3001
1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\System32\recovery.dll,-101
1
Mutexes
Occurrences
Global\4aEa7aGa9a4aBa6a4a4aBa1a5a8a4a1a
16
Local\4aEa7aGa9a4aBa6a4a4aBa1a5a8a4a1a
16
Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!16613a8
16
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
13[.]107[.]21[.]200
10
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
www[.]bing[.]com
16
Files and or directories created
Occurrences
\Users\Default\NTUSER.DAT.LOG
16
%ProgramData%\Mozilla\logs\maintenanceservice-install.log
16
%ProgramData%\Sun\Java\Java Update\jaureglist.xml
16
%ProgramData%\Microsoft\RAC\StateData\RacMetaData.dat
16
%ProgramData%\Adobe\Updater6\AdobeESDGlobalApps.xml
16
%ProgramData%\Microsoft\IlsCache\ilrcache.xml
16
%ProgramData%\Microsoft\IlsCache\imcrcache.xml
16
%ProgramData%\Microsoft\User Account Pictures\admin.dat
16
%HOMEPATH%\Desktop\lukitus.bmp
16
%HOMEPATH%\Desktop\lukitus.htm
16
\MSOCache\All Users{90140000-0016-0409-0000-0000000FF1CE}-C\0PZW71P4-
16
\MSOCache\All Users{90140000-0016-0409-0000-0000000FF1CE}-C\0PZW71P4-ZQ0
16
\MSOCache\All Users{90140000-0018-0409-0000-0000000FF1CE}-C\0PZW71P4-
16
\MSOCache\All Users{90140000-0018-0409-0000-0000000FF1CE}-C\0PZW71P4-ZQ0I-J19
16
\MSOCache\All Users{90140000-0019-0409-0000-0000000FF1CE}-C\0PZW71P4-
16
\MSOCache\All Users{90140000-0019-0409-0000-0000000FF1CE}-C\0PZW71P4-ZQ0I-J1
16
\MSOCache\All Users{90140000-001A-0409-0000-0000000FF1CE}-C\0PZW71P4-
16
\MSOCache\All Users{90140000-001A-0409-0000-0000000FF1CE}-C\0PZW71P4-ZQ0I-
16
\MSOCache\All Users{90140000-001B-0409-0000-0000000FF1CE}-C\0PZW71P4-
16
\MSOCache\All Users{90140000-001B-0409-0000-0000000FF1CE}-C\0PZW71P4-ZQ
16
\MSOCache\All Users{90140000-002C-0409-0000-0000000FF1CE}-C\0PZW71P4-
16
\MSOCache\All Users{90140000-002C-0409-0000-0000000FF1CE}-C\0PZW71P4-ZQ0
16
\MSOCache\All Users{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\0PZW71P4-
16
\MSOCache\All Users{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\0PZW71P4-
16
\MSOCache\All Users{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\0PZW71P4-
16
*See JSON for more IOCs
File Hashes
1afe66e4aaf044636b8bfb0e625e8182a7bb116cfa3b4673ed102094c55b8f84
1cdcb07c8a79bdb3faad6feae4b2720cec8dc8de0cfb1431502f91e8c9152e94
244f76876485ad65f57466338fee2a571057c6315ba9a9699d89ff0add323e72
3140bd4af08e8d487c04c24cb3a6977464ef6bfed46e3f54ba52175b09ceee41
37621fe42fb7154d158b82e54b8735ad876902e8f55178387254689802f8d419
56ee0ae4072920f29e35c10af707ac97bc87ba4191aca1afec235d7a5a96de10
659f0b2aa1699e98b57433d85b08f56fef032fcdce4858cfcf21bb405e784bc2
7af3b8e631e7d557b4039cca14f0f5ad2686b3dab6a81da181ab46e2518b4fcd
8d62a963beb4ac49096277d54d3d6bc78c1142ff30b600b0373256eaa6b7a73c
9be2a26538acb1111657ab79c6680d7f8bde43f5a6e51f38c674967e21d69627
c6f8e43f2db3725ea18520ff3b5370a32ef28c62fe1a82df1575c1003ac10acf
ce8d65f815402e4bc06fade45b66398930ae73d6e5c9368564c87745643703dd
da37a954efc572ccd4f5f43912e1b041acce412d8f4cfac31a23349adb7e43c5
ed96e3c04c7af4bb0863e2e4091e1280ced24a5f68c9712ffba34062d7a46229
f681a28f44ca9a7fe31e4fce8881aafaf125727dafd4db68280cfe6ea6f9e0e8
fdacb9b5a9551464e1bba01a3f279d247c2b3c7d0e4b5768763fcf26bb4e5837
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
N/A
WSA
N/A
Screenshots of Detection****Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.Shiz-9963681-0****Indicators of Compromise
- IOCs collected from dynamic analysis of 21 samples
Registry Keys
Occurrences
<HKLM>\SOFTWARE\MICROSOFT
Value Name: 67497551a
21
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: 98b68e3c
21
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: userinit
21
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: System
21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: load
21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: run
21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: userinit
21
Mutexes
Occurrences
Global\674972E3a
21
Global\MicrosoftSysenterGate7
21
internal_wutex_0x000004b4
21
internal_wutex_0x0000043c
21
internal_wutex_0x<random, matching [0-9a-f]{8}>
21
internal_wutex_0x000004dc
20
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
13[.]107[.]21[.]200
15
45[.]33[.]30[.]197
7
45[.]33[.]23[.]183
5
96[.]126[.]123[.]244
4
45[.]56[.]79[.]23
4
45[.]33[.]2[.]79
4
45[.]79[.]19[.]196
3
45[.]33[.]20[.]235
3
72[.]14[.]185[.]43
3
198[.]58[.]118[.]167
2
45[.]33[.]18[.]44
2
173[.]255[.]194[.]134
2
72[.]14[.]178[.]174
2
85[.]94[.]194[.]169
1
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
rynikulokop[.]eu
21
lyvoguraxeh[.]eu
21
xuxetiryqem[.]eu
21
puzewilurip[.]eu
21
cilynitiseg[.]eu
21
vojizitoken[.]eu
21
fogokozazit[.]eu
21
gadedozymiz[.]eu
21
masytoturen[.]eu
21
nofagoteveg[.]eu
21
jepuqoxupit[.]eu
21
qetunopifef[.]eu
21
kericoxojil[.]eu
21
ryqozapaleb[.]eu
21
lymajaxecir[.]eu
21
xubysaxywil[.]eu
21
dixonesohed[.]eu
21
marawukyqos[.]eu
21
dikuvizigiz[.]eu
21
puvutaputeb[.]eu
21
ciciqacidir[.]eu
21
ryhuneqevyv[.]eu
21
kejywajazok[.]eu
21
xudakejupok[.]eu
21
lygivejynow[.]eu
21
*See JSON for more IOCs
Files and or directories created
Occurrences
%TEMP%<random, matching [A-F0-9]{1,4}>.tmp
21
File Hashes
0ddc226c722e18199274ea9f05f0bebdfd0e871713b53e89dc094fd53fbf21fb
12fbf08de48d56346c43dfc4369e7c70c71023e7322f84991591fcde46aa5532
1b56b352ab8e26ce29fabdc5ce020e616db96b6004ee540e88fef580b16a4f78
1d65fa03284d71963c8ec3cee40b25afdc06d9f6f6404d214ca0091c0130cb53
232a41bbdda2fe1b5e7b90c7beb1136b671d127a400699b6591278c44eb828a2
3a7f6106cbe35dcd0c7f25bb6c4b1fc9c19eb348cafba007121f03e74c6d73e2
4d0d263dc8c8f69d6cbcfb13564f53d70955772552e9a4e32aa5a14851bdd1ac
4dfcf95c402c12d20034ac961076c2772f835a9aa442d7062b914a2f53f37f9b
5077b57947941ef15fb8445db7819e641fd5499067969e38f680d2cb6f6430a0
54b0b511221b0498f1c5a2eeb0e2ae633cae232cf75c13fa9eaff6f711cebef1
5b0787632726f2d55a209f853f04eea8109d87cd9630be7e8a42a384bd8cb7a5
6820579b06e8cb0e4298270a497b475baf2645430b4c62d4a3e22f4d7c7bc0ee
69b5080868bfbdc18d868318cb6be406c4cc268fe4e183e5e81f62c7e6922fd9
69e5f2613c4aad5956e83985743210ae058862c12e3d7f104537f6efd0aa1c51
7324bb74d697cb54b2acfa41ab0caab30a14e40b8628b50acdfd4d26b1dfba17
7807700902786f550ce24bb63e93e62e35527857a24f2b655467dd243c40e5d3
79c880d0a639206d2ad9a77647940b11b9200680431e98fc155410f855354be8
85b1e95b8a1be8d5a16525b879d9e8e9a7a1f491449d036f08504b9e9f118b96
91c02affdcd16a87eb278a461fdabaa021ab4d5b7987a24d162563012ba49bcc
a38da3b0920e292f513272bfe95c0d5debd6e201cb63d2526fe25c6293b8ed0e
d19619fd50ebefcc45deb67abe2d2aab162806fcfd41db0765c7ddf96cdb02b9
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
WSA
Screenshots of Detection****Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.XtremeRAT-9963701-0****Indicators of Compromise
- IOCs collected from dynamic analysis of 12 samples
Registry Keys
Occurrences
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList
9
<HKCU>\SOFTWARE<random, matching '[a-zA-Z0-9]{5,9}’>
9
<HKCU>\SOFTWARE<random, matching '[a-zA-Z0-9]{5,9}’>
Value Name: InstalledServer
8
<HKCU>\SOFTWARE<random, matching '[a-zA-Z0-9]{5,9}’>
Value Name: ServerStarted
7
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: HKLM
6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: HKCU
6
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS{5460C4DF-B266-909E-CB58-E32B79832EB2}
4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS{5460C4DF-B266-909E-CB58-E32B79832EB2}
Value Name: StubPath
4
<HKCU>\SOFTWARE((MUTEX))
3
<HKCU>\SOFTWARE((MUTEX))
Value Name: InstalledServer
3
<HKCU>\SOFTWARE((MUTEX))
Value Name: ServerStarted
3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: HKLX
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: HKCL
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS
Value Name: StubPath
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS{7OFBR713-LB7J-5G81-7WC8-161211U08C56}
Value Name: StubPath
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS{7OFBR713-LB7J-5G81-7WC8-161211U08C56}
2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\system32\DeviceCenter.dll,-2000
1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @explorer.exe,-7001
1
<HKCU>\SOFTWARE\XTREMERAT
Value Name: TDados
1
<HKCU>\SOFTWARE\SS
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS{11AKP4MN-X763-4313-1615-X6G4IX7N4S25}
1
<HKCU>\SOFTWARE\SS
Value Name: ServerStarted
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS{M0J1AY7S-64N4-SUDU-RQ0E-5HNUA5PF0MI0}
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ss
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ss
1
Mutexes
Occurrences
XTREMEUPDATE
12
<random, matching [a-zA-Z0-9]{5,9}>
9
<random, matching [a-zA-Z0-9]{5,9}>PERSIST
8
<random, matching [a-zA-Z0-9]{5,9}EXIT>
8
((Mutex))
3
((Mutex))PERSIST
2
((Mutex))EXIT
2
STUBXTREMEINJECTED
1
ss
1
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
dstar[.]hopto[.]org
1
may00[.]zapto[.]org
1
Files and or directories created
Occurrences
%TEMP%\x.html
10
%APPDATA%\Microsoft\Windows<random, matching '[a-zA-Z0-9]{5,9}’>.cfg
8
%APPDATA%\Microsoft\Windows((Mutex)).cfg
3
%SystemRoot%\InstallDir
2
%APPDATA%\InstallDir
2
%APPDATA%\InstallDir\dll.exe
2
%SystemRoot%\InstallDir\Server.exe
1
%ProgramFiles(x86)%\ISSA.exe
1
%ProgramFiles(x86)%\ss.exe
1
%APPDATA%\Microsoft\Windows\ss.cfg
1
%APPDATA%\Microsoft\Windows\ss.dat
1
%APPDATA%\Microsoft\Windows\SpUDj.dat
1
%SystemRoot%\GOOGLE.exe
1
%APPDATA%\windoy.exe
1
%SystemRoot%\SysWOW64\windoy.exe
1
%APPDATA%\soft.exe
1
%SystemRoot%\SysWOW64\soft.exe
1
%SystemRoot%\InstallDir\browse.exe
1
%SystemRoot%\SysWOW64\migc.exe
1
%APPDATA%\migc.exe
1
%SystemRoot%\CREATE.exe
1
File Hashes
00c5b7cc78f982e42062c84a8a5c1c5aaeea7276b0f00635d61e4bfdcf6ed4b2
05316395bee1b9759134e86ecf28413d197c95cc6c25bb96a3fd957adfb767fe
10f0a0f8b51964b8a3fc497040601a48fe0493a7e4010ee89e61068cc8e2d92d
33ed0e091cc5ccc71d0a9d37c4f82d73f3959ffcd55f9c2f8660e7e13f68393e
3e5302bb99e282cd9303eda70e64589529704b3c2edee6637cb040887b02f42f
593d60c61df90a5de77d5ee31815eafd3c2657f1581cdd7fe36e74f72956a7e3
62243f0a6f197f167173d12b985b2bbd4a8f98864eb4f99c77e28a9f561f4b0d
6798aa4e8218c8783acab06e700b519eb31856ac0e46c6c82f5dfbf22e13ddb5
9906c6c6ce2eb7199023bbfcff346303f08dab61f475da22fe358f0e09d083bd
c11cd59cb06cf9e1a9f95e3d78300a2aa8edf94ed7964b73ccb7135a5b23a7d6
d20e8dd51f00f03a0aacfcc4989d86411e2bc6c6f0a91961f420a056a86eef07
d8df5b44e3469d7a7c0ffc4dba88d34bff093cf4453500074a54b837d50d93c6
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
N/A
WSA
N/A
Screenshots of Detection****Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.Nanocore-9963905-0****Indicators of Compromise
- IOCs collected from dynamic analysis of 20 samples
Registry Keys
Occurrences
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList
9
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: jVULYR
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: AGP Manager
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: WGmLd
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ddnKQs
1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @explorer.exe,-7001
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: capsole
1
Mutexes
Occurrences
8-3503835SZBFHHZ
1
NL20T01E6BXGZI09
1
fKZhNqRta
1
Global{bbc5d79f-8cc7-4aa7-b9fa-0c15cee443cd}
1
GfAQbAoN
1
GZVlUzSZeINZ
1
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
149[.]154[.]167[.]220
2
208[.]91[.]199[.]224
1
208[.]91[.]198[.]143
1
208[.]91[.]199[.]223
1
205[.]134[.]234[.]70
1
107[.]182[.]129[.]128
1
162[.]0[.]229[.]41
1
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
api[.]telegram[.]org
2
mail[.]albacon-ojeda[.]pe
1
smtp[.]saudlunion[.]com
1
smtp[.]transmase[.]com
1
smtp[.]utt-ae[.]com
1
brightnano1[.]ddns[.]net
1
mail[.]fasttunpcbs[.]com
1
Files and or directories created
Occurrences
%System32%\Tasks\Updates
6
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp
6
%System32%\drivers\etc\hosts
3
%APPDATA%\jVULYR
2
%APPDATA%\jVULYR\jVULYR.exe
2
%ProgramFiles(x86)%\AGP Manager
1
%ProgramFiles(x86)%\AGP Manager\agpmgr.exe
1
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5
1
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs
1
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs\Administrator
1
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\run.dat
1
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\task.dat
1
%System32%\Tasks\AGP Manager
1
%System32%\Tasks\AGP Manager Task
1
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\catalog.dat
1
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\settings.bin
1
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\storage.dat
1
%APPDATA%\WGmLd
1
%APPDATA%\WGmLd\WGmLd.exe
1
%APPDATA%\ddnKQs
1
%APPDATA%\ddnKQs\ddnKQs.exe
1
%APPDATA%\HFkIOmiwFQY.exe
1
%System32%\Tasks\Updates\HFkIOmiwFQY
1
%APPDATA%\h0gct1lm.mo4
1
%APPDATA%\h0gct1lm.mo4\Firefox
1
*See JSON for more IOCs
File Hashes
1f41465839f9e90dc6298156eb0f0eab361414c1dc207c22e2593e608dc6f5d5
28d4e2a68e9b5db5a71cbd94fcaa241dfd1937e99eadbddab572ff4efab999d7
2b61ef6e2d493e4eb8bd0ce74d2cf9fb7de72245ec0e76afe9198b9518f2cb40
2c04f3b128381e4f3e3687566623fd653d7a211dfdd17efd94317bebaae1b78b
35157e080e4f612ef306a1195e55ce5068844cc7daf3442d0f73c98c224d4c9d
35ad1d5553d61763b2e94c6e4d66cd5b6cba0578736f202a12c88525b9125804
420c5ccde64ea630f1223e27d1cae8b0887aca1a4e87d6f9c307011c0e266bf9
43f5c35dc913dbd764a028b5686d0a3c47bcb745c3b277b778742e22989784ca
46675d5b6e4c352b50804c760bf4ef3174a8ef93b875f1b7e0f343e22573a6c5
6b4bbd2e534c8e089691829e219ea54c8e113012f1ecb6d912a5d791c7157c2e
7605008ef9c187be6862403b9a5eef21eb271ff656db288759a50dc3785caeeb
76b3123c5245713b390b8f28fafddddef75a55199621a196124e9c55ac55d1af
878a27d70fd8b04b70298f1e102053e02faeaab461a8455fdf843262118231ad
9238603739f090fa4b311ab4c76739c1b54d21e410139c6be208025b4dd7a33f
a2631bee5c6505f12449f250e56d2091a50fd25d876ad49efefeb4ea7f63e45d
b863d3d875966054e0a8a19ae649a08ecf80a2be46b937c5f6d0a634cba4e465
ce88fb263d3e6a38cac9d2b4ec0f27bfc724d46b4d274fc7adb25330bae9e724
daf4c0820c45f6be84cf248504e10bfee063ea6fc8de3b397adaa6682e4bb610
e06d33553621160bf21cdc08eaecb5e977a59e6e416c37922a6d263620141a7d
fa0ddfe8dd1e9509529086469444221a673fb0d16f380c968150a7a53f68b0d9
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
N/A
WSA
Screenshots of Detection****Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Ransomware.Cerber-9964084-0****Indicators of Compromise
- IOCs collected from dynamic analysis of 26 samples
Registry Keys
Occurrences
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList
26
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\dhcpqec.dll,-100
26
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\dhcpqec.dll,-101
26
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\dhcpqec.dll,-103
26
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\dhcpqec.dll,-102
26
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\napipsec.dll,-1
26
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\napipsec.dll,-2
26
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\napipsec.dll,-4
26
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\napipsec.dll,-3
26
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\tsgqec.dll,-100
26
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\tsgqec.dll,-101
26
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\tsgqec.dll,-102
26
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\tsgqec.dll,-103
26
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\eapqec.dll,-100
26
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\eapqec.dll,-101
26
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\eapqec.dll,-102
26
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\eapqec.dll,-103
26
<HKCU>\SOFTWARE\MICROSOFT\SPEECH\CURRENTUSERLEXICON\FILES
1
<HKCU>\SOFTWARE\MICROSOFT\SPEECH\CURRENTUSERLEXICON\FILES
Value Name: Datafile
1
Mutexes
Occurrences
shell.{381828AA-8B28-3374-1B67-35680555C5EF}
26
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
178[.]128[.]255[.]179
26
149[.]202[.]64[.]0/27
26
149[.]202[.]122[.]0/27
26
149[.]202[.]248[.]0/22
26
172[.]66[.]41[.]18
15
104[.]20[.]21[.]251
11
172[.]66[.]42[.]238
11
172[.]67[.]2[.]88
8
104[.]20[.]20[.]251
7
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
api[.]blockcypher[.]com
26
bitaps[.]com
26
chain[.]so
26
btc[.]blockr[.]io
26
xxxxxxxxxxxxxxxx[.]1k1dxt[.]top
26
Files and or directories created
Occurrences
%TEMP%\d19ab989
26
%TEMP%\d19ab989\4710.tmp
26
%TEMP%\d19ab989\a35f.tmp
26
%LOCALAPPDATA%\Microsoft\Office\Groove1\System\CSMIPC.dat
26
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp
26
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.bmp
26
<dir>_READ_THIS_FILE_<random, matching [A-F0-9]{4,8}>_.hta
26
<dir>_READ_THIS_FILE_<random, matching [A-F0-9]{4,8}>_.txt
26
<dir>_READ_THIS_FILE_<random, matching [A-F0-9]{4,8}>_.jpeg
26
File Hashes
07d1b61970c982a009d3d3bd455b1ce6628819fbe47cf82d35b3b2d83a6b1690
097a210c11bc3b1d1768d92e0f080382f350da4116177c38bd81ecaf01bf252f
1015da0524bf981e3f7da09097e695418d2aeb20c8dfc027e927ea274c927743
1a201ba2922601f743606e4f8762e042355fb95704ae08f1e9d46539e9a9c53e
24eb2bfa038ccf1002d6c67bb35241514e265dda1e7ed5e310602e385cb942bd
2788aeb4b8ce3220bc2352ecf6f6dc6fc899934691e5f7778c160d43a654c752
2b921630e3606ceded2567dd7c2665ff59d3894e8f17b0c4c515cfcfea9281f6
2c56f82b2109c74ffc9ac8bb6a75a4fadc7b5dbc8c6e4973dc576b4f6e44b3fd
3107cfd1631d01d58fe6bcfddf6bb649286ee1e4632a2f6da9e0522e72adf66c
313a8059da3a543dc1615e4b0e08d9b6ba02b82a915811bed92ec41a6b282cd5
404b2ca147b0fd48ad897ae91ec951500eac740d3641552ed2175075eccd3d91
405cda0e472fc0c7ea7bd7f523bf1eb77c020a68f895d28d8300ecbcaf689dd7
4fae94bd1def53411ff126fcc1b5e91d25f5b42bc0792df01721217194d5cad1
5490d8d2dd89b8298b5a7b5954f30157c40e4a9e7a13e89b3678169b274190c4
614458dcdaebfaf39ac96fef19b98813852061b7f049c332d1a7d96099ec9971
661992c14354d9a884da5c0d354ec2722aa2d4bc7c6c088e9fbea1781408a48d
6660f96c1b098447cb40ac571cb3301e62dab35ed7d603a262e824c55ec0e2ba
673175cc9fc60fed6f87badae959858cc73317e497bbc63be01d412538d8cd4a
6ac22f719648c97dafca9980c3b2cc4d20c65411be0f3823eb5fbd2ad9907935
746617c675d2a770eab8c726ebc402418cebdbb8200734454baadd99caddf189
74f331f2928d6577c9d0767cbb16f5e19cdd9db4302b1f853b02de01e7797eaa
761c6d04388582f39dcb4e11253bd2e05690bee6f1f5ed960dac7b2121946e7f
763c7dd7964eaf334f7840f0b1c73340890b358f2e0892e455cb58b262828716
76578d8841dc939a7eaafb0740943988f084d18871e5e82d88a8474945c290a0
807ab02bc36e5465e67956df8cd09cd0f6baa69e99c80729eef0ef8a486da894
*See JSON for more IOCs
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
N/A
WSA
Screenshots of Detection****Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.Dorkbot-9964085-0****Indicators of Compromise
- IOCs collected from dynamic analysis of 25 samples
Registry Keys
Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: Hidden
7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start
7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: ShowSuperHidden
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: Start
7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: HideSCAHealth
7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: HideSCAHealth
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV
Value Name: Start
7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: TaskbarNoNotification
7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: TaskbarNoNotification
7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: Load
7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 1081297374
7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: 1081297374
7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
7
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: Taskman
6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: Shell
6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Update Manager
6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
6
<HKCU>\SOFTWARE\UAZI SOFT
Value Name: UaziVer
5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Live Installer
5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: Windows Live
5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Live
5
<HKCU>\SOFTWARE\UAZI SOFT
5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: BCSSync
5
Mutexes
Occurrences
PuredairyBB9
6
PuredairyBB10
6
PuredairyBB2
6
PuredairyBB4
6
PuredairyBB8
6
PuredairyBB7
6
PuredairyBB6
6
PuredairyBB15
6
PuredairyBB14
6
PuredairyBB13
6
PuredairyBB12
6
PSPSndkvsdvd0199201
6
PuredairyBB1
6
PuredairyBB5
6
PuredairyBB3
6
PuredairyBB16
6
PuredairyBB17
6
PuredairyBB18
6
PuredairyBB22
6
PuredairyBB20
6
PuredairyBB21
6
PuredairyBB19
6
PuredairyBB29
6
PuredairyBB31
6
PuredairyBB23
6
*See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
20[.]112[.]52[.]29
7
109[.]236[.]82[.]19
6
80[.]82[.]64[.]8
6
93[.]190[.]140[.]103
6
109[.]236[.]82[.]142
6
109[.]236[.]88[.]101
6
94[.]102[.]52[.]22
6
109[.]236[.]88[.]161
6
93[.]190[.]139[.]14
6
217[.]23[.]14[.]136
6
94[.]102[.]52[.]19
6
217[.]23[.]8[.]142
6
109[.]236[.]86[.]119
6
93[.]190[.]140[.]141
6
108[.]59[.]2[.]221
6
109[.]236[.]83[.]12
6
80[.]82[.]65[.]207
6
217[.]23[.]3[.]105
6
217[.]23[.]4[.]220
6
93[.]190[.]140[.]113
6
217[.]23[.]9[.]104
6
93[.]190[.]142[.]191
6
94[.]102[.]51[.]231
6
217[.]23[.]7[.]3
6
80[.]82[.]65[.]199
6
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
microsoft[.]com
7
faumoussuperstars[.]ru
5
powerrembo[.]ru
5
europe[.]pool[.]ntp[.]org
2
go[.]microsoft[.]com
1
www[.]msn[.]com
1
north-america[.]pool[.]ntp[.]org
1
maps[.]pilenga[.]mobi
1
hostnamessimply1[.]effers[.]com
1
apps[.]audimobile[.]info
1
bootstrap4cache[.]com
1
Files and or directories created
Occurrences
%APPDATA%\WindowsUpdate
11
%ProgramData%\msodtyzm.exe
7
\RECYCLER
6
\TEMP\C\UPDATE
6
%APPDATA%\WindowsUpdate\MSupdate.exe
6
%TEMP%\temp41.tmp
5
%APPDATA%\WindowsUpdate\Live.exe
5
%TEMP%\apiSoftCA
5
%APPDATA%\Windows Live
5
%APPDATA%\Windows Live\debug_cache_dump_2384394.dmp
5
%APPDATA%\Windows Live\pldufejsya.exe
5
\RECYCLER\S-1-5-21-0243556031-888888379-781862338-18611771
5
%APPDATA%\fcvifgrs
1
%APPDATA%\fcvifgrs\jisgivdt.exe
1
\RECYCLER\S-1-5-21-0243556031-888888379-781862338-1861771
1
%ProgramData%\3741550053
1
%ProgramData%\3741551629
1
%ProgramData%\3741549335
1
%ProgramData%\3741546871
1
%ProgramData%\3741543454
1
%ProgramData%\3741548555
1
%ProgramData%\3741550771
1
File Hashes
0ce367d545da1ed522fe364fdafc4bf39f1aa9aa326d0413c104132464c4b0f5
0ff57cf4b79588ba6c721f78a042e79a8c4e4eb6544dad9147c6918efc0a9bfd
1487cbb9c1025017bf767b8f9feab2bcdd9f500cd4bed79ca334c4eda4df1d71
1a15e5ebecd8f3025b89a1ee2149311bd0883bc62928092980604cecddf5718f
1c21c85c814609bc6db76824eda6333b2d26be11f8736bbb7397e97ad95c9f2e
1d0d652abf31a5b4f9ecf5ee6d201b4d31e977f6fc769a34cd34a5468e362e14
1e358ccc5c00767b2d7518ad5b34639c172a33118f691b6e989c0da4a4067781
29e771b03f40a6cd492b49826238364933a37c65bee5bf7990d711ff14d3511e
2bbac09df0fbb667c042f25c8d4810a08d6a3129a57ec70363debad39f917bd2
32ac146ea9c7899e04a57c42d48407468323b46a40462febfb0453e27466ed11
3ab978d7ba8cadbfa40ce0d1b6acb6922d6f7b2d8322f420bf03db0c44d94755
4faa3a69a429a598863c9369d0b4d572fa01b5bbf567b0d76f5a42f596430003
57d6deb95dad820da83a96f691230e6927f02bd7dc81fd22117a84ce1ff983b1
84055ce5bc4ef2bdf486e82e444e5665c73f4fe627a8734edc463b59f443bfcc
90853a92441d02881129621868f5a83d4fda693e6602a043dae622186b654a0d
90b11cecdac4d67db66c36a3f692361425eaf99c3f243c107e884091d209ee8b
94b5e03c8c149c8065dcf1a3696ca0c0801f6932e3a6b73985081dd36bb04194
9bf72ac43dcab3750686c49abbf1b0835505186a37187b6435539ea871dfd829
adbbf9cf8048f45fce2ad9fb1d681ea9334813a442d6d5b051cd11285fc71154
af69bafe28d0df36ddba5768583cf25bd5cae24b312e17f607c77294b731f0dd
b478d67b97fa15e88d047c643232590d1c6c2d2179e330df5bdc78c4e56036ee
b7d2ff1e59e0d30e46adf03d7a90dcc0ed83f2ff1e9b35702a70486954f1d3dd
c254f12058d6367578b877c09bd219abcc583003db8d15d270ab284bad923234
caf84844a5809c4e1c513299792f95ca26a87c40dc70627e8bddf5b65775206e
d401626e94cd830c3037cec51863d3315a97daf17c16f0836914a8ff8424213f
*See JSON for more IOCs
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
N/A
WSA
N/A
Screenshots of Detection****Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Worm.Kuluoz-9964104-0****Indicators of Compromise
- IOCs collected from dynamic analysis of 26 samples
Registry Keys
Occurrences
<HKCU>\SOFTWARE<random, matching '[a-zA-Z0-9]{5,9}’>
26
<HKCU>\SOFTWARE\TKQJXHIR
Value Name: nnagtvkf
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: iemwudbv
2
<HKCU>\SOFTWARE\PKBQSDOK
Value Name: wfiqbttr
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: deiobboq
2
<HKCU>\SOFTWARE\TEFAPJXX
Value Name: hjlkqasv
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: nmvftwdp
2
<HKCU>\SOFTWARE\ROHCSWFU
Value Name: ivxesusr
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: rskaarvw
1
<HKCU>\SOFTWARE\ONFHUPBQ
Value Name: qrlpghvv
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: dwxwetxw
1
<HKCU>\SOFTWARE\JUNLDJNI
Value Name: paxvvuef
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: buwqaweo
1
<HKCU>\SOFTWARE\QPANUOIR
Value Name: mmvjkbpj
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: lawgdaar
1
<HKCU>\SOFTWARE\IDIFICQU
Value Name: uqiuudaf
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: uaugufwr
1
<HKCU>\SOFTWARE\EPCSQSNO
Value Name: sdkgxoqv
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: nojriosh
1
<HKCU>\SOFTWARE\IIBPNATQ
Value Name: qbmgekoa
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: tabswxsd
1
<HKCU>\SOFTWARE\CHUFRWHS
Value Name: nhmwllub
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: kawalexr
1
<HKCU>\SOFTWARE\QDCTDCFM
Value Name: ietjtgir
1
<HKCU>\SOFTWARE\JUOBFMWV
Value Name: ucngtfoi
1
Mutexes
Occurrences
2GVWNQJz1
26
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
91[.]196[.]126[.]16
21
88[.]198[.]25[.]17
20
173[.]203[.]113[.]44
19
178[.]33[.]162[.]8
18
176[.]31[.]106[.]226
18
74[.]50[.]60[.]116
18
198[.]24[.]142[.]66
17
Files and or directories created
Occurrences
%LOCALAPPDATA%<random, matching '[a-z]{8}’>.exe
26
File Hashes
0828aee088e7c191c463dac5a2449474da1b106da5e12b6335f61d2dd3ae320e
0ddf461f926f814d19696d3851f3673c10d69a15fa2d7cfac9552c3af9460c66
12b274776143da76ceea8cfc1b8219535bca09dea1ea6059a48e74dd6a78e80d
160999be2e3f124a106ced958bce6b6f94fbc3645895aa0129e4dedb443011d7
21245351ac8d14c31552d46c0f8ceec6d576a1abae0ab3d5131e25e9e8fefe32
23fec3f833e9a7ee790ea9cad1b205ade2036466282654b2e53f23516553b775
24e1fb11b1c63caf42bc0a9d8df57cb1c84ccb11415f01c56de128d6ceb2ea4e
2bf5a6f99c57bcaddd28a0a8dad595686b9a660843cd4037575d4abb82af8f69
32a01832f4de0f17e438fed6be9f155d9fd30056133681c7474f0114a1731a9b
35a4fe74474b4f7e7f9c777d063097e36a16f509bc3afb9579779c0504b73af4
3a3fae86a4e14a7d50b6c5bc5d78dc12745fa53d240df641e1fc311449368c85
3da619fa973717201422faf7329016a266b27b89f8a39416cac203f75f32259a
405d7737a27f0798b16f85939c3eacfcbe9e5305b4c621dd20bcaffbe994d88f
413f4fcae50cdad66f08e0e3ae083e60e18e54f890492fcd0241deb9dfe81b81
44d0507ee9143aa548ae8a03171b27633f4226abbad172a0456194a2ef2eb507
44d1449c19d3f79a3fe21e2ab9d333a1bea4156565a3106fc2203ccefa869a9b
4979dce8592c0d16bdc6228b9741ef6c315e3bb1ff34de14271fb3499cd0f139
4b7891ed58a08b45b576282afd74fe835845cd4be8c5aab467ad09136e87ec8e
4bc8eb3d2e72a44384b3d824b33a971ace9eae20998dfe8bdd2ab9b9267b5b43
4c6528d000e07485c69f1c32a95967a454fd20864a4ad2c062160d99987822ef
50c108f9fc31557d55216dfe28b9eeac15fe5f1175a089ff196e1129d6ddf593
5730f9ce8c84e6f1c153c247146ac1590fd989a73cdc9dce9d67594b33caf354
5a45837812962153f5d480918eab77093394dd41c45c610ffd142461ab433668
5e37715cc8a5d1b6c5bed437eea25da495285bb1386cf2aef2b5484fd6c30e69
5ee4adead518246dc926545a0d28e1a488f04d530c49591cc788a8e2b360ad89
*See JSON for more IOCs
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
N/A
WSA
N/A
Screenshots of Detection****Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK