Threat Roundup for August 12 to August 19

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Aug. 12 and Aug. 19. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post summarizes the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and by discussing how our customers are automatically protected from these threats. As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. Five distinct shades are used, with the darkest indicating that no files exhibited the technique behavior and the brightest indicating that the technique behavior was observed in 75 percent or more of the files. The most prevalent threats highlighted in this roundup are:

Threat Name    Type    Description
Win.Dropper.Ramnit-9964110-0    Dropper    Ramnit is a banking trojan that monitors web browser activity on an infected machine and collects login information from financial websites. It can also steal browser cookies and hide from popular antivirus software.
Win.Ransomware.Locky-9963624-0    Ransomware    Locky is ransomware typically distributed via spam emails containing a maliciously crafted Microsoft Word document designed to trick targets into enabling malicious macros. This family was originally released in 2016 and has been updated over the years with additional functionality.
Win.Dropper.Shiz-9963681-0    Dropper    Shiz is a remote access trojan that allows an attacker to access an infected machine and harvest sensitive information. It is commonly spread via droppers or by victims visiting a malicious site.
Win.Dropper.XtremeRAT-9963701-0    Dropper    XtremeRAT is a remote access trojan, active since 2010, that allows the attacker to eavesdrop on users and modify the running system. The source code for XtremeRAT, written in Delphi, was leaked online and has since been reused by similar RATs.
Win.Dropper.Nanocore-9963905-0    Dropper    Nanocore is a .NET remote access trojan. Its source code has been leaked several times, making it widely available. Like other RATs, it allows full control of the system, including recording video and audio, stealing passwords, downloading files and recording keystrokes.
Win.Ransomware.Cerber-9964084-0    Ransomware    Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension “.cerber,” although in more recent campaigns, other file extensions are used.
Win.Dropper.Dorkbot-9964085-0    Dropper    Dorkbot is a worm that spreads through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing its operator to control the machine remotely.
Win.Worm.Kuluoz-9964104-0    Worm    Kuluoz, sometimes known as “Asprox,” is a modular remote access trojan that is also known to download and execute follow-on malware, such as fake antivirus software. It is often delivered via spam emails pretending to be shipment delivery notifications or flight booking confirmations.
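The indicator notation used throughout this post (defanged "[.]" in IPs and domains, "<HKLM>"-style hive prefixes, and the "<random, matching …>" and "<random guid>" placeholders) can be converted directly into hunting logic that also honors the caveat above that a single IOC is not a verdict. The following Python is an added example, not code from Talos or this post: the indicators are copied from the tables below, the sample observations are constructed, and both the joining of a registry key with its value name and the "two host-based categories" flagging rule are this example's own assumptions.

```python
"""Match host and network observations against the indicators in this roundup."""
import re

# Indicators copied from the roundup's tables in their published notation:
# "[.]" defanging for network IOCs, "<HKLM>"-style hive prefixes, and
# "<random, matching ...>" / "<random guid>" placeholders for variable parts.
# Joining a registry key to its "Value Name" with "\" is this example's own
# convention (an assumption), so one string can be matched against a log field.
HOST_IOCS = {
    "mutex": [
        "Global\\MicrosoftSysenterGate7",                     # Shiz
        "internal_wutex_0x<random, matching [0-9a-f]{8}>",   # Shiz
        "Global\\<random guid>",                              # Ramnit
    ],
    "file": [
        "%TEMP%\\<random, matching [A-F0-9]{1,4}>.tmp",      # Shiz
        "%HOMEPATH%\\Desktop\\lukitus.htm",                  # Locky ransom note
    ],
    "registry": [
        "<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON\\userinit",  # Shiz
        "<HKCU>\\SOFTWARE\\<random, matching '[a-zA-Z0-9]{5,9}'>\\InstalledServer",  # XtremeRAT
    ],
}
# The post labels its IP and domain tables "Does not indicate maliciousness",
# so network indicators are reported as context only, never as evidence.
NETWORK_IOCS = {"ip": ["13[.]107[.]21[.]200"], "domain": ["www[.]bing[.]com"]}

_PLACEHOLDER = re.compile(r"<random guid>|<random, matching '?(?P<pat>.+?)'?>")
_GUID = r"\{?[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}?"


def ioc_to_regex(ioc):
    """Compile a published indicator into a regex: literal text is escaped and
    each placeholder becomes the character class it names. The sandbox
    upper-cases registry paths, so matching is case-insensitive."""
    ioc = re.sub(r"^<(HK[A-Z]+)>", r"\1", ioc)  # "<HKLM>\..." -> "HKLM\..."
    parts, pos = [], 0
    for m in _PLACEHOLDER.finditer(ioc):
        parts.append(re.escape(ioc[pos:m.start()]))
        parts.append(_GUID if m.group(0) == "<random guid>" else m.group("pat"))
        pos = m.end()
    parts.append(re.escape(ioc[pos:]))
    return re.compile("".join(parts), re.IGNORECASE)


def refang(ioc):
    """Undo the "[.]" defanging so the value compares equal to a log field."""
    return ioc.replace("[.]", ".")


def host_hits(observations):
    """Return (category, observed value, published indicator) for every
    mutex/file/registry observation that fully matches a HOST indicator."""
    hits = []
    for category, iocs in HOST_IOCS.items():
        compiled = [(ioc, ioc_to_regex(ioc)) for ioc in iocs]
        for seen in observations.get(category, []):
            for ioc, rx in compiled:
                if rx.fullmatch(seen):
                    hits.append((category, seen, ioc))
    return hits


def network_context(observations):
    """Return (category, published indicator) for contacted IPs and domains
    that appear in the roundup; for context only."""
    context = []
    for category, iocs in NETWORK_IOCS.items():
        wanted = {refang(ioc).lower(): ioc for ioc in iocs}
        for seen in observations.get(category, []):
            if seen.lower() in wanted:
                context.append((category, wanted[seen.lower()]))
    return context


def triage(observations):
    """Apply the post's caveat that a single IOC is not a verdict. The rule
    assumed here: flag only when host indicators from at least two categories
    match; network matches alone never flag a host."""
    hits = host_hits(observations)
    categories = {category for category, _, _ in hits}
    return {"flag": len(categories) >= 2, "host_hits": hits,
            "network_context": network_context(observations)}


# Constructed sample observations (not from the roundup), already normalised
# to the tables' form: %VAR% paths and "HKLM\..." registry targets.
SHIZ_LIKE_HOST = {
    "mutex": ["Global\\MicrosoftSysenterGate7", "internal_wutex_0x000004b4"],
    "file": ["%TEMP%\\A3F.tmp"],
    "registry": ["HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\userinit"],
    "ip": ["13.107.21.200"],
}
BENIGN_HOST = {"mutex": ["Global\\SomeUpdaterMutex"], "domain": ["www.bing.com"]}

if __name__ == "__main__":
    for name, host in (("shiz-like", SHIZ_LIKE_HOST), ("benign", BENIGN_HOST)):
        print(name, triage(host))
```

Real telemetry (Sysmon event 12/13 TargetObject, expanded %TEMP% paths) has to be normalised to the same form before matching; the sample observations are written as if that step has already happened.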

Threat Breakdown

Win.Dropper.Ramnit-9964110-0

Indicators of Compromise

IOCs collected from dynamic analysis of 26 samples

Mutexes    Occurrences
{79345B6A-421F-2958-EA08-07396ADB9E27}    26
Global\<random guid>    26

Files and/or directories created    Occurrences

*See JSON for more IOCs

File Hashes


*See JSON for more IOCs

Coverage

Product                     Protection
Secure Endpoint
Cloudlock                   N/A
CWS
Email Security
Network Security            N/A
Stealthwatch                N/A
Stealthwatch Cloud          N/A
Secure Malware Analytics
Umbrella                    N/A
WSA                         N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Ransomware.Locky-9963624-0

Indicators of Compromise

IOCs collected from dynamic analysis of 16 samples

Registry Keys    Occurrences
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}
    Value Name: FaviconPath    16
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}
    Value Name: Deleted    16
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES
    Value Name: DefaultScope    16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VSS\DIAG\VSSAPIPUBLISHER    16
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
    Value Name: LanguageList    16
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}    16
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
    Value Name: @C:\Windows\System32\intl.cpl,-1    1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
    Value Name: @C:\Windows\System32\intl.cpl,-2    1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
    Value Name: @C:\Windows\System32\hgcpl.dll,-2    1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
    Value Name: @C:\Windows\System32\main.cpl,-100    1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
    Value Name: @C:\Windows\System32\main.cpl,-101    1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
    Value Name: @C:\Windows\System32\main.cpl,-102    1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
    Value Name: @C:\Windows\System32\main.cpl,-103    1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
    Value Name: @C:\Windows\System32\devmgr.dll,-4    1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
    Value Name: @C:\Windows\System32\devmgr.dll,-5    1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
    Value Name: @C:\Windows\System32\icardres.dll,-4097    1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
    Value Name: @C:\Windows\System32\icardres.dll,-4098    1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
    Value Name: @C:\Windows\System32\PerfCenterCPL.dll,-2    1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
    Value Name: @C:\Windows\system32\appwiz.cpl,-160    1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
    Value Name: @C:\Windows\System32\netcenter.dll,-2    1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
    Value Name: @C:\Windows\System32\wpccpl.dll,-101    1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
    Value Name: @C:\Windows\System32\autoplay.dll,-1    1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
    Value Name: @C:\Windows\System32\autoplay.dll,-2    1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
    Value Name: @C:\Windows\System32\SyncCenter.dll,-3001    1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
    Value Name: @C:\Windows\System32\recovery.dll,-101    1

Mutexes    Occurrences
Global\4aEa7aGa9a4aBa6a4a4aBa1a5a8a4a1a    16
Local\4aEa7aGa9a4aBa6a4a4aBa1a5a8a4a1a    16
Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!16613a8    16

IP Addresses contacted by malware. Does not indicate maliciousness    Occurrences
13[.]107[.]21[.]200    10

Domain Names contacted by malware. Does not indicate maliciousness    Occurrences
www[.]bing[.]com    16

Files and/or directories created    Occurrences
\Users\Default\NTUSER.DAT.LOG    16
%ProgramData%\Mozilla\logs\maintenanceservice-install.log    16
%ProgramData%\Sun\Java\Java Update\jaureglist.xml    16
%ProgramData%\Microsoft\RAC\StateData\RacMetaData.dat    16
%ProgramData%\Adobe\Updater6\AdobeESDGlobalApps.xml    16
%ProgramData%\Microsoft\IlsCache\ilrcache.xml    16
%ProgramData%\Microsoft\IlsCache\imcrcache.xml    16
%ProgramData%\Microsoft\User Account Pictures\admin.dat    16
%HOMEPATH%\Desktop\lukitus.bmp    16
%HOMEPATH%\Desktop\lukitus.htm    16
\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\0PZW71P4-    16
\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\0PZW71P4-ZQ0    16
\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\0PZW71P4-    16
\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\0PZW71P4-ZQ0I-J19    16
\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\0PZW71P4-    16
\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\0PZW71P4-ZQ0I-J1    16
\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\0PZW71P4-    16
\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\0PZW71P4-ZQ0I-    16
\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\0PZW71P4-    16
\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\0PZW71P4-ZQ    16
\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\0PZW71P4-    16
\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\0PZW71P4-ZQ0    16
\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\0PZW71P4-    16
\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\0PZW71P4-    16
\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\0PZW71P4-    16

*See JSON for more IOCs

File Hashes


Coverage

Product                     Protection
Secure Endpoint
Cloudlock                   N/A
CWS
Email Security
Network Security            N/A
Stealthwatch                N/A
Stealthwatch Cloud          N/A
Secure Malware Analytics
Umbrella                    N/A
WSA                         N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Shiz-9963681-0

Indicators of Compromise

IOCs collected from dynamic analysis of 21 samples

Registry Keys    Occurrences
<HKLM>\SOFTWARE\MICROSOFT
    Value Name: 67497551a    21
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
    Value Name: 98b68e3c    21
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
    Value Name: userinit    21
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
    Value Name: System    21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
    Value Name: load    21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
    Value Name: run    21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: userinit    21

Mutexes    Occurrences
Global\674972E3a    21
Global\MicrosoftSysenterGate7    21
internal_wutex_0x000004b4    21
internal_wutex_0x0000043c    21
internal_wutex_0x<random, matching [0-9a-f]{8}>    21
internal_wutex_0x000004dc    20

IP Addresses contacted by malware. Does not indicate maliciousness    Occurrences

Domain Names contacted by malware. Does not indicate maliciousness    Occurrences

*See JSON for more IOCs

Files and/or directories created    Occurrences
%TEMP%\<random, matching [A-F0-9]{1,4}>.tmp    21

File Hashes


Coverage

Product                     Protection
Secure Endpoint
Cloudlock                   N/A
CWS
Email Security
Network Security
Stealthwatch                N/A
Stealthwatch Cloud          N/A
Secure Malware Analytics
Umbrella
WSA

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.XtremeRAT-9963701-0

Indicators of Compromise

IOCs collected from dynamic analysis of 12 samples

    Registry Key | Value Name | Occurrences   (- = key recorded without a value name)
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | LanguageList | 9
    <HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'> | - | 9
    <HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'> | InstalledServer | 8
    <HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'> | ServerStarted | 7
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | HKLM | 6
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | HKCU | 6
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{5460C4DF-B266-909E-CB58-E32B79832EB2} | - | 4
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{5460C4DF-B266-909E-CB58-E32B79832EB2} | StubPath | 4
    <HKCU>\SOFTWARE\((MUTEX)) | - | 3
    <HKCU>\SOFTWARE\((MUTEX)) | InstalledServer | 3
    <HKCU>\SOFTWARE\((MUTEX)) | ServerStarted | 3
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | HKLX | 2
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | HKCL | 2
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS | StubPath | 2
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{7OFBR713-LB7J-5G81-7WC8-161211U08C56} | StubPath | 2
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{7OFBR713-LB7J-5G81-7WC8-161211U08C56} | - | 2
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @C:\Windows\system32\DeviceCenter.dll,-2000 | 1
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @explorer.exe,-7001 | 1
    <HKCU>\SOFTWARE\XTREMERAT | TDados | 1
    <HKCU>\SOFTWARE\SS | - | 1
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{11AKP4MN-X763-4313-1615-X6G4IX7N4S25} | - | 1
    <HKCU>\SOFTWARE\SS | ServerStarted | 1
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{M0J1AY7S-64N4-SUDU-RQ0E-5HNUA5PF0MI0} | - | 1
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | ss | 1
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | ss | 1

    Mutex | Occurrences
    XTREMEUPDATE | 12
    <random, matching [a-zA-Z0-9]{5,9}> | 9
    <random, matching [a-zA-Z0-9]{5,9}>PERSIST | 8
    <random, matching [a-zA-Z0-9]{5,9}>EXIT | 8
    ((Mutex)) | 3
    ((Mutex))PERSIST | 2
    ((Mutex))EXIT | 2
    STUBXTREMEINJECTED | 1
    ss | 1

    Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
    dstar[.]hopto[.]org | 1
    may00[.]zapto[.]org | 1

    Files and or directories created | Occurrences
    %TEMP%\x.html | 10
    %APPDATA%\Microsoft\Windows\<random, matching '[a-zA-Z0-9]{5,9}'>.cfg | 8
    %APPDATA%\Microsoft\Windows\((Mutex)).cfg | 3
    %SystemRoot%\InstallDir | 2
    %APPDATA%\InstallDir | 2
    %APPDATA%\InstallDir\dll.exe | 2
    %SystemRoot%\InstallDir\Server.exe | 1
    %ProgramFiles(x86)%\ISSA.exe | 1
    %ProgramFiles(x86)%\ss.exe | 1
    %APPDATA%\Microsoft\Windows\ss.cfg | 1
    %APPDATA%\Microsoft\Windows\ss.dat | 1
    %APPDATA%\Microsoft\Windows\SpUDj.dat | 1
    %SystemRoot%\GOOGLE.exe | 1
    %APPDATA%\windoy.exe | 1
    %SystemRoot%\SysWOW64\windoy.exe | 1
    %APPDATA%\soft.exe | 1
    %SystemRoot%\SysWOW64\soft.exe | 1
    %SystemRoot%\InstallDir\browse.exe | 1
    %SystemRoot%\SysWOW64\migc.exe | 1
    %APPDATA%\migc.exe | 1
    %SystemRoot%\CREATE.exe | 1
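The XtremeRAT tables above record the same random name in three places: the HKCU\SOFTWARE\<token> key that holds InstalledServer and ServerStarted, the <token>, <token>PERSIST and <token>EXIT mutexes, and the <token>.cfg file under %APPDATA%\Microsoft\Windows. A short alphanumeric mutex by itself is common on any host; one token recurring across several artefact types is not. The Python below is an added example, not Talos code: it turns the placeholder notation from the tables into regexes, groups hits by token, and only reports a token seen in at least three artefact types, while the XTREMEUPDATE and STUBXTREMEINJECTED mutexes and the Run values named HKLM/HKCU are reported on their own. The sandbox events, the token qf4Zk9 and the (type, path, value_name) event layout are constructed for the example.

```python
"""Correlate XtremeRAT artefacts that share one random token (added example)."""
import re
from collections import defaultdict

TOKEN = r"([a-zA-Z0-9]{5,9})"   # the '<random, matching ...>' placeholder from the tables

PATTERNS = {
    # optional <> around the hive accepts both sandbox output and the Talos notation
    "reg_key": re.compile(r"^<?HKCU>?\\SOFTWARE\\" + TOKEN + r"$", re.I),
    "mutex_persist": re.compile(r"^" + TOKEN + r"PERSIST$"),
    "mutex_exit": re.compile(r"^" + TOKEN + r"EXIT$"),
    "mutex_base": re.compile(r"^" + TOKEN + r"$"),
    "cfg_file": re.compile(r"^%APPDATA%\\Microsoft\\Windows\\" + TOKEN + r"\.cfg$", re.I),
}
REG_VALUES = {"InstalledServer", "ServerStarted"}
STANDALONE_MUTEXES = {"XTREMEUPDATE", "STUBXTREMEINJECTED"}
RUN_VALUE_NAMES = {"HKLM", "HKCU"}   # the oddly named Run values listed above


def classify(event):
    """Return (artefact kind, token) if the event carries a random token, else None."""
    etype, path, value = event
    if etype == "registry":
        m = PATTERNS["reg_key"].match(path)
        if m and value in REG_VALUES:
            return "registry:" + value, m.group(1)
    elif etype == "mutex":
        # suffixed forms first: a 5-char token plus EXIT also fits mutex_base
        for kind in ("mutex_persist", "mutex_exit", "mutex_base"):
            m = PATTERNS[kind].match(path)
            if m:
                return kind, m.group(1)
    elif etype == "file":
        m = PATTERNS["cfg_file"].match(path)
        if m:
            return "cfg_file", m.group(1)
    return None


def correlate(events):
    """Map each token (lower-cased, since registry paths are often upper-cased) to the kinds seen."""
    hits = defaultdict(set)
    for event in events:
        found = classify(event)
        if found:
            kind, token = found
            hits[token.lower()].add(kind)
    return hits


def assess(events, min_kinds=3):
    """Tokens present in at least min_kinds artefact types, plus standalone IOC hits."""
    hits = correlate(events)
    tokens = sorted(t for t, kinds in hits.items() if len(kinds) >= min_kinds)
    standalone = []
    for etype, path, value in events:
        if etype == "mutex" and path.upper() in STANDALONE_MUTEXES:
            standalone.append(path)
        elif (etype == "registry" and path.upper().endswith(r"\CURRENTVERSION\RUN")
              and value in RUN_VALUE_NAMES):
            standalone.append(path + "\\" + value)
    return tokens, standalone


EVENTS = [  # constructed sandbox output, not from the roundup
    ("mutex", "XTREMEUPDATE", None),
    ("mutex", "qf4Zk9", None),
    ("mutex", "qf4Zk9PERSIST", None),
    ("mutex", "qf4Zk9EXIT", None),
    ("registry", r"<HKCU>\SOFTWARE\QF4ZK9", "InstalledServer"),
    ("registry", r"<HKCU>\SOFTWARE\QF4ZK9", "ServerStarted"),
    ("registry", r"<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN", "HKLM"),
    ("file", r"%APPDATA%\Microsoft\Windows\qf4Zk9.cfg", None),
    ("file", r"%TEMP%\x.html", None),
    ("mutex", "Local7", None),                       # short name, one artefact type only
    ("registry", r"<HKCU>\SOFTWARE\Python", "InstallPath"),
]

if __name__ == "__main__":
    print(assess(EVENTS))
```

Lowering the threshold to two kinds catches the ((Mutex)) variants that only left a key and a mutex, at the cost of more review work; the standalone list is what to page on regardless.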

File Hashes

    00c5b7cc78f982e42062c84a8a5c1c5aaeea7276b0f00635d61e4bfdcf6ed4b2
    05316395bee1b9759134e86ecf28413d197c95cc6c25bb96a3fd957adfb767fe
    10f0a0f8b51964b8a3fc497040601a48fe0493a7e4010ee89e61068cc8e2d92d
    33ed0e091cc5ccc71d0a9d37c4f82d73f3959ffcd55f9c2f8660e7e13f68393e
    3e5302bb99e282cd9303eda70e64589529704b3c2edee6637cb040887b02f42f
    593d60c61df90a5de77d5ee31815eafd3c2657f1581cdd7fe36e74f72956a7e3
    62243f0a6f197f167173d12b985b2bbd4a8f98864eb4f99c77e28a9f561f4b0d
    6798aa4e8218c8783acab06e700b519eb31856ac0e46c6c82f5dfbf22e13ddb5
    9906c6c6ce2eb7199023bbfcff346303f08dab61f475da22fe358f0e09d083bd
    c11cd59cb06cf9e1a9f95e3d78300a2aa8edf94ed7964b73ccb7135a5b23a7d6
    d20e8dd51f00f03a0aacfcc4989d86411e2bc6c6f0a91961f420a056a86eef07
    d8df5b44e3469d7a7c0ffc4dba88d34bff093cf4453500074a54b837d50d93c6

Coverage

    Product                      Protection
    Secure Endpoint
    Cloudlock                    N/A
    CWS
    Email Security
    Network Security             N/A
    Stealthwatch                 N/A
    Stealthwatch Cloud           N/A
    Secure Malware Analytics
    Umbrella                     N/A
    WSA                          N/A

Screenshots of Detection (images, not reproduced here): Secure Endpoint, Secure Malware Analytics, MITRE ATT&CK

Win.Dropper.Nanocore-9963905-0

Indicators of Compromise

IOCs collected from dynamic analysis of 20 samples

    Registry Key | Value Name | Occurrences
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | LanguageList | 9
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | jVULYR | 2
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | AGP Manager | 1
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | WGmLd | 1
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | ddnKQs | 1
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @explorer.exe,-7001 | 1
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | capsole | 1

    Mutex | Occurrences
    8-3503835SZBFHHZ | 1
    NL20T01E6BXGZI09 | 1
    fKZhNqRta | 1
    Global\{bbc5d79f-8cc7-4aa7-b9fa-0c15cee443cd} | 1
    GfAQbAoN | 1
    GZVlUzSZeINZ | 1

    IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
    149[.]154[.]167[.]220 | 2
    208[.]91[.]199[.]224 | 1
    208[.]91[.]198[.]143 | 1
    208[.]91[.]199[.]223 | 1
    205[.]134[.]234[.]70 | 1
    107[.]182[.]129[.]128 | 1
    162[.]0[.]229[.]41 | 1

    Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
    api[.]telegram[.]org | 2
    mail[.]albacon-ojeda[.]pe | 1
    smtp[.]saudlunion[.]com | 1
    smtp[.]transmase[.]com | 1
    smtp[.]utt-ae[.]com | 1
    brightnano1[.]ddns[.]net | 1
    mail[.]fasttunpcbs[.]com | 1

    Files and or directories created | Occurrences
    %System32%\Tasks\Updates | 6
    %TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp | 6
    %System32%\drivers\etc\hosts | 3
    %APPDATA%\jVULYR | 2
    %APPDATA%\jVULYR\jVULYR.exe | 2
    %ProgramFiles(x86)%\AGP Manager | 1
    %ProgramFiles(x86)%\AGP Manager\agpmgr.exe | 1
    %APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5 | 1
    %APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs | 1
    %APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs\Administrator | 1
    %APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\run.dat | 1
    %APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\task.dat | 1
    %System32%\Tasks\AGP Manager | 1
    %System32%\Tasks\AGP Manager Task | 1
    %APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\catalog.dat | 1
    %APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\settings.bin | 1
    %APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\storage.dat | 1
    %APPDATA%\WGmLd | 1
    %APPDATA%\WGmLd\WGmLd.exe | 1
    %APPDATA%\ddnKQs | 1
    %APPDATA%\ddnKQs\ddnKQs.exe | 1
    %APPDATA%\HFkIOmiwFQY.exe | 1
    %System32%\Tasks\Updates\HFkIOmiwFQY | 1
    %APPDATA%\h0gct1lm.mo4 | 1
    %APPDATA%\h0gct1lm.mo4\Firefox | 1

*See JSON for more IOCs

File Hashes

    1f41465839f9e90dc6298156eb0f0eab361414c1dc207c22e2593e608dc6f5d5
    28d4e2a68e9b5db5a71cbd94fcaa241dfd1937e99eadbddab572ff4efab999d7
    2b61ef6e2d493e4eb8bd0ce74d2cf9fb7de72245ec0e76afe9198b9518f2cb40
    2c04f3b128381e4f3e3687566623fd653d7a211dfdd17efd94317bebaae1b78b
    35157e080e4f612ef306a1195e55ce5068844cc7daf3442d0f73c98c224d4c9d
    35ad1d5553d61763b2e94c6e4d66cd5b6cba0578736f202a12c88525b9125804
    420c5ccde64ea630f1223e27d1cae8b0887aca1a4e87d6f9c307011c0e266bf9
    43f5c35dc913dbd764a028b5686d0a3c47bcb745c3b277b778742e22989784ca
    46675d5b6e4c352b50804c760bf4ef3174a8ef93b875f1b7e0f343e22573a6c5
    6b4bbd2e534c8e089691829e219ea54c8e113012f1ecb6d912a5d791c7157c2e
    7605008ef9c187be6862403b9a5eef21eb271ff656db288759a50dc3785caeeb
    76b3123c5245713b390b8f28fafddddef75a55199621a196124e9c55ac55d1af
    878a27d70fd8b04b70298f1e102053e02faeaab461a8455fdf843262118231ad
    9238603739f090fa4b311ab4c76739c1b54d21e410139c6be208025b4dd7a33f
    a2631bee5c6505f12449f250e56d2091a50fd25d876ad49efefeb4ea7f63e45d
    b863d3d875966054e0a8a19ae649a08ecf80a2be46b937c5f6d0a634cba4e465
    ce88fb263d3e6a38cac9d2b4ec0f27bfc724d46b4d274fc7adb25330bae9e724
    daf4c0820c45f6be84cf248504e10bfee063ea6fc8de3b397adaa6682e4bb610
    e06d33553621160bf21cdc08eaecb5e977a59e6e416c37922a6d263620141a7d
    fa0ddfe8dd1e9509529086469444221a673fb0d16f380c968150a7a53f68b0d9

Coverage

    Product                      Protection
    Secure Endpoint
    Cloudlock                    N/A
    CWS
    Email Security
    Network Security
    Stealthwatch                 N/A
    Stealthwatch Cloud           N/A
    Secure Malware Analytics
    Umbrella                     N/A
    WSA

Screenshots of Detection (images, not reproduced here): Secure Endpoint, Secure Malware Analytics, MITRE ATT&CK

Win.Ransomware.Cerber-9964084-0

Indicators of Compromise

IOCs collected from dynamic analysis of 26 samples

    Registry Key | Value Name | Occurrences   (- = key recorded without a value name)
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | LanguageList | 26
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\dhcpqec.dll,-100 | 26
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\dhcpqec.dll,-101 | 26
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\dhcpqec.dll,-103 | 26
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\dhcpqec.dll,-102 | 26
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\napipsec.dll,-1 | 26
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\napipsec.dll,-2 | 26
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\napipsec.dll,-4 | 26
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\napipsec.dll,-3 | 26
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\tsgqec.dll,-100 | 26
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\tsgqec.dll,-101 | 26
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\tsgqec.dll,-102 | 26
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\tsgqec.dll,-103 | 26
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\eapqec.dll,-100 | 26
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\eapqec.dll,-101 | 26
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\eapqec.dll,-102 | 26
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @%SystemRoot%\system32\eapqec.dll,-103 | 26
    <HKCU>\SOFTWARE\MICROSOFT\SPEECH\CURRENTUSERLEXICON\\FILES | - | 1
    <HKCU>\SOFTWARE\MICROSOFT\SPEECH\CURRENTUSERLEXICON\\FILES | Datafile | 1

    Mutex | Occurrences
    shell.{381828AA-8B28-3374-1B67-35680555C5EF} | 26

    IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
    178[.]128[.]255[.]179 | 26
    149[.]202[.]64[.]0/27 | 26
    149[.]202[.]122[.]0/27 | 26
    149[.]202[.]248[.]0/22 | 26
    172[.]66[.]41[.]18 | 15
    104[.]20[.]21[.]251 | 11
    172[.]66[.]42[.]238 | 11
    172[.]67[.]2[.]88 | 8
    104[.]20[.]20[.]251 | 7

    Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
    api[.]blockcypher[.]com | 26
    bitaps[.]com | 26
    chain[.]so | 26
    btc[.]blockr[.]io | 26
    xxxxxxxxxxxxxxxx[.]1k1dxt[.]top | 26

    Files and or directories created | Occurrences
    %TEMP%\d19ab989 | 26
    %TEMP%\d19ab989\4710.tmp | 26
    %TEMP%\d19ab989\a35f.tmp | 26
    %LOCALAPPDATA%\Microsoft\Office\Groove1\System\CSMIPC.dat | 26
    %TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp | 26
    %TEMP%\tmp<random, matching [A-F0-9]{1,4}>.bmp | 26
    <dir>\_READ_THIS_FILE_<random, matching [A-F0-9]{4,8}>_.hta | 26
    <dir>\_READ_THIS_FILE_<random, matching [A-F0-9]{4,8}>_.txt | 26
    <dir>\_READ_THIS_FILE_<random, matching [A-F0-9]{4,8}>_.jpeg | 26
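The Cerber network IOCs above mix single addresses with CIDR ranges, use the defanged [.] notation, and mask the random subdomain of the .top C2 host, while the ransom-note pattern is a regex over file names. The page also notes that the contacted IPs and domains do not by themselves indicate maliciousness: the blockchain explorers are public services. The Python below is an added example, not Talos code, that refangs the entries, expands the CIDRs with the standard ipaddress module, treats the xxxxxxxxxxxxxxxx mask as one wildcard DNS label (an assumption about what the mask hides), and grades a host's telemetry so that a C2 hit together with a ransom-note write rates high, while the shared services alone rate low. The telemetry records are constructed for the example.

```python
"""Grade host telemetry against the Cerber network and file IOCs (added example)."""
import ipaddress
import re

C2_IOCS = [
    "178[.]128[.]255[.]179",
    "149[.]202[.]64[.]0/27",
    "149[.]202[.]122[.]0/27",
    "149[.]202[.]248[.]0/22",
    "xxxxxxxxxxxxxxxx[.]1k1dxt[.]top",
]
SHARED_IOCS = [  # public blockchain explorers and the other addresses the table lists
    "api[.]blockcypher[.]com", "bitaps[.]com", "chain[.]so", "btc[.]blockr[.]io",
    "172[.]66[.]41[.]18", "104[.]20[.]21[.]251", "172[.]66[.]42[.]238",
    "172[.]67[.]2[.]88", "104[.]20[.]20[.]251",
]
RANSOM_NOTE = re.compile(r"_READ_THIS_FILE_[A-F0-9]{4,8}_\.(hta|txt|jpeg)$", re.I)
MASK = "xxxxxxxxxxxxxxxx"   # assumed to stand for one random DNS label


def refang(ioc):
    return ioc.replace("[.]", ".")


def compile_iocs(iocs):
    """Split a mixed list into ip_network objects and hostname regexes."""
    nets, hosts = [], []
    for ioc in map(refang, iocs):
        try:
            nets.append(ipaddress.ip_network(ioc, strict=False))   # a bare address becomes a /32
        except ValueError:
            pattern = re.escape(ioc).replace(MASK, r"[a-z0-9-]{1,63}")
            hosts.append(re.compile(r"^" + pattern + r"$", re.I))
    return nets, hosts


def matches(dest, compiled):
    """True if dest (an IP or a hostname) falls in the compiled IOC set."""
    nets, hosts = compiled
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        return any(h.match(dest) for h in hosts)
    return any(addr in net for net in nets)


def assess(records):
    """records: (kind, value) with kind in {'dns', 'connect', 'file_create'}."""
    c2, shared = compile_iocs(C2_IOCS), compile_iocs(SHARED_IOCS)
    net = [v for k, v in records if k in ("dns", "connect")]
    c2_hits = [v for v in net if matches(v, c2)]
    shared_hits = [v for v in net if matches(v, shared)]
    notes = [v for k, v in records if k == "file_create" and RANSOM_NOTE.search(v)]
    if c2_hits and notes:
        level = "high"
    elif c2_hits or (shared_hits and notes):
        level = "medium"
    elif shared_hits or notes:
        level = "low"
    else:
        level = "none"
    return {"level": level, "c2": c2_hits, "shared": shared_hits, "notes": notes}


SAMPLE = [  # constructed telemetry from one host, not from the roundup
    ("dns", "api.blockcypher.com"),
    ("connect", "104.20.21.251"),
    ("connect", "149.202.122.17"),
    ("dns", "k3j9d0s2ab7c1f4e.1k1dxt.top"),
    ("file_create", r"C:\Users\u\Documents\_READ_THIS_FILE_3F9A1C_.hta"),
    ("file_create", r"C:\Users\u\Documents\report.docx"),
]

if __name__ == "__main__":
    print(assess(SAMPLE))
```

A lone connection into 149.202.248.0/22 still rates medium because that block is listed as C2 for every sample; the explorer domains alone never exceed low, since wallet-tracking software and browsers hit them too.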

File Hashes

    07d1b61970c982a009d3d3bd455b1ce6628819fbe47cf82d35b3b2d83a6b1690
    097a210c11bc3b1d1768d92e0f080382f350da4116177c38bd81ecaf01bf252f
    1015da0524bf981e3f7da09097e695418d2aeb20c8dfc027e927ea274c927743
    1a201ba2922601f743606e4f8762e042355fb95704ae08f1e9d46539e9a9c53e
    24eb2bfa038ccf1002d6c67bb35241514e265dda1e7ed5e310602e385cb942bd
    2788aeb4b8ce3220bc2352ecf6f6dc6fc899934691e5f7778c160d43a654c752
    2b921630e3606ceded2567dd7c2665ff59d3894e8f17b0c4c515cfcfea9281f6
    2c56f82b2109c74ffc9ac8bb6a75a4fadc7b5dbc8c6e4973dc576b4f6e44b3fd
    3107cfd1631d01d58fe6bcfddf6bb649286ee1e4632a2f6da9e0522e72adf66c
    313a8059da3a543dc1615e4b0e08d9b6ba02b82a915811bed92ec41a6b282cd5
    404b2ca147b0fd48ad897ae91ec951500eac740d3641552ed2175075eccd3d91
    405cda0e472fc0c7ea7bd7f523bf1eb77c020a68f895d28d8300ecbcaf689dd7
    4fae94bd1def53411ff126fcc1b5e91d25f5b42bc0792df01721217194d5cad1
    5490d8d2dd89b8298b5a7b5954f30157c40e4a9e7a13e89b3678169b274190c4
    614458dcdaebfaf39ac96fef19b98813852061b7f049c332d1a7d96099ec9971
    661992c14354d9a884da5c0d354ec2722aa2d4bc7c6c088e9fbea1781408a48d
    6660f96c1b098447cb40ac571cb3301e62dab35ed7d603a262e824c55ec0e2ba
    673175cc9fc60fed6f87badae959858cc73317e497bbc63be01d412538d8cd4a
    6ac22f719648c97dafca9980c3b2cc4d20c65411be0f3823eb5fbd2ad9907935
    746617c675d2a770eab8c726ebc402418cebdbb8200734454baadd99caddf189
    74f331f2928d6577c9d0767cbb16f5e19cdd9db4302b1f853b02de01e7797eaa
    761c6d04388582f39dcb4e11253bd2e05690bee6f1f5ed960dac7b2121946e7f
    763c7dd7964eaf334f7840f0b1c73340890b358f2e0892e455cb58b262828716
    76578d8841dc939a7eaafb0740943988f084d18871e5e82d88a8474945c290a0
    807ab02bc36e5465e67956df8cd09cd0f6baa69e99c80729eef0ef8a486da894

*See JSON for more IOCs

Coverage

    Product                      Protection
    Secure Endpoint
    Cloudlock                    N/A
    CWS
    Email Security
    Network Security
    Stealthwatch                 N/A
    Stealthwatch Cloud           N/A
    Secure Malware Analytics
    Umbrella                     N/A
    WSA

Screenshots of Detection (images, not reproduced here): Secure Endpoint, Secure Malware Analytics, MITRE ATT&CK

Win.Dropper.Dorkbot-9964085-0

Indicators of Compromise

IOCs collected from dynamic analysis of 25 samples

    Registry Key | Value Name | Occurrences   (- = key recorded without a value name)
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED | Hidden | 7
    <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM | EnableLUA | 7
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC | Start | 7
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND | Start | 7
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED | ShowSuperHidden | 7
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC | Start | 7
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER | HideSCAHealth | 7
    <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER | HideSCAHealth | 7
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV | Start | 7
    <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER | TaskbarNoNotification | 7
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER | TaskbarNoNotification | 7
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS | Load | 7
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | 1081297374 | 7
    <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN | 1081297374 | 7
    <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN | - | 7
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON | Taskman | 6
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON | Shell | 6
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | Windows Update Manager | 6
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN | - | 6
    <HKCU>\SOFTWARE\UAZI SOFT | UaziVer | 5
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | Windows Live Installer | 5
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN | Windows Live | 5
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | Windows Live | 5
    <HKCU>\SOFTWARE\UAZI SOFT | - | 5
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | BCSSync | 5
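The Dorkbot registry writes above are less about persistence than about blinding the host: EnableLUA under Policies\System, the Start type of the Security Center, Defender, Firewall and Windows Update services, the Hidden/ShowSuperHidden Explorer settings, and the HideSCAHealth and TaskbarNoNotification policies, alongside the Run, Policies\Explorer\Run, Winlogon Shell/Taskman and Windows\Load persistence points. The Python below is an added example, not Talos code, that classifies Sysmon-style registry events into those findings and maps them to ATT&CK techniques (the mapping is this example's, not the roundup's). The table lists only keys and value names, so the data values the rules test for (EnableLUA=0, Start=4, Hidden=2, ShowSuperHidden=0, HideSCAHealth=1, TaskbarNoNotification=1) are assumed; they are the settings those names control. The events are constructed.

```python
"""Classify Dorkbot-style registry writes into evasion and persistence findings (added example)."""
import re

SECURITY_SERVICES = {"WSCSVC": "Security Center", "WINDEFEND": "Windows Defender",
                     "MPSSVC": "Windows Firewall", "WUAUSERV": "Windows Update"}


def dword(data):
    """Sysmon renders REG_DWORD as 'DWORD (0x00000004)'; accept that form or a plain int."""
    if isinstance(data, int):
        return data
    m = re.search(r"0x([0-9a-f]+)", str(data), re.I)
    return int(m.group(1), 16) if m else None


# (key suffix regex, value name or None for any, predicate on data, label, ATT&CK technique)
# data values are assumptions: the roundup records only the keys and value names
RULES = [
    (r"\\POLICIES\\SYSTEM$", "EnableLUA", lambda d: dword(d) == 0, "UAC disabled", "T1548.002"),
    (r"\\SERVICES\\(WSCSVC|WINDEFEND|MPSSVC|WUAUSERV)$", "Start", lambda d: dword(d) == 4,
     "security service disabled", "T1562.001"),
    (r"\\EXPLORER\\ADVANCED$", "Hidden", lambda d: dword(d) == 2, "hidden files not shown", "T1564.001"),
    (r"\\EXPLORER\\ADVANCED$", "ShowSuperHidden", lambda d: dword(d) == 0, "protected OS files hidden", "T1564.001"),
    (r"\\POLICIES\\EXPLORER$", "HideSCAHealth", lambda d: dword(d) == 1, "Security Center icon hidden", "T1562.001"),
    (r"\\POLICIES\\EXPLORER$", "TaskbarNoNotification", lambda d: dword(d) == 1, "balloon notifications suppressed", "T1562.001"),
    (r"\\CURRENTVERSION\\RUN$", None, lambda d: True, "Run key persistence", "T1547.001"),
    (r"\\POLICIES\\EXPLORER\\RUN$", None, lambda d: True, "policy Run key persistence", "T1547.001"),
    (r"\\WINLOGON$", "Shell", lambda d: True, "Winlogon Shell hijack", "T1547.004"),
    (r"\\WINLOGON$", "Taskman", lambda d: True, "Winlogon Taskman hijack", "T1547.004"),
    (r"\\WINDOWS NT\\CURRENTVERSION\\WINDOWS$", "Load", lambda d: True, "Windows\\Load persistence", "T1547.001"),
]


def classify(events):
    """One finding per matching write as (label, technique, key, value_name)."""
    findings = []
    for key, name, data in events:
        upper = key.upper()
        for pattern, vname, pred, label, technique in RULES:
            name_ok = vname is None or vname.lower() == (name or "").lower()
            if re.search(pattern, upper) and name_ok and pred(data):
                findings.append((label, technique, key, name))
                break
    return findings


def disabled_services(events):
    """Friendly names of security services whose Start type was set to 4 (disabled)."""
    out = []
    for key, name, data in events:
        m = re.search(r"\\SERVICES\\([^\\]+)$", key.upper())
        if m and (name or "").lower() == "start" and dword(data) == 4 and m.group(1) in SECURITY_SERVICES:
            out.append(SECURITY_SERVICES[m.group(1)])
    return out


def summarize(events):
    findings = classify(events)
    return {
        "findings": findings,
        "techniques": sorted({technique for _, technique, _, _ in findings}),
        "disabled_services": disabled_services(events),
        "impair_defenses": any(t in ("T1562.001", "T1548.002") for _, t, _, _ in findings),
    }


EVENTS = [  # constructed Sysmon EventID 13-style (key, value_name, data) records
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", "DWORD (0x00000000)"),
    (r"HKLM\SYSTEM\ControlSet001\Services\wscsvc", "Start", "DWORD (0x00000004)"),
    (r"HKLM\SYSTEM\ControlSet001\Services\WinDefend", "Start", "DWORD (0x00000004)"),
    (r"HKLM\SYSTEM\ControlSet001\Services\MpsSvc", "Start", "DWORD (0x00000004)"),
    (r"HKLM\SYSTEM\ControlSet001\Services\wuauserv", "Start", "DWORD (0x00000004)"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "Hidden", "DWORD (0x00000002)"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "ShowSuperHidden", "DWORD (0x00000000)"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer", "HideSCAHealth", "DWORD (0x00000001)"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "1081297374", r"C:\Users\u\AppData\Roaming\1081297374.exe"),
    (r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", r"explorer.exe,C:\Users\u\AppData\Roaming\svc.exe"),
    # benign writes that touch the same keys with non-evasive values
    (r"HKLM\SYSTEM\ControlSet001\Services\wuauserv", "Start", "DWORD (0x00000002)"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "Hidden", "DWORD (0x00000001)"),
]

if __name__ == "__main__":
    print(summarize(EVENTS))
```

The value checks matter: a Start of 2 on wuauserv or a Hidden of 1 is ordinary administration, so the same key written with those values produces no finding. Response-wise, the disabled_services list is the repair checklist, since re-enabling those four services is the first step after removing the Run and Winlogon entries.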
                     
                
            
    Mutex | Occurrences
    PuredairyBB9 | 6
    PuredairyBB10 | 6
    PuredairyBB2 | 6
    PuredairyBB4 | 6
    PuredairyBB8 | 6
    PuredairyBB7 | 6
    PuredairyBB6 | 6
    PuredairyBB15 | 6
    PuredairyBB14 | 6
    PuredairyBB13 | 6
    PuredairyBB12 | 6
    PSPSndkvsdvd0199201 | 6
    PuredairyBB1 | 6
    PuredairyBB5 | 6
    PuredairyBB3 | 6
    PuredairyBB16 | 6
    PuredairyBB17 | 6
    PuredairyBB18 | 6
    PuredairyBB22 | 6
    PuredairyBB20 | 6
    PuredairyBB21 | 6
    PuredairyBB19 | 6
    PuredairyBB29 | 6
    PuredairyBB31 | 6
    PuredairyBB23 | 6

*See JSON for more IOCs

        IP Addresses contacted by malware. Does not indicate maliciousness            Occurrences        
                                 

*See JSON for more IOCs

        Domain Names contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        Files and or directories created                                       Occurrences
        %APPDATA%\WindowsUpdate                                                11
        %ProgramData%\msodtyzm.exe                                             7
        \RECYCLER                                                              6
        \TEMP\C\UPDATE                                                         6
        %APPDATA%\WindowsUpdate\MSupdate.exe                                   6
        %TEMP%\temp41.tmp                                                      5
        %APPDATA%\WindowsUpdate\Live.exe                                       5
        %TEMP%\apiSoftCA                                                       5
        %APPDATA%\Windows Live                                                 5
        %APPDATA%\Windows Live\debug_cache_dump_2384394.dmp                    5
        %APPDATA%\Windows Live\pldufejsya.exe                                  5
        \RECYCLER\S-1-5-21-0243556031-888888379-781862338-18611771             5
        %APPDATA%\fcvifgrs                                                     1
        %APPDATA%\fcvifgrs\jisgivdt.exe                                        1
        \RECYCLER\S-1-5-21-0243556031-888888379-781862338-1861771              1
        %ProgramData%\3741550053                                               1
        %ProgramData%\3741551629                                               1
        %ProgramData%\3741549335                                               1
        %ProgramData%\3741546871                                               1
        %ProgramData%\3741543454                                               1
        %ProgramData%\3741548555                                               1
        %ProgramData%\3741550771                                               1

File Hashes


*See JSON for more IOCs

Coverage

        Product                      Protection
        Secure Endpoint
        Cloudlock                    N/A
        CWS
        Email Security
        Network Security             N/A
        Stealthwatch                 N/A
        Stealthwatch Cloud           N/A
        Secure Malware Analytics
        Umbrella                     N/A
        WSA                          N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Worm.Kuluoz-9964104-0

Indicators of Compromise

IOCs collected from dynamic analysis of 26 samples

        Registry Keys                                                        Occurrences

    <HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'>                    26

    <HKCU>\SOFTWARE\TKQJXHIR
        Value Name: nnagtvkf                                                 2

    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
        Value Name: iemwudbv                                                 2

    <HKCU>\SOFTWARE\PKBQSDOK
        Value Name: wfiqbttr                                                 2

    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
        Value Name: deiobboq                                                 2

    <HKCU>\SOFTWARE\TEFAPJXX
        Value Name: hjlkqasv                                                 2

    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
        Value Name: nmvftwdp                                                 2

    <HKCU>\SOFTWARE\ROHCSWFU
        Value Name: ivxesusr                                                 1

    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
        Value Name: rskaarvw                                                 1

    <HKCU>\SOFTWARE\ONFHUPBQ
        Value Name: qrlpghvv                                                 1

    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
        Value Name: dwxwetxw                                                 1

    <HKCU>\SOFTWARE\JUNLDJNI
        Value Name: paxvvuef                                                 1

    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
        Value Name: buwqaweo                                                 1

    <HKCU>\SOFTWARE\QPANUOIR
        Value Name: mmvjkbpj                                                 1

    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
        Value Name: lawgdaar                                                 1

    <HKCU>\SOFTWARE\IDIFICQU
        Value Name: uqiuudaf                                                 1

    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
        Value Name: uaugufwr                                                 1

    <HKCU>\SOFTWARE\EPCSQSNO
        Value Name: sdkgxoqv                                                 1

    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
        Value Name: nojriosh                                                 1

    <HKCU>\SOFTWARE\IIBPNATQ
        Value Name: qbmgekoa                                                 1

    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
        Value Name: tabswxsd                                                 1

    <HKCU>\SOFTWARE\CHUFRWHS
        Value Name: nhmwllub                                                 1

    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
        Value Name: kawalexr                                                 1

    <HKCU>\SOFTWARE\QDCTDCFM
        Value Name: ietjtgir                                                 1

    <HKCU>\SOFTWARE\JUOBFMWV
        Value Name: ucngtfoi                                                 1

                
            
        Mutexes                                      Occurrences
        2GVWNQJz1                                    26

            
        IP Addresses contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        Files and or directories created                                       Occurrences
        %LOCALAPPDATA%\<random, matching '[a-z]{8}'>.exe                       26

File Hashes


*See JSON for more IOCs

Coverage

        Product                      Protection
        Secure Endpoint
        Cloudlock                    N/A
        CWS
        Email Security
        Network Security
        Stealthwatch                 N/A
        Stealthwatch Cloud           N/A
        Secure Malware Analytics
        Umbrella                     N/A
        WSA                          N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

TALOS

The most prevalent threats highlighted in this roundup are:

Threat Name                        Type          Description
Win.Dropper.Ramnit-9964110-0       Dropper       Ramnit is a banking trojan that monitors web browser activity on an infected machine and collects login information from financial websites. It could also steal browser cookies and hide from popular antivirus software.
Win.Ransomware.Locky-9963624-0     Ransomware    Locky is ransomware typically distributed via spam emails containing a malicious Microsoft Word document crafted to trick targets into enabling malicious macros. This family was originally released in 2016 and updated over the years with additional functionality.
Win.Dropper.Shiz-9963681-0         Dropper       Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information. It is commonly spread via droppers or by victims visiting a malicious site.
Win.Dropper.XtremeRAT-9963701-0    Dropper       XtremeRAT is a remote access trojan active since 2010 that allows the attacker to eavesdrop on users and modify the running system. The source code for XtremeRAT, written in Delphi, was leaked online and has since been used by similar RATs.
Win.Dropper.Nanocore-9963905-0     Dropper       Nanocore is a .NET remote access trojan. Its source code has been leaked several times, making it widely available. Like other RATs, it allows full control of the system, including recording video and audio, stealing passwords, downloading files and recording keystrokes.
Win.Ransomware.Cerber-9964084-0    Ransomware    Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension “.cerber,” although in more recent campaigns, other file extensions are used.
Win.Dropper.Dorkbot-9964085-0      Dropper       Dorkbot is a worm that spreads itself through social networking sites and messaging apps. Once installed, the infected computer becomes part of a botnet, allowing the controller to control the machine remotely.
Win.Worm.Kuluoz-9964104-0          Worm          Kuluoz, sometimes known as “Asprox,” is a modular remote access trojan that is also known to download and execute follow-on malware, such as fake antivirus software. It is often delivered via spam emails pretending to be shipment delivery notifications or flight booking confirmations.

Threat Breakdown

Win.Dropper.Ramnit-9964110-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples

Mutexes                                          Occurrences
{79345B6A-421F-2958-EA08-07396ADB9E27}           26
Global\<random guid>                             26

Files and or directories created                 Occurrences
%TEMP%\~TMDB5A.tmp                               2
%TEMP%\~TMDB99.tmp                               2
%TEMP%\~TM314F.tmp                               1
%TEMP%\~TM31DD.tmp                               1
%TEMP%\~TMDBC8.tmp                               1
%TEMP%\~TMDC25.tmp                               1
%TEMP%\~TME21E.tmp                               1
%TEMP%\~TMDC93.tmp                               1
%TEMP%\~TME2BB.tmp                               1
%TEMP%\~TME337.tmp                               1
%TEMP%\~TME3A5.tmp                               1
%TEMP%\~TME0D6.tmp                               1
%TEMP%\~TMDBF7.tmp                               1
%TEMP%\~TME164.tmp                               1
%TEMP%\~TMD977.tmp                               1
%TEMP%\~TMD9E5.tmp                               1
%TEMP%\~TMD9C5.tmp                               1
%TEMP%\~TMDA42.tmp                               1
%TEMP%\~TME0F5.tmp                               1
%TEMP%\~TME173.tmp                               1
%TEMP%\~TMDBE8.tmp                               1
%TEMP%\~TMDCC1.tmp                               1
%TEMP%\~TMDF60.tmp                               1
%TEMP%\~TMDD2F.tmp                               1
%TEMP%\~TMDFED.tmp                               1

*See JSON for more IOCs

File Hashes


*See JSON for more IOCs

Coverage

Product                      Protection
Secure Endpoint
Cloudlock                    N/A
CWS
Email Security
Network Security             N/A
Stealthwatch                 N/A
Stealthwatch Cloud           N/A
Secure Malware Analytics
Umbrella                     N/A
WSA                          N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Ransomware.Locky-9963624-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 16 samples

Registry Keys                                                                Occurrences

<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}
        Value Name: FaviconPath                                              16

<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}
        Value Name: Deleted                                                  16

<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES
        Value Name: DefaultScope                                             16

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VSS\DIAG\VSSAPIPUBLISHER                16

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
        Value Name: LanguageList                                             16

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}    16

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
        Value Name: @C:\Windows\System32\intl.cpl,-1                         1

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
        Value Name: @C:\Windows\System32\intl.cpl,-2                         1

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
        Value Name: @C:\Windows\System32\hgcpl.dll,-2                        1

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
        Value Name: @C:\Windows\System32\main.cpl,-100                       1

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
        Value Name: @C:\Windows\System32\main.cpl,-101                       1

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
        Value Name: @C:\Windows\System32\main.cpl,-102                       1

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
        Value Name: @C:\Windows\System32\main.cpl,-103                       1

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
        Value Name: @C:\Windows\System32\devmgr.dll,-4                       1

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
        Value Name: @C:\Windows\System32\devmgr.dll,-5                       1

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
        Value Name: @C:\Windows\System32\icardres.dll,-4097                  1

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
        Value Name: @C:\Windows\System32\icardres.dll,-4098                  1

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
        Value Name: @C:\Windows\System32\PerfCenterCPL.dll,-2                1

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
        Value Name: @C:\Windows\system32\appwiz.cpl,-160                     1

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
        Value Name: @C:\Windows\System32\netcenter.dll,-2                    1

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
        Value Name: @C:\Windows\System32\wpccpl.dll,-101                     1

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
        Value Name: @C:\Windows\System32\autoplay.dll,-1                     1

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
        Value Name: @C:\Windows\System32\autoplay.dll,-2                     1

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
        Value Name: @C:\Windows\System32\SyncCenter.dll,-3001                1

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
        Value Name: @C:\Windows\System32\recovery.dll,-101                   1

Mutexes                                                                                                Occurrences
Global\4aEa7aGa9a4aBa6a4a4aBa1a5a8a4a1a                                                                16
Local\4aEa7aGa9a4aBa6a4a4aBa1a5a8a4a1a                                                                 16
Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!16613a8       16

IP Addresses contacted by malware. Does not indicate maliciousness      Occurrences
13[.]107[.]21[.]200                                                     10

Domain Names contacted by malware. Does not indicate maliciousness      Occurrences
www[.]bing[.]com                                                        16

Files and or directories created                                                         Occurrences
\Users\Default\NTUSER.DAT.LOG                                                            16
%ProgramData%\Mozilla\logs\maintenanceservice-install.log                                16
%ProgramData%\Sun\Java\Java Update\jaureglist.xml                                        16
%ProgramData%\Microsoft\RAC\StateData\RacMetaData.dat                                    16
%ProgramData%\Adobe\Updater6\AdobeESDGlobalApps.xml                                      16
%ProgramData%\Microsoft\IlsCache\ilrcache.xml                                            16
%ProgramData%\Microsoft\IlsCache\imcrcache.xml                                           16
%ProgramData%\Microsoft\User Account Pictures\admin.dat                                  16
%HOMEPATH%\Desktop\lukitus.bmp                                                           16
%HOMEPATH%\Desktop\lukitus.htm                                                           16
\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\0PZW71P4-                   16
\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\0PZW71P4-ZQ0                16
\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\0PZW71P4-                   16
\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\0PZW71P4-ZQ0I-J19           16
\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\0PZW71P4-                   16
\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\0PZW71P4-ZQ0I-J1            16
\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\0PZW71P4-                   16
\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\0PZW71P4-ZQ0I-              16
\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\0PZW71P4-                   16
\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\0PZW71P4-ZQ                 16
\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\0PZW71P4-                   16
\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\0PZW71P4-ZQ0                16
\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\0PZW71P4-          16
\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\0PZW71P4-          16
\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\0PZW71P4-          16

*See JSON for more IOCs

File Hashes


Coverage

Product                      Protection
Secure Endpoint
Cloudlock                    N/A
CWS
Email Security
Network Security             N/A
Stealthwatch                 N/A
Stealthwatch Cloud           N/A
Secure Malware Analytics
Umbrella                     N/A
WSA                          N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Shiz-9963681-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 21 samples

Registry Keys (occurrences)
  21  <HKLM>\SOFTWARE\MICROSOFT  (Value Name: 67497551a)
  21  <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON  (Value Name: 98b68e3c)
  21  <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON  (Value Name: userinit)
  21  <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON  (Value Name: System)
  21  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS  (Value Name: load)
  21  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS  (Value Name: run)
  21  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN  (Value Name: userinit)

Mutexes (occurrences)
  21  Global\674972E3a
  21  Global\MicrosoftSysenterGate7
  21  internal_wutex_0x000004b4
  21  internal_wutex_0x0000043c
  21  internal_wutex_0x<random, matching [0-9a-f]{8}>
  20  internal_wutex_0x000004dc

IP Addresses contacted by malware (occurrences). Does not indicate maliciousness.
  15  13[.]107[.]21[.]200
   7  45[.]33[.]30[.]197
   5  45[.]33[.]23[.]183
   4  96[.]126[.]123[.]244
   4  45[.]56[.]79[.]23
   4  45[.]33[.]2[.]79
   3  45[.]79[.]19[.]196
   3  45[.]33[.]20[.]235
   3  72[.]14[.]185[.]43
   2  198[.]58[.]118[.]167
   2  45[.]33[.]18[.]44
   2  173[.]255[.]194[.]134
   2  72[.]14[.]178[.]174
   1  85[.]94[.]194[.]169

Domain Names contacted by malware (occurrences). Does not indicate maliciousness.
  21  rynikulokop[.]eu
  21  lyvoguraxeh[.]eu
  21  xuxetiryqem[.]eu
  21  puzewilurip[.]eu
  21  cilynitiseg[.]eu
  21  vojizitoken[.]eu
  21  fogokozazit[.]eu
  21  gadedozymiz[.]eu
  21  masytoturen[.]eu
  21  nofagoteveg[.]eu
  21  jepuqoxupit[.]eu
  21  qetunopifef[.]eu
  21  kericoxojil[.]eu
  21  ryqozapaleb[.]eu
  21  lymajaxecir[.]eu
  21  xubysaxywil[.]eu
  21  dixonesohed[.]eu
  21  marawukyqos[.]eu
  21  dikuvizigiz[.]eu
  21  puvutaputeb[.]eu
  21  ciciqacidir[.]eu
  21  ryhuneqevyv[.]eu
  21  kejywajazok[.]eu
  21  xudakejupok[.]eu
  21  lygivejynow[.]eu

*See JSON for more IOCs

Files and or directories created (occurrences)
  21  %TEMP%\<random, matching [A-F0-9]{1,4}>.tmp

File Hashes

    0ddc226c722e18199274ea9f05f0bebdfd0e871713b53e89dc094fd53fbf21fb

    12fbf08de48d56346c43dfc4369e7c70c71023e7322f84991591fcde46aa5532

    1b56b352ab8e26ce29fabdc5ce020e616db96b6004ee540e88fef580b16a4f78

    1d65fa03284d71963c8ec3cee40b25afdc06d9f6f6404d214ca0091c0130cb53

    232a41bbdda2fe1b5e7b90c7beb1136b671d127a400699b6591278c44eb828a2

    3a7f6106cbe35dcd0c7f25bb6c4b1fc9c19eb348cafba007121f03e74c6d73e2

    4d0d263dc8c8f69d6cbcfb13564f53d70955772552e9a4e32aa5a14851bdd1ac

    4dfcf95c402c12d20034ac961076c2772f835a9aa442d7062b914a2f53f37f9b

    5077b57947941ef15fb8445db7819e641fd5499067969e38f680d2cb6f6430a0

    54b0b511221b0498f1c5a2eeb0e2ae633cae232cf75c13fa9eaff6f711cebef1

    5b0787632726f2d55a209f853f04eea8109d87cd9630be7e8a42a384bd8cb7a5

    6820579b06e8cb0e4298270a497b475baf2645430b4c62d4a3e22f4d7c7bc0ee

    69b5080868bfbdc18d868318cb6be406c4cc268fe4e183e5e81f62c7e6922fd9

    69e5f2613c4aad5956e83985743210ae058862c12e3d7f104537f6efd0aa1c51

    7324bb74d697cb54b2acfa41ab0caab30a14e40b8628b50acdfd4d26b1dfba17

    7807700902786f550ce24bb63e93e62e35527857a24f2b655467dd243c40e5d3

    79c880d0a639206d2ad9a77647940b11b9200680431e98fc155410f855354be8

    85b1e95b8a1be8d5a16525b879d9e8e9a7a1f491449d036f08504b9e9f118b96

    91c02affdcd16a87eb278a461fdabaa021ab4d5b7987a24d162563012ba49bcc

    a38da3b0920e292f513272bfe95c0d5debd6e201cb63d2526fe25c6293b8ed0e

    d19619fd50ebefcc45deb67abe2d2aab162806fcfd41db0765c7ddf96cdb02b9

Coverage (Product: Protection; "Yes" marks a product whose cell in the original table held a protection icon rather than N/A)
  Secure Endpoint: Yes
  Cloudlock: N/A
  CWS: Yes
  Email Security: Yes
  Network Security: Yes
  Stealthwatch: N/A
  Stealthwatch Cloud: N/A
  Secure Malware Analytics: Yes
  Umbrella: Yes
  WSA: Yes

Screenshots of Detection (images not included): Secure Endpoint, Secure Malware Analytics, MITRE ATT&CK

Win.Dropper.XtremeRAT-9963701-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 12 samples

Registry Keys (occurrences)
   9  <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E  (Value Name: LanguageList)
   9  <HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'>
   8  <HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'>  (Value Name: InstalledServer)
   7  <HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'>  (Value Name: ServerStarted)
   6  <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN  (Value Name: HKLM)
   6  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN  (Value Name: HKCU)
   4  <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{5460C4DF-B266-909E-CB58-E32B79832EB2}
   4  <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{5460C4DF-B266-909E-CB58-E32B79832EB2}  (Value Name: StubPath)
   3  <HKCU>\SOFTWARE\((MUTEX))
   3  <HKCU>\SOFTWARE\((MUTEX))  (Value Name: InstalledServer)
   3  <HKCU>\SOFTWARE\((MUTEX))  (Value Name: ServerStarted)
   2  <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN  (Value Name: HKLX)
   2  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN  (Value Name: HKCL)
   2  <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS  (Value Name: StubPath)
   2  <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{7OFBR713-LB7J-5G81-7WC8-161211U08C56}  (Value Name: StubPath)
   2  <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{7OFBR713-LB7J-5G81-7WC8-161211U08C56}
   1  <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E  (Value Name: @C:\Windows\system32\DeviceCenter.dll,-2000)
   1  <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E  (Value Name: @explorer.exe,-7001)
   1  <HKCU>\SOFTWARE\XTREMERAT  (Value Name: TDados)
   1  <HKCU>\SOFTWARE\SS
   1  <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{11AKP4MN-X763-4313-1615-X6G4IX7N4S25}
   1  <HKCU>\SOFTWARE\SS  (Value Name: ServerStarted)
   1  <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{M0J1AY7S-64N4-SUDU-RQ0E-5HNUA5PF0MI0}
   1  <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN  (Value Name: ss)
   1  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN  (Value Name: ss)

Mutexes (occurrences)
  12  XTREMEUPDATE
   9  <random, matching [a-zA-Z0-9]{5,9}>
   8  <random, matching [a-zA-Z0-9]{5,9}>PERSIST
   8  <random, matching [a-zA-Z0-9]{5,9}>EXIT
   3  ((Mutex))
   2  ((Mutex))PERSIST
   2  ((Mutex))EXIT
   1  STUBXTREMEINJECTED
   1  ss

Domain Names contacted by malware (occurrences). Does not indicate maliciousness.
   1  dstar[.]hopto[.]org
   1  may00[.]zapto[.]org

Files and or directories created (occurrences)
  10  %TEMP%\x.html
   8  %APPDATA%\Microsoft\Windows\<random, matching '[a-zA-Z0-9]{5,9}'>.cfg
   3  %APPDATA%\Microsoft\Windows\((Mutex)).cfg
   2  %SystemRoot%\InstallDir
   2  %APPDATA%\InstallDir
   2  %APPDATA%\InstallDir\dll.exe
   1  %SystemRoot%\InstallDir\Server.exe
   1  %ProgramFiles(x86)%\ISSA.exe
   1  %ProgramFiles(x86)%\ss.exe
   1  %APPDATA%\Microsoft\Windows\ss.cfg
   1  %APPDATA%\Microsoft\Windows\ss.dat
   1  %APPDATA%\Microsoft\Windows\SpUDj.dat
   1  %SystemRoot%\GOOGLE.exe
   1  %APPDATA%\windoy.exe
   1  %SystemRoot%\SysWOW64\windoy.exe
   1  %APPDATA%\soft.exe
   1  %SystemRoot%\SysWOW64\soft.exe
   1  %SystemRoot%\InstallDir\browse.exe
   1  %SystemRoot%\SysWOW64\migc.exe
   1  %APPDATA%\migc.exe
   1  %SystemRoot%\CREATE.exe

File Hashes

    00c5b7cc78f982e42062c84a8a5c1c5aaeea7276b0f00635d61e4bfdcf6ed4b2

    05316395bee1b9759134e86ecf28413d197c95cc6c25bb96a3fd957adfb767fe

    10f0a0f8b51964b8a3fc497040601a48fe0493a7e4010ee89e61068cc8e2d92d

    33ed0e091cc5ccc71d0a9d37c4f82d73f3959ffcd55f9c2f8660e7e13f68393e

    3e5302bb99e282cd9303eda70e64589529704b3c2edee6637cb040887b02f42f

    593d60c61df90a5de77d5ee31815eafd3c2657f1581cdd7fe36e74f72956a7e3

    62243f0a6f197f167173d12b985b2bbd4a8f98864eb4f99c77e28a9f561f4b0d

    6798aa4e8218c8783acab06e700b519eb31856ac0e46c6c82f5dfbf22e13ddb5

    9906c6c6ce2eb7199023bbfcff346303f08dab61f475da22fe358f0e09d083bd

    c11cd59cb06cf9e1a9f95e3d78300a2aa8edf94ed7964b73ccb7135a5b23a7d6

    d20e8dd51f00f03a0aacfcc4989d86411e2bc6c6f0a91961f420a056a86eef07

    d8df5b44e3469d7a7c0ffc4dba88d34bff093cf4453500074a54b837d50d93c6

Coverage (Product: Protection; "Yes" marks a product whose cell in the original table held a protection icon rather than N/A)
  Secure Endpoint: Yes
  Cloudlock: N/A
  CWS: Yes
  Email Security: Yes
  Network Security: N/A
  Stealthwatch: N/A
  Stealthwatch Cloud: N/A
  Secure Malware Analytics: Yes
  Umbrella: N/A
  WSA: N/A

Screenshots of Detection (images not included): Secure Endpoint, Secure Malware Analytics, MITRE ATT&CK

Win.Dropper.Nanocore-9963905-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 20 samples

Registry Keys (occurrences)
   9  <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E  (Value Name: LanguageList)
   2  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN  (Value Name: jVULYR)
   1  <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN  (Value Name: AGP Manager)
   1  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN  (Value Name: WGmLd)
   1  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN  (Value Name: ddnKQs)
   1  <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E  (Value Name: @explorer.exe,-7001)
   1  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN  (Value Name: capsole)

Mutexes (occurrences)
   1  8-3503835SZBFHHZ
   1  NL20T01E6BXGZI09
   1  fKZhNqRta
   1  Global\{bbc5d79f-8cc7-4aa7-b9fa-0c15cee443cd}
   1  GfAQbAoN
   1  GZVlUzSZeINZ

IP Addresses contacted by malware (occurrences). Does not indicate maliciousness.
   2  149[.]154[.]167[.]220
   1  208[.]91[.]199[.]224
   1  208[.]91[.]198[.]143
   1  208[.]91[.]199[.]223
   1  205[.]134[.]234[.]70
   1  107[.]182[.]129[.]128
   1  162[.]0[.]229[.]41

Domain Names contacted by malware (occurrences). Does not indicate maliciousness.
   2  api[.]telegram[.]org
   1  mail[.]albacon-ojeda[.]pe
   1  smtp[.]saudlunion[.]com
   1  smtp[.]transmase[.]com
   1  smtp[.]utt-ae[.]com
   1  brightnano1[.]ddns[.]net
   1  mail[.]fasttunpcbs[.]com

Files and or directories created (occurrences)
   6  %System32%\Tasks\Updates
   6  %TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp
   3  %System32%\drivers\etc\hosts
   2  %APPDATA%\jVULYR
   2  %APPDATA%\jVULYR\jVULYR.exe
   1  %ProgramFiles(x86)%\AGP Manager
   1  %ProgramFiles(x86)%\AGP Manager\agpmgr.exe
   1  %APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5
   1  %APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs
   1  %APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs\Administrator
   1  %APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\run.dat
   1  %APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\task.dat
   1  %System32%\Tasks\AGP Manager
   1  %System32%\Tasks\AGP Manager Task
   1  %APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\catalog.dat
   1  %APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\settings.bin
   1  %APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\storage.dat
   1  %APPDATA%\WGmLd
   1  %APPDATA%\WGmLd\WGmLd.exe
   1  %APPDATA%\ddnKQs
   1  %APPDATA%\ddnKQs\ddnKQs.exe
   1  %APPDATA%\HFkIOmiwFQY.exe
   1  %System32%\Tasks\Updates\HFkIOmiwFQY
   1  %APPDATA%\h0gct1lm.mo4
   1  %APPDATA%\h0gct1lm.mo4\Firefox

*See JSON for more IOCs

File Hashes

    1f41465839f9e90dc6298156eb0f0eab361414c1dc207c22e2593e608dc6f5d5

    28d4e2a68e9b5db5a71cbd94fcaa241dfd1937e99eadbddab572ff4efab999d7

    2b61ef6e2d493e4eb8bd0ce74d2cf9fb7de72245ec0e76afe9198b9518f2cb40

    2c04f3b128381e4f3e3687566623fd653d7a211dfdd17efd94317bebaae1b78b

    35157e080e4f612ef306a1195e55ce5068844cc7daf3442d0f73c98c224d4c9d

    35ad1d5553d61763b2e94c6e4d66cd5b6cba0578736f202a12c88525b9125804

    420c5ccde64ea630f1223e27d1cae8b0887aca1a4e87d6f9c307011c0e266bf9

    43f5c35dc913dbd764a028b5686d0a3c47bcb745c3b277b778742e22989784ca

    46675d5b6e4c352b50804c760bf4ef3174a8ef93b875f1b7e0f343e22573a6c5

    6b4bbd2e534c8e089691829e219ea54c8e113012f1ecb6d912a5d791c7157c2e

    7605008ef9c187be6862403b9a5eef21eb271ff656db288759a50dc3785caeeb

    76b3123c5245713b390b8f28fafddddef75a55199621a196124e9c55ac55d1af

    878a27d70fd8b04b70298f1e102053e02faeaab461a8455fdf843262118231ad

    9238603739f090fa4b311ab4c76739c1b54d21e410139c6be208025b4dd7a33f

    a2631bee5c6505f12449f250e56d2091a50fd25d876ad49efefeb4ea7f63e45d

    b863d3d875966054e0a8a19ae649a08ecf80a2be46b937c5f6d0a634cba4e465

    ce88fb263d3e6a38cac9d2b4ec0f27bfc724d46b4d274fc7adb25330bae9e724

    daf4c0820c45f6be84cf248504e10bfee063ea6fc8de3b397adaa6682e4bb610

    e06d33553621160bf21cdc08eaecb5e977a59e6e416c37922a6d263620141a7d

    fa0ddfe8dd1e9509529086469444221a673fb0d16f380c968150a7a53f68b0d9

Coverage (Product: Protection; "Yes" marks a product whose cell in the original table held a protection icon rather than N/A)
  Secure Endpoint: Yes
  Cloudlock: N/A
  CWS: Yes
  Email Security: Yes
  Network Security: Yes
  Stealthwatch: N/A
  Stealthwatch Cloud: N/A
  Secure Malware Analytics: Yes
  Umbrella: N/A
  WSA: Yes

Screenshots of Detection (images not included): Secure Endpoint, Secure Malware Analytics, MITRE ATT&CK

Win.Ransomware.Cerber-9964084-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples

Registry Keys (occurrences)
  26  <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E  (Value Name: LanguageList)
  26  <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E  (Value Name: @%SystemRoot%\system32\dhcpqec.dll,-100)
  26  <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E  (Value Name: @%SystemRoot%\system32\dhcpqec.dll,-101)
  26  <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E  (Value Name: @%SystemRoot%\system32\dhcpqec.dll,-103)
  26  <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E  (Value Name: @%SystemRoot%\system32\dhcpqec.dll,-102)
  26  <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E  (Value Name: @%SystemRoot%\system32\napipsec.dll,-1)
  26  <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E  (Value Name: @%SystemRoot%\system32\napipsec.dll,-2)
  26  <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E  (Value Name: @%SystemRoot%\system32\napipsec.dll,-4)
  26  <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E  (Value Name: @%SystemRoot%\system32\napipsec.dll,-3)
  26  <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E  (Value Name: @%SystemRoot%\system32\tsgqec.dll,-100)
  26  <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E  (Value Name: @%SystemRoot%\system32\tsgqec.dll,-101)
  26  <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E  (Value Name: @%SystemRoot%\system32\tsgqec.dll,-102)
  26  <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E  (Value Name: @%SystemRoot%\system32\tsgqec.dll,-103)
  26  <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E  (Value Name: @%SystemRoot%\system32\eapqec.dll,-100)
  26  <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E  (Value Name: @%SystemRoot%\system32\eapqec.dll,-101)
  26  <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E  (Value Name: @%SystemRoot%\system32\eapqec.dll,-102)
  26  <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E  (Value Name: @%SystemRoot%\system32\eapqec.dll,-103)
   1  <HKCU>\SOFTWARE\MICROSOFT\SPEECH\CURRENTUSERLEXICON\FILES
   1  <HKCU>\SOFTWARE\MICROSOFT\SPEECH\CURRENTUSERLEXICON\FILES  (Value Name: Datafile)

Mutexes (occurrences)
  26  shell.{381828AA-8B28-3374-1B67-35680555C5EF}

IP Addresses contacted by malware (occurrences; entries with a /prefix are CIDR ranges). Does not indicate maliciousness.
  26  178[.]128[.]255[.]179
  26  149[.]202[.]64[.]0/27
  26  149[.]202[.]122[.]0/27
  26  149[.]202[.]248[.]0/22
  15  172[.]66[.]41[.]18
  11  104[.]20[.]21[.]251
  11  172[.]66[.]42[.]238
   8  172[.]67[.]2[.]88
   7  104[.]20[.]20[.]251

Domain Names contacted by malware (occurrences). Does not indicate maliciousness.
  26  api[.]blockcypher[.]com
  26  bitaps[.]com
  26  chain[.]so
  26  btc[.]blockr[.]io
  26  xxxxxxxxxxxxxxxx[.]1k1dxt[.]top
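How a hunter would actually consume lists like the Cerber ones above, as an added Python example that is not part of the Talos roundup: it refangs the page's `[.]` notation, expands the CIDR entries from the Cerber IP list with the standard ipaddress module so a single address such as 149.202.122.17 matches the 149.202.122.0/27 block while a neighbouring 149.202.130.1 does not, treats the run of x's in xxxxxxxxxxxxxxxx[.]1k1dxt[.]top as a placeholder for an arbitrary label (an assumption; any host under 1k1dxt[.]top then matches), and scans constructed proxy log lines. The four blockchain-explorer domains are marked as shared infrastructure, since the sample queries them but so does legitimate software, which is the "does not indicate maliciousness" caveat in code: the per-client triage only escalates when a client also hits an indicator that is not shared. The log format, the SHARED_INFRA set, the subset of the IP list used and the triage rule are choices made for this example.

```python
import ipaddress
from dataclasses import dataclass, field

# Indicators copied from the Cerber section of this roundup, still defanged
# (the first four IP entries and the five domains).
CERBER_IPS = [
    "178[.]128[.]255[.]179",
    "149[.]202[.]64[.]0/27",
    "149[.]202[.]122[.]0/27",
    "149[.]202[.]248[.]0/22",
]
CERBER_DOMAINS = [
    "api[.]blockcypher[.]com",
    "bitaps[.]com",
    "chain[.]so",
    "btc[.]blockr[.]io",
    "xxxxxxxxxxxxxxxx[.]1k1dxt[.]top",   # x's assumed to stand for a random label
]
# Public blockchain explorers: queried by the sample, but also by legitimate
# software. Allowlist chosen for this example, not given by the roundup.
SHARED_INFRA = {"api.blockcypher.com", "bitaps.com", "chain.so", "btc.blockr.io"}


def refang(ioc: str) -> str:
    """Undo the page's defanging so the indicator can be compared with real data."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").strip().lower()


@dataclass
class IocMatcher:
    networks: list = field(default_factory=list)   # ip_network objects, /32 for single hosts
    domains: set = field(default_factory=set)

    @classmethod
    def from_defanged(cls, ips, domains):
        m = cls()
        for ip in ips:
            m.networks.append(ipaddress.ip_network(refang(ip), strict=False))
        for d in domains:
            labels = refang(d).split(".")
            if set(labels[0]) == {"x"}:          # placeholder label: match the parent domain
                labels = labels[1:]
            m.domains.add(".".join(labels))
        return m

    def match_ip(self, ip: str):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return None
        return next((str(n) for n in self.networks if addr in n), None)

    def match_domain(self, host: str):
        host = host.lower().rstrip(".")
        return next((d for d in self.domains if host == d or host.endswith("." + d)), None)


# Constructed log lines (not real telemetry): timestamp, client, server IP, SNI/Host or "-".
SAMPLE_LOG = """\
2022-08-15T10:01:02Z 10.0.0.5 104.20.21.251 api.blockcypher.com
2022-08-15T10:01:03Z 10.0.0.5 149.202.122.17 -
2022-08-15T10:01:09Z 10.0.0.5 178.128.255.179 -
2022-08-15T10:02:11Z 10.0.0.7 13.107.21.200 www.bing.com
2022-08-15T10:03:40Z 10.0.0.5 1.2.3.4 a1b2c3d4e5f6a7b8.1k1dxt.top
2022-08-15T10:04:00Z 10.0.0.9 149.202.130.1 -
2022-08-15T10:05:00Z 10.0.0.7 104.20.21.251 api.blockcypher.com
"""


def scan(log_text: str, matcher: IocMatcher):
    """Return (client, observable, reasons) for every line that hits an indicator."""
    hits = []
    for line in log_text.splitlines():
        _ts, client, server, host = line.split()
        reasons = []
        net = matcher.match_ip(server)
        if net:
            reasons.append("ip:" + net)
        dom = matcher.match_domain(host) if host != "-" else None
        if dom:
            reasons.append(("shared-infra:" if dom in SHARED_INFRA else "domain:") + dom)
        if reasons:
            hits.append((client, host if host != "-" else server, reasons))
    return hits


def triage(hits):
    """Per client: escalate only if at least one hit is not shared infrastructure."""
    by_client = {}
    for client, _obs, reasons in hits:
        by_client.setdefault(client, set()).update(reasons)
    return {c: "escalate" if any(not r.startswith("shared-infra:") for r in rs) else "review"
            for c, rs in by_client.items()}


if __name__ == "__main__":
    matcher = IocMatcher.from_defanged(CERBER_IPS, CERBER_DOMAINS)
    for hit in scan(SAMPLE_LOG, matcher):
        print(hit)
    print(triage(scan(SAMPLE_LOG, matcher)))
```

On the constructed log, client 10.0.0.5 is escalated (a /27 hit, the single-host hit and a 1k1dxt.top subdomain), while 10.0.0.7 only touched a shared explorer API and stays at "review"; 10.0.0.9's 149.202.130.1 is outside every listed range and produces no hit at all.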

Files and or directories created (occurrences)
  26  %TEMP%\d19ab989
  26  %TEMP%\d19ab989\4710.tmp
  26  %TEMP%\d19ab989\a35f.tmp
  26  %LOCALAPPDATA%\Microsoft\Office\Groove1\System\CSMIPC.dat
  26  %TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp
  26  %TEMP%\tmp<random, matching [A-F0-9]{1,4}>.bmp
  26  <dir>\_READ_THIS_FILE_<random, matching [A-F0-9]{4,8}>_.hta
  26  <dir>\_READ_THIS_FILE_<random, matching [A-F0-9]{4,8}>_.txt
  26  <dir>\_READ_THIS_FILE_<random, matching [A-F0-9]{4,8}>_.jpeg

File Hashes

    07d1b61970c982a009d3d3bd455b1ce6628819fbe47cf82d35b3b2d83a6b1690

    097a210c11bc3b1d1768d92e0f080382f350da4116177c38bd81ecaf01bf252f

    1015da0524bf981e3f7da09097e695418d2aeb20c8dfc027e927ea274c927743

    1a201ba2922601f743606e4f8762e042355fb95704ae08f1e9d46539e9a9c53e

    24eb2bfa038ccf1002d6c67bb35241514e265dda1e7ed5e310602e385cb942bd

    2788aeb4b8ce3220bc2352ecf6f6dc6fc899934691e5f7778c160d43a654c752

    2b921630e3606ceded2567dd7c2665ff59d3894e8f17b0c4c515cfcfea9281f6

    2c56f82b2109c74ffc9ac8bb6a75a4fadc7b5dbc8c6e4973dc576b4f6e44b3fd

    3107cfd1631d01d58fe6bcfddf6bb649286ee1e4632a2f6da9e0522e72adf66c

    313a8059da3a543dc1615e4b0e08d9b6ba02b82a915811bed92ec41a6b282cd5

    404b2ca147b0fd48ad897ae91ec951500eac740d3641552ed2175075eccd3d91

    405cda0e472fc0c7ea7bd7f523bf1eb77c020a68f895d28d8300ecbcaf689dd7

    4fae94bd1def53411ff126fcc1b5e91d25f5b42bc0792df01721217194d5cad1

    5490d8d2dd89b8298b5a7b5954f30157c40e4a9e7a13e89b3678169b274190c4

    614458dcdaebfaf39ac96fef19b98813852061b7f049c332d1a7d96099ec9971

    661992c14354d9a884da5c0d354ec2722aa2d4bc7c6c088e9fbea1781408a48d

    6660f96c1b098447cb40ac571cb3301e62dab35ed7d603a262e824c55ec0e2ba

    673175cc9fc60fed6f87badae959858cc73317e497bbc63be01d412538d8cd4a

    6ac22f719648c97dafca9980c3b2cc4d20c65411be0f3823eb5fbd2ad9907935

    746617c675d2a770eab8c726ebc402418cebdbb8200734454baadd99caddf189

    74f331f2928d6577c9d0767cbb16f5e19cdd9db4302b1f853b02de01e7797eaa

    761c6d04388582f39dcb4e11253bd2e05690bee6f1f5ed960dac7b2121946e7f

    763c7dd7964eaf334f7840f0b1c73340890b358f2e0892e455cb58b262828716

    76578d8841dc939a7eaafb0740943988f084d18871e5e82d88a8474945c290a0

    807ab02bc36e5465e67956df8cd09cd0f6baa69e99c80729eef0ef8a486da894

*See JSON for more IOCs

Coverage (Product: Protection; "Yes" marks a product whose cell in the original table held a protection icon rather than N/A)
  Secure Endpoint: Yes
  Cloudlock: N/A
  CWS: Yes
  Email Security: Yes
  Network Security: Yes
  Stealthwatch: N/A
  Stealthwatch Cloud: N/A
  Secure Malware Analytics: Yes
  Umbrella: N/A
  WSA: Yes

Screenshots of Detection (images not included): Secure Endpoint, Secure Malware Analytics, MITRE ATT&CK

Win.Dropper.Dorkbot-9964085-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples

Registry Keys (occurrences)
   7  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED  (Value Name: Hidden)
   7  <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM  (Value Name: EnableLUA)
   7  <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC  (Value Name: Start)
   7  <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND  (Value Name: Start)
   7  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED  (Value Name: ShowSuperHidden)
   7  <HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC  (Value Name: Start)
   7  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER  (Value Name: HideSCAHealth)
   7  <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER  (Value Name: HideSCAHealth)
   7  <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV  (Value Name: Start)
   7  <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER  (Value Name: TaskbarNoNotification)
   7  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER  (Value Name: TaskbarNoNotification)
   7  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS  (Value Name: Load)
   7  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN  (Value Name: 1081297374)
   7  <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN  (Value Name: 1081297374)
   7  <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
   6  <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON  (Value Name: Taskman)
   6  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON  (Value Name: Shell)
   6  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN  (Value Name: Windows Update Manager)
   6  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
   5  <HKCU>\SOFTWARE\UAZI SOFT  (Value Name: UaziVer)
   5  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN  (Value Name: Windows Live Installer)
   5  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN  (Value Name: Windows Live)
   5  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN  (Value Name: Windows Live)
   5  <HKCU>\SOFTWARE\UAZI SOFT
   5  <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN  (Value Name: BCSSync)
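The Dorkbot registry list above is a defense-evasion and persistence profile rather than a set of strings, so it hunts better as behaviour than as exact matches. The following is an added Python example, not code from Talos: it normalises registry value paths the way Sysmon Event ID 13 (RegistryEvent, value set) reports them, matches them against rules derived from the Dorkbot keys above (EnableLUA, the Start values of wscsvc/WinDefend/MpsSvc/wuauserv, the Explorer Hidden and ShowSuperHidden settings, the Policies\Explorer notification values, the Run and Policies\Explorer\Run values, the Winlogon Taskman/Shell values) together with the Winlogon Userinit/System and Windows\load/run entries from the Shiz section, and then correlates per writing process, because one of these writes alone is routine administration while several from the same image are the pattern in the table. The roundup lists value names but not the data written; the expected data (EnableLUA = 0, Start = 4 meaning SERVICE_DISABLED, Hidden = 2, ShowSuperHidden = 0, the policy values = 1, a Winlogon value other than the stock one) is an assumption based on what those settings mean, and the events, SID and image paths are constructed sample input.

```python
import re
from collections import defaultdict

SERVICE_DISABLED = 4  # Start value that prevents a service from ever starting (assumed Dorkbot data)
STOCK_WINLOGON = {r"c:\windows\system32\userinit.exe,", "explorer.exe"}


def normalize_key(path: str) -> str:
    """Map the spellings Sysmon uses for TargetObject onto one canonical, lower-case form."""
    p = path.replace("/", "\\")
    p = re.sub(r"^HKEY_LOCAL_MACHINE", "HKLM", p, flags=re.I)
    p = re.sub(r"^HKEY_CURRENT_USER", "HKCU", p, flags=re.I)
    p = re.sub(r"^(HKU|HKEY_USERS)\\S-1-5-21-[\d-]+", "HKCU", p, flags=re.I)  # per-user hive
    p = re.sub(r"\\ControlSet\d{3}\\", lambda _: "\\CurrentControlSet\\", p, flags=re.I)
    p = re.sub(r"\\Wow6432Node\\", lambda _: "\\", p, flags=re.I)
    return p.lower()


def dword(details: str):
    """Parse Sysmon's 'DWORD (0x00000004)' rendering; None for any other data type."""
    m = re.fullmatch(r"DWORD \((0x[0-9A-Fa-f]+)\)", details.strip())
    return int(m.group(1), 16) if m else None


# (category, full-match regex over the normalised path, predicate over the data or None)
RULES = [
    ("uac_disabled",
     r"hklm\\software\\microsoft\\windows\\currentversion\\policies\\system\\enablelua",
     lambda d: dword(d) == 0),
    ("security_service_disabled",
     r"hklm\\system\\currentcontrolset\\services\\(wscsvc|windefend|mpssvc|wuauserv)\\start",
     lambda d: dword(d) == SERVICE_DISABLED),
    ("hide_files",
     r"hkcu\\software\\microsoft\\windows\\currentversion\\explorer\\advanced\\hidden",
     lambda d: dword(d) == 2),
    ("hide_files",
     r"hkcu\\software\\microsoft\\windows\\currentversion\\explorer\\advanced\\showsuperhidden",
     lambda d: dword(d) == 0),
    ("suppress_security_ui",
     r"hk(lm|cu)\\software\\microsoft\\windows\\currentversion\\policies\\explorer\\(hidescahealth|taskbarnonotification)",
     lambda d: dword(d) == 1),
    ("run_key_persistence",
     r"hk(lm|cu)\\software\\microsoft\\windows\\currentversion\\(policies\\explorer\\)?run\\[^\\]+",
     None),
    ("winlogon_hijack",
     r"hk(lm|cu)\\software\\microsoft\\windows nt\\currentversion\\winlogon\\(userinit|shell|taskman|system)",
     lambda d: d.strip().lower() not in STOCK_WINLOGON),
    ("windows_load_persistence",
     r"hkcu\\software\\microsoft\\windows nt\\currentversion\\windows\\(load|run)",
     None),
]


def classify(event):
    """First rule whose path and data predicate both match, else None."""
    path = normalize_key(event["target"])
    for category, pattern, predicate in RULES:
        if re.fullmatch(pattern, path) and (predicate is None or predicate(event["details"])):
            return category
    return None


def correlate(events, threshold=2):
    """Distinct categories per writing image; several from one image is the Dorkbot pattern."""
    seen = defaultdict(set)
    for ev in events:
        cat = classify(ev)
        if cat:
            seen[ev["image"].lower()].add(cat)
    return {img: ("escalate" if len(cats) >= threshold else "review", sorted(cats))
            for img, cats in seen.items()}


SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"   # constructed
SAMPLE_EVENTS = [  # constructed, in the shape of Sysmon Event ID 13 fields
    {"image": r"C:\ProgramData\msodtyzm.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "details": "DWORD (0x00000000)"},
    {"image": r"C:\ProgramData\msodtyzm.exe",
     "target": r"HKLM\System\CurrentControlSet\Services\WinDefend\Start",
     "details": "DWORD (0x00000004)"},
    {"image": r"C:\ProgramData\msodtyzm.exe",
     "target": r"HKLM\System\CurrentControlSet\Services\MpsSvc\Start",
     "details": "DWORD (0x00000004)"},
    {"image": r"C:\ProgramData\msodtyzm.exe",
     "target": "HKU\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\1081297374",
     "details": r"C:\ProgramData\msodtyzm.exe"},
    {"image": r"C:\Windows\System32\services.exe",            # admin re-enabling Defender: benign
     "target": r"HKLM\System\CurrentControlSet\Services\WinDefend\Start",
     "details": "DWORD (0x00000002)"},
    {"image": r"C:\Windows\explorer.exe",                     # user choosing to show hidden files: benign
     "target": "HKU\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "details": "DWORD (0x00000001)"},
    {"image": r"C:\Users\user\AppData\Local\Temp\1A3F.tmp",   # Shiz-style Winlogon hijack
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "details": r"C:\Windows\system32\userinit.exe,C:\Users\user\AppData\Local\Temp\1A3F.tmp"},
]

if __name__ == "__main__":
    for image, verdict in correlate(SAMPLE_EVENTS).items():
        print(image, verdict)
```

On the sample events the dropper image collects three categories and is escalated, the temp-dropped binary that appended itself to Userinit is flagged once for review, and the two benign writes (Defender set back to Start = 2, the user enabling hidden-file display) match a rule's path but fail its data predicate and produce nothing. The threshold and the category names are the example's own; in production the per-image grouping would also be bounded by a time window.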

Mutexes (occurrences)
   6  PuredairyBB9
   6  PuredairyBB10
   6  PuredairyBB2
   6  PuredairyBB4
   6  PuredairyBB8
   6  PuredairyBB7
   6  PuredairyBB6
   6  PuredairyBB15
   6  PuredairyBB14
   6  PuredairyBB13
   6  PuredairyBB12
   6  PSPSndkvsdvd0199201
   6  PuredairyBB1
   6  PuredairyBB5
   6  PuredairyBB3
   6  PuredairyBB16
   6  PuredairyBB17
   6  PuredairyBB18
   6  PuredairyBB22
   6  PuredairyBB20
   6  PuredairyBB21
   6  PuredairyBB19
   6  PuredairyBB29
   6  PuredairyBB31
   6  PuredairyBB23

*See JSON for more IOCs

IP Addresses contacted by malware (occurrences). Does not indicate maliciousness.
   7  20[.]112[.]52[.]29
   6  109[.]236[.]82[.]19
   6  80[.]82[.]64[.]8
   6  93[.]190[.]140[.]103
   6  109[.]236[.]82[.]142
   6  109[.]236[.]88[.]101
   6  94[.]102[.]52[.]22
   6  109[.]236[.]88[.]161
   6  93[.]190[.]139[.]14
   6  217[.]23[.]14[.]136
   6  94[.]102[.]52[.]19
   6  217[.]23[.]8[.]142
   6  109[.]236[.]86[.]119
   6  93[.]190[.]140[.]141
   6  108[.]59[.]2[.]221
   6  109[.]236[.]83[.]12
   6  80[.]82[.]65[.]207
   6  217[.]23[.]3[.]105
   6  217[.]23[.]4[.]220
   6  93[.]190[.]140[.]113
   6  217[.]23[.]9[.]104
   6  93[.]190[.]142[.]191
   6  94[.]102[.]51[.]231
   6  217[.]23[.]7[.]3
   6  80[.]82[.]65[.]199

*See JSON for more IOCs

Domain Names contacted by malware (occurrences). Does not indicate maliciousness.
   7  microsoft[.]com
   5  faumoussuperstars[.]ru
   5  powerrembo[.]ru
   2  europe[.]pool[.]ntp[.]org
   1  go[.]microsoft[.]com
   1  www[.]msn[.]com
   1  north-america[.]pool[.]ntp[.]org
   1  maps[.]pilenga[.]mobi
   1  hostnamessimply1[.]effers[.]com
   1  apps[.]audimobile[.]info
   1  bootstrap4cache[.]com

Files and or directories created (occurrences)
  11  %APPDATA%\WindowsUpdate
   7  %ProgramData%\msodtyzm.exe
   6  \RECYCLER
   6  \TEMP\C\UPDATE
   6  %APPDATA%\WindowsUpdate\MSupdate.exe
   5  %TEMP%\temp41.tmp
   5  %APPDATA%\WindowsUpdate\Live.exe
   5  %TEMP%\apiSoftCA
   5  %APPDATA%\Windows Live
   5  %APPDATA%\Windows Live\debug_cache_dump_2384394.dmp
   5  %APPDATA%\Windows Live\pldufejsya.exe
   5  \RECYCLER\S-1-5-21-0243556031-888888379-781862338-18611771
   1  %APPDATA%\fcvifgrs
   1  %APPDATA%\fcvifgrs\jisgivdt.exe
   1  \RECYCLER\S-1-5-21-0243556031-888888379-781862338-1861771
   1  %ProgramData%\3741550053
   1  %ProgramData%\3741551629
   1  %ProgramData%\3741549335
   1  %ProgramData%\3741546871
   1  %ProgramData%\3741543454
   1  %ProgramData%\3741548555
   1  %ProgramData%\3741550771

File Hashes

    0ce367d545da1ed522fe364fdafc4bf39f1aa9aa326d0413c104132464c4b0f5

    0ff57cf4b79588ba6c721f78a042e79a8c4e4eb6544dad9147c6918efc0a9bfd

    1487cbb9c1025017bf767b8f9feab2bcdd9f500cd4bed79ca334c4eda4df1d71

    1a15e5ebecd8f3025b89a1ee2149311bd0883bc62928092980604cecddf5718f

    1c21c85c814609bc6db76824eda6333b2d26be11f8736bbb7397e97ad95c9f2e

    1d0d652abf31a5b4f9ecf5ee6d201b4d31e977f6fc769a34cd34a5468e362e14

    1e358ccc5c00767b2d7518ad5b34639c172a33118f691b6e989c0da4a4067781

    29e771b03f40a6cd492b49826238364933a37c65bee5bf7990d711ff14d3511e

    2bbac09df0fbb667c042f25c8d4810a08d6a3129a57ec70363debad39f917bd2

    32ac146ea9c7899e04a57c42d48407468323b46a40462febfb0453e27466ed11

    3ab978d7ba8cadbfa40ce0d1b6acb6922d6f7b2d8322f420bf03db0c44d94755

    4faa3a69a429a598863c9369d0b4d572fa01b5bbf567b0d76f5a42f596430003

    57d6deb95dad820da83a96f691230e6927f02bd7dc81fd22117a84ce1ff983b1

    84055ce5bc4ef2bdf486e82e444e5665c73f4fe627a8734edc463b59f443bfcc

    90853a92441d02881129621868f5a83d4fda693e6602a043dae622186b654a0d

    90b11cecdac4d67db66c36a3f692361425eaf99c3f243c107e884091d209ee8b

    94b5e03c8c149c8065dcf1a3696ca0c0801f6932e3a6b73985081dd36bb04194

    9bf72ac43dcab3750686c49abbf1b0835505186a37187b6435539ea871dfd829

    adbbf9cf8048f45fce2ad9fb1d681ea9334813a442d6d5b051cd11285fc71154

    af69bafe28d0df36ddba5768583cf25bd5cae24b312e17f607c77294b731f0dd

    b478d67b97fa15e88d047c643232590d1c6c2d2179e330df5bdc78c4e56036ee

    b7d2ff1e59e0d30e46adf03d7a90dcc0ed83f2ff1e9b35702a70486954f1d3dd

    c254f12058d6367578b877c09bd219abcc583003db8d15d270ab284bad923234

    caf84844a5809c4e1c513299792f95ca26a87c40dc70627e8bddf5b65775206e

    d401626e94cd830c3037cec51863d3315a97daf17c16f0836914a8ff8424213f

*See JSON for more IOCs

Coverage (Product: Protection; "Yes" marks a product whose cell in the original table held a protection icon rather than N/A)
  Secure Endpoint: Yes
  Cloudlock: N/A
  CWS: Yes
  Email Security: Yes
  Network Security: N/A
  Stealthwatch: N/A
  Stealthwatch Cloud: N/A
  Secure Malware Analytics: Yes
  Umbrella: N/A
  WSA: N/A

Screenshots of Detection (images not included): Secure Endpoint, Secure Malware Analytics, MITRE ATT&CK

Win.Worm.Kuluoz-9964104-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples

Registry Keys (occurrences)
  26  <HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'>
   2  <HKCU>\SOFTWARE\TKQJXHIR  (Value Name: nnagtvkf)
   2  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN  (Value Name: iemwudbv)
   2  <HKCU>\SOFTWARE\PKBQSDOK  (Value Name: wfiqbttr)
   2  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN  (Value Name: deiobboq)
   2  <HKCU>\SOFTWARE\TEFAPJXX  (Value Name: hjlkqasv)
   2  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN  (Value Name: nmvftwdp)
   1  <HKCU>\SOFTWARE\ROHCSWFU  (Value Name: ivxesusr)
   1  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN  (Value Name: rskaarvw)
   1  <HKCU>\SOFTWARE\ONFHUPBQ  (Value Name: qrlpghvv)
   1  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN  (Value Name: dwxwetxw)
   1  <HKCU>\SOFTWARE\JUNLDJNI  (Value Name: paxvvuef)
   1  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN  (Value Name: buwqaweo)
   1  <HKCU>\SOFTWARE\QPANUOIR  (Value Name: mmvjkbpj)
   1  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN  (Value Name: lawgdaar)
   1  <HKCU>\SOFTWARE\IDIFICQU  (Value Name: uqiuudaf)
   1  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN  (Value Name: uaugufwr)
   1  <HKCU>\SOFTWARE\EPCSQSNO  (Value Name: sdkgxoqv)
   1  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN  (Value Name: nojriosh)
   1  <HKCU>\SOFTWARE\IIBPNATQ  (Value Name: qbmgekoa)
   1  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN  (Value Name: tabswxsd)
   1  <HKCU>\SOFTWARE\CHUFRWHS  (Value Name: nhmwllub)
   1  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN  (Value Name: kawalexr)
   1  <HKCU>\SOFTWARE\QDCTDCFM  (Value Name: ietjtgir)
   1  <HKCU>\SOFTWARE\JUOBFMWV  (Value Name: ucngtfoi)

Mutexes (occurrences)
  26  2GVWNQJz1

IP Addresses contacted by malware (occurrences). Does not indicate maliciousness.
  21  91[.]196[.]126[.]16
  20  88[.]198[.]25[.]17
  19  173[.]203[.]113[.]44
  18  178[.]33[.]162[.]8
  18  176[.]31[.]106[.]226
  18  74[.]50[.]60[.]116
  17  198[.]24[.]142[.]66

Files and or directories created (occurrences)
  26  %LOCALAPPDATA%\<random, matching '[a-z]{8}'>.exe

File Hashes

    0828aee088e7c191c463dac5a2449474da1b106da5e12b6335f61d2dd3ae320e

    0ddf461f926f814d19696d3851f3673c10d69a15fa2d7cfac9552c3af9460c66

    12b274776143da76ceea8cfc1b8219535bca09dea1ea6059a48e74dd6a78e80d

    160999be2e3f124a106ced958bce6b6f94fbc3645895aa0129e4dedb443011d7

    21245351ac8d14c31552d46c0f8ceec6d576a1abae0ab3d5131e25e9e8fefe32

    23fec3f833e9a7ee790ea9cad1b205ade2036466282654b2e53f23516553b775

    24e1fb11b1c63caf42bc0a9d8df57cb1c84ccb11415f01c56de128d6ceb2ea4e

    2bf5a6f99c57bcaddd28a0a8dad595686b9a660843cd4037575d4abb82af8f69

    32a01832f4de0f17e438fed6be9f155d9fd30056133681c7474f0114a1731a9b

    35a4fe74474b4f7e7f9c777d063097e36a16f509bc3afb9579779c0504b73af4

    3a3fae86a4e14a7d50b6c5bc5d78dc12745fa53d240df641e1fc311449368c85

    3da619fa973717201422faf7329016a266b27b89f8a39416cac203f75f32259a

    405d7737a27f0798b16f85939c3eacfcbe9e5305b4c621dd20bcaffbe994d88f

    413f4fcae50cdad66f08e0e3ae083e60e18e54f890492fcd0241deb9dfe81b81

    44d0507ee9143aa548ae8a03171b27633f4226abbad172a0456194a2ef2eb507

    44d1449c19d3f79a3fe21e2ab9d333a1bea4156565a3106fc2203ccefa869a9b

    4979dce8592c0d16bdc6228b9741ef6c315e3bb1ff34de14271fb3499cd0f139

    4b7891ed58a08b45b576282afd74fe835845cd4be8c5aab467ad09136e87ec8e

    4bc8eb3d2e72a44384b3d824b33a971ace9eae20998dfe8bdd2ab9b9267b5b43

    4c6528d000e07485c69f1c32a95967a454fd20864a4ad2c062160d99987822ef

    50c108f9fc31557d55216dfe28b9eeac15fe5f1175a089ff196e1129d6ddf593

    5730f9ce8c84e6f1c153c247146ac1590fd989a73cdc9dce9d67594b33caf354

    5a45837812962153f5d480918eab77093394dd41c45c610ffd142461ab433668

    5e37715cc8a5d1b6c5bed437eea25da495285bb1386cf2aef2b5484fd6c30e69

    5ee4adead518246dc926545a0d28e1a488f04d530c49591cc788a8e2b360ad89

*See JSON for more IOCs

Coverage (Product: Protection; "Yes" marks a product whose cell in the original table held a protection icon rather than N/A)
  Secure Endpoint: Yes
  Cloudlock: N/A
  CWS: Yes
  Email Security: Yes
  Network Security: Yes
  Stealthwatch: N/A
  Stealthwatch Cloud: N/A
  Secure Malware Analytics: Yes
  Umbrella: N/A
  WSA: N/A

Screenshots of Detection (images not included): Secure Endpoint, Secure Malware Analytics, MITRE ATT&CK
