Threat Roundup for August 19 to August 26

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Aug. 19 and Aug. 26. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, it summarizes the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and by discussing how our customers are automatically protected from these threats. As a reminder, the information provided for the following threats is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting: spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. Five distinct shades are used: the darkest indicates that no files exhibited the technique, and the brightest indicates that the technique was observed in 75 percent or more of the files. The most prevalent threats highlighted in this roundup are:
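The network indicators in the tables below are defanged with “[.]” and carry an occurrence count, and the post warns that a single IOC hit is a lead rather than a verdict (the Ramnit table lists google[.]com, which almost every sandbox run contacts). The following helper is an added example, not code from Talos or from this post: it refangs indicators copied from the Ramnit and Cerber tables, handles the CIDR form used for Cerber (31[.]184[.]234[.]0/23), and scans constructed log lines, keeping the occurrence count and a benign-context marker on every hit. The log format and the BENIGN_CONTEXT set are assumptions made for the example.

```python
"""IOC refang-and-match helper.

Added example, not code from the Talos post.  The roundup defangs network
indicators with "[.]" and gives an occurrence count per indicator; this
helper turns that notation back into usable values, handles CIDR blocks such
as 31[.]184[.]234[.]0/23, and scans log lines for hits.  Per the post's own
caveat, a hit is a lead and not a verdict: the same table lists google[.]com,
which nearly every sandbox run contacts, so each hit carries the occurrence
count and a benign-context marker instead of a single boolean alarm.
"""
import ipaddress
import re

# Indicators copied verbatim (defanged) from the Ramnit and Cerber tables.
RAMNIT_IOCS = {
    "46[.]165[.]254[.]201": 18,
    "72[.]26[.]218[.]70": 18,
    "testetst[.]ru": 18,
    "iihsmkek[.]com": 18,
    "google[.]com": 18,
}
CERBER_IOCS = {"31[.]184[.]234[.]0/23": 25}

# Assumption: hosts that benign software contacts in almost every sandbox run.
BENIGN_CONTEXT = {"google.com"}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def refang(ioc: str) -> str:
    """Turn 1[.]2[.]3[.]4 or evil[.]com back into a real indicator."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def build_matcher(tables):
    """Split published IOCs into domains, exact IPs and CIDR networks."""
    domains, ips, nets = {}, {}, []
    for table in tables:
        for raw, count in table.items():
            ioc = refang(raw)
            if "/" in ioc:
                nets.append((ipaddress.ip_network(ioc, strict=False), count))
                continue
            try:
                ips[str(ipaddress.ip_address(ioc))] = count
            except ValueError:
                domains[ioc.lower()] = count
    return domains, ips, nets


def scan(lines, tables):
    """Return one hit record per IOC found in each log line."""
    domains, ips, nets = build_matcher(tables)
    hits = []

    def hit(n, ioc, count):
        hits.append({"line": n, "ioc": ioc, "occurrences": count,
                     "benign_context": ioc in BENIGN_CONTEXT})

    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in ips:
                hit(n, ip, ips[ip])
                continue
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:      # e.g. 999.1.1.1 matched the regex
                continue
            for net, count in nets:
                if addr in net:
                    hit(n, str(net), count)
        for host in HOST_RE.findall(line):
            h = host.lower()
            for d, count in domains.items():
                # exact match or any subdomain of a listed domain
                if h == d or h.endswith("." + d):
                    hit(n, d, count)
    return hits


# Constructed log lines (not from the post) in a generic key=value format.
SAMPLE_LOG = [
    "2022-08-22T10:01:03 host=WS01 query=google.com type=A",
    "2022-08-22T10:01:04 host=WS01 query=testetst.ru type=A",
    "2022-08-22T10:01:05 host=WS02 dst=31.184.235.17 proto=tcp dport=80",
    "2022-08-22T10:01:06 host=WS03 query=updates.example.net type=A",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG, [RAMNIT_IOCS, CERBER_IOCS]):
        print(h)
```

Running it over the constructed lines yields three hits: google.com (flagged as benign context), testetst.ru, and a destination inside the Cerber /23. The point of carrying the count and the benign marker is that a triage rule can require a second signal for hosts like google.com while escalating the algorithmically generated Ramnit domains on their own.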

Threat Name / Type / Description

Win.Virus.Ramnit-9964077-0 (Virus)
Ramnit is a banking trojan that monitors web browser activity on an infected machine and collects login information from financial websites. It also steals browser cookies and attempts to hide from popular antivirus software.

Win.Virus.Xpiro-9964080-1 (Virus)
Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.

Win.Dropper.Cerber-9964300-0 (Dropper)
Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension “.cerber,” although in more recent campaigns, other file extensions are used.

Win.Worm.Kuluoz-9964104-0 (Worm)
Kuluoz, sometimes known as “Asprox,” is a modular remote access trojan that is also known to download and execute follow-on malware, such as fake antivirus software. Kuluoz is often delivered via spam emails pretending to be shipment delivery notifications or flight booking confirmations.

Win.Dropper.HawkEye-9964231-0 (Dropper)
HawkEye is an information-stealing malware that specifically targets usernames and passwords stored by web browsers and mail clients on an infected machine. It is commonly spread via email and can propagate through removable media.

Win.Dropper.Formbook-9964246-0 (Dropper)
Formbook is an information stealer that attempts to collect sensitive information from an infected machine by logging keystrokes, stealing saved web browser credentials, and monitoring information copied to the clipboard.

Win.Dropper.Remcos-9964868-1 (Dropper)
Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam and capture screenshots. This malware is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.

Win.Dropper.XtremeRAT-9964479-0 (Dropper)
XtremeRAT is a remote access trojan active since 2010 that allows the attacker to eavesdrop on users and modify the running system. The source code for XtremeRAT, written in Delphi, was leaked online and has since been used by similar RATs.

Win.Packed.Shiz-9964480-0 (Packed)
Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information. It is commonly spread via droppers or by visiting a malicious site.

Threat Breakdown

Win.Virus.Ramnit-9964077-0

Indicators of Compromise

IOCs collected from dynamic analysis of 18 samples

Registry Keys    Occurrences

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
    Value Name: AntiVirusOverride    18
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
    Value Name: AntiVirusDisableNotify    18
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
    Value Name: FirewallDisableNotify    18
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
    Value Name: FirewallOverride    18
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
    Value Name: UpdatesDisableNotify    18
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
    Value Name: UacDisableNotify    18
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
    Value Name: EnableLUA    18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
    Value Name: EnableFirewall    18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
    Value Name: DoNotAllowExceptions    18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
    Value Name: DisableNotifications    18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
    Value Name: Start    18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
    Value Name: Start    18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
    Value Name: Start    18
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION
    Value Name: jfghdug_ooetvtgk    18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV
    Value Name: Start    18
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: Windows Defender    18
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
    Value Name: Userinit    18
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
    Value Name: Userinit    18
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: JudCsgdy    18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND    1

Mutexes    Occurrences

{7930D12C-1D38-EB63-89CF-4C8161B79ED4}    18
{79345B6A-421F-2958-EA08-07396ADB9E27}    17
{7930D12D-1D38-EB63-89CF-4C8161B79ED4}    16
{7930CC18-1D38-EB63-89CF-4C8161B79ED4}    16
{7930DB19-1D38-EB63-89CF-4C8161B79ED4}    16
{<random GUID>}    16

IP Addresses contacted by malware (does not indicate maliciousness)    Occurrences

46[.]165[.]254[.]201    18
72[.]26[.]218[.]70    18
195[.]201[.]179[.]207    18
208[.]100[.]26[.]245    18
206[.]191[.]152[.]58    18
142[.]250[.]72[.]110    18
64[.]225[.]91[.]73    18

Domain Names contacted by malware (does not indicate maliciousness)    Occurrences

google[.]com    18
testetst[.]ru    18
iihsmkek[.]com    18
mtsoexdphaqliva[.]com    18
uulwwmawqjujuuprpp[.]com    18
twuybywnrlqcf[.]com    18
wcqqjiixqutt[.]com    18
ubgjsqkad[.]com    18
tlmmcvqvearpxq[.]com    18
flkheyxtcedehipox[.]com    18
edirhtuawurxlobk[.]com    18
tfjcwlxcjoviuvtr[.]com    18

Files and/or directories created    Occurrences

%LOCALAPPDATA%\bolpidti    18
%LOCALAPPDATA%\bolpidti\judcsgdy.exe    18
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\judcsgdy.exe    18
%TEMP%\squhapjc.exe    16
%TEMP%\aacwxnxw.exe    16
%ProgramData%\qvqdlyny.log    16
%LOCALAPPDATA%\yjghhxdl.log    16
%LOCALAPPDATA%\aanqrsjf.log    14
\TEMP\tFXd2E8YU    1
%LOCALAPPDATA%\bolpidti\pxBC6E.tmp    1
\TEMP\5ETGN6snq    1
\TEMP\zYyccBVe    1
%LOCALAPPDATA%\bolpidti\pxBE23.tmp    1
%LOCALAPPDATA%\bolpidti\pxACA6.tmp    1
%LOCALAPPDATA%\bolpidti\pxB5DA.tmp    1
\TEMP\cjTnE8Jr    1
\TEMP\o2gKdKfQ    1
\TEMP\o192e68    1
\TEMP\QYnhH23    1
\TEMP\lgxG4A4    1
\TEMP\YWj2Vj1    1
\TEMP\5nPK0vwsR    1
%LOCALAPPDATA%\bolpidti\pxBDC6.tmp    1
%LOCALAPPDATA%\bolpidti\pxB676.tmp    1
%LOCALAPPDATA%\bolpidti\pxB53E.tmp    1

*See JSON for more IOCs
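Every Ramnit sample in this set rewrote the same defensive settings: the Security Center override/notify values, EnableLUA, the StandardProfile firewall policy, the Start type of wscsvc, WinDefend, MpsSvc and wuauserv, and Winlogon\Userinit, plus Run entries pointing at %LOCALAPPDATA%\bolpidti\judcsgdy.exe. The check below is an added example, not Talos code: it takes a registry snapshot as a dict (so it runs offline; on a live host the dict would be filled from winreg or reg query, and on 64-bit Windows the Security Center and Run paths also exist under WOW6432Node) and reports every value that deviates from an assumed clean baseline. The baseline values, the user-writable-path heuristic and the constructed snapshots are my assumptions, not statements from the post.

```python
"""Registry tamper check for the Ramnit behaviour listed above.

Added example, not code from the Talos post.  Baseline values are assumed
defaults for a clean Windows install; the snapshots are constructed.
"""
import re
from typing import Any, Dict, List, Tuple

Key = Tuple[str, str]   # (registry key path, value name)

SC = r"HKLM\SOFTWARE\Microsoft\Security Center"
FW = (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
      r"\FirewallPolicy\StandardProfile")
SVC = r"HKLM\SYSTEM\CurrentControlSet\Services"
POLICY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEYS = (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
            r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")

# Assumed clean baseline for the DWORD values the samples rewrite.
EXPECTED_DWORDS: Dict[Key, int] = {
    (SC, "AntiVirusOverride"): 0,
    (SC, "AntiVirusDisableNotify"): 0,
    (SC, "FirewallDisableNotify"): 0,
    (SC, "FirewallOverride"): 0,
    (SC, "UpdatesDisableNotify"): 0,
    (SC, "UacDisableNotify"): 0,
    (POLICY, "EnableLUA"): 1,
    (FW, "EnableFirewall"): 1,
    (FW, "DoNotAllowExceptions"): 0,
    (FW, "DisableNotifications"): 0,
}
# Services the samples touch.  Default Start type varies by Windows version,
# so only SERVICE_DISABLED (4) is treated as a finding.
SECURITY_SERVICES = ("wscsvc", "WinDefend", "MpsSvc", "wuauserv")
SERVICE_DISABLED = 4
# Assumed Userinit data on a clean install (the trailing comma is normal).
USERINIT_DEFAULT = r"c:\windows\system32\userinit.exe"
# Assumption: autoruns living in user-writable directories deserve a look.
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata)\\", re.I)


def check_registry(snapshot: Dict[Key, Any]) -> List[dict]:
    """Return one finding per value that deviates from the baseline."""
    findings: List[dict] = []

    def flag(key: str, name: str, observed: Any, why: str) -> None:
        findings.append({"key": key, "value": name,
                         "observed": observed, "why": why})

    for (key, name), want in EXPECTED_DWORDS.items():
        got = snapshot.get((key, name))
        if got is not None and got != want:
            flag(key, name, got, f"expected {want}")

    for svc in SECURITY_SERVICES:
        key = SVC + "\\" + svc
        if snapshot.get((key, "Start")) == SERVICE_DISABLED:
            flag(key, "Start", SERVICE_DISABLED, "security service disabled")

    # Ramnit appends its own executable to the comma-separated Userinit list.
    userinit = snapshot.get((WINLOGON, "Userinit"), "")
    for entry in filter(None, (e.strip() for e in userinit.split(","))):
        if entry.lower() != USERINIT_DEFAULT:
            flag(WINLOGON, "Userinit", entry, "extra Userinit executable")

    for (key, name), data in snapshot.items():
        if key in RUN_KEYS and isinstance(data, str) and USER_WRITABLE.search(data):
            flag(key, name, data, "Run entry in user-writable location")
    return findings


# Constructed snapshots.  The infected one mirrors the value names in the
# table above and the judcsgdy.exe path from the file table.
_PAYLOAD = r"C:\Users\alice\AppData\Local\bolpidti\judcsgdy.exe"
INFECTED_SNAPSHOT: Dict[Key, Any] = {
    **{k: (1 if v == 0 else 0) for k, v in EXPECTED_DWORDS.items()},
    **{(SVC + "\\" + s, "Start"): SERVICE_DISABLED for s in SECURITY_SERVICES},
    (WINLOGON, "Userinit"): r"C:\Windows\system32\userinit.exe," + _PAYLOAD + ",",
    (RUN_KEYS[1], "JudCsgdy"): _PAYLOAD,
    (RUN_KEYS[0], "Windows Defender"): _PAYLOAD,
}
CLEAN_SNAPSHOT: Dict[Key, Any] = {
    (SC, "AntiVirusOverride"): 0,
    (POLICY, "EnableLUA"): 1,
    (FW, "EnableFirewall"): 1,
    (SVC + r"\WinDefend", "Start"): 2,
    (WINLOGON, "Userinit"): r"C:\Windows\system32\userinit.exe,",
    (RUN_KEYS[0], "SecurityHealth"): r"C:\Windows\system32\SecurityHealthSystray.exe",
}

if __name__ == "__main__":
    for f in check_registry(INFECTED_SNAPSHOT):
        print(f"{f['why']}: {f['key']}\\{f['value']} = {f['observed']!r}")
```

Against the constructed infected snapshot this yields 17 findings (ten override/policy DWORDs, four disabled services, one extra Userinit executable, two Run entries in AppData), and none against the clean one. The Run check is deliberately name-agnostic: the sample's HKLM Run value is called "Windows Defender", so matching on the value name would be the wrong signal.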

File Hashes

16b156359492fd1c04ca8024be9520ed9b2f2c1c3a9d2d72177b74e53c5f7237
1837b9072548d7fd6ccff6dff1c9f6261df6ab977c06aef95b328bcbcde8f24d
1a74c2f06d531a5947ea3fa980fb9e08dd4ef2938cd53215b1fb04403160632d
1b85483edb2968b8303b3a3edeb69776cc237bfb2e844862315aad399a1fbb60
3cf846acf89647d5eec22871e3b8d36fb2e6a1e24b609cc140fb4d32b3627a89
3ea014d13ab9de10c12705d951d36001fade2375373992d09f04a13991abdda6
650b142204d54fb6be3adc953325be09df8e8472f6e75bf89bd96fac0604df07
705e36bc25534e3496cf040179df7965df62f4f8d20d2296af65ed2c7765ad08
7d34aa04431ca6d29ae750551d62303521f50e7302e508b8c3a68c2501cedbc7
7dcf9ef1156ebc96cd7f33fa65da1aa3ee6c4e40d98f396ef4f997384324debd
9ad3fe646a2e70461cbd0c6b5baf6e6aa86780bfec67324dc37cc71abc16dc6d
9f42d128eadd1933ef6f05b58612799009a028830d9e62a384565616fca5d6a3
c963abb11b88bd5d2b451b6a73e2e853ce7777ff07a5a481d1c6d195f5d6bf34
d9799be6fc5a08a58f2da15d8ce3550fb462ccb97b6e932d1531ffdbc4af28c7
d9cbec3c2d30347d5781f4f656e0775eda33ae905092bc1673a8d68aeb9f643a
ecc77e015461dc1d4f9760ae11faa17ed9a46916a15c958cd2fd888b9d18441a
f1e64265f0a305cba4442afeb8014c726b93c5065b92cbe997ebe02ff38f4092
fd2ee83c36b70791828d0143ad3737d917edaaf909f72499f6709615391e3700

Coverage

Product    Protection
Secure Endpoint    
Cloudlock    N/A
CWS    
Email Security    
Network Security    
Stealthwatch    N/A
Stealthwatch Cloud    N/A
Secure Malware Analytics    
Umbrella    
WSA    

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Virus.Xpiro-9964080-1

Indicators of Compromise

IOCs collected from dynamic analysis of 25 samples

Registry Keys    Occurrences

<HKCU>\SOFTWARE\MICROSOFT\WISP\PEN\SYSEVENTPARAMETERS
    Value Name: RightMaskEnable    25
<HKCU>\SOFTWARE\MICROSOFT\WISP\PEN\SYSEVENTPARAMETERS
    Value Name: ShakeEnable    25
<HKCU>\SOFTWARE\MICROSOFT\WISP\PEN\PERSIST\0\1
    Value Name: HidCursorName    25
<HKCU>\SOFTWARE\MICROSOFT\WISP\PEN\PERSIST\0
    Value Name: type    25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\TABLET PC
    Value Name: Ident    25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\TABLET PC\CACHE
    Value Name: HPITP    25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\TABLET PC\CACHE
    Value Name: HPETP    25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\TABLET PC
    Value Name: IsTabletPC    25
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\TABLET PC
    Value Name: IsTabletPC    25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\TABLET PC
    Value Name: DeviceKind    25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TABLETINPUTSERVICE
    Value Name: Start    25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TABLETINPUTSERVICE\TRIGGERINFO\0
    Value Name: Type    25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TABLETINPUTSERVICE\TRIGGERINFO\0
    Value Name: Action    25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TABLETINPUTSERVICE\TRIGGERINFO\0
    Value Name: Guid    25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TABLETINPUTSERVICE\TRIGGERINFO\0
    Value Name: Data0    25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TABLETINPUTSERVICE\TRIGGERINFO\0
    Value Name: DataType0    25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TABLETINPUTSERVICE\TRIGGERINFO\0
    Value Name: Data1    25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TABLETINPUTSERVICE\TRIGGERINFO\0
    Value Name: DataType1    25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TABLETINPUTSERVICE\TRIGGERINFO\0
    Value Name: Data2    25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TABLETINPUTSERVICE\TRIGGERINFO\0
    Value Name: DataType2    25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TABLETINPUTSERVICE\TRIGGERINFO\0
    Value Name: Data3    25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TABLETINPUTSERVICE\TRIGGERINFO\0
    Value Name: DataType3    25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
    Value Name: Start    25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
    Value Name: HideSCAHealth    25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV
    Value Name: Start    25

            
Mutexes    Occurrences

kkq-vx_mtx63    25
kkq-vx_mtx64    25
kkq-vx_mtx65    25
kkq-vx_mtx66    25
kkq-vx_mtx67    25
kkq-vx_mtx68    25
kkq-vx_mtx69    25
kkq-vx_mtx70    25
kkq-vx_mtx71    25
kkq-vx_mtx72    25
kkq-vx_mtx73    25
kkq-vx_mtx74    25
kkq-vx_mtx75    25
kkq-vx_mtx76    25
kkq-vx_mtx77    25
kkq-vx_mtx78    25
kkq-vx_mtx79    25
kkq-vx_mtx80    25
kkq-vx_mtx81    25
kkq-vx_mtx82    25
kkq-vx_mtx83    25
kkq-vx_mtx84    25
kkq-vx_mtx85    25
kkq-vx_mtx86    25
kkq-vx_mtx87    25
*See JSON for more IOCs

Files and/or directories created    Occurrences

%CommonProgramFiles%\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE    25
%CommonProgramFiles(x86)%\microsoft shared\Source Engine\OSE.EXE    25
%ProgramFiles(x86)%\Microsoft Office\Office14\GROOVE.EXE    25
%ProgramFiles(x86)%\Mozilla Maintenance Service\maintenanceservice.exe    25
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe    25
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe    25
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe    25
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe    25
%System32%\alg.exe    25
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.log    25
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log    25
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log    25
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log    25
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat    25
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat    25
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat    25
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock    25
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat    25
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock    25
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat    25
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat    25
%SystemRoot%\Microsoft.NET\ngenservice_pri1_lock.dat    25
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat    25
%LOCALAPPDATA%\Microsoft\Journal    25
%LOCALAPPDATA%\Microsoft\Journal\Cache    25
*See JSON for more IOCs

File Hashes

0070146a1ddd5e7afa882029c836662a3fb7b83f2c838d1d89caf36ceaa73a47
00b9049e01ce60ee17e973f88fc730db18f2354b24a991cac09045cf697ffcf2
016023a53be6ce6624efe73b85c47c87d1e11ba8593009e261361addc6b5229e
048729edafbebec1b073db5db75450793fdd7e424dff0f851ad7500637b18bb3
087ef762c54b247a6fe8c1780073c934a4109a19dea80daefeec3bc98ca184ba
0b903e0f08dd1d929b6465e79971af4270fd7adb95e3271f442e4f6c2b6c01cf
0e40ef742a696da27514cf05055133991293a0e7d451ccc6d96ec93c0e864518
0e5e93e845310617138227cb8a453da259c23edcc9a8059fac49da8e947887a5
158627899237148353fefd8771d26c622b873d6177960e2efe00355179fb4926
1a4a30778ce717e13e02870993244eea6614a74a47bd0c5b01a8d839c670ef3c
1b56d9fe2ff011d5fad562c8e8da9dcb15a8f417619e5f506772acb6d53b3814
1b6494daf80b3f3afa22ffb43976d529383b9c3e0e2a337fa03234c784ce68a6
1e955e41ac1707547188639c3e0d8dcf46c0a05880041076eafb967a5cb2e6ca
1f48b7aaccb5c9c37c9a5322aecde23cec77a378e20db829c3ea8888c153bdc2
1f89fcbb17f91bee3821e3ae7ad9b8c2f2427ecb7e11b2af366713111c5f4a9f
21a7485afe868ce040664494eb3adbefd2f88eaed2fbf168feac2ec1eb2fa213
28e949123a4493bc7276085d3387c5f8aa761087087b9488782543b41c47cf7f
2bb191ac9f42eeb32f06ed94083221c5abb6b894f0bffe17355e125773a85f7f
2d5faf0c2fce5f825fa278dea2aef683d928326d30e976aa8d85bd3d1a3bf947
30408f887ac16f3a1b11b1ba075c5c6aa6a8fd34dc3059ecb611dcd80245b70a
341507c416c481481ced2ca2b4739e58a23882bcf8d3a48b193e4983743db45f
347b1f4517869f1574065c2867ed410a6a8c5bac063b8551133769890f16305e
3bbbe0a4c6cf2f6a1a57c7b31adc6abff0bd39e9b4ead44ec93558f03e5aa9dc
3bcdda17309cd36926504ad0300da1226ba126413c25aaabed729d889e293deb
3c35ed8b6f46dec8e7386f380ea3f0530fb592e50f0a66486a5c1d1390441f2c

*See JSON for more IOCs

Coverage

Product    Protection
Secure Endpoint    
Cloudlock    N/A
CWS    
Email Security    
Network Security    N/A
Stealthwatch    N/A
Stealthwatch Cloud    N/A
Secure Malware Analytics    
Umbrella    N/A
WSA    N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Cerber-9964300-0

Indicators of Compromise

IOCs collected from dynamic analysis of 25 samples

Mutexes    Occurrences

shell.{381828AA-8B28-3374-1B67-35680555C5EF}    25

IP Addresses contacted by malware (does not indicate maliciousness)    Occurrences

31[.]184[.]234[.]0/23    25

Files and/or directories created    Occurrences

%APPDATA%\Microsoft\Access\AccessCache.accdb    1
%APPDATA%\Microsoft\Access\# HELP DECRYPT #.html    1
%APPDATA%\Microsoft\Access\# HELP DECRYPT #.txt    1
%APPDATA%\Microsoft\Access\# HELP DECRYPT #.url    1
%HOMEPATH%\Documents\Outlook Files\# HELP DECRYPT #.html    1
%HOMEPATH%\Documents\Outlook Files\# HELP DECRYPT #.txt    1
%HOMEPATH%\Documents\Outlook Files\# HELP DECRYPT #.url    1
%HOMEPATH%\Documents\OneNote Notebooks\Notes\# HELP DECRYPT #.html    1
%HOMEPATH%\Documents\OneNote Notebooks\Notes\# HELP DECRYPT #.txt    1
%HOMEPATH%\Documents\OneNote Notebooks\Notes\# HELP DECRYPT #.url    1
%HOMEPATH%\Documents\# HELP DECRYPT #.html    1
%HOMEPATH%\Documents\# HELP DECRYPT #.txt    1
%HOMEPATH%\Documents\# HELP DECRYPT #.url    1
%HOMEPATH%\Documents\OneNote Notebooks\Personal\# HELP DECRYPT #.html    1
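The file table above is the typical ransomware footprint: the same three ransom notes (“# HELP DECRYPT #.html/.txt/.url”) dropped into every directory the sample encrypts. Each path on its own is a weak, easily changed indicator, but the pattern of one new filename appearing in many directories on one host within seconds is a robust behavioral signal. The detector below is an added example, not a Talos rule: it parses constructed file-creation events (a “timestamp host path” format chosen for the example), keeps a sliding window per host and note name, and alerts once the note has been written to MIN_DIRS distinct directories inside WINDOW. The note-name regex, the thresholds and the sample events are my assumptions; the note names themselves come from the table.

```python
"""Ransom-note spray detector for the Cerber behaviour listed above.

Added example, not code from the Talos post.  Events are constructed; a real
deployment would feed it Sysmon EventID 11 or EDR file-create telemetry.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

# Assumption: common ransom-note vocabulary; "# HELP DECRYPT #.*" from the
# table matches on "help" and "decrypt".
NOTE_NAME = re.compile(r"(decrypt|restore|recover|readme|help).*\.(txt|html?|url|hta)$", re.I)
WINDOW = timedelta(seconds=60)   # assumed sliding window
MIN_DIRS = 3                     # assumed distinct-directory threshold


def parse_event(line: str) -> dict:
    """Parse a constructed 'ISO-timestamp host windows-path' line."""
    ts, host, path = line.split(" ", 2)   # the path may contain spaces
    p = PureWindowsPath(path)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "dir": str(p.parent), "name": p.name}


def detect_note_spray(lines: List[str]) -> List[dict]:
    """Alert once per (host, note name) that hits MIN_DIRS directories in WINDOW."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    seen: Dict[Tuple[str, str], List[Tuple[datetime, str]]] = defaultdict(list)
    fired = set()
    alerts = []
    for e in events:
        if not NOTE_NAME.search(e["name"]):
            continue
        key = (e["host"], e["name"].lower())
        bucket = seen[key]
        bucket.append((e["ts"], e["dir"]))
        # Slide the window: discard writes older than WINDOW before this one.
        while bucket and e["ts"] - bucket[0][0] > WINDOW:
            bucket.pop(0)
        dirs = {d for _, d in bucket}
        if len(dirs) >= MIN_DIRS and key not in fired:
            fired.add(key)
            # The alert records the directories seen when the threshold fired.
            alerts.append({"host": e["host"], "note": e["name"],
                           "dirs": sorted(dirs), "first_seen": bucket[0][0]})
    return alerts


# Constructed events mirroring the directories in the table above.
SAMPLE_EVENTS = [
    r"2022-08-22T10:00:01 WS01 C:\Users\alice\AppData\Roaming\Microsoft\Access\AccessCache.accdb",
    r"2022-08-22T10:00:02 WS01 C:\Users\alice\AppData\Roaming\Microsoft\Access\# HELP DECRYPT #.html",
    r"2022-08-22T10:00:02 WS01 C:\Users\alice\AppData\Roaming\Microsoft\Access\# HELP DECRYPT #.txt",
    r"2022-08-22T10:00:03 WS01 C:\Users\alice\Documents\Outlook Files\# HELP DECRYPT #.html",
    r"2022-08-22T10:00:04 WS01 C:\Users\alice\Documents\# HELP DECRYPT #.html",
    r"2022-08-22T10:00:05 WS01 C:\Users\alice\Documents\OneNote Notebooks\Notes\# HELP DECRYPT #.html",
    r"2022-08-22T10:30:00 WS02 C:\Users\bob\Desktop\README.txt",   # lone note-like file, no alert
]

if __name__ == "__main__":
    for a in detect_note_spray(SAMPLE_EVENTS):
        print(a["host"], a["note"], len(a["dirs"]), "dirs since", a["first_seen"])
```

On the constructed events this fires exactly once, for WS01 and the .html note, at the third distinct directory; the single README.txt on WS02 never reaches the threshold, which is the point of keying on breadth rather than on the note name alone.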

File Hashes

1d742c8577645242811867311339af6291f2ec45f74bc8065a1cf167a140a5fd
241a8a73608aae3d0b55451290c7e3d46ff6b53d7cfad628ddc43892fb4ee89f
32cafa5a0a63f137fda8532c81a4825895a71b4bd5192ef77ee46b4f5f6f55c9
3f066735d5b3e9e1d145865b805dad9f17c7569e86a2fd0dadfd82fa3f2494b5
46df3cbdc0c960cc03467797f2a8f4000de6f3860ddd87a93f0db4bc04bf3dc9
5145e134c5c488fac15c3772747505246139842d64e995a20aa343e87d05805a
529c0ad1eba89641544fe5eb534b717fdb0a21e36db94874cdc7720b3e58170d
65fb6bf40643b54875192d5964ead478b867784c09708c9be583a06d820462e8
6a380578e8f27a835c45af896c8292c173ccf10819eadb160d8fd1ec9301ae61
6bd30bfa9ee3dcf045298887cb839ccf7ebd19950a4a1798bb15c9c2bcd89df6
715e19ce015fb13ad5b0bd5aa520b7a9fdb52c15a58b78da79db3c74cdccee83
74a423f877c5f0819116f6f93870658bac4ac7de6048e68d5f1cb98df9c77992
7781696924168577eb1045874ac6a259617184cd2bdf429fd032efd63254016d
7eecc13411c597f5e2fa68c77ae65943ae99c0eb6bb76e527a9711ffff73d505
832487a8c89c32e86036b1c94353117ab0ca7a4276a9f4c08b29c96c447247fa
89ec20a6130f663160015755f0c1b4f1698812e3f0e39d3e7094950c3644bca4
8ab03a0c900cc88a57e9474d3ced6b4f43be422750f5afc8a08ff6cdb801930b
936d99a0dc23922d4e5874f1548114fe8f2170016f29d9b91858796a1b2ab095
96671b8ca3f8cf75427a23de8ddde2513efd4f1eba5afa2b18610c66548d0b55
988a44db0411379ea08fece4af0577d3af7ed5114dcbd897a03ec46474fafa81
a162009fa564f3c20b801568ab82dd34b53655473c6e379272e3dfd766fe2c02
a3004d7f08a9357c5d0a9e063dafd5f4c627fce7b030a575b6959f0f5f7c9ff1
b2f4ef1398ae23fabaa137be5f8f7f5412b1b8f74f902d23de5e0a87ef5a3867
bcc77c2e25a5ceee5fd7023dd879baa53a16ce0f4b3187a90a5eb22cf46631af
df5d03a2ca58bb71c44a8b23191c7d3e24327e806509dfcccad1cd63729dc445

*See JSON for more IOCs

Coverage

Product                     Protection
Secure Endpoint
Cloudlock                   N/A
CWS
Email Security
Network Security            N/A
Stealthwatch                N/A
Stealthwatch Cloud          N/A
Secure Malware Analytics
Umbrella                    N/A
WSA                         N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Worm.Kuluoz-9964104-0

Indicators of Compromise

IOCs collected from dynamic analysis of 26 samples

Registry Keys                                                          Occurrences
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'>                  26
<HKCU>\SOFTWARE\TKQJXHIR
    Value Name: nnagtvkf                                               2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: iemwudbv                                               2
<HKCU>\SOFTWARE\PKBQSDOK
    Value Name: wfiqbttr                                               2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: deiobboq                                               2
<HKCU>\SOFTWARE\TEFAPJXX
    Value Name: hjlkqasv                                               2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: nmvftwdp                                               2
<HKCU>\SOFTWARE\ROHCSWFU
    Value Name: ivxesusr                                               1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: rskaarvw                                               1
<HKCU>\SOFTWARE\ONFHUPBQ
    Value Name: qrlpghvv                                               1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: dwxwetxw                                               1
<HKCU>\SOFTWARE\JUNLDJNI
    Value Name: paxvvuef                                               1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: buwqaweo                                               1
<HKCU>\SOFTWARE\QPANUOIR
    Value Name: mmvjkbpj                                               1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: lawgdaar                                               1
<HKCU>\SOFTWARE\IDIFICQU
    Value Name: uqiuudaf                                               1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: uaugufwr                                               1
<HKCU>\SOFTWARE\EPCSQSNO
    Value Name: sdkgxoqv                                               1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: nojriosh                                               1
<HKCU>\SOFTWARE\IIBPNATQ
    Value Name: qbmgekoa                                               1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: tabswxsd                                               1
<HKCU>\SOFTWARE\CHUFRWHS
    Value Name: nhmwllub                                               1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: kawalexr                                               1
<HKCU>\SOFTWARE\QDCTDCFM
    Value Name: ietjtgir                                               1
<HKCU>\SOFTWARE\JUOBFMWV
    Value Name: ucngtfoi                                               1

Mutexes                                                                Occurrences
2GVWNQJz1                                                              26

IP Addresses contacted by malware. Does not indicate maliciousness    Occurrences
91[.]196[.]126[.]16                                                    21
88[.]198[.]25[.]17                                                     20
173[.]203[.]113[.]44                                                   19
178[.]33[.]162[.]8                                                     18
176[.]31[.]106[.]226                                                   18
74[.]50[.]60[.]116                                                     18
198[.]24[.]142[.]66                                                    17

Files and/or directories created                                       Occurrences
%LOCALAPPDATA%\<random, matching '[a-z]{8}'>.exe                       26

File Hashes


*See JSON for more IOCs

Coverage

Product                     Protection
Secure Endpoint
Cloudlock                   N/A
CWS
Email Security
Network Security
Stealthwatch                N/A
Stealthwatch Cloud          N/A
Secure Malware Analytics
Umbrella                    N/A
WSA                         N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.HawkEye-9964231-0

Indicators of Compromise

IOCs collected from dynamic analysis of 25 samples

Registry Keys                                                          Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: Audiodgi                                               11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
    Value Name: DisableRegistryTools                                   1
<HKCU>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SYSTEM
    Value Name: DisableCMD                                             1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM       1
<HKCU>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SYSTEM                      1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: wsntcffy                                               1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: nvidia                                                 1

Mutexes                                                                Occurrences
<random, matching [a-zA-Z0-9]{5,9}>                                    25
Global\2ef47fa0-2008-11ed-9660-001517841a07                            1
Global\30820541-2008-11ed-9660-001517841a07                            1

IP Addresses contacted by malware. Does not indicate maliciousness    Occurrences
178[.]62[.]9[.]171                                                     8
185[.]53[.]177[.]51                                                    8
172[.]253[.]62[.]108/31                                                5
178[.]217[.]187[.]144/31                                               3
217[.]69[.]139[.]160                                                   2
123[.]126[.]97[.]113                                                   2
103[.]224[.]182[.]246                                                  1
178[.]217[.]186[.]170                                                  1
178[.]217[.]187[.]103                                                  1

Domain Names contacted by malware. Does not indicate maliciousness    Occurrences
myip[.]ru                                                              8
resolveme[.]org                                                        8
www[.]myip[.]ru                                                        8
smtp[.]gmail[.]com                                                     5
smtp[.]mail[.]ru                                                       2
smtp[.]163[.]com                                                       2
bobbyjoeconfirmed[.]biz                                                2
pradaengaged[.]serveftp[.]com                                          1
xtradaniels[.]no-ip[.]biz                                              1
funtalk[.]info                                                         1
moneymakingmachines[.]in                                               1

Files and/or directories created                                       Occurrences
%APPDATA%\_backups                                                     25
%TEMP%\logff.txt                                                       16
%TEMP%\logmail.txt                                                     16
%APPDATA%\AudioSettings                                                12
%APPDATA%\AudioSettings\Audiodgi.exe                                   9
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Audiodgi.exe   8
%APPDATA%\Audiodgi.exe                                                 2
%TEMP%\mRef.vbs                                                        1
%APPDATA%\21bc764836db3d1ea78f465895072d4b.exe                         1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\wsntcffy.exe   1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\nvidia.exe     1

File Hashes


*See JSON for more IOCs

Coverage

Product                     Protection
Secure Endpoint
Cloudlock                   N/A
CWS
Email Security
Network Security
Stealthwatch                N/A
Stealthwatch Cloud          N/A
Secure Malware Analytics
Umbrella
WSA

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Formbook-9964246-0

Indicators of Compromise

IOCs collected from dynamic analysis of 18 samples

Registry Keys                                                          Occurrences
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
    Value Name: LanguageList                                           11
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\INTELLIFORMS\STORAGE2      1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: Ejetkygbp                                              1

Mutexes                                                                Occurrences
8-3503835SZBFHHZ                                                       1
862Q-UTS0E2J0FF1                                                       1

IP Addresses contacted by malware. Does not indicate maliciousness    Occurrences
13[.]107[.]42[.]12/31                                                  4
172[.]64[.]149[.]82                                                    4
104[.]18[.]38[.]174                                                    3
162[.]159[.]136[.]232                                                  1
20[.]190[.]154[.]18                                                    1
52[.]95[.]165[.]126                                                    1

Domain Names contacted by malware. Does not indicate maliciousness    Occurrences
onedrive[.]live[.]com                                                  11
cacerts[.]digicert[.]com                                               7
login[.]live[.]com                                                     1
discord[.]com                                                          1
www[.]samtaxitours[.]com                                               1
dioefa[.]ph[.]files[.]1drv[.]com                                       1
patronkingoopsalmghandnaiojamexicoquadaras[.]s3[.]sa-east-1[.]amazonaws[.]com    1
vuladq[.]am[.]files[.]1drv[.]com                                       1
dimk5w[.]ph[.]files[.]1drv[.]com                                       1
njie9a[.]am[.]files[.]1drv[.]com                                       1
ibjoxq[.]dm[.]files[.]1drv[.]com                                       1
zlpuma[.]bn[.]files[.]1drv[.]com                                       1
rqy3zg[.]db[.]files[.]1drv[.]com                                       1

Files and/or directories created                                       Occurrences
%APPDATA%\862Q-UTS                                                     1
%APPDATA%\862Q-UTS\862log.ini                                          1
%APPDATA%\862Q-UTS\862logrc.ini                                        1
%APPDATA%\862Q-UTS\862logri.ini                                        1
%PUBLIC%\Libraries\Ejetkygbp.exe                                       1
%PUBLIC%\Libraries\pbgyktejE.url                                       1

File Hashes


Coverage

Product                     Protection
Secure Endpoint
Cloudlock                   N/A
CWS
Email Security
Network Security
Stealthwatch                N/A
Stealthwatch Cloud          N/A
Secure Malware Analytics
Umbrella                    N/A
WSA                         N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Remcos-9964868-1

Indicators of Compromise

IOCs collected from dynamic analysis of 14 samples

Registry Keys                                                          Occurrences
<HKCU>\SOFTWARE\REMCOS_VOXCYIGINC                                      14
<HKCU>\SOFTWARE\REMCOS_VOXCYIGINC
    Value Name: EXEpath                                                14
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
    Value Name: LanguageList                                           12
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
    Value Name: @explorer.exe,-7001                                    12

Mutexes                                                                Occurrences
Remcos_Mutex_Inj                                                       14
remcos_voxcyiginc                                                      14

Domain Names contacted by malware. Does not indicate maliciousness    Occurrences
urchamadi[.]ddns[.]net                                                 14

Files and/or directories created                                       Occurrences
%APPDATA%\remcos                                                       14
%APPDATA%\remcos\logs.dat                                              14
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\windows.vbe    14
%APPDATA%\windows.exe                                                  14

File Hashes


Coverage

Product                     Protection
Secure Endpoint
Cloudlock                   N/A
CWS
Email Security
Network Security            N/A
Stealthwatch                N/A
Stealthwatch Cloud          N/A
Secure Malware Analytics
Umbrella                    N/A
WSA                         N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.XtremeRAT-9964479-0

Indicators of Compromise

IOCs collected from dynamic analysis of 15 samples

Registry Keys                                                          Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
    Value Name: EnableBalloonTips                                      15
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
    Value Name: EnableLUA                                              12
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
    Value Name: UACDisableNotify                                       12
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 10
<HKCU>\ENVIRONMENT
    Value Name: ProgramData                                            8
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: explorer                                               6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
    Value Name: explorer                                               6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
    Value Name: explorer                                               6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
    Value Name: DisableTaskMgr                                         5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
    Value Name: DisableRegistryTools                                   5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM       5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: services                                               3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
    Value Name: services                                               3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
    Value Name: services                                               3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: spoolsv                                                2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
    Value Name: spoolsv                                                2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: atiedxx                                                1
<HKCU>\SOFTWARE\MICROSOFT\FEEFA                                        1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
    Value Name: atiedxx                                                1
<HKCU>\SOFTWARE\MICROSOFT\OPKYIF                                       1
<HKCU>\SOFTWARE\MICROSOFT
    Value Name: zupi.exe                                               1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
    Value Name: atiedxx                                                1
<HKCU>\SOFTWARE\MICROSOFT
    Value Name: uwhuevat.exe                                           1
<HKCU>\SOFTWARE\MICROSOFT\FEEFA
    Value Name: Yrivxya                                                1
<HKCU>\SOFTWARE\MICROSOFT\OPKYIF
        Value Name: Otmabyek                            1        
                     
                
            
        Mutexes            Occurrences        
                                 
        6nkxLO02qtXYL2vjf6Q3Ld1BXvM8Xk            4            
                 
        Local\{E79956D8-8C6C-29D3-F3B6-46F6B67AA745}            3            
                 
        Local\{E79956DA-8C6E-29D3-F3B6-46F6B67AA745}            3            
                 
        Local\{E79956DB-8C6F-29D3-F3B6-46F6B67AA745}            3            
                 
        GLOBAL\{<random GUID>}            3            
                 
        qYLS3Rl0xK7U0fJaaFHI9gyEU4OQEO            2            
                 
        JbdhwlrcWDpyZ78nPglBqnLY8exSoG            2            
                 
        hbOblX81rgTLtJRBvLX2JB0nKVPZRh            1            
                 
        BRMVTk3lQ1Jq0Oqd4zcgHKYq4NnaR9            1            
                 
        f5SUSZmQlEOC00yG9p1Ivna3rOzI0e            1            
                 
        akRIZKudnSn2WvMCpN5alLvywbcRXT            1            
                     
                         
            
        IP Addresses contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        23[.]202[.]81[.]150            12            
                     
                          
            
        Domain Names contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        tulipbloom[.]in            6            
                 
        iamthecause[.]top            3            
                 
        www[.]tribosjovens[.]org[.]br            1            
                 
        www[.]streetfighterx[.]top            1            
                 
        www[.]cheapestconcerttickets[.]top            1            
                     
                          
            
        Files and or directories created            Occurrences        
                                 
        %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe            6            
                 
        %APPDATA%\com6.{00C6D95F-329C-409a-81D7-C46C66EA7F33}\Off.c            6            
                 
        %APPDATA%\com6.{00C6D95F-329C-409a-81D7-C46C66EA7F33}            6            
                 
        %APPDATA%\com6.{00C6D95F-329C-409a-81D7-C46C66EA7F33}\explorer.exe            6            
                 
        %System32%\Tasks\explorer.exe            6            
                 
        %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\services.exe            3            
                 
        %System32%\Tasks\services.exe            3            
                 
        %TEMP%\com6.{00C6D95F-329C-409a-81D7-C46C66EA7F33}            3            
                 
        %TEMP%\com6.{00C6D95F-329C-409a-81D7-C46C66EA7F33}\services.exe            3            
                 
        %TEMP%\com6.{00C6D95F-329C-409a-81D7-C46C66EA7F33}\Off.c            3            
                 
        %ProgramData%\<random, matching '[a-z0-9]{3,7}'>            3            
                 
        %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\spoolsv.exe            2            
                 
        %TEMP%\com8.{15eae92e-f17a-4431-9f28-805e482dafd4}            2            
                 
        %TEMP%\com8.{15eae92e-f17a-4431-9f28-805e482dafd4}\spoolsv.exe            2            
                 
        %TEMP%\com8.{15eae92e-f17a-4431-9f28-805e482dafd4}\Off.c            2            
                 
        %TEMP%\D0B38F0F.cmd            1            
                 
        %TEMP%\DA9F635A.cmd            1            
                 
        %TEMP%\AA95177A.cmd            1            
                 
        %TEMP%\4DA5383F.cmd            1            
                 
        %TEMP%\D925C77F.cmd            1            
                 
        %TEMP%\F0470C51.cmd            1            
                 
        %APPDATA%\com3.{025A5937-A6BE-4686-A844-36FE4BEC8B6D}            1            
                 
        %APPDATA%\com3.{025A5937-A6BE-4686-A844-36FE4BEC8B6D}\atiedxx.exe            1            
                 
        %TEMP%\97BB41A5.cmd            1            
                 
        %TEMP%\5DBB78C4.cmd            1            

*See JSON for more IOCs
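The IOC tables above use a notation of their own: <HKLM>/<HKCU> hive placeholders, %APPDATA%-style path variables, defanged [.] dots, and wildcards such as <random, matching '[a-z0-9]{3,7}'> and <random GUID>. The following is an added example, not Talos code, that turns that notation into anchored regular expressions and runs a handful of the XtremeRAT indicators over constructed host telemetry. The path expansions (default C:\Users\<user>\... layout), the KEY::ValueName convention for registry entries, and the telemetry sample are this example's own assumptions; the final assess() step encodes the roundup's caveat that a single IOC hit is not a verdict.

```python
"""Match Talos roundup IOCs against host telemetry (added example, not Talos code)."""
import re

# Assumed expansions of the path placeholders used in the file tables.
ENV = {
    "%APPDATA%":      r"C:\\Users\\[^\\]+\\AppData\\Roaming",
    "%LOCALAPPDATA%": r"C:\\Users\\[^\\]+\\AppData\\Local",
    "%TEMP%":         r"C:\\Users\\[^\\]+\\AppData\\Local\\Temp",
    "%PROGRAMDATA%":  r"C:\\ProgramData",
    "%SYSTEMROOT%":   r"C:\\Windows",
    "%SYSTEM32%":     r"C:\\Windows\\System32",
}
GUID = r"[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}"
PLACEHOLDER = re.compile(
    r"<random, matching '?(?P<rx>.+?)'?>"  # <random, matching '[a-z0-9]{3,7}'>
    r"|<random GUID>"                       # {<random GUID>}
    r"|<(?P<hive>HKLM|HKCU|HKU|HKCR)>"      # <HKLM>\SOFTWARE\...
    r"|(?P<env>%[A-Za-z0-9()]+%)"           # %APPDATA%, %ProgramData%, ...
)


def ioc_to_regex(ioc: str) -> re.Pattern:
    """Compile one IOC string from the tables into a case-insensitive anchored regex."""
    parts, pos = [], 0
    for m in PLACEHOLDER.finditer(ioc):
        parts.append(re.escape(ioc[pos:m.start()].replace("[.]", ".")))
        if m.group("rx"):
            # The sandbox reported the wildcard's character class; keep that part
            # case-sensitive (NTFS is not) because the malware chose those characters.
            parts.append(f"(?-i:{m.group('rx')})")
        elif m.group("hive"):
            parts.append(m.group("hive"))
        elif m.group("env"):
            key = m.group("env").upper()
            if key not in ENV:
                raise ValueError(f"no expansion for {m.group('env')}")
            parts.append(ENV[key])
        else:
            parts.append(GUID)
        pos = m.end()
    parts.append(re.escape(ioc[pos:].replace("[.]", ".")))
    return re.compile("".join(parts), re.IGNORECASE)


def match_iocs(iocs, events):
    """Return (category, ioc, observed) for each event matched by an IOC of the same category.

    Both lists hold (category, string) pairs; registry entries are written as
    'KEY::ValueName' (this example's convention, not the roundup's).
    """
    compiled = [(cat, ioc, ioc_to_regex(ioc)) for cat, ioc in iocs]
    return [(cat, ioc, seen) for ev_cat, seen in events
            for cat, ioc, rx in compiled if cat == ev_cat and rx.fullmatch(seen)]


def assess(hits, min_categories=2):
    """The roundup's caveat as code: escalate only when hits span several categories."""
    cats = {cat for cat, _, _ in hits}
    return cats, len(cats) >= min_categories


# IOCs copied from the XtremeRAT tables above.
XTREMERAT_IOCS = [
    ("registry", r"<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM::EnableLUA"),
    ("registry", r"<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN::explorer"),
    ("mutex",    r"GLOBAL\{<random GUID>}"),
    ("file",     r"%APPDATA%\com6.{00C6D95F-329C-409a-81D7-C46C66EA7F33}\explorer.exe"),
    ("file",     r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"),
    ("file",     r"%ProgramData%\<random, matching '[a-z0-9]{3,7}'>"),
    ("domain",   "tulipbloom[.]in"),
    ("ip",       "23[.]202[.]81[.]150"),
]

# Constructed telemetry for this example, not real sandbox or EDR output.
SAMPLE_EVENTS = [
    ("registry", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System::EnableLUA"),
    ("registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run::explorer"),
    ("registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run::OneDrive"),
    ("mutex",    r"Global\{3F2504E0-4F89-11D3-9A0C-0305E82C3301}"),
    ("file",     r"C:\Users\alice\AppData\Roaming\com6.{00C6D95F-329C-409a-81D7-C46C66EA7F33}\explorer.exe"),
    ("file",     r"C:\ProgramData\q7x2k"),   # fits [a-z0-9]{3,7}
    ("file",     r"C:\ProgramData\Adobe"),   # capital A: the wildcard stays case-sensitive
    ("domain",   "tulipbloom.in"),
    ("domain",   "www.google.com"),
    ("ip",       "23.202.81.150"),
]


def run_example():
    hits = match_iocs(XTREMERAT_IOCS, SAMPLE_EVENTS)
    cats, escalate = assess(hits)
    return hits, cats, escalate


if __name__ == "__main__":
    hits, cats, escalate = run_example()
    for cat, ioc, seen in hits:
        print(f"[{cat}] {seen}\n    <- {ioc}")
    print(f"{len(cats)} IOC categories fired; escalate={escalate}")
```

Regex-wildcard and shared-infrastructure indicators (a three-to-seven-character directory under %ProgramData%, a CDN address such as 23[.]202[.]81[.]150) match benign activity easily, which is why assess() counts distinct categories rather than raw hits; weight each category by how specific its indicators are before acting on a match.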

File Hashes

    048b8ea9aef3287bae09d9327536faea0b662d48e9cb0d477e88805a7797bcc7
    21cd479707dc5865122fa6f1cc638ab15953b09c43ee41abc8a197823a60b65b
    34e610d6e74bc3332d7a8a25f61f6a979be8deab8dc1f8f6fdf487dd4ddd3070
    5ea6b3668a008b77f6dff12788101e258e6c90d2b08de9e89d7d886834d98ad0
    63cae1e75e5d8e54c8dfccebe7552e5a9aa2592cf259357a516d0115ebcf655e
    75ee917f5022839d776082a470333a6c6c82069a7f443005f77cce1ff2ccaeb9
    7817f2ee4c83e004d9b9602d8f68adc04076f949e1bc868a3bb28c47d98a4933
    8159704f8517ba8d8a2f9ea6ec42f5fd4e18438c940806e48dcdd726b923ab66
    856869554541785eaadb13c38bfb22392c38254968fc9a41d8d0f1c2b4d420be
    8c99d803e23df187a0925aade258e7eeb1dea15607670a05f1fade726320cc05
    8e770cc47212a54fee1deb9a642c6afb52238c176cc00bdd2fd3d473e3b601fc
    a79939e710792b9d290f2ee2a9ae82529b4b78ba7a578341e52a7994aef5ef11
    b9298520c6b390e4fb488f7fc7d99d1651c28482b06e6c008512e29049714a20
    cc9d4f4daddee4e5e0c9839543c0c84360c8cc42758f894bc13bb814fbd572f1
    da303496b9ba5a139b724e5cd1d35da3d04b89ccd82b281de14e8febb68f4eb6

Coverage

        Product            Protection        
                     
        Secure Endpoint                                                                                                                              
             
        Cloudlock                                                                     N/A                                                          
             
        CWS                                                                                                                              
             
        Email Security                                                                                                                              
             
        Network Security                                                                                                                              
             
        Stealthwatch                                                                     N/A                                                          
             
        Stealthwatch Cloud                                                                     N/A                                                          
             
        Secure Malware Analytics                                                                                                                              
             
        Umbrella                                                                     N/A                                                          
             
        WSA                                                                     N/A                                                          

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Packed.Shiz-9964480-0

Indicators of Compromise

IOCs collected from dynamic analysis of 26 samples

        Registry Keys            Occurrences        
                             
    <HKLM>\SOFTWARE\MICROSOFT                          
        Value Name: 67497551a                            26        
             
    <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON                          
        Value Name: 98b68e3c                            26        
             
    <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON                          
        Value Name: userinit                            26        
             
    <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON                          
        Value Name: System                            26        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS                          
        Value Name: load                            26        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS                          
        Value Name: run                            26        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: userinit                            26        
                     
                
            
        Mutexes            Occurrences        
                                 
        Global\674972E3a            26            
                 
        Global\MicrosoftSysenterGate7            26            
                 
        internal_wutex_0x000004b4            26            
                 
        internal_wutex_0x0000043c            26            
                 
        internal_wutex_0x000004dc            26            
                 
        internal_wutex_0x<random, matching [0-9a-f]{8}>            26            
                     
                         
            
        IP Addresses contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        13[.]107[.]21[.]200            13            
                 
        45[.]33[.]18[.]44            7            
                 
        45[.]79[.]19[.]196            5            
                 
        45[.]33[.]2[.]79            5            
                 
        173[.]255[.]194[.]134            5            
                 
        45[.]33[.]20[.]235            5            
                 
        198[.]58[.]118[.]167            4            
                 
        72[.]14[.]185[.]43            4            
                 
        96[.]126[.]123[.]244            3            
                 
        45[.]56[.]79[.]23            3            
                 
        45[.]33[.]30[.]197            3            
                 
        72[.]14[.]178[.]174            3            
                 
        45[.]33[.]23[.]183            1            
                 
        85[.]94[.]194[.]169            1            
                     
                          
            
        Domain Names contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        gahoqohofib[.]eu            26            
                 
        rytifaquwer[.]eu            26            
                 
        kepujajynib[.]eu            26            
                 
        lyrosajupid[.]eu            26            
                 
        tuwaraqidek[.]eu            26            
                 
        xuqeqejohiv[.]eu            26            
                 
        pumebeqalew[.]eu            26            
                 
        cinycekecid[.]eu            26            
                 
        divulewybek[.]eu            26            
                 
        cilakyfaloq[.]eu            26            
                 
        vocijekyqiv[.]eu            26            
                 
        foxofewuteq[.]eu            26            
                 
        nozapekidis[.]eu            26            
                 
        makymykakic[.]eu            26            
                 
        galerywogej[.]eu            26            
                 
        qeguxylevus[.]eu            26            
                 
        rydohyluruc[.]eu            26            
                 
        lysafurisam[.]eu            26            
                 
        tupepulofup[.]eu            26            
                 
        kefilyrymaj[.]eu            26            
                 
        purumulazux[.]eu            26            
                 
        xutyrurojah[.]eu            26            
                 
        ciqivutevam[.]eu            26            
                 
        dimoxuzynup[.]eu            26            
                 
        citonocebyl[.]eu            26            

*See JSON for more IOCs

        Files and or directories created            Occurrences        
                                 
        %TEMP%\<random, matching [A-F0-9]{1,4}>.tmp            26            

File Hashes

    0aa01d0e6ab4b0dab543cd0f7d226a1971c896c1b5668ef55d5d84fd8aac331f
    232b980cba11ed3757cd13e6e4ec20993f819d07254999411e7a308561f10ac9
    27eb369a639c17edfcc1eefc7f2d21d0680f62dd00a7bd2cf0a3d50030134dc9
    2ebf268325f6e2840fa65e481e61cee94d0dc889f3f032abdf7492dd7772be07
    31532a2178c74921a141b257175fd25aa587d611e480ae6399255000a875f86b
    3634d7d5b0e31a068dbb17eec6dd39b927dc2e6ca7a7d1f50fe122fd9a348578
    3ce214e14dc05772c4f6ed8bf5df0c2f6916c3cb78cad5ec7960e8a5aa3183dd
    3db521931dd32b2d76a0b694eba198d54db0642289c4c04797d81abba1e8cc1c
    44aaba781695fd9c5a859fe91a1b251f3700cfc65d20c70827108aade73a2d47
    491e939589d3df18f8c2601acd0ecb2e730744625208a9ef10e1153c8fbd999d
    4aef6f77172ffbe97608338d59b4e327f80ac6b1280234acfd1a35c519a8cc54
    5153f49e288d120950522e3cedade50d389452cb5344344672b1dbbe4fd6b2c3
    5950d60ccaf62ebbd4d8e6f67c8aae6ffa9d7c7f3950aa3aa6c97810f2e192b4
    5bdcf125d1dd26dc4eea102736976a474e7c95ca4486ca8e13cf404ed6b54661
    66703ea93baf17db72cce7c91b39df923574a9173768ebfda5f78580e1f1e05e
    6728f5c294584f01a2e8a8f320cce6df9a85656b582f29e7dcd1b226d51d0b46
    706de588bf28a2345331005686aeb0a65d92eea4195050f948577ce0623bc7b3
    8818d782007a434aaf773fa601467cb8ea9514ffbdba74a4b2cf8ad0ee096110
    914e601f65f04fb41f1ede09babc33d9d067fdf089a6f720eb7dcb5489da182c
    a3b5359d0320885dc46a8e01583304adcc8f8697bd72d4a9fa1e02b0d210e061
    b9d4f9b412b05af3a6f1b601041422117f3c4ccdfa02b140a1b06da1ba53193b
    bcf08953ce18c297e8b3714bd66563fde1d031b9eec8c26cc5a880f6b57eea5c
    bd984088a849d6b0593a970dec6a8792b82c8c04edecd4032cfd6a447d4f3c48
    c7297544b35ded090c59b73c53c1c6a3f50b0b30206f237c1f84114b01adcdfd
    ccaa68c04b2d4378b62753b540e5b25cb36e6334a48a10eb9975c2064fc393da

*See JSON for more IOCs

Coverage

        Product            Protection        
                     
        Secure Endpoint                                                                                                                              
             
        Cloudlock                                                                     N/A                                                          
             
        CWS                                                                                                                              
             
        Email Security                                                                                                                              
             
        Network Security                                                                                                                              
             
        Stealthwatch                                                                     N/A                                                          
             
        Stealthwatch Cloud                                                                     N/A                                                          
             
        Secure Malware Analytics                                                                                                                              
             
        Umbrella                                                                                                                              
             
        WSA                                                                                                                              

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

TALOS

The most prevalent threats highlighted in this roundup are:

Threat Name    Type    Description

Win.Virus.Ramnit-9964077-0    Virus    Ramnit is a banking trojan that monitors web browser activity on an infected machine and collects login information from financial websites. It also steals browser cookies and attempts to hide from popular antivirus software.
Win.Virus.Xpiro-9964080-1    Virus    Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.
Win.Dropper.Cerber-9964300-0    Dropper    Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension “.cerber,” although in more recent campaigns, other file extensions are used.
Win.Worm.Kuluoz-9964104-0    Worm    Kuluoz, sometimes known as “Asprox,” is a modular remote access trojan that is also known to download and execute follow-on malware, such as fake antivirus software. Kuluoz is often delivered via spam emails pretending to be shipment delivery notifications or flight booking confirmations.
Win.Dropper.HawkEye-9964231-0    Dropper    HawkEye is an information-stealing malware that specifically targets usernames and passwords stored by web browsers and mail clients on an infected machine. It is commonly spread via email and can propagate through removable media.
Win.Dropper.Formbook-9964246-0    Dropper    Formbook is an information stealer that attempts to collect sensitive information from an infected machine by logging keystrokes, stealing saved web browser credentials, and monitoring information copied to the clipboard.
Win.Dropper.Remcos-9964868-1    Dropper    Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam and capture screenshots. This malware is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Dropper.XtremeRAT-9964479-0    Dropper    XtremeRAT is a remote access trojan active since 2010 that allows the attacker to eavesdrop on users and modify the running system. The source code for XtremeRAT, written in Delphi, was leaked online and has since been used by similar RATs.
Win.Packed.Shiz-9964480-0    Packed    Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information. It is commonly spread via droppers or by visiting a malicious site.

Threat Breakdown

Win.Virus.Ramnit-9964077-0

Indicators of Compromise

IOCs collected from dynamic analysis of 18 samples

        Registry Keys            Occurrences

    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
        Value Name: AntiVirusOverride            18

    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
        Value Name: AntiVirusDisableNotify            18

    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
        Value Name: FirewallDisableNotify            18

    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
        Value Name: FirewallOverride            18

    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
        Value Name: UpdatesDisableNotify            18

    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
        Value Name: UacDisableNotify            18

    <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
        Value Name: EnableLUA            18

    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
        Value Name: EnableFirewall            18

    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
        Value Name: DoNotAllowExceptions            18

    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
        Value Name: DisableNotifications            18

    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
        Value Name: Start            18

    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
        Value Name: Start            18

    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
        Value Name: Start            18

    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION
        Value Name: jfghdug_ooetvtgk            18

    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV
        Value Name: Start            18

    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
        Value Name: Windows Defender            18

    <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
        Value Name: Userinit            18

    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
        Value Name: Userinit            18

    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
        Value Name: JudCsgdy            18

    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND            1

        Mutexes            Occurrences

        {7930D12C-1D38-EB63-89CF-4C8161B79ED4}            18
        {79345B6A-421F-2958-EA08-07396ADB9E27}            17
        {7930D12D-1D38-EB63-89CF-4C8161B79ED4}            16
        {7930CC18-1D38-EB63-89CF-4C8161B79ED4}            16
        {7930DB19-1D38-EB63-89CF-4C8161B79ED4}            16
        {<random GUID>}            16

        IP Addresses contacted by malware. Does not indicate maliciousness            Occurrences

        46[.]165[.]254[.]201            18
        72[.]26[.]218[.]70            18
        195[.]201[.]179[.]207            18
        208[.]100[.]26[.]245            18
        206[.]191[.]152[.]58            18
        142[.]250[.]72[.]110            18
        64[.]225[.]91[.]73            18

        Domain Names contacted by malware. Does not indicate maliciousness            Occurrences

        google[.]com            18
        testetst[.]ru            18
        iihsmkek[.]com            18
        mtsoexdphaqliva[.]com            18
        uulwwmawqjujuuprpp[.]com            18
        twuybywnrlqcf[.]com            18
        wcqqjiixqutt[.]com            18
        ubgjsqkad[.]com            18
        tlmmcvqvearpxq[.]com            18
        flkheyxtcedehipox[.]com            18
        edirhtuawurxlobk[.]com            18
        tfjcwlxcjoviuvtr[.]com            18

        Files and or directories created            Occurrences

        %LOCALAPPDATA%\bolpidti            18
        %LOCALAPPDATA%\bolpidti\judcsgdy.exe            18
        %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\judcsgdy.exe            18
        %TEMP%\squhapjc.exe            16
        %TEMP%\aacwxnxw.exe            16
        %ProgramData%\qvqdlyny.log            16
        %LOCALAPPDATA%\yjghhxdl.log            16
        %LOCALAPPDATA%\aanqrsjf.log            14
        \TEMP\tFXd2E8YU            1
        %LOCALAPPDATA%\bolpidti\pxBC6E.tmp            1
        \TEMP\5ETGN6snq            1
        \TEMP\zYyccBVe            1
        %LOCALAPPDATA%\bolpidti\pxBE23.tmp            1
        %LOCALAPPDATA%\bolpidti\pxACA6.tmp            1
        %LOCALAPPDATA%\bolpidti\pxB5DA.tmp            1
        \TEMP\cjTnE8Jr            1
        \TEMP\o2gKdKfQ            1
        \TEMP\o192e68            1
        \TEMP\QYnhH23            1
        \TEMP\lgxG4A4            1
        \TEMP\YWj2Vj1            1
        \TEMP\5nPK0vwsR            1
        %LOCALAPPDATA%\bolpidti\pxBDC6.tmp            1
        %LOCALAPPDATA%\bolpidti\pxB676.tmp            1
        %LOCALAPPDATA%\bolpidti\pxB53E.tmp            1

*See JSON for more IOCs

File Hashes

    16b156359492fd1c04ca8024be9520ed9b2f2c1c3a9d2d72177b74e53c5f7237
    1837b9072548d7fd6ccff6dff1c9f6261df6ab977c06aef95b328bcbcde8f24d
    1a74c2f06d531a5947ea3fa980fb9e08dd4ef2938cd53215b1fb04403160632d
    1b85483edb2968b8303b3a3edeb69776cc237bfb2e844862315aad399a1fbb60
    3cf846acf89647d5eec22871e3b8d36fb2e6a1e24b609cc140fb4d32b3627a89
    3ea014d13ab9de10c12705d951d36001fade2375373992d09f04a13991abdda6
    650b142204d54fb6be3adc953325be09df8e8472f6e75bf89bd96fac0604df07
    705e36bc25534e3496cf040179df7965df62f4f8d20d2296af65ed2c7765ad08
    7d34aa04431ca6d29ae750551d62303521f50e7302e508b8c3a68c2501cedbc7
    7dcf9ef1156ebc96cd7f33fa65da1aa3ee6c4e40d98f396ef4f997384324debd
    9ad3fe646a2e70461cbd0c6b5baf6e6aa86780bfec67324dc37cc71abc16dc6d
    9f42d128eadd1933ef6f05b58612799009a028830d9e62a384565616fca5d6a3
    c963abb11b88bd5d2b451b6a73e2e853ce7777ff07a5a481d1c6d195f5d6bf34
    d9799be6fc5a08a58f2da15d8ce3550fb462ccb97b6e932d1531ffdbc4af28c7
    d9cbec3c2d30347d5781f4f656e0775eda33ae905092bc1673a8d68aeb9f643a
    ecc77e015461dc1d4f9760ae11faa17ed9a46916a15c958cd2fd888b9d18441a
    f1e64265f0a305cba4442afeb8014c726b93c5065b92cbe997ebe02ff38f4092
    fd2ee83c36b70791828d0143ad3737d917edaaf909f72499f6709615391e3700

Coverage

        Product            Protection

        Secure Endpoint
        Cloudlock            N/A
        CWS
        Email Security
        Network Security
        Stealthwatch            N/A
        Stealthwatch Cloud            N/A
        Secure Malware Analytics
        Umbrella
        WSA

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Virus.Xpiro-9964080-1

Indicators of Compromise

IOCs collected from dynamic analysis of 25 samples

        Registry Keys            Occurrences

    <HKCU>\SOFTWARE\MICROSOFT\WISP\PEN\SYSEVENTPARAMETERS
        Value Name: RightMaskEnable            25

    <HKCU>\SOFTWARE\MICROSOFT\WISP\PEN\SYSEVENTPARAMETERS
        Value Name: ShakeEnable            25

    <HKCU>\SOFTWARE\MICROSOFT\WISP\PEN\PERSIST\0\1
        Value Name: HidCursorName            25

    <HKCU>\SOFTWARE\MICROSOFT\WISP\PEN\PERSIST\0
        Value Name: type            25

    <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\TABLET PC
        Value Name: Ident            25

    <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\TABLET PC\CACHE
        Value Name: HPITP            25

    <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\TABLET PC\CACHE
        Value Name: HPETP            25

    <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\TABLET PC
        Value Name: IsTabletPC            25

    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\TABLET PC
        Value Name: IsTabletPC            25

    <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\TABLET PC
        Value Name: DeviceKind            25

    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TABLETINPUTSERVICE
        Value Name: Start            25

    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TABLETINPUTSERVICE\TRIGGERINFO\0
        Value Name: Type            25

    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TABLETINPUTSERVICE\TRIGGERINFO\0
        Value Name: Action            25

    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TABLETINPUTSERVICE\TRIGGERINFO\0
        Value Name: Guid            25

    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TABLETINPUTSERVICE\TRIGGERINFO\0
        Value Name: Data0            25

    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TABLETINPUTSERVICE\TRIGGERINFO\0
        Value Name: DataType0            25

    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TABLETINPUTSERVICE\TRIGGERINFO\0
        Value Name: Data1            25

    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TABLETINPUTSERVICE\TRIGGERINFO\0
        Value Name: DataType1            25

    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TABLETINPUTSERVICE\TRIGGERINFO\0
        Value Name: Data2            25

    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TABLETINPUTSERVICE\TRIGGERINFO\0
        Value Name: DataType2            25

    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TABLETINPUTSERVICE\TRIGGERINFO\0
        Value Name: Data3            25

    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TABLETINPUTSERVICE\TRIGGERINFO\0
        Value Name: DataType3            25

    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
        Value Name: Start            25

    <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
        Value Name: HideSCAHealth            25

    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV
        Value Name: Start            25
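The Ramnit registry table above (Security Center *Override and *DisableNotify values, EnableLUA, the StandardProfile firewall policy, the Start value of wscsvc, WinDefend, MpsSvc and wuauserv, and the Winlogon Userinit value), the Shiz table (Winlogon userinit) and the Xpiro table just above (WinDefend and wuauserv Start, HideSCAHealth) all touch the same set of host security controls. The roundup lists which values were written but not the data written, so the audit below is an added example, not Talos code: it assumes the samples set each control to its standard Windows "off" state (EnableLUA=0 disables UAC, a service Start of 4 is SERVICE_DISABLED, Security Center *Override and *DisableNotify of 1 suppress monitoring and notifications, EnableFirewall=0 and DisableNotifications=1 for the firewall profile, HideSCAHealth=1 hides the Action Center icon, and a Userinit value naming anything beyond userinit.exe chains extra code into logon). The snapshot format ('KEY::ValueName' to data, as one might build from reg query output) and the two snapshots are this example's own constructions; no live registry is read, so it runs anywhere.

```python
"""Audit a registry snapshot for the controls the Ramnit, Xpiro and Shiz samples
write to.  Added example, not Talos code; the tampered states are assumptions
based on standard Windows semantics, since the roundup lists value names only."""

SC = r"HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER"
FWP = r"HKLM\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE"
SVC = r"HKLM\SYSTEM\CONTROLSET001\SERVICES"
POL = r"HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES"
WINLOGON = r"HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON"
WINLOGON32 = r"HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON"


def userinit_extended(data) -> bool:
    """Winlogon Userinit is a comma-separated list; the default names userinit.exe only."""
    return len([p for p in str(data).split(",") if p.strip()]) > 1


# (finding, key, value name, predicate that is true when the control is tampered)
CHECKS = [
    ("UAC disabled", POL + r"\SYSTEM", "EnableLUA", lambda v: v == 0),
    ("Firewall off for standard profile", FWP, "EnableFirewall", lambda v: v == 0),
    ("Firewall notifications suppressed", FWP, "DisableNotifications", lambda v: v == 1),
    ("Action Center health icon hidden", POL + r"\EXPLORER", "HideSCAHealth", lambda v: v == 1),
    ("Userinit logon chain extended", WINLOGON, "Userinit", userinit_extended),
    ("Userinit logon chain extended (WOW64 view)", WINLOGON32, "Userinit", userinit_extended),
]
for name in ("AntiVirusOverride", "AntiVirusDisableNotify", "FirewallOverride",
             "FirewallDisableNotify", "UpdatesDisableNotify", "UacDisableNotify"):
    CHECKS.append((f"Security Center {name} set", SC, name, lambda v: v == 1))
for svc, label in (("WSCSVC", "Security Center service"), ("WINDEFEND", "Defender service"),
                   ("MPSSVC", "Firewall service"), ("WUAUSERV", "Windows Update service")):
    CHECKS.append((f"{label} disabled", SVC + "\\" + svc, "Start", lambda v: v == 4))


def audit(snapshot: dict) -> list:
    """Return (finding, 'KEY::ValueName', data) for every tampered control present.

    Keys are compared case-insensitively; values the snapshot lacks are skipped,
    so a partial reg query export still audits cleanly.
    """
    snap = {k.upper(): v for k, v in snapshot.items()}
    findings = []
    for finding, key, value, tampered in CHECKS:
        path = f"{key}::{value}"
        data = snap.get(path.upper())
        if data is not None and tampered(data):
            findings.append((finding, path, data))
    return findings


# Constructed snapshot shaped like a host after the Ramnit writes listed above;
# not real data.  Controls the sample did not touch are left at their defaults.
SAMPLE_SNAPSHOT = {
    POL + r"\SYSTEM::EnableLUA": 0,
    SC + "::AntiVirusOverride": 1,
    SC + "::UacDisableNotify": 1,
    FWP + "::EnableFirewall": 1,                # still on
    SVC + r"\WSCSVC::Start": 4,
    SVC + r"\WINDEFEND::Start": 4,
    SVC + r"\MPSSVC::Start": 2,                 # still automatic
    SVC + r"\WUAUSERV::Start": 3,               # manual, not disabled
    POL + r"\EXPLORER::HideSCAHealth": 1,
    WINLOGON + "::Userinit": r"C:\Windows\system32\userinit.exe,"
                             r"C:\Users\alice\AppData\Local\bolpidti\judcsgdy.exe,",
}

# Constructed clean baseline for comparison.
CLEAN_SNAPSHOT = {
    POL + r"\SYSTEM::EnableLUA": 1,
    SVC + r"\WINDEFEND::Start": 2,
    WINLOGON + "::Userinit": r"C:\Windows\system32\userinit.exe,",
}


if __name__ == "__main__":
    for finding, path, data in audit(SAMPLE_SNAPSHOT):
        print(f"{finding}: {path} = {data!r}")
```

Run against a real export, the Userinit and service Start findings are the ones worth acting on first: the Security Center values only silence notifications, whereas a disabled wscsvc or WinDefend and an extended Userinit chain are the persistence and defense-evasion the IOC table actually records.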

        Mutexes            Occurrences

        kkq-vx_mtx63            25
        kkq-vx_mtx64            25
        kkq-vx_mtx65            25
        kkq-vx_mtx66            25
        kkq-vx_mtx67            25
        kkq-vx_mtx68            25
        kkq-vx_mtx69            25
        kkq-vx_mtx70            25
        kkq-vx_mtx71            25
        kkq-vx_mtx72            25
        kkq-vx_mtx73            25
        kkq-vx_mtx74            25
        kkq-vx_mtx75            25
        kkq-vx_mtx76            25
        kkq-vx_mtx77            25
        kkq-vx_mtx78            25
        kkq-vx_mtx79            25
        kkq-vx_mtx80            25
        kkq-vx_mtx81            25
        kkq-vx_mtx82            25
        kkq-vx_mtx83            25
        kkq-vx_mtx84            25
        kkq-vx_mtx85            25
        kkq-vx_mtx86            25
        kkq-vx_mtx87            25

*See JSON for more IOCs

        Files and or directories created            Occurrences

        %CommonProgramFiles%\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE            25
        %CommonProgramFiles(x86)%\microsoft shared\Source Engine\OSE.EXE            25
        %ProgramFiles(x86)%\Microsoft Office\Office14\GROOVE.EXE            25
        %ProgramFiles(x86)%\Mozilla Maintenance Service\maintenanceservice.exe            25
        %SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe            25
        %SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe            25
        %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe            25
        %SystemRoot%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe            25
        %System32%\alg.exe            25
        %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.log            25
        %SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log            25
        %SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log            25
        %SystemRoot%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log            25
        %SystemRoot%\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat            25
        %SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat            25
        %SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat            25
        %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock            25
        %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat            25
        %SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock            25
        %SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat            25
        %SystemRoot%\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat            25
        %SystemRoot%\Microsoft.NET\ngenservice_pri1_lock.dat            25
        %SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat            25
        %LOCALAPPDATA%\Microsoft\Journal            25
        %LOCALAPPDATA%\Microsoft\Journal\Cache            25

*See JSON for more IOCs

File Hashes

    0070146a1ddd5e7afa882029c836662a3fb7b83f2c838d1d89caf36ceaa73a47

    00b9049e01ce60ee17e973f88fc730db18f2354b24a991cac09045cf697ffcf2

    016023a53be6ce6624efe73b85c47c87d1e11ba8593009e261361addc6b5229e

    048729edafbebec1b073db5db75450793fdd7e424dff0f851ad7500637b18bb3

    087ef762c54b247a6fe8c1780073c934a4109a19dea80daefeec3bc98ca184ba

    0b903e0f08dd1d929b6465e79971af4270fd7adb95e3271f442e4f6c2b6c01cf

    0e40ef742a696da27514cf05055133991293a0e7d451ccc6d96ec93c0e864518

    0e5e93e845310617138227cb8a453da259c23edcc9a8059fac49da8e947887a5

    158627899237148353fefd8771d26c622b873d6177960e2efe00355179fb4926

    1a4a30778ce717e13e02870993244eea6614a74a47bd0c5b01a8d839c670ef3c

    1b56d9fe2ff011d5fad562c8e8da9dcb15a8f417619e5f506772acb6d53b3814

    1b6494daf80b3f3afa22ffb43976d529383b9c3e0e2a337fa03234c784ce68a6

    1e955e41ac1707547188639c3e0d8dcf46c0a05880041076eafb967a5cb2e6ca

    1f48b7aaccb5c9c37c9a5322aecde23cec77a378e20db829c3ea8888c153bdc2

    1f89fcbb17f91bee3821e3ae7ad9b8c2f2427ecb7e11b2af366713111c5f4a9f

    21a7485afe868ce040664494eb3adbefd2f88eaed2fbf168feac2ec1eb2fa213

    28e949123a4493bc7276085d3387c5f8aa761087087b9488782543b41c47cf7f

    2bb191ac9f42eeb32f06ed94083221c5abb6b894f0bffe17355e125773a85f7f

    2d5faf0c2fce5f825fa278dea2aef683d928326d30e976aa8d85bd3d1a3bf947

    30408f887ac16f3a1b11b1ba075c5c6aa6a8fd34dc3059ecb611dcd80245b70a

    341507c416c481481ced2ca2b4739e58a23882bcf8d3a48b193e4983743db45f

    347b1f4517869f1574065c2867ed410a6a8c5bac063b8551133769890f16305e

    3bbbe0a4c6cf2f6a1a57c7b31adc6abff0bd39e9b4ead44ec93558f03e5aa9dc

    3bcdda17309cd36926504ad0300da1226ba126413c25aaabed729d889e293deb

    3c35ed8b6f46dec8e7386f380ea3f0530fb592e50f0a66486a5c1d1390441f2c

*See JSON for more IOCs

Coverage

| Product | Protection |
| --- | --- |
| Secure Endpoint | |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | N/A |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Secure Malware Analytics | |
| Umbrella | N/A |
| WSA | N/A |

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Cerber-9964300-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples

Mutexes

| Mutex | Occurrences |
| --- | --- |
| shell.{381828AA-8B28-3374-1B67-35680555C5EF} | 25 |

IP Addresses contacted by malware. Does not indicate maliciousness

| IP address | Occurrences |
| --- | --- |
| 31[.]184[.]234[.]0/23 | 25 |

Files and or directories created

| File or directory | Occurrences |
| --- | --- |
| %APPDATA%\Microsoft\Access\AccessCache.accdb | 1 |
| %APPDATA%\Microsoft\Access\# HELP DECRYPT #.html | 1 |
| %APPDATA%\Microsoft\Access\# HELP DECRYPT #.txt | 1 |
| %APPDATA%\Microsoft\Access\# HELP DECRYPT #.url | 1 |
| %HOMEPATH%\Documents\Outlook Files\# HELP DECRYPT #.html | 1 |
| %HOMEPATH%\Documents\Outlook Files\# HELP DECRYPT #.txt | 1 |
| %HOMEPATH%\Documents\Outlook Files\# HELP DECRYPT #.url | 1 |
| %HOMEPATH%\Documents\OneNote Notebooks\Notes\# HELP DECRYPT #.html | 1 |
| %HOMEPATH%\Documents\OneNote Notebooks\Notes\# HELP DECRYPT #.txt | 1 |
| %HOMEPATH%\Documents\OneNote Notebooks\Notes\# HELP DECRYPT #.url | 1 |
| %HOMEPATH%\Documents\# HELP DECRYPT #.html | 1 |
| %HOMEPATH%\Documents\# HELP DECRYPT #.txt | 1 |
| %HOMEPATH%\Documents\# HELP DECRYPT #.url | 1 |
| %HOMEPATH%\Documents\OneNote Notebooks\Personal\# HELP DECRYPT #.html | 1 |

File Hashes

    1d742c8577645242811867311339af6291f2ec45f74bc8065a1cf167a140a5fd

    241a8a73608aae3d0b55451290c7e3d46ff6b53d7cfad628ddc43892fb4ee89f

    32cafa5a0a63f137fda8532c81a4825895a71b4bd5192ef77ee46b4f5f6f55c9

    3f066735d5b3e9e1d145865b805dad9f17c7569e86a2fd0dadfd82fa3f2494b5

    46df3cbdc0c960cc03467797f2a8f4000de6f3860ddd87a93f0db4bc04bf3dc9

    5145e134c5c488fac15c3772747505246139842d64e995a20aa343e87d05805a

    529c0ad1eba89641544fe5eb534b717fdb0a21e36db94874cdc7720b3e58170d

    65fb6bf40643b54875192d5964ead478b867784c09708c9be583a06d820462e8

    6a380578e8f27a835c45af896c8292c173ccf10819eadb160d8fd1ec9301ae61

    6bd30bfa9ee3dcf045298887cb839ccf7ebd19950a4a1798bb15c9c2bcd89df6

    715e19ce015fb13ad5b0bd5aa520b7a9fdb52c15a58b78da79db3c74cdccee83

    74a423f877c5f0819116f6f93870658bac4ac7de6048e68d5f1cb98df9c77992

    7781696924168577eb1045874ac6a259617184cd2bdf429fd032efd63254016d

    7eecc13411c597f5e2fa68c77ae65943ae99c0eb6bb76e527a9711ffff73d505

    832487a8c89c32e86036b1c94353117ab0ca7a4276a9f4c08b29c96c447247fa

    89ec20a6130f663160015755f0c1b4f1698812e3f0e39d3e7094950c3644bca4

    8ab03a0c900cc88a57e9474d3ced6b4f43be422750f5afc8a08ff6cdb801930b

    936d99a0dc23922d4e5874f1548114fe8f2170016f29d9b91858796a1b2ab095

    96671b8ca3f8cf75427a23de8ddde2513efd4f1eba5afa2b18610c66548d0b55

    988a44db0411379ea08fece4af0577d3af7ed5114dcbd897a03ec46474fafa81

    a162009fa564f3c20b801568ab82dd34b53655473c6e379272e3dfd766fe2c02

    a3004d7f08a9357c5d0a9e063dafd5f4c627fce7b030a575b6959f0f5f7c9ff1

    b2f4ef1398ae23fabaa137be5f8f7f5412b1b8f74f902d23de5e0a87ef5a3867

    bcc77c2e25a5ceee5fd7023dd879baa53a16ce0f4b3187a90a5eb22cf46631af

    df5d03a2ca58bb71c44a8b23191c7d3e24327e806509dfcccad1cd63729dc445

*See JSON for more IOCs

Coverage

| Product | Protection |
| --- | --- |
| Secure Endpoint | |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | N/A |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Secure Malware Analytics | |
| Umbrella | N/A |
| WSA | N/A |

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Worm.Kuluoz-9964104-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples

Registry Keys

| Registry key | Value name | Occurrences |
| --- | --- | --- |
| <HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'> | | 26 |
| <HKCU>\SOFTWARE\TKQJXHIR | nnagtvkf | 2 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | iemwudbv | 2 |
| <HKCU>\SOFTWARE\PKBQSDOK | wfiqbttr | 2 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | deiobboq | 2 |
| <HKCU>\SOFTWARE\TEFAPJXX | hjlkqasv | 2 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | nmvftwdp | 2 |
| <HKCU>\SOFTWARE\ROHCSWFU | ivxesusr | 1 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | rskaarvw | 1 |
| <HKCU>\SOFTWARE\ONFHUPBQ | qrlpghvv | 1 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | dwxwetxw | 1 |
| <HKCU>\SOFTWARE\JUNLDJNI | paxvvuef | 1 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | buwqaweo | 1 |
| <HKCU>\SOFTWARE\QPANUOIR | mmvjkbpj | 1 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | lawgdaar | 1 |
| <HKCU>\SOFTWARE\IDIFICQU | uqiuudaf | 1 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | uaugufwr | 1 |
| <HKCU>\SOFTWARE\EPCSQSNO | sdkgxoqv | 1 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | nojriosh | 1 |
| <HKCU>\SOFTWARE\IIBPNATQ | qbmgekoa | 1 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | tabswxsd | 1 |
| <HKCU>\SOFTWARE\CHUFRWHS | nhmwllub | 1 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | kawalexr | 1 |
| <HKCU>\SOFTWARE\QDCTDCFM | ietjtgir | 1 |
| <HKCU>\SOFTWARE\JUOBFMWV | ucngtfoi | 1 |

Mutexes

| Mutex | Occurrences |
| --- | --- |
| 2GVWNQJz1 | 26 |

IP Addresses contacted by malware. Does not indicate maliciousness

| IP address | Occurrences |
| --- | --- |
| 91[.]196[.]126[.]16 | 21 |
| 88[.]198[.]25[.]17 | 20 |
| 173[.]203[.]113[.]44 | 19 |
| 178[.]33[.]162[.]8 | 18 |
| 176[.]31[.]106[.]226 | 18 |
| 74[.]50[.]60[.]116 | 18 |
| 198[.]24[.]142[.]66 | 17 |

Files and or directories created

| File or directory | Occurrences |
| --- | --- |
| %LOCALAPPDATA%\<random, matching '[a-z]{8}'>.exe | 26 |

File Hashes

    0828aee088e7c191c463dac5a2449474da1b106da5e12b6335f61d2dd3ae320e

    0ddf461f926f814d19696d3851f3673c10d69a15fa2d7cfac9552c3af9460c66

    12b274776143da76ceea8cfc1b8219535bca09dea1ea6059a48e74dd6a78e80d

    160999be2e3f124a106ced958bce6b6f94fbc3645895aa0129e4dedb443011d7

    21245351ac8d14c31552d46c0f8ceec6d576a1abae0ab3d5131e25e9e8fefe32

    23fec3f833e9a7ee790ea9cad1b205ade2036466282654b2e53f23516553b775

    24e1fb11b1c63caf42bc0a9d8df57cb1c84ccb11415f01c56de128d6ceb2ea4e

    2bf5a6f99c57bcaddd28a0a8dad595686b9a660843cd4037575d4abb82af8f69

    32a01832f4de0f17e438fed6be9f155d9fd30056133681c7474f0114a1731a9b

    35a4fe74474b4f7e7f9c777d063097e36a16f509bc3afb9579779c0504b73af4

    3a3fae86a4e14a7d50b6c5bc5d78dc12745fa53d240df641e1fc311449368c85

    3da619fa973717201422faf7329016a266b27b89f8a39416cac203f75f32259a

    405d7737a27f0798b16f85939c3eacfcbe9e5305b4c621dd20bcaffbe994d88f

    413f4fcae50cdad66f08e0e3ae083e60e18e54f890492fcd0241deb9dfe81b81

    44d0507ee9143aa548ae8a03171b27633f4226abbad172a0456194a2ef2eb507

    44d1449c19d3f79a3fe21e2ab9d333a1bea4156565a3106fc2203ccefa869a9b

    4979dce8592c0d16bdc6228b9741ef6c315e3bb1ff34de14271fb3499cd0f139

    4b7891ed58a08b45b576282afd74fe835845cd4be8c5aab467ad09136e87ec8e

    4bc8eb3d2e72a44384b3d824b33a971ace9eae20998dfe8bdd2ab9b9267b5b43

    4c6528d000e07485c69f1c32a95967a454fd20864a4ad2c062160d99987822ef

    50c108f9fc31557d55216dfe28b9eeac15fe5f1175a089ff196e1129d6ddf593

    5730f9ce8c84e6f1c153c247146ac1590fd989a73cdc9dce9d67594b33caf354

    5a45837812962153f5d480918eab77093394dd41c45c610ffd142461ab433668

    5e37715cc8a5d1b6c5bed437eea25da495285bb1386cf2aef2b5484fd6c30e69

    5ee4adead518246dc926545a0d28e1a488f04d530c49591cc788a8e2b360ad89

*See JSON for more IOCs

Coverage

| Product | Protection |
| --- | --- |
| Secure Endpoint | |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Secure Malware Analytics | |
| Umbrella | N/A |
| WSA | N/A |

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.HawkEye-9964231-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples

Registry Keys

| Registry key | Value name | Occurrences |
| --- | --- | --- |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | Audiodgi | 11 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM | DisableRegistryTools | 1 |
| <HKCU>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SYSTEM | DisableCMD | 1 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM | | 1 |
| <HKCU>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SYSTEM | | 1 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | wsntcffy | 1 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | nvidia | 1 |

Mutexes

| Mutex | Occurrences |
| --- | --- |
| <random, matching [a-zA-Z0-9]{5,9}> | 25 |
| Global\2ef47fa0-2008-11ed-9660-001517841a07 | 1 |
| Global\30820541-2008-11ed-9660-001517841a07 | 1 |

IP Addresses contacted by malware. Does not indicate maliciousness

| IP address | Occurrences |
| --- | --- |
| 178[.]62[.]9[.]171 | 8 |
| 185[.]53[.]177[.]51 | 8 |
| 172[.]253[.]62[.]108/31 | 5 |
| 178[.]217[.]187[.]144/31 | 3 |
| 217[.]69[.]139[.]160 | 2 |
| 123[.]126[.]97[.]113 | 2 |
| 103[.]224[.]182[.]246 | 1 |
| 178[.]217[.]186[.]170 | 1 |
| 178[.]217[.]187[.]103 | 1 |

Domain Names contacted by malware. Does not indicate maliciousness

| Domain | Occurrences |
| --- | --- |
| myip[.]ru | 8 |
| resolveme[.]org | 8 |
| www[.]myip[.]ru | 8 |
| smtp[.]gmail[.]com | 5 |
| smtp[.]mail[.]ru | 2 |
| smtp[.]163[.]com | 2 |
| bobbyjoeconfirmed[.]biz | 2 |
| pradaengaged[.]serveftp[.]com | 1 |
| xtradaniels[.]no-ip[.]biz | 1 |
| funtalk[.]info | 1 |
| moneymakingmachines[.]in | 1 |

Files and or directories created

| File or directory | Occurrences |
| --- | --- |
| %APPDATA%\_backups | 25 |
| %TEMP%\logff.txt | 16 |
| %TEMP%\logmail.txt | 16 |
| %APPDATA%\AudioSettings | 12 |
| %APPDATA%\AudioSettings\Audiodgi.exe | 9 |
| %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Audiodgi.exe | 8 |
| %APPDATA%\Audiodgi.exe | 2 |
| %TEMP%\mRef.vbs | 1 |
| %APPDATA%\21bc764836db3d1ea78f465895072d4b.exe | 1 |
| %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\wsntcffy.exe | 1 |
| %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\nvidia.exe | 1 |

File Hashes

    03766a0f7239053205ddf362d05c9714374468c47b7978c5f180d4346ad8dd75

    04d8e6413d217a3b8667284be0d3f1fc586a12ccb29f03f798b48e92c2ba2a6a

    051c2a84fd29361d952dc213ebaa39da5dadfa41927b9424e8960e79556ff91d

    08c9702801db0785656c59c1d180a3a026ece467bf674aeaf9329611ae442306

    13c0b67b1985e5e8292200b4c340090d5cc9ef1885a1f891b00f6f08a33c45da

    1506c249e7b6fc69f4c1ec396ccc692de2c8546685f6aed55e5bcf33849255ab

    1bea6b0a9773065b3ef5ed3ce7c3ad5a2b495406a539b4dccb3c1e32073961e4

    1cbf4d46e6d149b1f97de0013aea8bda5b2f4535a1b5fca4ca8739e88f95a4ba

    22f80ae2cad2fd2aa7a7cb0565721804cd24c72e2eeaeb2783ef70f81b99e843

    2a2b148519552d60b9c62b888f0d9ee578113f5ce58256d8471913dfb5a32578

    2eed91ed6b2132227ac6b4889bbe8d355af50741cf8cef18cbed1e4395c8c42d

    370ce2f768b84e42a2c56e597fe7a2d86799a7715e683e59fc4beb826a69ba6c

    3d6425c514e23ca7982ab26f5b2f1ca29abada5b15e19826611be2610be094bc

    4294385e9d05112594442aa9b7dcbc37a39a1324301c5e80e8d2549ba984b537

    46324728750feb25ce7ce3f933aed27cb0daf27731205b0e05dbbba4923faf36

    47122b45356ff2c4f0edfa9048cb93f11c277b05287ae178436083a255719d1f

    4be4967316c1b328c834cc67659c4d441a94d5625be466a0010138f90d7a0279

    4e382da874ae16b2ba6b98b3398db36bd3c6623d0708f4d10571dc15baac1c65

    52d93afc8cb34ee03f9fbf9c38a519573f78bf3e05ab428ae33efc84aa48b419

    5887043c8072209c8a0060620a6161446aae16c9b47f71ad6f26e77bdc448ecc

    5f3dd03b1c9156a7adf1926b4aacc9e799aa18b3e28eefe9be5e2f19229a0544

    606bc0f3eb81ef1f352adfad845122dac3d67294bc5218aead9c9d43ab771133

    654ad2f7e51da105511c1963e47206a7cbd45d50d9637f1411c0a31a4639e342

    67c0c1048e1a354c6bc71745f552d7c2e51311ae6983cddce72526c4e0da3022

    6942e3afa79edc13dcfd9a3d7142b960bf4b13618b1918dab731ba7dadb0eaa4

*See JSON for more IOCs

Coverage

| Product | Protection |
| --- | --- |
| Secure Endpoint | |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Secure Malware Analytics | |
| Umbrella | |
| WSA | |

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Formbook-9964246-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 18 samples

Registry Keys

| Registry key | Value name | Occurrences |
| --- | --- | --- |
| <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | LanguageList | 11 |
| <HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\INTELLIFORMS\STORAGE2 | | 1 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | Ejetkygbp | 1 |

Mutexes

| Mutex | Occurrences |
| --- | --- |
| 8-3503835SZBFHHZ | 1 |
| 862Q-UTS0E2J0FF1 | 1 |

IP Addresses contacted by malware. Does not indicate maliciousness

| IP address | Occurrences |
| --- | --- |
| 13[.]107[.]42[.]12/31 | 4 |
| 172[.]64[.]149[.]82 | 4 |
| 104[.]18[.]38[.]174 | 3 |
| 162[.]159[.]136[.]232 | 1 |
| 20[.]190[.]154[.]18 | 1 |
| 52[.]95[.]165[.]126 | 1 |

Domain Names contacted by malware. Does not indicate maliciousness

| Domain | Occurrences |
| --- | --- |
| onedrive[.]live[.]com | 11 |
| cacerts[.]digicert[.]com | 7 |
| login[.]live[.]com | 1 |
| discord[.]com | 1 |
| www[.]samtaxitours[.]com | 1 |
| dioefa[.]ph[.]files[.]1drv[.]com | 1 |
| patronkingoopsalmghandnaiojamexicoquadaras[.]s3[.]sa-east-1[.]amazonaws[.]com | 1 |
| vuladq[.]am[.]files[.]1drv[.]com | 1 |
| dimk5w[.]ph[.]files[.]1drv[.]com | 1 |
| njie9a[.]am[.]files[.]1drv[.]com | 1 |
| ibjoxq[.]dm[.]files[.]1drv[.]com | 1 |
| zlpuma[.]bn[.]files[.]1drv[.]com | 1 |
| rqy3zg[.]db[.]files[.]1drv[.]com | 1 |

Files and or directories created

| File or directory | Occurrences |
| --- | --- |
| %APPDATA%\862Q-UTS | 1 |
| %APPDATA%\862Q-UTS\862log.ini | 1 |
| %APPDATA%\862Q-UTS\862logrc.ini | 1 |
| %APPDATA%\862Q-UTS\862logri.ini | 1 |
| %PUBLIC%\Libraries\Ejetkygbp.exe | 1 |
| %PUBLIC%\Libraries\pbgyktejE.url | 1 |

File Hashes

    0f972ec1fd4fb660cc86ed459c5a793a134451d479154b00a2d4a1a360d44e42

    13e91b5a246dc5f98cc413508e78136fd38c9f2e9151c65a96f509b2d82ddf46

    13f7ce642c44202a089400e9b33db0ed02f824b5291ed4b5da3d080ecc40589f

    14ce5ef3e6e3d3354150ae58fd4e9938bcb747c5e4190bd5f793043355e009e4

    5a377c52fb8f4bbce7272f13d3f6ac8c36ce7a6f51561ed0a79cca6b8facf23e

    5fb5546859ff3e2a9d75d37a208f43449f254442f67a2da49b60cfd169abdc44

    6555c0d7b9acbff665b84aec9164dd1cf01740a10e735791f25c28a5da830740

    6c232920b9bb1f2c3bf71124f93f06f49fdf41c3bae35237f7b031bebba14cc5

    b4175a0744b29d7aecf1245dfb253e6417f839d2eeb2ef90b8ed222e1387aa1e

    c2062d2d3ac3815d7a050a1bfb261c98581e7398f8b0c7ca670d7ddb328611d2

    c6628dd39b388886cc7867d66b7a133f61b666421ad489bb0bddaf5c856ce841

    cac68bb4b0df3a7078d4c66d810a0d8f8863afd22722cd3dd0788af291dd1853

    cdcf2ed4c36ebd0856e7663921d67c31e51ad8a6cbb5c5cdd401d30812e25a62

    d332fa69a36ac7e14d35c336a609a04f74e8da6c51b6ad6286f23ad5f2837cd8

    dc31d2ad84fda1d9af2e623493e1e4f5dcfc8aa3abd55c6d58d1eae807cb56d8

    e62a70218462e892bcf89e851549e6a4f75131d52d57734bc642332141169aa9

    eda74534f0c37003022c0003d4b4c3262016d486d919298a323164eae4f0925a

    ee2ced66adeccfe45722c49efd8b99fd032d0426ff74cd10fc1e182521431404

Coverage

| Product | Protection |
| --- | --- |
| Secure Endpoint | |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Secure Malware Analytics | |
| Umbrella | N/A |
| WSA | N/A |

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Remcos-9964868-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 14 samples

Registry Keys

| Registry key | Value name | Occurrences |
| --- | --- | --- |
| <HKCU>\SOFTWARE\REMCOS_VOXCYIGINC | | 14 |
| <HKCU>\SOFTWARE\REMCOS_VOXCYIGINC | EXEpath | 14 |
| <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | LanguageList | 12 |
| <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @explorer.exe,-7001 | 12 |

Mutexes

| Mutex | Occurrences |
| --- | --- |
| Remcos_Mutex_Inj | 14 |
| remcos_voxcyiginc | 14 |

Domain Names contacted by malware. Does not indicate maliciousness

| Domain | Occurrences |
| --- | --- |
| urchamadi[.]ddns[.]net | 14 |

Files and or directories created

| File or directory | Occurrences |
| --- | --- |
| %APPDATA%\remcos | 14 |
| %APPDATA%\remcos\logs.dat | 14 |
| %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\windows.vbe | 14 |
| %APPDATA%\windows.exe | 14 |

File Hashes

    027f1a3e4c10fcf167c4df0451862b388e934e0ec1ee0f799f5113d830566415

    280e9283aa6b2a3f5237de7c01d2ae8abaa9ba4e54655e3f367e889407f259ec

    47dc41e8614cfa6f3e7fcd6d718321db4c9306146a176632aa124b345d530611

    56f3edac172934d7ceea861ecffc2a727241deb5e939d1b69c5220c7333bef8c

    616b57cac5aa00dfb8030f79094d170bad2b6a082bb963594cfc29397cce8b5d

    83ab1ddbc24e145b0e170e8af46f3fc5fd4f6e1f571abac0aed6992c5d136071

    af24dd23d021d1e43844af9cb31ba7f552377c7a7e49d536abbf2a6ecf1b54a2

    b203e1e8f2083c7edf540cb91c424915bed88565dcaac579ffba224d4d76c714

    b2516e86182da64f80fbf82cf84a6bcfcd37547cea16d1ff07a75c866fd4d36f

    d1e35f8e65cd1da6f33177604901c8d6b1a77cf7ee0735aa0b072f492e3f2194

    de62cfc82da844304fb94bef7151808d025b183c5df68c77dfad9a035dd41690

    e30895e1d44a156b336bfc8a685d5d2176341cb24620f51b5732f60ab64167f5

    f127a27a300ecd23bc6115577884521a30884d67251df39fcbdecb63aaba3523

    ff307f7c3f5c00ba357b696914a2772ddd656fa29c501eda006b7bbb91440607

Coverage

| Product | Protection |
| --- | --- |
| Secure Endpoint | |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | N/A |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Secure Malware Analytics | |
| Umbrella | N/A |
| WSA | N/A |

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.XtremeRAT-9964479-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 15 samples

Registry Keys

| Registry key | Value name | Occurrences |
| --- | --- | --- |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED | EnableBalloonTips | 15 |
| <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM | EnableLUA | 12 |
| <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER | UACDisableNotify | 12 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN | | 10 |
| <HKCU>\ENVIRONMENT | ProgramData | 8 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | explorer | 6 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE | explorer | 6 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN | explorer | 6 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM | DisableTaskMgr | 5 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM | DisableRegistryTools | 5 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM | | 5 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | services | 3 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE | services | 3 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN | services | 3 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | spoolsv | 2 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE | spoolsv | 2 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | atiedxx | 1 |
| <HKCU>\SOFTWARE\MICROSOFT\FEEFA | | 1 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE | atiedxx | 1 |
| <HKCU>\SOFTWARE\MICROSOFT\OPKYIF | | 1 |
| <HKCU>\SOFTWARE\MICROSOFT | zupi.exe | 1 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN | atiedxx | 1 |
| <HKCU>\SOFTWARE\MICROSOFT | uwhuevat.exe | 1 |
| <HKCU>\SOFTWARE\MICROSOFT\FEEFA | Yrivxya | 1 |
| <HKCU>\SOFTWARE\MICROSOFT\OPKYIF | Otmabyek | 1 |

Mutexes

| Mutex | Occurrences |
| --- | --- |
| 6nkxLO02qtXYL2vjf6Q3Ld1BXvM8Xk | 4 |
| Local\{E79956D8-8C6C-29D3-F3B6-46F6B67AA745} | 3 |
| Local\{E79956DA-8C6E-29D3-F3B6-46F6B67AA745} | 3 |
| Local\{E79956DB-8C6F-29D3-F3B6-46F6B67AA745} | 3 |
| GLOBAL\{<random GUID>} | 3 |
| qYLS3Rl0xK7U0fJaaFHI9gyEU4OQEO | 2 |
| JbdhwlrcWDpyZ78nPglBqnLY8exSoG | 2 |
| hbOblX81rgTLtJRBvLX2JB0nKVPZRh | 1 |
| BRMVTk3lQ1Jq0Oqd4zcgHKYq4NnaR9 | 1 |
| f5SUSZmQlEOC00yG9p1Ivna3rOzI0e | 1 |
| akRIZKudnSn2WvMCpN5alLvywbcRXT | 1 |

IP Addresses contacted by malware. Does not indicate maliciousness

| IP address | Occurrences |
| --- | --- |
| 23[.]202[.]81[.]150 | 12 |

Domain Names contacted by malware. Does not indicate maliciousness

| Domain | Occurrences |
| --- | --- |
| tulipbloom[.]in | 6 |
| iamthecause[.]top | 3 |
| www[.]tribosjovens[.]org[.]br | 1 |
| www[.]streetfighterx[.]top | 1 |
| www[.]cheapestconcerttickets[.]top | 1 |

Files and or directories created

| File or directory | Occurrences |
| --- | --- |
| %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe | 6 |
| %APPDATA%\com6.{00C6D95F-329C-409a-81D7-C46C66EA7F33}\Off.c | 6 |
| %APPDATA%\com6.{00C6D95F-329C-409a-81D7-C46C66EA7F33} | 6 |
| %APPDATA%\com6.{00C6D95F-329C-409a-81D7-C46C66EA7F33}\explorer.exe | 6 |
| %System32%\Tasks\explorer.exe | 6 |
| %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\services.exe | 3 |
| %System32%\Tasks\services.exe | 3 |
| %TEMP%\com6.{00C6D95F-329C-409a-81D7-C46C66EA7F33} | 3 |
| %TEMP%\com6.{00C6D95F-329C-409a-81D7-C46C66EA7F33}\services.exe | 3 |
| %TEMP%\com6.{00C6D95F-329C-409a-81D7-C46C66EA7F33}\Off.c | 3 |
| %ProgramData%\<random, matching '[a-z0-9]{3,7}'> | 3 |
| %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\spoolsv.exe | 2 |
| %TEMP%\com8.{15eae92e-f17a-4431-9f28-805e482dafd4} | 2 |
| %TEMP%\com8.{15eae92e-f17a-4431-9f28-805e482dafd4}\spoolsv.exe | 2 |
| %TEMP%\com8.{15eae92e-f17a-4431-9f28-805e482dafd4}\Off.c | 2 |
| %TEMP%\D0B38F0F.cmd | 1 |
| %TEMP%\DA9F635A.cmd | 1 |
| %TEMP%\AA95177A.cmd | 1 |
| %TEMP%\4DA5383F.cmd | 1 |
| %TEMP%\D925C77F.cmd | 1 |
| %TEMP%\F0470C51.cmd | 1 |
| %APPDATA%\com3.{025A5937-A6BE-4686-A844-36FE4BEC8B6D} | 1 |
| %APPDATA%\com3.{025A5937-A6BE-4686-A844-36FE4BEC8B6D}\atiedxx.exe | 1 |
| %TEMP%\97BB41A5.cmd | 1 |
| %TEMP%\5DBB78C4.cmd | 1 |

*See JSON for more IOCs

File Hashes

    048b8ea9aef3287bae09d9327536faea0b662d48e9cb0d477e88805a7797bcc7

    21cd479707dc5865122fa6f1cc638ab15953b09c43ee41abc8a197823a60b65b

    34e610d6e74bc3332d7a8a25f61f6a979be8deab8dc1f8f6fdf487dd4ddd3070

    5ea6b3668a008b77f6dff12788101e258e6c90d2b08de9e89d7d886834d98ad0

    63cae1e75e5d8e54c8dfccebe7552e5a9aa2592cf259357a516d0115ebcf655e

    75ee917f5022839d776082a470333a6c6c82069a7f443005f77cce1ff2ccaeb9

    7817f2ee4c83e004d9b9602d8f68adc04076f949e1bc868a3bb28c47d98a4933

    8159704f8517ba8d8a2f9ea6ec42f5fd4e18438c940806e48dcdd726b923ab66

    856869554541785eaadb13c38bfb22392c38254968fc9a41d8d0f1c2b4d420be

    8c99d803e23df187a0925aade258e7eeb1dea15607670a05f1fade726320cc05

    8e770cc47212a54fee1deb9a642c6afb52238c176cc00bdd2fd3d473e3b601fc

    a79939e710792b9d290f2ee2a9ae82529b4b78ba7a578341e52a7994aef5ef11

    b9298520c6b390e4fb488f7fc7d99d1651c28482b06e6c008512e29049714a20

    cc9d4f4daddee4e5e0c9839543c0c84360c8cc42758f894bc13bb814fbd572f1

    da303496b9ba5a139b724e5cd1d35da3d04b89ccd82b281de14e8febb68f4eb6

Coverage

| Product | Protection |
| --- | --- |
| Secure Endpoint | |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Secure Malware Analytics | |
| Umbrella | N/A |
| WSA | N/A |

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Packed.Shiz-9964480-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples

Registry Keys

| Registry key | Value name | Occurrences |
| --- | --- | --- |
| <HKLM>\SOFTWARE\MICROSOFT | 67497551a | 26 |
| <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON | 98b68e3c | 26 |
| <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON | userinit | 26 |
| <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON | System | 26 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS | load | 26 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS | run | 26 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | userinit | 26 |

Mutexes

| Mutex | Occurrences |
| --- | --- |
| Global\674972E3a | 26 |
| Global\MicrosoftSysenterGate7 | 26 |
| internal_wutex_0x000004b4 | 26 |
| internal_wutex_0x0000043c | 26 |
| internal_wutex_0x000004dc | 26 |
| internal_wutex_0x<random, matching [0-9a-f]{8}> | 26 |

IP Addresses contacted by malware. Does not indicate maliciousness

| IP address | Occurrences |
| --- | --- |
| 13[.]107[.]21[.]200 | 13 |
| 45[.]33[.]18[.]44 | 7 |
| 45[.]79[.]19[.]196 | 5 |
| 45[.]33[.]2[.]79 | 5 |
| 173[.]255[.]194[.]134 | 5 |
| 45[.]33[.]20[.]235 | 5 |
| 198[.]58[.]118[.]167 | 4 |
| 72[.]14[.]185[.]43 | 4 |
| 96[.]126[.]123[.]244 | 3 |
| 45[.]56[.]79[.]23 | 3 |
| 45[.]33[.]30[.]197 | 3 |
| 72[.]14[.]178[.]174 | 3 |
| 45[.]33[.]23[.]183 | 1 |
| 85[.]94[.]194[.]169 | 1 |

Domain Names contacted by malware. Does not indicate maliciousness

| Domain | Occurrences |
| --- | --- |
| gahoqohofib[.]eu | 26 |
| rytifaquwer[.]eu | 26 |
| kepujajynib[.]eu | 26 |
| lyrosajupid[.]eu | 26 |
| tuwaraqidek[.]eu | 26 |
| xuqeqejohiv[.]eu | 26 |
| pumebeqalew[.]eu | 26 |
| cinycekecid[.]eu | 26 |
| divulewybek[.]eu | 26 |
| cilakyfaloq[.]eu | 26 |
| vocijekyqiv[.]eu | 26 |
| foxofewuteq[.]eu | 26 |
| nozapekidis[.]eu | 26 |
| makymykakic[.]eu | 26 |
| galerywogej[.]eu | 26 |
| qeguxylevus[.]eu | 26 |
| rydohyluruc[.]eu | 26 |
| lysafurisam[.]eu | 26 |
| tupepulofup[.]eu | 26 |
| kefilyrymaj[.]eu | 26 |
| purumulazux[.]eu | 26 |
| xutyrurojah[.]eu | 26 |
| ciqivutevam[.]eu | 26 |
| dimoxuzynup[.]eu | 26 |
| citonocebyl[.]eu | 26 |

*See JSON for more IOCs

Files and or directories created

| File or directory | Occurrences |
| --- | --- |
| %TEMP%\<random, matching [A-F0-9]{1,4}>.tmp | 26 |

File Hashes

    0aa01d0e6ab4b0dab543cd0f7d226a1971c896c1b5668ef55d5d84fd8aac331f

    232b980cba11ed3757cd13e6e4ec20993f819d07254999411e7a308561f10ac9

    27eb369a639c17edfcc1eefc7f2d21d0680f62dd00a7bd2cf0a3d50030134dc9

    2ebf268325f6e2840fa65e481e61cee94d0dc889f3f032abdf7492dd7772be07

    31532a2178c74921a141b257175fd25aa587d611e480ae6399255000a875f86b

    3634d7d5b0e31a068dbb17eec6dd39b927dc2e6ca7a7d1f50fe122fd9a348578

    3ce214e14dc05772c4f6ed8bf5df0c2f6916c3cb78cad5ec7960e8a5aa3183dd

    3db521931dd32b2d76a0b694eba198d54db0642289c4c04797d81abba1e8cc1c

    44aaba781695fd9c5a859fe91a1b251f3700cfc65d20c70827108aade73a2d47

    491e939589d3df18f8c2601acd0ecb2e730744625208a9ef10e1153c8fbd999d

    4aef6f77172ffbe97608338d59b4e327f80ac6b1280234acfd1a35c519a8cc54

    5153f49e288d120950522e3cedade50d389452cb5344344672b1dbbe4fd6b2c3

    5950d60ccaf62ebbd4d8e6f67c8aae6ffa9d7c7f3950aa3aa6c97810f2e192b4

    5bdcf125d1dd26dc4eea102736976a474e7c95ca4486ca8e13cf404ed6b54661

    66703ea93baf17db72cce7c91b39df923574a9173768ebfda5f78580e1f1e05e

    6728f5c294584f01a2e8a8f320cce6df9a85656b582f29e7dcd1b226d51d0b46

    706de588bf28a2345331005686aeb0a65d92eea4195050f948577ce0623bc7b3

    8818d782007a434aaf773fa601467cb8ea9514ffbdba74a4b2cf8ad0ee096110

    914e601f65f04fb41f1ede09babc33d9d067fdf089a6f720eb7dcb5489da182c

    a3b5359d0320885dc46a8e01583304adcc8f8697bd72d4a9fa1e02b0d210e061

    b9d4f9b412b05af3a6f1b601041422117f3c4ccdfa02b140a1b06da1ba53193b

    bcf08953ce18c297e8b3714bd66563fde1d031b9eec8c26cc5a880f6b57eea5c

    bd984088a849d6b0593a970dec6a8792b82c8c04edecd4032cfd6a447d4f3c48

    c7297544b35ded090c59b73c53c1c6a3f50b0b30206f237c1f84114b01adcdfd

    ccaa68c04b2d4378b62753b540e5b25cb36e6334a48a10eb9975c2064fc393da

*See JSON for more IOCs

Coverage

| Product | Protection |
| --- | --- |
| Secure Endpoint | |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Secure Malware Analytics | |
| Umbrella | |
| WSA | |

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK
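The IOC listings above are laid out for reading rather than for tooling: network indicators are defanged with `[.]`, registry values hang off their key on a separate "Value Name:" line, and randomised artifacts are given as `<random, matching '...'>` placeholders. The Python below is an added example, not Talos code and not the accompanying JSON; it parses that layout into structured indicators, refangs the addresses and domains, compiles the placeholders into anchored regexes, and matches observed host artifacts against them. The sample listing inside the block is constructed from a few entries on this page (the Kuluoz, Cerber and Remcos sections), and the artifacts it is run against are likewise constructed. As the post itself stresses, a hit on a single indicator is a triage input, not a verdict: several of the domains listed here (`onedrive[.]live[.]com`, `smtp[.]gmail[.]com`, `cacerts[.]digicert[.]com`) are shared infrastructure that benign software contacts too.

```python
"""Parse this roundup's IOC listings into checkable indicators (added example).

Reads the page's own layout: a section heading, an "Occurrences" header, then
alternating indicator / count lines, with an optional "Value Name:" line under
a registry key.  Blank lines between entries, as on the page, are ignored.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: entries copied from this page's listings, in the page's layout.
SAMPLE = r"""
Registry Keys
Occurrences
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}’>
26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
        Value Name: iemwudbv
2
Mutexes
Occurrences
2GVWNQJz1
26
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
31[.]184[.]234[.]0/23
25
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
urchamadi[.]ddns[.]net
14
Files and or directories created
Occurrences
%LOCALAPPDATA%\<random, matching '[a-z]{8}'>.exe
26
"""

# Placeholder as printed on the page; the closing quote is sometimes typographic (’)
# and sometimes absent, so accept both.  "<random GUID>" has no pattern and stays literal.
PLACEHOLDER = re.compile(r"<random, matching ['’]?(.+?)['’]?>")


@dataclass
class Indicator:
    kind: str                         # section heading, e.g. "Mutexes"
    value: str                        # refanged indicator text
    occurrences: int                  # analysed samples that exhibited it
    value_name: Optional[str] = None  # registry value, when the page gives one

    def regex(self) -> re.Pattern:
        """Anchored regex: literal text escaped, placeholder patterns kept as-is.
        Mutex names are case-sensitive on Windows; keys, paths and domains are not."""
        parts, pos = [], 0
        for m in PLACEHOLDER.finditer(self.value):
            parts.append(re.escape(self.value[pos:m.start()]))
            parts.append(m.group(1))
            pos = m.end()
        parts.append(re.escape(self.value[pos:]))
        flags = 0 if self.kind == "Mutexes" else re.IGNORECASE
        return re.compile("^" + "".join(parts) + "$", flags)


def refang(text: str) -> str:
    return text.replace("[.]", ".")


def parse(listing: str) -> list[Indicator]:
    lines = [ln.strip() for ln in listing.splitlines() if ln.strip()]
    out, kind, i = [], "", 0
    while i < len(lines):
        if i + 1 < len(lines) and lines[i + 1] == "Occurrences":
            kind, i = lines[i], i + 2  # a new section heading
            continue
        value, value_name = refang(lines[i]), None
        if i + 1 < len(lines) and lines[i + 1].startswith("Value Name:"):
            value_name = lines[i + 1].split(":", 1)[1].strip()
            i += 1
        out.append(Indicator(kind, value, int(lines[i + 1]), value_name))
        i += 2
    return out


def matches(indicators: list[Indicator], observed: str) -> list[Indicator]:
    """Indicators matching one observed artifact (IP, mutex, key, path or domain).
    IP entries are compared as networks, so a /23 or /31 covers its whole range."""
    hits = []
    for ind in indicators:
        if ind.kind.startswith("IP Addresses"):
            try:
                hit = ipaddress.ip_address(observed) in ipaddress.ip_network(ind.value, strict=False)
            except ValueError:  # observed is not an IP address
                hit = False
        else:
            hit = ind.regex().match(observed) is not None
        if hit:
            hits.append(ind)
    return hits


if __name__ == "__main__":
    iocs = parse(SAMPLE)
    for artifact in (r"<HKCU>\SOFTWARE\TKQJXHIR", "31.184.235.7", r"%LOCALAPPDATA%\qwertyui.exe"):
        print(artifact, "->", [(i.kind, i.occurrences) for i in matches(iocs, artifact)])
```

Feeding it the full text of a section rather than the constructed sample works the same way; the occurrence count carried on each indicator is what lets you rank hits, since an artifact seen in 26 of 26 samples (the Kuluoz mutex, the Shiz `.eu` domains) is a far stronger signal than one seen once.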
