Security
Headlines
HeadlinesLatestCVEs

Headline

Threat Roundup for August 5 to August 12

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Aug. 5 and Aug. 12. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats. As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found herethat includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files. The most prevalent threats highlighted in this roundup are:

Threat Name    Type    Description

Win.Dropper.Tofsee-9960568-0 Dropper Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages to infect additional systems and increase the size of the botnet under the operator’s control. Win.Dropper.TrickBot-9960840-0 Dropper Trickbot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts. Win.Trojan.Zusy-9960880-0 Trojan Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as “explorer.exe” and “winver.exe.” When the user accesses a banking website, it displays a form to trick the user into submitting personal information. Win.Dropper.DarkComet-9961766-1 Dropper DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. This malware can download files from a user’s machine, mechanisms for persistence and hiding. It also has the ability to send back usernames and passwords from the infected system. Win.Ransomware.TeslaCrypt-9960924-0 Ransomware TeslaCrypt is a well-known ransomware family that encrypts a user’s files with strong encryption and demands Bitcoin in exchange for a file decryption service. A flaw in the encryption algorithm was discovered that allowed files to be decrypted without paying the ransomware, and eventually, the malware developers released the master key allowing all encrypted files to be recovered easily. Win.Virus.Xpiro-9960895-1 Virus Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. Win.Dropper.Emotet-9961142-0 Dropper Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. Win.Dropper.Remcos-9961392-0 Dropper Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, and capture screenshots. This malware is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails. Win.Dropper.Ramnit-9961396-0 Dropper Ramnit is a banking trojan that monitors web browser activity on an infected machine and collects login information from financial websites. It also has the ability to steal browser cookies and attempts to hide from popular antivirus software.

Threat Breakdown

Win.Dropper.Tofsee-9960568-0

Indicators of Compromise

IOCs collected from dynamic analysis of 10 samples

        Registry Keys            Occurrences        
                             
    <HKU>\.DEFAULT\CONTROL PANEL\BUSES                          
        Value Name: Config4                            3        
             
    <HKU>\.DEFAULT\CONTROL PANEL\BUSES                             3        
             
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E                          
        Value Name: LanguageList                            3        
             
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E                          
        Value Name: @%SystemRoot%\system32\dhcpqec.dll,-100                            3        
             
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E                          
        Value Name: @%SystemRoot%\system32\dhcpqec.dll,-101                            3        
             
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E                          
        Value Name: @%SystemRoot%\system32\dhcpqec.dll,-103                            3        
             
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E                          
        Value Name: @%SystemRoot%\system32\dhcpqec.dll,-102                            3        
             
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E                          
        Value Name: @%SystemRoot%\system32\napipsec.dll,-1                            3        
             
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E                          
        Value Name: @%SystemRoot%\system32\napipsec.dll,-2                            3        
             
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E                          
        Value Name: @%SystemRoot%\system32\napipsec.dll,-4                            3        
             
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E                          
        Value Name: @%SystemRoot%\system32\napipsec.dll,-3                            3        
             
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E                          
        Value Name: @%SystemRoot%\system32\tsgqec.dll,-100                            3        
             
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E                          
        Value Name: @%SystemRoot%\system32\tsgqec.dll,-101                            3        
             
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E                          
        Value Name: @%SystemRoot%\system32\tsgqec.dll,-102                            3        
             
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E                          
        Value Name: @%SystemRoot%\system32\tsgqec.dll,-103                            3        
             
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E                          
        Value Name: @%SystemRoot%\system32\eapqec.dll,-100                            3        
             
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E                          
        Value Name: @%SystemRoot%\system32\eapqec.dll,-101                            3        
             
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E                          
        Value Name: @%SystemRoot%\system32\eapqec.dll,-102                            3        
             
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E                          
        Value Name: @%SystemRoot%\system32\eapqec.dll,-103                            3        
             
    <HKU>\.DEFAULT\CONTROL PANEL\BUSES                          
        Value Name: Config0                            3        
             
    <HKU>\.DEFAULT\CONTROL PANEL\BUSES                          
        Value Name: Config1                            3        
             
    <HKU>\.DEFAULT\CONTROL PANEL\BUSES                          
        Value Name: Config2                            3        
             
    <HKU>\.DEFAULT\CONTROL PANEL\BUSES                          
        Value Name: Config3                            3        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\FNWISXTV                          
        Value Name: ErrorControl                            1        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\FNWISXTV                          
        Value Name: DisplayName                            1        
                     
                
            
        Mutexes            Occurrences        
                                 
        Global\27a1e0c1-13fc-11ed-9660-001517101edf            1            
                 
        Global\30977501-13fc-11ed-9660-001517215b93            1            
                     
                         
            
        IP Addresses contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        216[.]146[.]35[.]35            3            
                 
        31[.]13[.]65[.]174            3            
                 
        142[.]251[.]40[.]196            3            
                 
        96[.]103[.]145[.]165            3            
                 
        31[.]41[.]244[.]82            3            
                 
        31[.]41[.]244[.]85            3            
                 
        80[.]66[.]75[.]254            3            
                 
        80[.]66[.]75[.]4            3            
                 
        31[.]41[.]244[.]128            3            
                 
        31[.]41[.]244[.]126/31            3            
                 
        208[.]76[.]51[.]51            2            
                 
        74[.]208[.]5[.]20            2            
                 
        208[.]76[.]50[.]50            2            
                 
        202[.]137[.]234[.]30            2            
                 
        212[.]77[.]101[.]4            2            
                 
        193[.]222[.]135[.]150            2            
                 
        203[.]205[.]219[.]57            2            
                 
        47[.]43[.]18[.]9            2            
                 
        67[.]231[.]144[.]94            2            
                 
        188[.]125[.]72[.]74            2            
                 
        40[.]93[.]207[.]0/31            2            
                 
        205[.]220[.]176[.]72            2            
                 
        135[.]148[.]130[.]75            2            
                 
        121[.]53[.]85[.]11            2            
                 
        67[.]195[.]204[.]72/30            1            

*See JSON for more IOCs

        Domain Names contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        249[.]5[.]55[.]69[.]bl[.]spamcop[.]net            3            
                 
        249[.]5[.]55[.]69[.]cbl[.]abuseat[.]org            3            
                 
        249[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net            3            
                 
        249[.]5[.]55[.]69[.]in-addr[.]arpa            3            
                 
        249[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org            3            
                 
        249[.]5[.]55[.]69[.]zen[.]spamhaus[.]org            3            
                 
        microsoft-com[.]mail[.]protection[.]outlook[.]com            3            
                 
        microsoft[.]com            3            
                 
        www[.]google[.]com            3            
                 
        www[.]instagram[.]com            3            
                 
        comcast[.]net            3            
                 
        mx1a1[.]comcast[.]net            3            
                 
        jotunheim[.]name            3            
                 
        niflheimr[.]cn            3            
                 
        whois[.]arin[.]net            2            
                 
        whois[.]iana[.]org            2            
                 
        mx-eu[.]mail[.]am0[.]yahoodns[.]net            2            
                 
        aspmx[.]l[.]google[.]com            2            
                 
        mta5[.]am0[.]yahoodns[.]net            2            
                 
        icloud[.]com            2            
                 
        cox[.]net            2            
                 
        walla[.]com            2            
                 
        hanmail[.]net            2            
                 
        allstate[.]com            2            
                 
        wp[.]pl            2            

*See JSON for more IOCs

        Files and or directories created            Occurrences        
                                 
        %SystemRoot%\SysWOW64\config\systemprofile            3            
                 
        %SystemRoot%\SysWOW64\config\systemprofile:.repos            3            
                 
        %SystemRoot%\SysWOW64\fnwisxtv            1            
                 
        %SystemRoot%\SysWOW64\airdnsoq            1            
                 
        %SystemRoot%\SysWOW64\uclxhmik            1            
                 
        %TEMP%\dnyabinr.exe            1            
                 
        %TEMP%\lcxykqya.exe            1            
                 
        %TEMP%\qzguacfj.exe            1            

File Hashes

             098ad43e2067c5c814cebe1fc52bdc528289c6a2cc96daf4e8bac90d1c95a0b3              2240525bf4ee830766ec33e2e3c0dfcdf871748088fcf068770fd306940c5957              693cd93fbc6bfb587ad011477ae870805725c5403260621a290f61bb0d243f47              a6b68aa5d00739401b413ed936526ea5e767824fddb4e768e03fb05dc369a6fd              b9820bc7b09bfa88556efac463b7459d2f4a47f06cc953529a9782fdbefd4959              c2cb05d50c06d9ed65a7c53fb2f6b7977f2988f5fbbd928266bb8ea27723b243              d6df88c6f61812a4bb662abb8d90fb4ba7e17ae5b9351251d001b7945d7aae98              ec745df5a9e65776f76b97e9685ad86fbb130bb6a3146a7823bd94c7c6502f1d              f3e93f62b4f4699a3d20e85fa3c9e8b7eb9129a15ca66720d4f677cae0c5a469              f8a2e41ea8ca0e998bcd54d8256cb538b1e32cec4e80eb810e8df003427b886b              

Coverage

        Product            Protection        
                     
        Secure Endpoint                                                                                                                              
             
        Cloudlock                                                                     N/A                                                          
             
        CWS                                                                                                                              
             
        Email Security                                                                                                                              
             
        Network Security                                                                                                                              
             
        Stealthwatch                                                                     N/A                                                          
             
        Stealthwatch Cloud                                                                     N/A                                                          
             
        Secure Malware Analytics                                                                                                                              
             
        Umbrella                                                                                                                              
             
        WSA                                                                                                                              

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.TrickBot-9960840-0

Indicators of Compromise

IOCs collected from dynamic analysis of 36 samples

        Registry Keys            Occurrences        
                             
    <HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\USERDS                             36        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS                          
        Value Name: 4334c972                            36        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS                          
        Value Name: 2d17e659                            36        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: IntelPowerAgent3                            7        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: IntelPowerAgent5                            5        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: IntelPowerAgent9                            4        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: IntelPowerAgent6                            4        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: IntelPowerAgent7                            3        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: IntelPowerAgent2                            3        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: IntelPowerAgent1                            3        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: IntelPowerAgent8                            3        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: IntelPowerAgent0                            2        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: IntelPowerAgent4                            2        
                     
                
            
        Mutexes            Occurrences        
                                 
        98b59d0b000000cc            36            
                 
        98b59d0b00000120            36            
                 
        Global\{2d17e659d34601689591}            36            
                 
        98b59d0b00000174            36            
                 
        98b59d0b00000150            36            
                 
        98b59d0b00000158            36            
                 
        98b59d0b000001ac            35            
                 
        98b59d0b00000308            35            
                 
        98b59d0b0000043c            35            
                 
        98b59d0b000004b4            35            
                 
        98b59d0b000001bc            35            
                 
        98b59d0b000002ec            35            
                 
        98b59d0b000001f0            35            
                 
        98b59d0b000001c4            35            
                 
        98b59d0b0000021c            35            
                 
        98b59d0b0000025c            35            
                 
        98b59d0b00000294            35            
                 
        98b59d0b00000320            35            
                 
        98b59d0b000003d4            35            
                 
        98b59d0b000003f8            35            
                 
        98b59d0b000004dc            35            
                 
        98b59d0b0000060c            8            
                 
        98b59d0b000005cc            8            
                 
        98b59d0b000004f8            8            
                 
        98b59d0b00000614            7            

*See JSON for more IOCs

        IP Addresses contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        209[.]197[.]3[.]8            11            
                 
        72[.]21[.]81[.]240            7            
                 
        69[.]164[.]46[.]0            6            
                 
        8[.]253[.]154[.]236/31            3            
                 
        23[.]46[.]150[.]81            2            
                 
        23[.]46[.]150[.]58            2            
                 
        8[.]253[.]141[.]249            1            
                 
        8[.]253[.]38[.]248            1            
                 
        8[.]253[.]140[.]118            1            
                 
        23[.]46[.]150[.]43            1            
                 
        8[.]247[.]119[.]126            1            
                     
                          
            
        Domain Names contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        download[.]windowsupdate[.]com            36            
                 
        adtejoyo1377[.]tk            36            
                     
                          
            
        Files and or directories created            Occurrences        
                                 
        %ProgramData%\c7150968.exe            1            
                 
        %LOCALAPPDATA%\gusEBBF.tmp.bat            1            
                 
        %ProgramData%\ba886437.exe            1            
                 
        %HOMEPATH%\jfpDCC6.tmp.bat            1            
                 
        %ProgramData%\63b007ed.exe            1            
                 
        %HOMEPATH%\dtaE10F.tmp.bat            1            
                 
        %ProgramData%\545ba94b.exe            1            
                 
        %HOMEPATH%\hcv6907.tmp.bat            1            
                 
        %ProgramData%\7afae1e8.exe            1            
                 
        %HOMEPATH%\greA7E2.tmp.bat            1            
                 
        %ProgramData%\9421c9aa.exe            1            
                 
        %APPDATA%\vqpA923.tmp.bat            1            
                 
        %ProgramData%\f779fb59.exe            1            
                 
        %ProgramData%\xywA29.tmp.bat            1            
                 
        %ProgramData%\940d0a1e.exe            1            
                 
        %HOMEPATH%\jawD8CB.tmp.bat            1            
                 
        %ProgramData%\a37667ce.exe            1            
                 
        %HOMEPATH%\lkyB72F.tmp.bat            1            
                 
        %ProgramData%\edcfad58.exe            1            
                 
        %HOMEPATH%\pvf22C5.tmp.bat            1            
                 
        %ProgramData%\182b8517.exe            1            
                 
        %LOCALAPPDATA%\qsw15A4.tmp.bat            1            
                 
        %ProgramData%\a3a20124.exe            1            
                 
        %HOMEPATH%\xqh15A4.tmp.bat            1            
                 
        %ProgramData%\a116e074.exe            1            

*See JSON for more IOCs

File Hashes

             007a16c9f6908085a2d65e991ae691f41e7ceab17653200669b4286af82e8c12              017306c686a5a81630e746b9518106fd5e54b410b50a61f43cba7a3850b1fec8              024d73837dea32792852294b951dcb246c56442ebde4643cef6733f411f581b6              0284c0aff10ff3ca7e6078f3d8191fc9c4db42fbfb912a8cefabc937c1eca87d              02df9ec5bfb9e1bb613b5ee7d4a518bccc9f87580182f26d6e5d5a643036e3a1              03226228480f9e9d87a0370428d337023226314bd9447efccdbc03bb672ec81b              0337b9f06cda7d7a6e96ce2a29e0f004fb6df49d3b82d294a17a13604e754f86              03a89b1af244c7d20db8498d9284c20deea9462fb15db2f89b4c59a9be47c2f0              04432d06396fac85167c0a9dadf206dc50ea8527c29b943b77f192e45dbce22d              04679de514d8e3902341b314e324e6f75ba536d09da05e99958dc5b4a689de42              049f0322736b0abeec70630b9efbbd40d9a0916ce359a5a8168165d25a76e48f              04e819e635fc974afd4ee533b478841ba581ddcff254034fdbfea6522939ef5f              05b51b8179992a7e21259d9eacdaf8b1115e51056ec0104daddda5a0810f7126              0734ea55ac016a1e6b6ac40837883a684656eec9ce857351c9f99d3c965d6501              07e4ebd0b135dbfcf1e7d2b60386c9b52fa5d154d072a5689eb3a7a2b15112d6              08da477f7c363ddbc11224260717cf6f7f48e849cff403e25559529029b8fdf4              08e9ccb010aceac1ea0c0fbb41e58c8e2552b30de500bf43e298a645f5acedf7              097f9d7400b8a8c8bf5aa5339bf18359148a533f9136cd9b6279623e4db293d7              0bde820541632a300070601291eb1c478b9d09da2b405f740d6fe92b290a45de              0be2e49c02aa297d158bd5fe213a96584455fb4cea7c24dd100b9922df2a45c5              0bf64ebc68956ea9d73858f32530c20fab4243fb09320adfd500fb94842a9888              0c29c2763f311604136a06a99fa76ed09411572cd796021b60c66806e6c8e5a9              0c6b997f98a1e58caf5a16a90317d2cb1d2474ac5c5926f26fa2b14a9299638a              0d30d3c9cf63898bb2e970ec5a54dfe868fc5f519fd6b283bd00a2d22a01a653              0da6c492cc755852c07bf7511b774e2527dce42be420f602e9445f1bb760ad33              

*See JSON for more IOCs

Coverage

        Product            Protection        
                     
        Secure Endpoint                                                                                                                              
             
        Cloudlock                                                                     N/A                                                          
             
        CWS                                                                                                                              
             
        Email Security                                                                                                                              
             
        Network Security                                                                                                                              
             
        Stealthwatch                                                                     N/A                                                          
             
        Stealthwatch Cloud                                                                     N/A                                                          
             
        Secure Malware Analytics                                                                                                                              
             
        Umbrella                                                                     N/A                                                          
             
        WSA                                                                     N/A                                                          

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Trojan.Zusy-9960880-0

Indicators of Compromise

IOCs collected from dynamic analysis of 16 samples

        Registry Keys            Occurrences        
                             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH                             12        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH                          
        Value Name: MarkTime                            12        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH                          
        Value Name: Description                            2        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH                          
        Value Name: Type                            2        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH                          
        Value Name: Start                            2        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH                          
        Value Name: ErrorControl                            2        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH                          
        Value Name: ImagePath                            2        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH                          
        Value Name: DisplayName                            2        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH                          
        Value Name: WOW64                            2        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH                          
        Value Name: ObjectName                            2        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH                          
        Value Name: FailureActions                            2        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\PQRSTU                             2        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\PQRSTU                          
        Value Name: MarkTime                            2        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH                          
        Value Name: Group                            2        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH                          
        Value Name: InstallTime                            2        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF                          
        Value Name: Description                            1        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF                          
        Value Name: Type                            1        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF                          
        Value Name: Start                            1        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF                          
        Value Name: ErrorControl                            1        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF                          
        Value Name: DisplayName                            1        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF                          
        Value Name: WOW64                            1        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF                          
        Value Name: ObjectName                            1        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF                          
        Value Name: FailureActions                            1        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\PQRSTU                          
        Value Name: Description                            1        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\PQRSTU                          
        Value Name: Type                            1        
                     
                
            
        Mutexes            Occurrences        
                                 
        127.0.0.1:8000:Cdefgh            3            
                 
        112.74.89.58:44366:Cdefgh            3            
                 
        112.74.89.58:42150:Cdefgh            1            
                 
        47.100.137.128:8001:Pqrstu            1            
                 
        22.23.24.56:8001:Pqrstu            1            
                 
        hz122.f3322.org:8001:Cdefgh            1            
                 
        112.74.89.58:35807:Cdefgh            1            
                 
        112.74.89.58:46308:Cdefgh            1            
                 
        101.33.196.136:3389:Cdefgh            1            
                 
        127.0.0.1:8001:Cdefgh            1            
                 
        183.28.28.43:8001:Abcdef            1            
                     
                         
            
        IP Addresses contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        112[.]74[.]89[.]58            6            
                 
        22[.]23[.]24[.]56            1            
                 
        47[.]100[.]137[.]128            1            
                 
        101[.]33[.]196[.]136            1            
                 
        183[.]28[.]28[.]43            1            
                     
                          
            
        Domain Names contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        hz122[.]f3322[.]org            1            
                     
                          
            
        Files and or directories created            Occurrences        
                                 
        %SystemRoot%\svchost.exe            4            

File Hashes

             04fa031e5d2d86f8dbe0d3b95d67ea774448df4613e8acce79f0c9a30ef041bc              2444b744b5c06e9410ee5c3baa807569fde44c5092192428de935e03d25b1edb              466ca0805173034a7b12a5ffce104bbe5ed312e7441abdb98849ae4103150d04              5a755f07d3b90ac5a2041fd04fd764c40882dd20b50f91fddbc10b8c6341591d              5b53262a14fe1dcd42d670b0488d0de11aeb7cfa84e36acb4eec0c13b5fd2d73              5ca6b22c6e7de5f0b9437970f1f9360ad4f3a74f964eb319080e347c27c6dff9              6ea5fdaa95dbe09ccbc474ba4fc9fbe796e79c02d2b4f65f223feda5643f5400              86bd70bc7bb74d3d4991b0f1c7e15ddef1d09695b3940c5fb015f2d00ce5f558              b9b344bd7005b233cbb85395f61c309938fe70e2f8a8d0b2c24441ba074f9ca5              bea6c7b4117eb1f894d830c77ddf6d4424bccb6043d0f43c257522d253321c3e              c0a8a6e606e46a970cefe81f269ec6aec2a538830c2f7e03cf0eac55b135a59a              c968ae3cfbbd89673b49f6bfd474eea846bdb1e2e3a7c5376dbcda5290d445ed              dfc315d962da82d84b54683a849edf4e7b16bb136dbc2eb1198d35e528920103              ec6cb8ff27e33d7e69ce02885baa9c08fd5a03349a16a52590353a4ec364c464              f240b80b34fa480dc7236ddecb5c326e719a094e49df5a6f2070712650553066              fd0e616e5ebb9075c44bb6772cf8b2c46801fafdb0716636850dc2ec0fe06f8c              

Coverage

        Product            Protection        
                     
        Secure Endpoint                                                                                                                              
             
        Cloudlock                                                                     N/A                                                          
             
        CWS                                                                                                                              
             
        Email Security                                                                                                                              
             
        Network Security                                                                                                                              
             
        Stealthwatch                                                                     N/A                                                          
             
        Stealthwatch Cloud                                                                     N/A                                                          
             
        Secure Malware Analytics                                                                                                                              
             
        Umbrella                                                                     N/A                                                          
             
        WSA                                                                                                                              

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.DarkComet-9961766-1

Indicators of Compromise

IOCs collected from dynamic analysis of 33 samples

        Registry Keys            Occurrences        
                             
    <HKCU>\SOFTWARE\DC3_FEXEC                             29        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: Windows Debugger                            24        
             
    <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON                          
        Value Name: UserInit                            23        
             
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E                          
        Value Name: LanguageList                            19        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: MicroUpdate                            11        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: svchost.exe                            7        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM                          
        Value Name: EnableLUA                            5        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM                             5        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE                          
        Value Name: EnableFirewall                            4        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE                          
        Value Name: DisableNotifications                            4        
             
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER                          
        Value Name: AntiVirusDisableNotify                            4        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM                          
        Value Name: DisableTaskMgr                            3        
             
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER                          
        Value Name: UpdatesDisableNotify                            3        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC                          
        Value Name: Start                            3        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM                          
        Value Name: DisableRegistryTools                            3        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: rundll32                            3        
             
    <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION\EXPLORERN                          
        Value Name: NoControlPanel                            1        
             
    <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION                             1        
             
    <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION\EXPLORERN                             1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: Microsoft                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: Windows Updater                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: Update                            1        
                     
                
            
        Mutexes            Occurrences        
                                 
        DC_MUTEX-<random, matching [A-Z0-9]{7}>            22            
                 
        DCPERSFWBP            18            
                 
        DC_MUTEX-5DND8AT            7            
                     
                         
            
        IP Addresses contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        99[.]229[.]175[.]244            1            
                     
                          
            
        Domain Names contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        pervert[.]no-ip[.]info            7            
                 
        pervert2[.]no-ip[.]info            7            
                 
        delvega[.]no-ip[.]org            2            
                 
        wp-enhanced[.]no-ip[.]org            2            
                 
        funstuff712[.]zapto[.]org            2            
                 
        fflazhhf1[.]no-ip[.]org            1            
                 
        darkcometss[.]no-ip[.]org            1            
                 
        not4umac[.]no-ip[.]biz            1            
                 
        sanderkidah[.]no-ip[.]org            1            
                 
        bobolobob[.]no-ip[.]biz            1            
                 
        hg-ma[.]zapto5[.]org            1            
                 
        corrosivegas2010[.]zapto[.]org            1            
                 
        profi555[.]no-ip[.]org            1            
                 
        hg-ma[.]zapto[.]org            1            
                 
        jugoboy1[.]zapto[.]org            1            
                 
        hg-ma[.]zapto1[.]org            1            
                 
        hg-ma[.]zapto2[.]org            1            
                 
        hg-ma[.]zapto3[.]org            1            
                 
        hg-ma[.]zapto4[.]org            1            
                 
        jackreapez[.]zapto[.]org            1            
                 
        magicmq[.]no-ip[.]org            1            
                 
        kenrickm[.]no-ip[.]org            1            
                 
        mrganja[.]no-ip[.]org            1            
                 
        cherubi[.]no-ip[.]org            1            
                     
                          
            
        Files and or directories created            Occurrences        
                                 
        %APPDATA%\WinDbg            30            
                 
        %APPDATA%\WinDbg\windbg.exe            29            
                 
        %APPDATA%\dclogs            28            
                 
        \svchost.exe            7            
                 
        %TEMP%\uxcv9v            7            
                 
        %TEMP%\uxcv9v.vbs            7            
                 
        %HOMEPATH%\Documents\MSDCSC            6            
                 
        %HOMEPATH%\Documents\MSDCSC\msdcsc.exe            6            
                 
        %TEMP%\MSDCSC            5            
                 
        %TEMP%\MSDCSC\msdcsc.exe            5            
                 
        %SystemRoot%\SysWOW64\MSDCSC            3            
                 
        %SystemRoot%\SysWOW64\MSDCSC\msdcsc.exe            3            
                 
        %TEMP%\tMMjnM            1            
                 
        %TEMP%\xMWbLz.vbs            1            
                 
        %TEMP%\tMMjnM.vbs            1            
                 
        %APPDATA%\WinDbg\msdnaa.exe            1            
                 
        %TEMP%\Mi0z67            1            
                 
        %HOMEPATH%\Documents\Explorer\Iexplorer.exe            1            
                 
        %TEMP%\q7EVTk            1            
                 
        %TEMP%\mmsHyU            1            
                 
        %TEMP%\q7EVTk.vbs            1            
                 
        %TEMP%\mmsHyU.vbs            1            
                 
        %APPDATA%\WinUpd\WinUpdater.exe            1            
                 
        %TEMP%\alRnXV            1            
                 
        %TEMP%\alRnXV.vbs            1            

*See JSON for more IOCs

File Hashes

             0153ea1e28f729d6604f422075202e48a599969c04c30e4a3056e3a308148eb3              050332edd1c7356a6e8a86471699135d90ba402d1f7ac0a27da39ccdb94ba0e8              07525015abc52c0820727bbfe3a29f62e1e5e0ca8af36ca8716ae5ea12e71a75              09fce07fb07b90dc54f5e72dd08d8677f62e948e6a0450e63f25cc6e22f99ff5              0a5710ed174fbee931562112147c3bf6cf8609a5f1674d0c878a6888548cb0c9              0db09a5cc0ff770b4024f14bf6b56b03c4ec599fe0499fc3a8d5da2625d93954              0f67c4df374d4e01f9838a7dc6ab174c0d8f4b5f2485b670f24c7fcdf65f3269              10f39ff02541b02857c11ca18a1cc745e075224ad510af7ad18b21dcb0d3cfa0              12449565aed227128301078ece7695cd6fbd8fb735e8f8b4238e08a1b181a651              13d377317be765d9d333e6a6d41bb83cffb606547dc308fefe0dcea87133b172              157be56d2b1cee72ad290957752e089cd39f39c51807c6791b25b875113758ab              15c65c639231d17726fa4a2c0cef2a7975a52f5d71ba8d7e4e3e1f053c066528              16cc7eabf5a54d8b376b6de32e2591902044a558ded0a527fcc0143e1686c4af              16e972675f3d1bd26aff1accdde7925e4cd5ba6d5f2a33826d3d75606a1bc955              173cae8d47a5d796b06fdd18c951003342ad08d0aee4be2823332df003b5673a              17dbbd57df81e29f2d19aba93c1626efe92bff713ad8b8e65b449e843aff54e8              19370c555e8e7ed5133ca6efa7acc98fc360983cc04193cc195ea0c8a0bf2931              1984c2439c1acacb9ec7c6468db48017d8c2aa4e2da5829d572bb6f5050e80cd              1b7a03db77e43e04badd95d28554df1f9e3d97197605af709df0387d3bd0c1e8              1b9f9491a6d98e3de499641caa8ac736f2c6f76e4ac8960170d89fea7026c69e              1bd9838e181acb88813cdea1d228b445e06b921bff3cece199f9551522eff27d              1cd35eff6c0963356162d68f5434b19728f2805db71b5c616ff534d2c961d093              1d25e1479054eea2355385f60a9ce320af2e5ff5ff1333bfabc72518f7337056              1f3c3ebac21a63328b72317246fb5731720e1d311cdb7928543e1c13e87994d3              2066531192b69556304df9a65266a2d2e5978ae8cec323b6860eb230fd2faa79              

*See JSON for more IOCs

Coverage

        Product            Protection        
                     
        Secure Endpoint                                                                                                                              
             
        Cloudlock                                                                     N/A                                                          
             
        CWS                                                                                                                              
             
        Email Security                                                                                                                              
             
        Network Security                                                                     N/A                                                          
             
        Stealthwatch                                                                     N/A                                                          
             
        Stealthwatch Cloud                                                                     N/A                                                          
             
        Secure Malware Analytics                                                                                                                              
             
        Umbrella                                                                     N/A                                                          
             
        WSA                                                                     N/A                                                          

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Ransomware.TeslaCrypt-9960924-0

Indicators of Compromise

IOCs collected from dynamic analysis of 16 samples

        Registry Keys            Occurrences        
                             
    <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM                          
        Value Name: EnableLinkedConnections                            16        
             
    <HKU>\.DEFAULT\SOFTWARE\TRUEIMG                             16        
             
    <HKCU>\SOFTWARE\TRUEIMG                             16        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0                          
        Value Name: CheckSetting                            16        
             
    <HKCU>\SOFTWARE\TRUEIMG                          
        Value Name: ID                            16        
             
    <HKCU>\Software\<random, matching '[A-Z0-9]{14,16}'>                             16        
             
    <HKCU>\Software\<random, matching '[A-Z0-9]{14,16}'>                          
        Value Name: data                            16        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: _lfia                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: _hfnk                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: _kcgt                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: _ppqk                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: _kaol                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: _abtg                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: _rpua                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: _raet                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: _kwxa                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: _ojsf                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: _kiyk                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: _iykv                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: _hpdk                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: _htkc                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: _fshu                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: _fanp                            1        
                     
                
            
        Mutexes            Occurrences        
                                 
        __xfghx__            16            
                     
                         
            
        IP Addresses contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        74[.]220[.]199[.]6            16            
                 
        64[.]190[.]63[.]111            16            
                     
                          
            
        Domain Names contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        prodocument[.]co[.]uk            16            
                 
        marketathart[.]com            16            
                 
        joshsawyerdesign[.]com            16            
                 
        emmy2015[.]com            16            
                 
        nlhomegarden[.]com            16            
                 
        esbook[.]com            16            
                     
                          
            
        Files and or directories created            Occurrences        
                                 
        %ProgramFiles%\7-Zip\Lang\lv.txt            16            
                 
        %ProgramFiles%\7-Zip\Lang\mk.txt            16            
                 
        %ProgramFiles%\7-Zip\Lang\mn.txt            16            
                 
        %ProgramFiles%\7-Zip\Lang\mng.txt            16            
                 
        %ProgramFiles%\7-Zip\Lang\mng2.txt            16            
                 
        %ProgramFiles%\7-Zip\Lang\mr.txt            16            
                 
        %ProgramFiles%\7-Zip\Lang\ms.txt            16            
                 
        %ProgramFiles%\7-Zip\Lang\nb.txt            16            
                 
        %ProgramFiles%\7-Zip\Lang\ne.txt            16            
                 
        %ProgramFiles%\7-Zip\Lang\nl.txt            16            
                 
        %ProgramFiles%\7-Zip\Lang\nn.txt            16            
                 
        %ProgramFiles%\7-Zip\Lang\pa-in.txt            16            
                 
        %ProgramFiles%\7-Zip\Lang\pl.txt            16            
                 
        %ProgramFiles%\7-Zip\Lang\ps.txt            16            
                 
        %ProgramFiles%\7-Zip\Lang\pt-br.txt            16            
                 
        %ProgramFiles%\7-Zip\Lang\pt.txt            16            
                 
        %ProgramFiles%\7-Zip\Lang\ro.txt            16            
                 
        %ProgramFiles%\7-Zip\Lang\ru.txt            16            
                 
        %ProgramFiles%\7-Zip\Lang\sa.txt            16            
                 
        %ProgramFiles%\7-Zip\Lang\si.txt            16            
                 
        %ProgramFiles%\7-Zip\Lang\sk.txt            16            
                 
        %ProgramFiles%\7-Zip\Lang\sl.txt            16            
                 
        %ProgramFiles%\7-Zip\Lang\sq.txt            16            
                 
        %ProgramFiles%\7-Zip\Lang\sr-spc.txt            16            
                 
        %ProgramFiles%\7-Zip\Lang\sr-spl.txt            16            

*See JSON for more IOCs

File Hashes

             00e862ecba1e2a71769a67fc5c27499e00c5594f6b7ed4e4114c2fe1fb43492f              144c480ed69ac652c4eb4efa5b6038d7a68ed3bca67089997b4228e1c814f7c4              1b02123c913912f44a6ef1c3c4a5a008270d9d8e802e92b4baa259135f25dc21              22f322c8241b4860c066f5ae57115c58f373753e3d8c9bede4521e5a5ed85e65              35aeb94c99b948b122f3e4bd4298107ab15cb8bbdb11b533d32666dbb1455ae3              3ba05e043bf3148202f498dcddb6bd67680f76640aef2d08f9ae1272ff85e719              41cba3025ecc75863b7a836ee00fdf2bbc2df90dffb17541b5bb1c9fcb269bd1              9223631593b46b54450b76028a69ddd837d06cd7e9b3d8e3f7bd584a46af22bf              b2713458d2c3ebd4b558f8c2ce19a90bd97095ca868fd499755bf1c9cbd0c388              bdf2c5fcf72e7d7870e81ffacdd01206ed98d2446a85c28e7eaf73e26d7a6eda              be9fac828e64c19e0a3fbf3c4a752d5332b7c0b849556f5388645515a29538ee              c00039c0454935a5079dc801ce4420457eb9964cbed8372b5aff5c60a45fa26c              d540b31f009a4138b5d35735fa9976522f4d5ee9e6b8dbdbde479796ebc6d4c0              dba60ef1804b4d90d74a2988fe53f044d7619f469d0ba9660e5646a1a67439cd              f1ab2d7ace4656b5f3770186d088ac0644482fe43f38fe2bdb9217744d0f58c1              ff6f821dc0526f3615b1a3c37b2b14094f53d05cb0a6a753cb257cb0bcde6898              

Coverage

        Product            Protection        
                     
        Secure Endpoint                                                                                                                              
             
        Cloudlock                                                                     N/A                                                          
             
        CWS                                                                                                                              
             
        Email Security                                                                                                                              
             
        Network Security                                                                                                                              
             
        Stealthwatch                                                                     N/A                                                          
             
        Stealthwatch Cloud                                                                     N/A                                                          
             
        Secure Malware Analytics                                                                                                                              
             
        Umbrella                                                                                                                              
             
        WSA                                                                                                                              

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Virus.Xpiro-9960895-1

Indicators of Compromise

IOCs collected from dynamic analysis of 23 samples

        Registry Keys            Occurrences        
                             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32                          
        Value Name: Type                            23        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64                          
        Value Name: Type                            23        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32                          
        Value Name: Type                            23        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32                          
        Value Name: Start                            23        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\COMSYSAPP                          
        Value Name: Type                            23        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\COMSYSAPP                          
        Value Name: Start                            23        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\MOZILLAMAINTENANCE                          
        Value Name: Type                            23        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\MOZILLAMAINTENANCE                          
        Value Name: Start                            23        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\OSE                          
        Value Name: Type                            23        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\OSE                          
        Value Name: Start                            23        
             
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\SVC\S-1-5-21-2580483871-590521980-3826313501-500                             23        
             
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\SVC\S-1-5-21-2580483871-590521980-3826313501-500                          
        Value Name: EnableNotifications                            23        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32                          
        Value Name: Start                            23        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64                          
        Value Name: Start                            23        
             
    <HKLM>\SOFTWARE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\STATE                          
        Value Name: AccumulatedWaitIdleTime                            23        
             
    <HKLM>\SOFTWARE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\LISTENEDSTATE                          
        Value Name: RootstoreDirty                            23        
             
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\STATE                          
        Value Name: AccumulatedWaitIdleTime                            23        
             
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\LISTENEDSTATE                          
        Value Name: RootstoreDirty                            23        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC                          
        Value Name: Start                            22        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_64                          
        Value Name: Type                            22        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_64                          
        Value Name: Start                            22        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\IEETWCOLLECTORSERVICE                          
        Value Name: Type                            22        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\IEETWCOLLECTORSERVICE                          
        Value Name: Start                            22        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND                          
        Value Name: Start                            21        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}                             18        
                     
                
            
        Mutexes            Occurrences        
                                 
        kkq-vx_mtx63            23            
                 
        kkq-vx_mtx64            23            
                 
        kkq-vx_mtx65            23            
                 
        kkq-vx_mtx66            23            
                 
        kkq-vx_mtx67            23            
                 
        kkq-vx_mtx68            23            
                 
        kkq-vx_mtx69            23            
                 
        kkq-vx_mtx70            23            
                 
        kkq-vx_mtx71            23            
                 
        kkq-vx_mtx72            23            
                 
        kkq-vx_mtx73            23            
                 
        kkq-vx_mtx74            23            
                 
        kkq-vx_mtx75            23            
                 
        kkq-vx_mtx76            23            
                 
        kkq-vx_mtx77            23            
                 
        kkq-vx_mtx78            23            
                 
        kkq-vx_mtx79            23            
                 
        kkq-vx_mtx80            23            
                 
        kkq-vx_mtx81            23            
                 
        kkq-vx_mtx82            23            
                 
        kkq-vx_mtx83            23            
                 
        kkq-vx_mtx84            23            
                 
        kkq-vx_mtx85            23            
                 
        kkq-vx_mtx86            23            
                 
        kkq-vx_mtx87            23            

*See JSON for more IOCs

        IP Addresses contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        107[.]22[.]125[.]105            7            
                 
        3[.]217[.]206[.]46            4            
                     
                          
            
        Domain Names contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        ninite[.]com            21            
                 
        www[.]bing[.]com            1            
                     
                          
            
        Files and or directories created            Occurrences        
                                 
        %CommonProgramFiles%\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE            23            
                 
        %CommonProgramFiles(x86)%\microsoft shared\Source Engine\OSE.EXE            23            
                 
        %ProgramFiles(x86)%\Microsoft Office\Office14\GROOVE.EXE            23            
                 
        %ProgramFiles(x86)%\Mozilla Maintenance Service\maintenanceservice.exe            23            
                 
        %SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe            23            
                 
        %SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe            23            
                 
        %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe            23            
                 
        %SystemRoot%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe            23            
                 
        %System32%\FXSSVC.exe            23            
                 
        %System32%\alg.exe            23            
                 
        %System32%\dllhost.exe            23            
                 
        %SystemRoot%\ehome\ehsched.exe            23            
                 
        %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.log            23            
                 
        %SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log            23            
                 
        %SystemRoot%\SysWOW64\dllhost.exe            23            
                 
        %SystemRoot%\SysWOW64\svchost.exe            23            
                 
        %SystemRoot%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log            23            
                 
        %SystemRoot%\SysWOW64\dllhost.vir            23            
                 
        %SystemRoot%\SysWOW64\svchost.vir            23            
                 
        %SystemRoot%\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat            23            
                 
        %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock            23            
                 
        %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat            23            
                 
        %SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock            23            
                 
        %SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat            23            
                 
        %CommonProgramFiles(x86)%\microsoft shared\source engine\ose.vir            23            

*See JSON for more IOCs

File Hashes

             137ad3b55addd7191c8c974beef6b65bae791bc4de1e86b7e2965b311d40e2d0              1cfd0fd601a0f5234ce72672ec9c6c866dca03836198d93a320ed5df0bddd7f8              1e831b6d0cabaa8b44de36c1b96dd6e54e295502eb171be4f87723212fe574ca              1f935627d9866da115f1aad78be290f60a639bec1a94d6b8397326eeb46c111b              30ffb87628211e78074a3a891b8bd173db6f2d74dc97e735ff386361cf29aee1              3f948d4350c566416101441adb1c00121bd835db40cc08c73a556b764458673d              47934d4f40e9a5af0ee572a7e1e088d29d3bfd655d4aff26018a64118ad68a24              563c16cb752614726d350000fbf514a8b8d32a8074cd12c7545d6ff93f790ed9              591ae4985fd6993f580eae6f93f3e96f7c73c14dc3927e96223e8003f9ab3588              5cbd454095120231e23ca372fee8e9e76f34e3f5491f8ab10e8e5203e4c52570              6f0f5fda67646bc8def9c66497041528cd8ed7158a169c1b0787f59360c28ea8              7ec4a0246b5d33dfe811f4f34ab94a6b82d822196776afbe28a0f543ade8ad63              97d0aeeca4859c38984086ff1bef13c9bd11466131058fabda20dd1b21342f7a              a2839faa3c7ecbff8afa71ca5787690e0e3eaeb36b899bab1926b19ce32b8c6d              bcf2ae9a67fe974c02e95fbdd4edcce7df377a288c7586dae9d0b625aeedc93b              c51d235b290424ad6baf08d67ab600a260200846a3f4b218e916933594b40537              d3d7dd910bd5e79fdb39d51aa83afaccdfd10538d30dd69bc7219a146e897361              d445c1ac4afae6cb028a2508c655271e3d69e07d9e016887d89d790c80fc0409              e23566aabaa7743da973840338829cc25d6936e8fcb5fb8d9b78b0ccac46c1ea              e37b0661d4e4483048abcf0abba65060c78716672790e12bb0a768f04b18134b              e48a371f7f5f3ad1cda0d16312f30846b6a12494967c8fba8de7f65a5673b1ff              eb1ecc1ef099105b4882ccace3caf843ed1508b1463f8af6cc94adaa0181b721              ec1bc44db50911234444c575d91335113232ab5b1f6cad6acf5e52ff16ccd8fb              

Coverage

        Product            Protection        
                     
        Secure Endpoint                                                                                                                              
             
        Cloudlock                                                                     N/A                                                          
             
        CWS                                                                                                                              
             
        Email Security                                                                                                                              
             
        Network Security                                                                                                                              
             
        Stealthwatch                                                                     N/A                                                          
             
        Stealthwatch Cloud                                                                     N/A                                                          
             
        Secure Malware Analytics                                                                                                                              
             
        Umbrella                                                                     N/A                                                          
             
        WSA                                                                     N/A                                                          

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Emotet-9961142-0

Indicators of Compromise

IOCs collected from dynamic analysis of 218 samples

        Registry Keys            Occurrences        
                             
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E                          
        Value Name: LanguageList                            190        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>                          
        Value Name: Type                            64        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>                          
        Value Name: Start                            64        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>                          
        Value Name: ErrorControl                            64        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>                          
        Value Name: DisplayName                            64        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>                          
        Value Name: WOW64                            64        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>                          
        Value Name: ObjectName                            64        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>                             63        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>                          
        Value Name: ImagePath                            61        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>                          
        Value Name: Description                            60        
             
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E                          
        Value Name: @%systemroot%\system32\dot3svc.dll,-1103                            14        
             
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E                          
        Value Name: @oleres.dll,-5013                            10        
             
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E                          
        Value Name: @%systemroot%\system32\browser.dll,-101                            9        
             
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E                          
        Value Name: @%SystemRoot%\system32\AxInstSV.dll,-104                            9        
             
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E                          
        Value Name: @%systemroot%\system32\dps.dll,-501                            9        
             
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E                          
        Value Name: @%SystemRoot%\ehome\ehrecvr.exe,-102                            8        
             
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E                          
        Value Name: @appmgmts.dll,-3251                            8        
             
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E                          
        Value Name: @%SystemRoot%\system32\dhcpcore.dll,-101                            8        
             
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E                          
        Value Name: @%systemroot%\system32\appinfo.dll,-101                            8        
             
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E                          
        Value Name: @%SystemRoot%\System32\audiosrv.dll,-205                            7        
             
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E                          
        Value Name: @%systemroot%\system32\appidsvc.dll,-101                            7        
             
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E                          
        Value Name: @comres.dll,-948                            7        
             
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E                          
        Value Name: @%SystemRoot%\System32\dnsapi.dll,-102                            7        
             
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E                          
        Value Name: @%systemroot%\system32\cscsvc.dll,-201                            7        
             
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E                          
        Value Name: @%SystemRoot%\System32\bthserv.dll,-102                            7        
                     
                       
            
        IP Addresses contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        5[.]196[.]74[.]210            82            
                 
        74[.]208[.]45[.]104            82            
                 
        45[.]55[.]219[.]163            82            
                 
        45[.]55[.]36[.]51            82            
                 
        174[.]45[.]13[.]118            82            
                 
        180[.]92[.]239[.]110            82            
                 
        91[.]83[.]93[.]99            82            
                 
        217[.]199[.]160[.]224            78            
                 
        89[.]32[.]150[.]160            78            
                 
        68[.]183[.]190[.]199            78            
                 
        45[.]161[.]242[.]102            78            
                 
        209[.]236[.]123[.]42            78            
                 
        71[.]197[.]211[.]156            78            
                 
        91[.]121[.]54[.]71            78            
                 
        85[.]25[.]207[.]108            58            
                 
        88[.]249[.]181[.]198            58            
                 
        65[.]156[.]53[.]186            58            
                 
        68[.]183[.]233[.]80            58            
                 
        177[.]32[.]8[.]85            58            
                 
        81[.]17[.]93[.]134            58            
                 
        197[.]232[.]36[.]108            58            
                 
        23[.]46[.]150[.]72            30            
                 
        23[.]46[.]150[.]48            27            
                 
        23[.]221[.]72[.]27            13            
                 
        23[.]221[.]72[.]10            6            

*See JSON for more IOCs

        Domain Names contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        apps[.]identrust[.]com            82            
                     
                          
            
        Files and or directories created            Occurrences        
                                 
        %SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'>            35            
                 
        %SystemRoot%\SysWOW64\printui            2            
                 
        %SystemRoot%\SysWOW64\NlsLexicons0414            2            
                 
        %SystemRoot%\SysWOW64\utildll            2            
                 
        %SystemRoot%\SysWOW64\NlsData000a            2            
                 
        %SystemRoot%\SysWOW64\fthsvc            2            
                 
        %SystemRoot%\SysWOW64\shlwapi            2            
                 
        %SystemRoot%\SysWOW64\WcsPlugInService            2            
                 
        %SystemRoot%\SysWOW64\NlsLexicons0002            2            
                 
        %SystemRoot%\SysWOW64\d3d8thk            1            
                 
        %SystemRoot%\SysWOW64\instnm            1            
                 
        %SystemRoot%\SysWOW64\cttune            1            
                 
        %SystemRoot%\SysWOW64\tsbyuv            1            
                 
        %SystemRoot%\SysWOW64\KBDSW            1            
                 
        %SystemRoot%\SysWOW64\fc            1            
                 
        %SystemRoot%\SysWOW64\rshx32            1            
                 
        %SystemRoot%\SysWOW64\KBDHE220            1            
                 
        %SystemRoot%\SysWOW64\WMADMOE            1            
                 
        %SystemRoot%\SysWOW64\NlsData0002            1            
                 
        %SystemRoot%\SysWOW64\iprop            1            
                 
        %SystemRoot%\SysWOW64\rastls            1            
                 
        %SystemRoot%\SysWOW64\aecache            1            
                 
        %SystemRoot%\SysWOW64\SMBHelperClass            1            
                 
        %SystemRoot%\SysWOW64\KBDNO            1            
                 
        %SystemRoot%\SysWOW64\mfc100            1            

*See JSON for more IOCs

File Hashes

             0154a4e3faa4dafca324954364d049324d6fcc6b8a1c90cbae92cd41f8927c4e              01ea88880d59cd617d53bfd1849ad0c2023c9febc43b48579d06802c9b324d77              0222be0813e32c7a2c87a31482e33830a91b73a750aff3499da5caa100646607              0242673f6b5b086a61873f4773b8b7f119d025325f2724cb362b1151adccfc8b              02f7999d6693f08f5983effb8bee06145be3f7dc22ff1e5b745e8d0633fe19d6              038008283ccba00047b767169fd02554182310d7b32c6def8a3fc1c6a045daf1              0403b01de17d2130faa4eecf11111acf15bc672dfeb9394054e5aa05166b8289              044242411968ca1c92b3a645d7f470cf0cda1a220920da688558fde7f4108eb9              055014bbf3a21173e4e2d9fb22124d7d249bc8f8c748151197d6e985bdf06f67              05cf33a7202716161360fc0e6fd45091f9a290954ba26a64037745652fa4b487              066202dc95bd51220d42f603a030ef71527b8dc56e62200f0d175f09f3f89c27              06ee8bc6b3c35b3d3ea924f73db6da1df9061e69b487bad9718328f1d186f0c7              0780d91df0f27af4b00d51e531a1cf12d50bbb048a211e0b287820bd9313eab5              07c262357505c7bef31ebfe2bb6c13a3d386e38d262ba2bdbfb2e52c1bd066fd              080fc908405201cbf074d6343acf66ee3c4d57f231c399b87097f75b8ca7960f              08e6bfa50d4fe544c03474d1a23776762a47a0ceed44dbe5bbb6e09fce30b055              091b50c4a374f1fc1d15e81044c2b50f03fa7c3e8359eb09bb95dc25deeebd4d              098861c8b4411225b4fde8737ccb518052ef40c896ee4e42dfeecf322e56f07f              09c4a4a31a51590b27a82bcff450c29391d3dfde480df012f43020e858efb639              0b533cf67e6fd8298b62d3aaea82f07ad11c600fa8917f3b683a72da9ca2fa7e              0c33a1f3687e65daa8825856f309cc40ef97d0892ef7742a77355124e296b815              0ccab31b5610aac24a242c812f474ff24b8e345aa78fd4b7d0a92b690938f908              0cd25d45a5e31de0fc1b75ba65c5b43d934b60b7d07638aaa1ce0d83afd984ec              0d3fee19509a873e96a1b2559d9193cf046f7f35f49d16b180438d9df7da027f              0ea6a45d2ad1115ce7141f15693139b8bd9e5ffebb5a1321ab8c48e62d65fab9              

*See JSON for more IOCs

Coverage

        Product            Protection        
                     
        Secure Endpoint                                                                                                                              
             
        Cloudlock                                                                     N/A                                                          
             
        CWS                                                                                                                              
             
        Email Security                                                                                                                              
             
        Network Security                                                                                                                              
             
        Stealthwatch                                                                     N/A                                                          
             
        Stealthwatch Cloud                                                                     N/A                                                          
             
        Secure Malware Analytics                                                                                                                              
             
        Umbrella                                                                     N/A                                                          
             
        WSA                                                                                                                              

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Remcos-9961392-0

Indicators of Compromise

IOCs collected from dynamic analysis of 14 samples

        Registry Keys            Occurrences        
                             
    <HKCU>\SOFTWARE\POULUS                             14        
             
    <HKCU>\SOFTWARE\POULUS\MICROMINIATURISER                             14        
             
    <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\BRUGERNAVNETS                             14        
             
    <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\BRUGERNAVNETS\TIVOLIET                             14        
             
    <HKCU>\SOFTWARE\POULUS\MICROMINIATURISER                          
        Value Name: Komplettes                            14        
             
    <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\BRUGERNAVNETS\TIVOLIET                          
        Value Name: Fins                            14        
             
    <HKCU>\SOFTWARE\!27MZCJW9@REXF-NJL3J3                             7        
             
    <HKCU>\SOFTWARE\!27MZCJW9@REXF-NJL3J3                          
        Value Name: licence                            7        
             
    <HKCU>\SOFTWARE\!27MZCJW9@REXF-NJL3J3                          
        Value Name: exepath                            7        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE                          
        Value Name: ornamenterne                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE                          
        Value Name: Hyldetrs                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE                          
        Value Name: lnglidninger                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE                          
        Value Name: Vampirebat                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE                          
        Value Name: Dereferencing                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE                          
        Value Name: Sarkastisk                            1        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE                          
        Value Name: Martyrologistic                            1        
                     
                
            
        Mutexes            Occurrences        
                                 
        Remcos_Mutex_Inj            7            
                 
        !27Mzcjw9@Rexf-NJL3J3            7            
                 
        Global\916138a1-15e4-11ed-9660-00151792685a            1            
                     
                         
            
        IP Addresses contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        5[.]2[.]75[.]164            7            
                 
        181[.]235[.]13[.]200            4            
                 
        186[.]169[.]54[.]97            3            
                     
                          
            
        Domain Names contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        colpatvalidacionnuevo[.]xyz            7            
                     
                          
            
        Files and or directories created            Occurrences        
                                 
        %HOMEPATH%\Desktop\Markedness.ini            14            
                 
        %TEMP%\ns<random, matching '[a-z][A-F0-9]{1,4}'>.tmp            14            
                 
        %TEMP%\ns<random, matching '[a-z][A-F0-9]{4}'>.tmp\System.dll            14            
                 
        %TEMP%\logsflat458            7            
                 
        %TEMP%\logsflat458\sasgs527.dat            7            
                 
        \TEMP\en-US\22d69844486d029467b528c89bf763a6.exe.mui            1            
                 
        \TEMP\en-US\ef6731323cff411f303c2bd29b9f15c8.exe.mui            1            
                 
        \TEMP\en-US\b2a7538d257a51b1a506b646c248fcbe.exe.mui            1            
                 
        \TEMP\en-US\570979659276a2a985f97f7965f97f76.exe.mui            1            
                 
        \TEMP\en-US\f231d436f8d62de3082ea791da78ed50.exe.mui            1            
                 
        \TEMP\en\f231d436f8d62de3082ea791da78ed50.exe.mui            1            
                 
        \TEMP\en\ef6731323cff411f303c2bd29b9f15c8.exe.mui            1            
                 
        %TEMP%\Selenitic            1            
                 
        %TEMP%\Dextroamphetamine            1            
                 
        %TEMP%\Selenitic\Uncooping.exe            1            
                 
        %TEMP%\Dextroamphetamine\Lobcokt.exe            1            
                 
        \TEMP\en\22d69844486d029467b528c89bf763a6.exe.mui            1            
                 
        %TEMP%\Tiki124            1            
                 
        %TEMP%\Tiki124\Unexpecting.exe            1            
                 
        \TEMP\en\b2a7538d257a51b1a506b646c248fcbe.exe.mui            1            
                 
        \TEMP\en\570979659276a2a985f97f7965f97f76.exe.mui            1            
                 
        %TEMP%\Sekundrkommunens            1            
                 
        %TEMP%\Giganter27            1            
                 
        %TEMP%\Sekundrkommunens\Unpracticability174.exe            1            
                 
        %TEMP%\Giganter27\Spandauerne.exe            1            

*See JSON for more IOCs

File Hashes

             125b94822affbd4b1b67333905a91231c62e427334475ada0daa44d007e884c1              332cb82247db85cd4c772200938a7623c4161a15d680157cdc688b53aae2303a              3efb2166b220fd7d7e5df42739d998f6ed4c70fefdcb03b6a9b1810d6dcfcd77              42d77fbb29467078ade8ecba705a648d3d4aeacd5f6735a6d92d17cb55ff7049              6761e346725d0cfa3436b459176ff467f7b4a426af0559845032c912420747cd              72d9be63e832a89a04ffcfb48c30199d3461fe982bde962f57c7cf71e0f5f06a              8c420a6337376e20c987679a34e3d09194e504c444fbf50619328f5c0dda9217              942dcafe7a16cfdd1769048c73590ec2c29e9c76a9f6c46e6b6e88ac2220b0ef              9ead44844a24092afb456478686839852e04cd1ad8e081185ae432f1171baa1b              a3ec71d27779875c7262d608c3c5e591fa7c12f0893e006bb6f7d2ad1d710142              a742e0a1f7939fdaf5eb615bac3da040781bd19e84e3f647186314ecb6e0fa5e              ce2ff79b4178d9b7f142001bc227753dd395fcd1a28a385bfa379e0857181467              d52c22336b2e2efaeab6b8eb2be8726a36eaea553905b01102d9716d4c6184af              e2deccb5d8cc1ec270d95501aaa7e53951bd7f89c2c0bcd50420bf94b7057675              

Coverage

        Product            Protection        
                     
        Secure Endpoint                                                                                                                              
             
        Cloudlock                                                                     N/A                                                          
             
        CWS                                                                                                                              
             
        Email Security                                                                                                                              
             
        Network Security                                                                                                                              
             
        Stealthwatch                                                                     N/A                                                          
             
        Stealthwatch Cloud                                                                     N/A                                                          
             
        Secure Malware Analytics                                                                                                                              
             
        Umbrella                                                                                                                              
             
        WSA                                                                                                                              

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Ramnit-9961396-0

Indicators of Compromise

IOCs collected from dynamic analysis of 26 samples

        Registry Keys            Occurrences        
                             
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER                          
        Value Name: AntiVirusOverride                            26        
             
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER                          
        Value Name: AntiVirusDisableNotify                            26        
             
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER                          
        Value Name: FirewallDisableNotify                            26        
             
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER                          
        Value Name: FirewallOverride                            26        
             
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER                          
        Value Name: UpdatesDisableNotify                            26        
             
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER                          
        Value Name: UacDisableNotify                            26        
             
    <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM                          
        Value Name: EnableLUA                            26        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE                          
        Value Name: EnableFirewall                            26        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE                          
        Value Name: DoNotAllowExceptions                            26        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE                          
        Value Name: DisableNotifications                            26        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC                          
        Value Name: Start                            26        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND                          
        Value Name: Start                            26        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC                          
        Value Name: Start                            26        
             
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION                          
        Value Name: jfghdug_ooetvtgk                            26        
             
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: JudCsgdy                            26        
             
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV                          
        Value Name: Start                            26        
             
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN                          
        Value Name: Windows Defender                            26        
             
    <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON                          
        Value Name: Userinit                            26        
             
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON                          
        Value Name: Userinit                            26        
                     
                
            
        Mutexes            Occurrences        
                                 
        qazwsxedc            26            
                 
        {7930D12C-1D38-EB63-89CF-4C8161B79ED4}            26            
                     
                         
            
        IP Addresses contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        72[.]26[.]218[.]70            25            
                 
        195[.]201[.]179[.]207            25            
                 
        208[.]100[.]26[.]245            25            
                 
        46[.]165[.]220[.]155            25            
                 
        35[.]205[.]61[.]67            25            
                 
        142[.]250[.]80[.]14            25            
                 
        63[.]251[.]235[.]76            25            
                 
        64[.]225[.]91[.]73            25            
                     
                          
            
        Domain Names contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        google[.]com            25            
                 
        gjvoemsjvb[.]com            25            
                 
        ahpygyxe[.]com            25            
                 
        msoalrhvphqrnjv[.]com            25            
                 
        rdslmvlipid[.]com            25            
                 
        jpcqdmfvn[.]com            25            
                 
        rrmlyaviljwuoph[.]com            25            
                 
        maajnyhst[.]com            25            
                 
        enbbojmjpss[.]com            25            
                 
        oqmfrxak[.]com            25            
                 
        tdccjwtetv[.]com            25            
                 
        tpxobasr[.]com            25            
                 
        xpdsuvpcvrcrnwbxqfx[.]com            25            
                 
        fbrlgikmlriqlvel[.]com            25            
                 
        boeyrhmrd[.]com            25            
                 
        ugcukkcpplmouoah[.]com            25            
                 
        gugendolik[.]com            25            
                     
                          
            
        Files and or directories created            Occurrences        
                                 
        %LOCALAPPDATA%\bolpidti            26            
                 
        %LOCALAPPDATA%\bolpidti\judcsgdy.exe            26            
                 
        %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\judcsgdy.exe            26            

File Hashes

             081742e8ed56a1a933e0507ccd536aaaf7242ac76d47a1a49626ee71c6756b53              0e372167303e500219b580a1a0367d2b69ab693e56934584e05cd963736bd463              10cef31349a4842546edbc5244d0d3aaed1e3c058008800c889abf5dc43ec343              127ee9c2897fb600dec742861451fdcf48820c200e15df7479542ed4232c0584              155b0301ce2f88c396fb7aa77cbc82c51a01660e6a74b63f7ba8dc8f023ea7e8              1e1773938b5bdd08be479ca9186a30d3fad83ea67ae905f391508ac543c2a38f              263351025d462b47660ea4bacd71ae1fd694de45a3d9bd5b14e58be1c4362d00              2e2ac92783031efdde48674b0ed3362c81fac9b25756ee39af1629f39309ccc2              340833674362d0c01995cc8657a95a628fddeb853272b6d89dfcf98bbe106cbe              39b9cfa59e688e1d56e6499b80637f321f777d022dff4a9eaf691ba9a1e9cc86              3cc065b26f54c993606649d1679bca81068c10e3727fdf9ee811fa6a17c1ebad              41b21c4398fa089007a9a34aac8a3f5d14b61814ff036b555cc6b09c8efd81aa              4b183d215f86d026ef2bac0cf5dd4b28146612d52206e358169b0f1d3209c76d              4ed2cf991c4ed810cdbb5d567d33e1f1d94218ae43c506d6b33d2acc35009598              57fa2ea50d27a8cc8feec2867a680ae6e9a0d1a47d117733a73db86da3bf8416              5de59e2cc183ce5f34b2ca66fbd1edce54b3a6208ae7621c49cbd78835bdcbf5              699e006e4a6871ca898aacf55f84c36ea43d8b9e421b71dd20a0fe5a06378d66              6a216904abbf52246819029936c7e8705f50c61ba0ee6a62d8a14881cfca0a33              77aeccd3d538a6effc3623344a331d5190c747489a5cc511d4e7d973e879ff8a              77c966ca4088e8b918b4e40ed539a510fad2a2631ff17d1a1b01a1670e6fa400              79622d5b5ef3c93d32bcaaba64cfbbe4a88ec7f56d1f7f2160b9219321058f29              8c878b6608dba85c650ffda157cc14d885f14559e8c6b38a5ae0be85d5a73001              8d5f17bf76258cf83d0678cef645b0fa2f0b6df56858fb0ec4cab8894b59b316              a1574bfff6cebf0757ab5a7fc7634b7956fed8943e088b87820ff13be65789c4              af0aa7289a5770da3a158d0f0fbea1c5073b6ca4f6fe5a7bebdde44a55ca2c2e              

*See JSON for more IOCs

Coverage

        Product            Protection        
                     
        Secure Endpoint                                                                                                                              
             
        Cloudlock                                                                     N/A                                                          
             
        CWS                                                                                                                              
             
        Email Security                                                                                                                              
             
        Network Security                                                                                                                              
             
        Stealthwatch                                                                     N/A                                                          
             
        Stealthwatch Cloud                                                                     N/A                                                          
             
        Secure Malware Analytics                                                                                                                              
             
        Umbrella                                                                                                                              
             
        WSA                                                                                                                              

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

TALOS
#xss#vulnerability#web#ios#mac#windows#google#microsoft#js#git#intel#botnet#sap#ssl

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Aug. 5 and Aug. 12. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name

Type

Description

Win.Dropper.Tofsee-9960568-0

Dropper

Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages to infect additional systems and increase the size of the botnet under the operator’s control.

Win.Dropper.TrickBot-9960840-0

Dropper

Trickbot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts.

Win.Trojan.Zusy-9960880-0

Trojan

Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as “explorer.exe” and “winver.exe.” When the user accesses a banking website, it displays a form to trick the user into submitting personal information.

Win.Dropper.DarkComet-9961766-1

Dropper

DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. This malware can download files from a user’s machine, mechanisms for persistence and hiding. It also has the ability to send back usernames and passwords from the infected system.

Win.Ransomware.TeslaCrypt-9960924-0

Ransomware

TeslaCrypt is a well-known ransomware family that encrypts a user’s files with strong encryption and demands Bitcoin in exchange for a file decryption service. A flaw in the encryption algorithm was discovered that allowed files to be decrypted without paying the ransomware, and eventually, the malware developers released the master key allowing all encrypted files to be recovered easily.

Win.Virus.Xpiro-9960895-1

Virus

Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.

Win.Dropper.Emotet-9961142-0

Dropper

Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.

Win.Dropper.Remcos-9961392-0

Dropper

Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, and capture screenshots. This malware is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.

Win.Dropper.Ramnit-9961396-0

Dropper

Ramnit is a banking trojan that monitors web browser activity on an infected machine and collects login information from financial websites. It also has the ability to steal browser cookies and attempts to hide from popular antivirus software.

Threat Breakdown****Win.Dropper.Tofsee-9960568-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 10 samples

Registry Keys

Occurrences

<HKU>.DEFAULT\CONTROL PANEL\BUSES

        Value Name: Config4

3

<HKU>.DEFAULT\CONTROL PANEL\BUSES

3

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: LanguageList

3

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @%SystemRoot%\system32\dhcpqec.dll,-100

3

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @%SystemRoot%\system32\dhcpqec.dll,-101

3

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @%SystemRoot%\system32\dhcpqec.dll,-103

3

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @%SystemRoot%\system32\dhcpqec.dll,-102

3

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @%SystemRoot%\system32\napipsec.dll,-1

3

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @%SystemRoot%\system32\napipsec.dll,-2

3

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @%SystemRoot%\system32\napipsec.dll,-4

3

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @%SystemRoot%\system32\napipsec.dll,-3

3

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @%SystemRoot%\system32\tsgqec.dll,-100

3

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @%SystemRoot%\system32\tsgqec.dll,-101

3

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @%SystemRoot%\system32\tsgqec.dll,-102

3

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @%SystemRoot%\system32\tsgqec.dll,-103

3

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @%SystemRoot%\system32\eapqec.dll,-100

3

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @%SystemRoot%\system32\eapqec.dll,-101

3

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @%SystemRoot%\system32\eapqec.dll,-102

3

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @%SystemRoot%\system32\eapqec.dll,-103

3

<HKU>.DEFAULT\CONTROL PANEL\BUSES

        Value Name: Config0

3

<HKU>.DEFAULT\CONTROL PANEL\BUSES

        Value Name: Config1

3

<HKU>.DEFAULT\CONTROL PANEL\BUSES

        Value Name: Config2

3

<HKU>.DEFAULT\CONTROL PANEL\BUSES

        Value Name: Config3

3

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FNWISXTV

        Value Name: ErrorControl

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FNWISXTV

        Value Name: DisplayName

1

Mutexes

Occurrences

Global\27a1e0c1-13fc-11ed-9660-001517101edf

1

Global\30977501-13fc-11ed-9660-001517215b93

1

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences

216[.]146[.]35[.]35

3

31[.]13[.]65[.]174

3

142[.]251[.]40[.]196

3

96[.]103[.]145[.]165

3

31[.]41[.]244[.]82

3

31[.]41[.]244[.]85

3

80[.]66[.]75[.]254

3

80[.]66[.]75[.]4

3

31[.]41[.]244[.]128

3

31[.]41[.]244[.]126/31

3

208[.]76[.]51[.]51

2

74[.]208[.]5[.]20

2

208[.]76[.]50[.]50

2

202[.]137[.]234[.]30

2

212[.]77[.]101[.]4

2

193[.]222[.]135[.]150

2

203[.]205[.]219[.]57

2

47[.]43[.]18[.]9

2

67[.]231[.]144[.]94

2

188[.]125[.]72[.]74

2

40[.]93[.]207[.]0/31

2

205[.]220[.]176[.]72

2

135[.]148[.]130[.]75

2

121[.]53[.]85[.]11

2

67[.]195[.]204[.]72/30

1

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

249[.]5[.]55[.]69[.]bl[.]spamcop[.]net

3

249[.]5[.]55[.]69[.]cbl[.]abuseat[.]org

3

249[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net

3

249[.]5[.]55[.]69[.]in-addr[.]arpa

3

249[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org

3

249[.]5[.]55[.]69[.]zen[.]spamhaus[.]org

3

microsoft-com[.]mail[.]protection[.]outlook[.]com

3

microsoft[.]com

3

www[.]google[.]com

3

www[.]instagram[.]com

3

comcast[.]net

3

mx1a1[.]comcast[.]net

3

jotunheim[.]name

3

niflheimr[.]cn

3

whois[.]arin[.]net

2

whois[.]iana[.]org

2

mx-eu[.]mail[.]am0[.]yahoodns[.]net

2

aspmx[.]l[.]google[.]com

2

mta5[.]am0[.]yahoodns[.]net

2

icloud[.]com

2

cox[.]net

2

walla[.]com

2

hanmail[.]net

2

allstate[.]com

2

wp[.]pl

2

*See JSON for more IOCs

Files and or directories created

Occurrences

%SystemRoot%\SysWOW64\config\systemprofile

3

%SystemRoot%\SysWOW64\config\systemprofile:.repos

3

%SystemRoot%\SysWOW64\fnwisxtv

1

%SystemRoot%\SysWOW64\airdnsoq

1

%SystemRoot%\SysWOW64\uclxhmik

1

%TEMP%\dnyabinr.exe

1

%TEMP%\lcxykqya.exe

1

%TEMP%\qzguacfj.exe

1

File Hashes

    098ad43e2067c5c814cebe1fc52bdc528289c6a2cc96daf4e8bac90d1c95a0b3

    2240525bf4ee830766ec33e2e3c0dfcdf871748088fcf068770fd306940c5957

    693cd93fbc6bfb587ad011477ae870805725c5403260621a290f61bb0d243f47

    a6b68aa5d00739401b413ed936526ea5e767824fddb4e768e03fb05dc369a6fd

    b9820bc7b09bfa88556efac463b7459d2f4a47f06cc953529a9782fdbefd4959

    c2cb05d50c06d9ed65a7c53fb2f6b7977f2988f5fbbd928266bb8ea27723b243

    d6df88c6f61812a4bb662abb8d90fb4ba7e17ae5b9351251d001b7945d7aae98

    ec745df5a9e65776f76b97e9685ad86fbb130bb6a3146a7823bd94c7c6502f1d

    f3e93f62b4f4699a3d20e85fa3c9e8b7eb9129a15ca66720d4f677cae0c5a469

    f8a2e41ea8ca0e998bcd54d8256cb538b1e32cec4e80eb810e8df003427b886b

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

WSA

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.TrickBot-9960840-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 36 samples

Registry Keys

Occurrences

<HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\USERDS

36

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS

        Value Name: 4334c972

36

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS

        Value Name: 2d17e659

36

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: IntelPowerAgent3

7

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: IntelPowerAgent5

5

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: IntelPowerAgent9

4

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: IntelPowerAgent6

4

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: IntelPowerAgent7

3

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: IntelPowerAgent2

3

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: IntelPowerAgent1

3

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: IntelPowerAgent8

3

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: IntelPowerAgent0

2

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: IntelPowerAgent4

2

Mutexes

Occurrences

98b59d0b000000cc

36

98b59d0b00000120

36

Global{2d17e659d34601689591}

36

98b59d0b00000174

36

98b59d0b00000150

36

98b59d0b00000158

36

98b59d0b000001ac

35

98b59d0b00000308

35

98b59d0b0000043c

35

98b59d0b000004b4

35

98b59d0b000001bc

35

98b59d0b000002ec

35

98b59d0b000001f0

35

98b59d0b000001c4

35

98b59d0b0000021c

35

98b59d0b0000025c

35

98b59d0b00000294

35

98b59d0b00000320

35

98b59d0b000003d4

35

98b59d0b000003f8

35

98b59d0b000004dc

35

98b59d0b0000060c

8

98b59d0b000005cc

8

98b59d0b000004f8

8

98b59d0b00000614

7

*See JSON for more IOCs

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences

209[.]197[.]3[.]8

11

72[.]21[.]81[.]240

7

69[.]164[.]46[.]0

6

8[.]253[.]154[.]236/31

3

23[.]46[.]150[.]81

2

23[.]46[.]150[.]58

2

8[.]253[.]141[.]249

1

8[.]253[.]38[.]248

1

8[.]253[.]140[.]118

1

23[.]46[.]150[.]43

1

8[.]247[.]119[.]126

1

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

download[.]windowsupdate[.]com

36

adtejoyo1377[.]tk

36

Files and or directories created

Occurrences

%ProgramData%\c7150968.exe

1

%LOCALAPPDATA%\gusEBBF.tmp.bat

1

%ProgramData%\ba886437.exe

1

%HOMEPATH%\jfpDCC6.tmp.bat

1

%ProgramData%\63b007ed.exe

1

%HOMEPATH%\dtaE10F.tmp.bat

1

%ProgramData%\545ba94b.exe

1

%HOMEPATH%\hcv6907.tmp.bat

1

%ProgramData%\7afae1e8.exe

1

%HOMEPATH%\greA7E2.tmp.bat

1

%ProgramData%\9421c9aa.exe

1

%APPDATA%\vqpA923.tmp.bat

1

%ProgramData%\f779fb59.exe

1

%ProgramData%\xywA29.tmp.bat

1

%ProgramData%\940d0a1e.exe

1

%HOMEPATH%\jawD8CB.tmp.bat

1

%ProgramData%\a37667ce.exe

1

%HOMEPATH%\lkyB72F.tmp.bat

1

%ProgramData%\edcfad58.exe

1

%HOMEPATH%\pvf22C5.tmp.bat

1

%ProgramData%\182b8517.exe

1

%LOCALAPPDATA%\qsw15A4.tmp.bat

1

%ProgramData%\a3a20124.exe

1

%HOMEPATH%\xqh15A4.tmp.bat

1

%ProgramData%\a116e074.exe

1

*See JSON for more IOCs

File Hashes

    007a16c9f6908085a2d65e991ae691f41e7ceab17653200669b4286af82e8c12

    017306c686a5a81630e746b9518106fd5e54b410b50a61f43cba7a3850b1fec8

    024d73837dea32792852294b951dcb246c56442ebde4643cef6733f411f581b6

    0284c0aff10ff3ca7e6078f3d8191fc9c4db42fbfb912a8cefabc937c1eca87d

    02df9ec5bfb9e1bb613b5ee7d4a518bccc9f87580182f26d6e5d5a643036e3a1

    03226228480f9e9d87a0370428d337023226314bd9447efccdbc03bb672ec81b

    0337b9f06cda7d7a6e96ce2a29e0f004fb6df49d3b82d294a17a13604e754f86

    03a89b1af244c7d20db8498d9284c20deea9462fb15db2f89b4c59a9be47c2f0

    04432d06396fac85167c0a9dadf206dc50ea8527c29b943b77f192e45dbce22d

    04679de514d8e3902341b314e324e6f75ba536d09da05e99958dc5b4a689de42

    049f0322736b0abeec70630b9efbbd40d9a0916ce359a5a8168165d25a76e48f

    04e819e635fc974afd4ee533b478841ba581ddcff254034fdbfea6522939ef5f

    05b51b8179992a7e21259d9eacdaf8b1115e51056ec0104daddda5a0810f7126

    0734ea55ac016a1e6b6ac40837883a684656eec9ce857351c9f99d3c965d6501

    07e4ebd0b135dbfcf1e7d2b60386c9b52fa5d154d072a5689eb3a7a2b15112d6

    08da477f7c363ddbc11224260717cf6f7f48e849cff403e25559529029b8fdf4

    08e9ccb010aceac1ea0c0fbb41e58c8e2552b30de500bf43e298a645f5acedf7

    097f9d7400b8a8c8bf5aa5339bf18359148a533f9136cd9b6279623e4db293d7

    0bde820541632a300070601291eb1c478b9d09da2b405f740d6fe92b290a45de

    0be2e49c02aa297d158bd5fe213a96584455fb4cea7c24dd100b9922df2a45c5

    0bf64ebc68956ea9d73858f32530c20fab4243fb09320adfd500fb94842a9888

    0c29c2763f311604136a06a99fa76ed09411572cd796021b60c66806e6c8e5a9

    0c6b997f98a1e58caf5a16a90317d2cb1d2474ac5c5926f26fa2b14a9299638a

    0d30d3c9cf63898bb2e970ec5a54dfe868fc5f519fd6b283bd00a2d22a01a653

    0da6c492cc755852c07bf7511b774e2527dce42be420f602e9445f1bb760ad33

*See JSON for more IOCs

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

N/A

WSA

N/A

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Trojan.Zusy-9960880-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 16 samples

Registry Keys

Occurrences

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH

12

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH

        Value Name: MarkTime

12

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH

        Value Name: Description

2

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH

        Value Name: Type

2

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH

        Value Name: Start

2

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH

        Value Name: ErrorControl

2

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH

        Value Name: ImagePath

2

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH

        Value Name: DisplayName

2

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH

        Value Name: WOW64

2

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH

        Value Name: ObjectName

2

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH

        Value Name: FailureActions

2

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PQRSTU

2

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PQRSTU

        Value Name: MarkTime

2

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH

        Value Name: Group

2

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH

        Value Name: InstallTime

2

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF

        Value Name: Description

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF

        Value Name: Type

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF

        Value Name: Start

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF

        Value Name: ErrorControl

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF

        Value Name: DisplayName

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF

        Value Name: WOW64

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF

        Value Name: ObjectName

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF

        Value Name: FailureActions

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PQRSTU

        Value Name: Description

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PQRSTU

        Value Name: Type

1

Mutexes

Occurrences

127.0.0.1:8000:Cdefgh

3

112.74.89.58:44366:Cdefgh

3

112.74.89.58:42150:Cdefgh

1

47.100.137.128:8001:Pqrstu

1

22.23.24.56:8001:Pqrstu

1

hz122.f3322.org:8001:Cdefgh

1

112.74.89.58:35807:Cdefgh

1

112.74.89.58:46308:Cdefgh

1

101.33.196.136:3389:Cdefgh

1

127.0.0.1:8001:Cdefgh

1

183.28.28.43:8001:Abcdef

1

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences

112[.]74[.]89[.]58

6

22[.]23[.]24[.]56

1

47[.]100[.]137[.]128

1

101[.]33[.]196[.]136

1

183[.]28[.]28[.]43

1

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

hz122[.]f3322[.]org

1

Files and or directories created

Occurrences

%SystemRoot%\svchost.exe

4

File Hashes

    04fa031e5d2d86f8dbe0d3b95d67ea774448df4613e8acce79f0c9a30ef041bc

    2444b744b5c06e9410ee5c3baa807569fde44c5092192428de935e03d25b1edb

    466ca0805173034a7b12a5ffce104bbe5ed312e7441abdb98849ae4103150d04

    5a755f07d3b90ac5a2041fd04fd764c40882dd20b50f91fddbc10b8c6341591d

    5b53262a14fe1dcd42d670b0488d0de11aeb7cfa84e36acb4eec0c13b5fd2d73

    5ca6b22c6e7de5f0b9437970f1f9360ad4f3a74f964eb319080e347c27c6dff9

    6ea5fdaa95dbe09ccbc474ba4fc9fbe796e79c02d2b4f65f223feda5643f5400

    86bd70bc7bb74d3d4991b0f1c7e15ddef1d09695b3940c5fb015f2d00ce5f558

    b9b344bd7005b233cbb85395f61c309938fe70e2f8a8d0b2c24441ba074f9ca5

    bea6c7b4117eb1f894d830c77ddf6d4424bccb6043d0f43c257522d253321c3e

    c0a8a6e606e46a970cefe81f269ec6aec2a538830c2f7e03cf0eac55b135a59a

    c968ae3cfbbd89673b49f6bfd474eea846bdb1e2e3a7c5376dbcda5290d445ed

    dfc315d962da82d84b54683a849edf4e7b16bb136dbc2eb1198d35e528920103

    ec6cb8ff27e33d7e69ce02885baa9c08fd5a03349a16a52590353a4ec364c464

    f240b80b34fa480dc7236ddecb5c326e719a094e49df5a6f2070712650553066

    fd0e616e5ebb9075c44bb6772cf8b2c46801fafdb0716636850dc2ec0fe06f8c

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

N/A

WSA

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.DarkComet-9961766-1****Indicators of Compromise

  • IOCs collected from dynamic analysis of 33 samples

Registry Keys

Occurrences

<HKCU>\SOFTWARE\DC3_FEXEC

29

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: Windows Debugger

24

<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON

        Value Name: UserInit

23

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: LanguageList

19

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: MicroUpdate

11

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: svchost.exe

7

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM

        Value Name: EnableLUA

5

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM

5

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE

        Value Name: EnableFirewall

4

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE

        Value Name: DisableNotifications

4

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER

        Value Name: AntiVirusDisableNotify

4

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM

        Value Name: DisableTaskMgr

3

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER

        Value Name: UpdatesDisableNotify

3

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC

        Value Name: Start

3

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM

        Value Name: DisableRegistryTools

3

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: rundll32

3

<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION\EXPLORERN

        Value Name: NoControlPanel

1

<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION

1

<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION\EXPLORERN

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: Microsoft

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: Windows Updater

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: Update

1

Mutexes

Occurrences

DC_MUTEX-<random, matching [A-Z0-9]{7}>

22

DCPERSFWBP

18

DC_MUTEX-5DND8AT

7

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences

99[.]229[.]175[.]244

1

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

pervert[.]no-ip[.]info

7

pervert2[.]no-ip[.]info

7

delvega[.]no-ip[.]org

2

wp-enhanced[.]no-ip[.]org

2

funstuff712[.]zapto[.]org

2

fflazhhf1[.]no-ip[.]org

1

darkcometss[.]no-ip[.]org

1

not4umac[.]no-ip[.]biz

1

sanderkidah[.]no-ip[.]org

1

bobolobob[.]no-ip[.]biz

1

hg-ma[.]zapto5[.]org

1

corrosivegas2010[.]zapto[.]org

1

profi555[.]no-ip[.]org

1

hg-ma[.]zapto[.]org

1

jugoboy1[.]zapto[.]org

1

hg-ma[.]zapto1[.]org

1

hg-ma[.]zapto2[.]org

1

hg-ma[.]zapto3[.]org

1

hg-ma[.]zapto4[.]org

1

jackreapez[.]zapto[.]org

1

magicmq[.]no-ip[.]org

1

kenrickm[.]no-ip[.]org

1

mrganja[.]no-ip[.]org

1

cherubi[.]no-ip[.]org

1

Files and or directories created

Occurrences

%APPDATA%\WinDbg

30

%APPDATA%\WinDbg\windbg.exe

29

%APPDATA%\dclogs

28

\svchost.exe

7

%TEMP%\uxcv9v

7

%TEMP%\uxcv9v.vbs

7

%HOMEPATH%\Documents\MSDCSC

6

%HOMEPATH%\Documents\MSDCSC\msdcsc.exe

6

%TEMP%\MSDCSC

5

%TEMP%\MSDCSC\msdcsc.exe

5

%SystemRoot%\SysWOW64\MSDCSC

3

%SystemRoot%\SysWOW64\MSDCSC\msdcsc.exe

3

%TEMP%\tMMjnM

1

%TEMP%\xMWbLz.vbs

1

%TEMP%\tMMjnM.vbs

1

%APPDATA%\WinDbg\msdnaa.exe

1

%TEMP%\Mi0z67

1

%HOMEPATH%\Documents\Explorer\Iexplorer.exe

1

%TEMP%\q7EVTk

1

%TEMP%\mmsHyU

1

%TEMP%\q7EVTk.vbs

1

%TEMP%\mmsHyU.vbs

1

%APPDATA%\WinUpd\WinUpdater.exe

1

%TEMP%\alRnXV

1

%TEMP%\alRnXV.vbs

1

*See JSON for more IOCs

File Hashes

    0153ea1e28f729d6604f422075202e48a599969c04c30e4a3056e3a308148eb3

    050332edd1c7356a6e8a86471699135d90ba402d1f7ac0a27da39ccdb94ba0e8

    07525015abc52c0820727bbfe3a29f62e1e5e0ca8af36ca8716ae5ea12e71a75

    09fce07fb07b90dc54f5e72dd08d8677f62e948e6a0450e63f25cc6e22f99ff5

    0a5710ed174fbee931562112147c3bf6cf8609a5f1674d0c878a6888548cb0c9

    0db09a5cc0ff770b4024f14bf6b56b03c4ec599fe0499fc3a8d5da2625d93954

    0f67c4df374d4e01f9838a7dc6ab174c0d8f4b5f2485b670f24c7fcdf65f3269

    10f39ff02541b02857c11ca18a1cc745e075224ad510af7ad18b21dcb0d3cfa0

    12449565aed227128301078ece7695cd6fbd8fb735e8f8b4238e08a1b181a651

    13d377317be765d9d333e6a6d41bb83cffb606547dc308fefe0dcea87133b172

    157be56d2b1cee72ad290957752e089cd39f39c51807c6791b25b875113758ab

    15c65c639231d17726fa4a2c0cef2a7975a52f5d71ba8d7e4e3e1f053c066528

    16cc7eabf5a54d8b376b6de32e2591902044a558ded0a527fcc0143e1686c4af

    16e972675f3d1bd26aff1accdde7925e4cd5ba6d5f2a33826d3d75606a1bc955

    173cae8d47a5d796b06fdd18c951003342ad08d0aee4be2823332df003b5673a

    17dbbd57df81e29f2d19aba93c1626efe92bff713ad8b8e65b449e843aff54e8

    19370c555e8e7ed5133ca6efa7acc98fc360983cc04193cc195ea0c8a0bf2931

    1984c2439c1acacb9ec7c6468db48017d8c2aa4e2da5829d572bb6f5050e80cd

    1b7a03db77e43e04badd95d28554df1f9e3d97197605af709df0387d3bd0c1e8

    1b9f9491a6d98e3de499641caa8ac736f2c6f76e4ac8960170d89fea7026c69e

    1bd9838e181acb88813cdea1d228b445e06b921bff3cece199f9551522eff27d

    1cd35eff6c0963356162d68f5434b19728f2805db71b5c616ff534d2c961d093

    1d25e1479054eea2355385f60a9ce320af2e5ff5ff1333bfabc72518f7337056

    1f3c3ebac21a63328b72317246fb5731720e1d311cdb7928543e1c13e87994d3

    2066531192b69556304df9a65266a2d2e5978ae8cec323b6860eb230fd2faa79

*See JSON for more IOCs

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

N/A

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

N/A

WSA

N/A

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Ransomware.TeslaCrypt-9960924-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 16 samples

Registry Keys

Occurrences

<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM

        Value Name: EnableLinkedConnections

16

<HKU>.DEFAULT\SOFTWARE\TRUEIMG

16

<HKCU>\SOFTWARE\TRUEIMG

16

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0

        Value Name: CheckSetting

16

<HKCU>\SOFTWARE\TRUEIMG

        Value Name: ID

16

<HKCU>\Software<random, matching '[A-Z0-9]{14,16}’>

16

<HKCU>\Software<random, matching '[A-Z0-9]{14,16}’>

        Value Name: data

16

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: _lfia

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: _hfnk

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: _kcgt

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: _ppqk

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: _kaol

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: _abtg

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: _rpua

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: _raet

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: _kwxa

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: _ojsf

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: _kiyk

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: _iykv

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: _hpdk

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: _htkc

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: _fshu

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: _fanp

1

Mutexes

Occurrences

xfghx

16

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences

74[.]220[.]199[.]6

16

64[.]190[.]63[.]111

16

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

prodocument[.]co[.]uk

16

marketathart[.]com

16

joshsawyerdesign[.]com

16

emmy2015[.]com

16

nlhomegarden[.]com

16

esbook[.]com

16

Files and or directories created

Occurrences

%ProgramFiles%\7-Zip\Lang\lv.txt

16

%ProgramFiles%\7-Zip\Lang\mk.txt

16

%ProgramFiles%\7-Zip\Lang\mn.txt

16

%ProgramFiles%\7-Zip\Lang\mng.txt

16

%ProgramFiles%\7-Zip\Lang\mng2.txt

16

%ProgramFiles%\7-Zip\Lang\mr.txt

16

%ProgramFiles%\7-Zip\Lang\ms.txt

16

%ProgramFiles%\7-Zip\Lang\nb.txt

16

%ProgramFiles%\7-Zip\Lang\ne.txt

16

%ProgramFiles%\7-Zip\Lang\nl.txt

16

%ProgramFiles%\7-Zip\Lang\nn.txt

16

%ProgramFiles%\7-Zip\Lang\pa-in.txt

16

%ProgramFiles%\7-Zip\Lang\pl.txt

16

%ProgramFiles%\7-Zip\Lang\ps.txt

16

%ProgramFiles%\7-Zip\Lang\pt-br.txt

16

%ProgramFiles%\7-Zip\Lang\pt.txt

16

%ProgramFiles%\7-Zip\Lang\ro.txt

16

%ProgramFiles%\7-Zip\Lang\ru.txt

16

%ProgramFiles%\7-Zip\Lang\sa.txt

16

%ProgramFiles%\7-Zip\Lang\si.txt

16

%ProgramFiles%\7-Zip\Lang\sk.txt

16

%ProgramFiles%\7-Zip\Lang\sl.txt

16

%ProgramFiles%\7-Zip\Lang\sq.txt

16

%ProgramFiles%\7-Zip\Lang\sr-spc.txt

16

%ProgramFiles%\7-Zip\Lang\sr-spl.txt

16

*See JSON for more IOCs

File Hashes

    00e862ecba1e2a71769a67fc5c27499e00c5594f6b7ed4e4114c2fe1fb43492f

    144c480ed69ac652c4eb4efa5b6038d7a68ed3bca67089997b4228e1c814f7c4

    1b02123c913912f44a6ef1c3c4a5a008270d9d8e802e92b4baa259135f25dc21

    22f322c8241b4860c066f5ae57115c58f373753e3d8c9bede4521e5a5ed85e65

    35aeb94c99b948b122f3e4bd4298107ab15cb8bbdb11b533d32666dbb1455ae3

    3ba05e043bf3148202f498dcddb6bd67680f76640aef2d08f9ae1272ff85e719

    41cba3025ecc75863b7a836ee00fdf2bbc2df90dffb17541b5bb1c9fcb269bd1

    9223631593b46b54450b76028a69ddd837d06cd7e9b3d8e3f7bd584a46af22bf

    b2713458d2c3ebd4b558f8c2ce19a90bd97095ca868fd499755bf1c9cbd0c388

    bdf2c5fcf72e7d7870e81ffacdd01206ed98d2446a85c28e7eaf73e26d7a6eda

    be9fac828e64c19e0a3fbf3c4a752d5332b7c0b849556f5388645515a29538ee

    c00039c0454935a5079dc801ce4420457eb9964cbed8372b5aff5c60a45fa26c

    d540b31f009a4138b5d35735fa9976522f4d5ee9e6b8dbdbde479796ebc6d4c0

    dba60ef1804b4d90d74a2988fe53f044d7619f469d0ba9660e5646a1a67439cd

    f1ab2d7ace4656b5f3770186d088ac0644482fe43f38fe2bdb9217744d0f58c1

    ff6f821dc0526f3615b1a3c37b2b14094f53d05cb0a6a753cb257cb0bcde6898

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

WSA

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Virus.Xpiro-9960895-1****Indicators of Compromise

  • IOCs collected from dynamic analysis of 23 samples

Registry Keys

Occurrences

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32

        Value Name: Type

23

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64

        Value Name: Type

23

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32

        Value Name: Type

23

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32

        Value Name: Start

23

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\COMSYSAPP

        Value Name: Type

23

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\COMSYSAPP

        Value Name: Start

23

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MOZILLAMAINTENANCE

        Value Name: Type

23

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MOZILLAMAINTENANCE

        Value Name: Start

23

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\OSE

        Value Name: Type

23

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\OSE

        Value Name: Start

23

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\SVC\S-1-5-21-2580483871-590521980-3826313501-500

23

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\SVC\S-1-5-21-2580483871-590521980-3826313501-500

        Value Name: EnableNotifications

23

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32

        Value Name: Start

23

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64

        Value Name: Start

23

<HKLM>\SOFTWARE\MICROSOFT.NETFRAMEWORK\V2.0.50727\NGENSERVICE\STATE

        Value Name: AccumulatedWaitIdleTime

23

<HKLM>\SOFTWARE\MICROSOFT.NETFRAMEWORK\V2.0.50727\NGENSERVICE\LISTENEDSTATE

        Value Name: RootstoreDirty

23

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT.NETFRAMEWORK\V2.0.50727\NGENSERVICE\STATE

        Value Name: AccumulatedWaitIdleTime

23

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT.NETFRAMEWORK\V2.0.50727\NGENSERVICE\LISTENEDSTATE

        Value Name: RootstoreDirty

23

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC

        Value Name: Start

22

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_64

        Value Name: Type

22

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_64

        Value Name: Start

22

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IEETWCOLLECTORSERVICE

        Value Name: Type

22

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IEETWCOLLECTORSERVICE

        Value Name: Start

22

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND

        Value Name: Start

21

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}

18

Mutexes

Occurrences

kkq-vx_mtx63

23

kkq-vx_mtx64

23

kkq-vx_mtx65

23

kkq-vx_mtx66

23

kkq-vx_mtx67

23

kkq-vx_mtx68

23

kkq-vx_mtx69

23

kkq-vx_mtx70

23

kkq-vx_mtx71

23

kkq-vx_mtx72

23

kkq-vx_mtx73

23

kkq-vx_mtx74

23

kkq-vx_mtx75

23

kkq-vx_mtx76

23

kkq-vx_mtx77

23

kkq-vx_mtx78

23

kkq-vx_mtx79

23

kkq-vx_mtx80

23

kkq-vx_mtx81

23

kkq-vx_mtx82

23

kkq-vx_mtx83

23

kkq-vx_mtx84

23

kkq-vx_mtx85

23

kkq-vx_mtx86

23

kkq-vx_mtx87

23

*See JSON for more IOCs

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences

107[.]22[.]125[.]105

7

3[.]217[.]206[.]46

4

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

ninite[.]com

21

www[.]bing[.]com

1

Files and or directories created

Occurrences

%CommonProgramFiles%\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

23

%CommonProgramFiles(x86)%\microsoft shared\Source Engine\OSE.EXE

23

%ProgramFiles(x86)%\Microsoft Office\Office14\GROOVE.EXE

23

%ProgramFiles(x86)%\Mozilla Maintenance Service\maintenanceservice.exe

23

%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

23

%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

23

%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

23

%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

23

%System32%\FXSSVC.exe

23

%System32%\alg.exe

23

%System32%\dllhost.exe

23

%SystemRoot%\ehome\ehsched.exe

23

%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

23

%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

23

%SystemRoot%\SysWOW64\dllhost.exe

23

%SystemRoot%\SysWOW64\svchost.exe

23

%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log

23

%SystemRoot%\SysWOW64\dllhost.vir

23

%SystemRoot%\SysWOW64\svchost.vir

23

%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat

23

%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock

23

%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat

23

%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock

23

%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat

23

%CommonProgramFiles(x86)%\microsoft shared\source engine\ose.vir

23

*See JSON for more IOCs

File Hashes

    137ad3b55addd7191c8c974beef6b65bae791bc4de1e86b7e2965b311d40e2d0

    1cfd0fd601a0f5234ce72672ec9c6c866dca03836198d93a320ed5df0bddd7f8

    1e831b6d0cabaa8b44de36c1b96dd6e54e295502eb171be4f87723212fe574ca

    1f935627d9866da115f1aad78be290f60a639bec1a94d6b8397326eeb46c111b

    30ffb87628211e78074a3a891b8bd173db6f2d74dc97e735ff386361cf29aee1

    3f948d4350c566416101441adb1c00121bd835db40cc08c73a556b764458673d

    47934d4f40e9a5af0ee572a7e1e088d29d3bfd655d4aff26018a64118ad68a24

    563c16cb752614726d350000fbf514a8b8d32a8074cd12c7545d6ff93f790ed9

    591ae4985fd6993f580eae6f93f3e96f7c73c14dc3927e96223e8003f9ab3588

    5cbd454095120231e23ca372fee8e9e76f34e3f5491f8ab10e8e5203e4c52570

    6f0f5fda67646bc8def9c66497041528cd8ed7158a169c1b0787f59360c28ea8

    7ec4a0246b5d33dfe811f4f34ab94a6b82d822196776afbe28a0f543ade8ad63

    97d0aeeca4859c38984086ff1bef13c9bd11466131058fabda20dd1b21342f7a

    a2839faa3c7ecbff8afa71ca5787690e0e3eaeb36b899bab1926b19ce32b8c6d

    bcf2ae9a67fe974c02e95fbdd4edcce7df377a288c7586dae9d0b625aeedc93b

    c51d235b290424ad6baf08d67ab600a260200846a3f4b218e916933594b40537

    d3d7dd910bd5e79fdb39d51aa83afaccdfd10538d30dd69bc7219a146e897361

    d445c1ac4afae6cb028a2508c655271e3d69e07d9e016887d89d790c80fc0409

    e23566aabaa7743da973840338829cc25d6936e8fcb5fb8d9b78b0ccac46c1ea

    e37b0661d4e4483048abcf0abba65060c78716672790e12bb0a768f04b18134b

    e48a371f7f5f3ad1cda0d16312f30846b6a12494967c8fba8de7f65a5673b1ff

    eb1ecc1ef099105b4882ccace3caf843ed1508b1463f8af6cc94adaa0181b721

    ec1bc44db50911234444c575d91335113232ab5b1f6cad6acf5e52ff16ccd8fb

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

N/A

WSA

N/A

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Emotet-9961142-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 218 samples

Registry Keys

Occurrences

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: LanguageList

190

<HKLM>\SYSTEM\CONTROLSET001\SERVICES<random, matching '[A-Z0-9]{8}’>

        Value Name: Type

64

<HKLM>\SYSTEM\CONTROLSET001\SERVICES<random, matching '[A-Z0-9]{8}’>

        Value Name: Start

64

<HKLM>\SYSTEM\CONTROLSET001\SERVICES<random, matching '[A-Z0-9]{8}’>

        Value Name: ErrorControl

64

<HKLM>\SYSTEM\CONTROLSET001\SERVICES<random, matching '[A-Z0-9]{8}’>

        Value Name: DisplayName

64

<HKLM>\SYSTEM\CONTROLSET001\SERVICES<random, matching '[A-Z0-9]{8}’>

        Value Name: WOW64

64

<HKLM>\SYSTEM\CONTROLSET001\SERVICES<random, matching '[A-Z0-9]{8}’>

        Value Name: ObjectName

64

<HKLM>\SYSTEM\CONTROLSET001\SERVICES<random, matching '[A-Z0-9]{8}’>

63

<HKLM>\SYSTEM\CONTROLSET001\SERVICES<random, matching '[A-Z0-9]{8}’>

        Value Name: ImagePath

61

<HKLM>\SYSTEM\CONTROLSET001\SERVICES<random, matching '[A-Z0-9]{8}’>

        Value Name: Description

60

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @%systemroot%\system32\dot3svc.dll,-1103

14

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @oleres.dll,-5013

10

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @%systemroot%\system32\browser.dll,-101

9

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @%SystemRoot%\system32\AxInstSV.dll,-104

9

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @%systemroot%\system32\dps.dll,-501

9

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @%SystemRoot%\ehome\ehrecvr.exe,-102

8

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @appmgmts.dll,-3251

8

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @%SystemRoot%\system32\dhcpcore.dll,-101

8

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @%systemroot%\system32\appinfo.dll,-101

8

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @%SystemRoot%\System32\audiosrv.dll,-205

7

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @%systemroot%\system32\appidsvc.dll,-101

7

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @comres.dll,-948

7

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @%SystemRoot%\System32\dnsapi.dll,-102

7

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @%systemroot%\system32\cscsvc.dll,-201

7

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E

        Value Name: @%SystemRoot%\System32\bthserv.dll,-102

7

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences

5[.]196[.]74[.]210

82

74[.]208[.]45[.]104

82

45[.]55[.]219[.]163

82

45[.]55[.]36[.]51

82

174[.]45[.]13[.]118

82

180[.]92[.]239[.]110

82

91[.]83[.]93[.]99

82

217[.]199[.]160[.]224

78

89[.]32[.]150[.]160

78

68[.]183[.]190[.]199

78

45[.]161[.]242[.]102

78

209[.]236[.]123[.]42

78

71[.]197[.]211[.]156

78

91[.]121[.]54[.]71

78

85[.]25[.]207[.]108

58

88[.]249[.]181[.]198

58

65[.]156[.]53[.]186

58

68[.]183[.]233[.]80

58

177[.]32[.]8[.]85

58

81[.]17[.]93[.]134

58

197[.]232[.]36[.]108

58

23[.]46[.]150[.]72

30

23[.]46[.]150[.]48

27

23[.]221[.]72[.]27

13

23[.]221[.]72[.]10

6

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

apps[.]identrust[.]com

82

Files and or directories created

Occurrences

%SystemRoot%\SysWOW64<random, matching '[a-z]{8}’>

35

%SystemRoot%\SysWOW64\printui

2

%SystemRoot%\SysWOW64\NlsLexicons0414

2

%SystemRoot%\SysWOW64\utildll

2

%SystemRoot%\SysWOW64\NlsData000a

2

%SystemRoot%\SysWOW64\fthsvc

2

%SystemRoot%\SysWOW64\shlwapi

2

%SystemRoot%\SysWOW64\WcsPlugInService

2

%SystemRoot%\SysWOW64\NlsLexicons0002

2

%SystemRoot%\SysWOW64\d3d8thk

1

%SystemRoot%\SysWOW64\instnm

1

%SystemRoot%\SysWOW64\cttune

1

%SystemRoot%\SysWOW64\tsbyuv

1

%SystemRoot%\SysWOW64\KBDSW

1

%SystemRoot%\SysWOW64\fc

1

%SystemRoot%\SysWOW64\rshx32

1

%SystemRoot%\SysWOW64\KBDHE220

1

%SystemRoot%\SysWOW64\WMADMOE

1

%SystemRoot%\SysWOW64\NlsData0002

1

%SystemRoot%\SysWOW64\iprop

1

%SystemRoot%\SysWOW64\rastls

1

%SystemRoot%\SysWOW64\aecache

1

%SystemRoot%\SysWOW64\SMBHelperClass

1

%SystemRoot%\SysWOW64\KBDNO

1

%SystemRoot%\SysWOW64\mfc100

1

*See JSON for more IOCs

File Hashes

    0154a4e3faa4dafca324954364d049324d6fcc6b8a1c90cbae92cd41f8927c4e

    01ea88880d59cd617d53bfd1849ad0c2023c9febc43b48579d06802c9b324d77

    0222be0813e32c7a2c87a31482e33830a91b73a750aff3499da5caa100646607

    0242673f6b5b086a61873f4773b8b7f119d025325f2724cb362b1151adccfc8b

    02f7999d6693f08f5983effb8bee06145be3f7dc22ff1e5b745e8d0633fe19d6

    038008283ccba00047b767169fd02554182310d7b32c6def8a3fc1c6a045daf1

    0403b01de17d2130faa4eecf11111acf15bc672dfeb9394054e5aa05166b8289

    044242411968ca1c92b3a645d7f470cf0cda1a220920da688558fde7f4108eb9

    055014bbf3a21173e4e2d9fb22124d7d249bc8f8c748151197d6e985bdf06f67

    05cf33a7202716161360fc0e6fd45091f9a290954ba26a64037745652fa4b487

    066202dc95bd51220d42f603a030ef71527b8dc56e62200f0d175f09f3f89c27

    06ee8bc6b3c35b3d3ea924f73db6da1df9061e69b487bad9718328f1d186f0c7

    0780d91df0f27af4b00d51e531a1cf12d50bbb048a211e0b287820bd9313eab5

    07c262357505c7bef31ebfe2bb6c13a3d386e38d262ba2bdbfb2e52c1bd066fd

    080fc908405201cbf074d6343acf66ee3c4d57f231c399b87097f75b8ca7960f

    08e6bfa50d4fe544c03474d1a23776762a47a0ceed44dbe5bbb6e09fce30b055

    091b50c4a374f1fc1d15e81044c2b50f03fa7c3e8359eb09bb95dc25deeebd4d

    098861c8b4411225b4fde8737ccb518052ef40c896ee4e42dfeecf322e56f07f

    09c4a4a31a51590b27a82bcff450c29391d3dfde480df012f43020e858efb639

    0b533cf67e6fd8298b62d3aaea82f07ad11c600fa8917f3b683a72da9ca2fa7e

    0c33a1f3687e65daa8825856f309cc40ef97d0892ef7742a77355124e296b815

    0ccab31b5610aac24a242c812f474ff24b8e345aa78fd4b7d0a92b690938f908

    0cd25d45a5e31de0fc1b75ba65c5b43d934b60b7d07638aaa1ce0d83afd984ec

    0d3fee19509a873e96a1b2559d9193cf046f7f35f49d16b180438d9df7da027f

    0ea6a45d2ad1115ce7141f15693139b8bd9e5ffebb5a1321ab8c48e62d65fab9

*See JSON for more IOCs

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

N/A

WSA

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Remcos-9961392-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 14 samples

Registry Keys

Occurrences

<HKCU>\SOFTWARE\POULUS

14

<HKCU>\SOFTWARE\POULUS\MICROMINIATURISER

14

<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\BRUGERNAVNETS

14

<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\BRUGERNAVNETS\TIVOLIET

14

<HKCU>\SOFTWARE\POULUS\MICROMINIATURISER

        Value Name: Komplettes

14

<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\BRUGERNAVNETS\TIVOLIET

        Value Name: Fins

14

<HKCU>\SOFTWARE!27MZCJW9@REXF-NJL3J3

7

<HKCU>\SOFTWARE!27MZCJW9@REXF-NJL3J3

        Value Name: licence

7

<HKCU>\SOFTWARE!27MZCJW9@REXF-NJL3J3

        Value Name: exepath

7

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE

        Value Name: ornamenterne

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE

        Value Name: Hyldetrs

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE

        Value Name: lnglidninger

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE

        Value Name: Vampirebat

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE

        Value Name: Dereferencing

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE

        Value Name: Sarkastisk

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE

        Value Name: Martyrologistic

1

Mutexes

Occurrences

Remcos_Mutex_Inj

7

!27Mzcjw9@Rexf-NJL3J3

7

Global\916138a1-15e4-11ed-9660-00151792685a

1

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences

5[.]2[.]75[.]164

7

181[.]235[.]13[.]200

4

186[.]169[.]54[.]97

3

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

colpatvalidacionnuevo[.]xyz

7

Files and or directories created

Occurrences

%HOMEPATH%\Desktop\Markedness.ini

14

%TEMP%\ns<random, matching '[a-z][A-F0-9]{1,4}’>.tmp

14

%TEMP%\ns<random, matching '[a-z][A-F0-9]{4}’>.tmp\System.dll

14

%TEMP%\logsflat458

7

%TEMP%\logsflat458\sasgs527.dat

7

\TEMP\en-US\22d69844486d029467b528c89bf763a6.exe.mui

1

\TEMP\en-US\ef6731323cff411f303c2bd29b9f15c8.exe.mui

1

\TEMP\en-US\b2a7538d257a51b1a506b646c248fcbe.exe.mui

1

\TEMP\en-US\570979659276a2a985f97f7965f97f76.exe.mui

1

\TEMP\en-US\f231d436f8d62de3082ea791da78ed50.exe.mui

1

\TEMP\en\f231d436f8d62de3082ea791da78ed50.exe.mui

1

\TEMP\en\ef6731323cff411f303c2bd29b9f15c8.exe.mui

1

%TEMP%\Selenitic

1

%TEMP%\Dextroamphetamine

1

%TEMP%\Selenitic\Uncooping.exe

1

%TEMP%\Dextroamphetamine\Lobcokt.exe

1

\TEMP\en\22d69844486d029467b528c89bf763a6.exe.mui

1

%TEMP%\Tiki124

1

%TEMP%\Tiki124\Unexpecting.exe

1

\TEMP\en\b2a7538d257a51b1a506b646c248fcbe.exe.mui

1

\TEMP\en\570979659276a2a985f97f7965f97f76.exe.mui

1

%TEMP%\Sekundrkommunens

1

%TEMP%\Giganter27

1

%TEMP%\Sekundrkommunens\Unpracticability174.exe

1

%TEMP%\Giganter27\Spandauerne.exe

1

*See JSON for more IOCs

File Hashes

    125b94822affbd4b1b67333905a91231c62e427334475ada0daa44d007e884c1

    332cb82247db85cd4c772200938a7623c4161a15d680157cdc688b53aae2303a

    3efb2166b220fd7d7e5df42739d998f6ed4c70fefdcb03b6a9b1810d6dcfcd77

    42d77fbb29467078ade8ecba705a648d3d4aeacd5f6735a6d92d17cb55ff7049

    6761e346725d0cfa3436b459176ff467f7b4a426af0559845032c912420747cd

    72d9be63e832a89a04ffcfb48c30199d3461fe982bde962f57c7cf71e0f5f06a

    8c420a6337376e20c987679a34e3d09194e504c444fbf50619328f5c0dda9217

    942dcafe7a16cfdd1769048c73590ec2c29e9c76a9f6c46e6b6e88ac2220b0ef

    9ead44844a24092afb456478686839852e04cd1ad8e081185ae432f1171baa1b

    a3ec71d27779875c7262d608c3c5e591fa7c12f0893e006bb6f7d2ad1d710142

    a742e0a1f7939fdaf5eb615bac3da040781bd19e84e3f647186314ecb6e0fa5e

    ce2ff79b4178d9b7f142001bc227753dd395fcd1a28a385bfa379e0857181467

    d52c22336b2e2efaeab6b8eb2be8726a36eaea553905b01102d9716d4c6184af

    e2deccb5d8cc1ec270d95501aaa7e53951bd7f89c2c0bcd50420bf94b7057675

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

WSA

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Ramnit-9961396-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples

Registry Keys

Occurrences

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER

        Value Name: AntiVirusOverride

26

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER

        Value Name: AntiVirusDisableNotify

26

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER

        Value Name: FirewallDisableNotify

26

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER

        Value Name: FirewallOverride

26

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER

        Value Name: UpdatesDisableNotify

26

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER

        Value Name: UacDisableNotify

26

<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM

        Value Name: EnableLUA

26

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE

        Value Name: EnableFirewall

26

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE

        Value Name: DoNotAllowExceptions

26

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE

        Value Name: DisableNotifications

26

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC

        Value Name: Start

26

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND

        Value Name: Start

26

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC

        Value Name: Start

26

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION

        Value Name: jfghdug_ooetvtgk

26

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: JudCsgdy

26

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV

        Value Name: Start

26

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: Windows Defender

26

<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON

        Value Name: Userinit

26

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON

        Value Name: Userinit

26

Mutexes

Occurrences

qazwsxedc

26

{7930D12C-1D38-EB63-89CF-4C8161B79ED4}

26

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences

72[.]26[.]218[.]70

25

195[.]201[.]179[.]207

25

208[.]100[.]26[.]245

25

46[.]165[.]220[.]155

25

35[.]205[.]61[.]67

25

142[.]250[.]80[.]14

25

63[.]251[.]235[.]76

25

64[.]225[.]91[.]73

25

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

google[.]com

25

gjvoemsjvb[.]com

25

ahpygyxe[.]com

25

msoalrhvphqrnjv[.]com

25

rdslmvlipid[.]com

25

jpcqdmfvn[.]com

25

rrmlyaviljwuoph[.]com

25

maajnyhst[.]com

25

enbbojmjpss[.]com

25

oqmfrxak[.]com

25

tdccjwtetv[.]com

25

tpxobasr[.]com

25

xpdsuvpcvrcrnwbxqfx[.]com

25

fbrlgikmlriqlvel[.]com

25

boeyrhmrd[.]com

25

ugcukkcpplmouoah[.]com

25

gugendolik[.]com

25

Files and or directories created

Occurrences

%LOCALAPPDATA%\bolpidti

26

%LOCALAPPDATA%\bolpidti\judcsgdy.exe

26

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\judcsgdy.exe

26

File Hashes

    081742e8ed56a1a933e0507ccd536aaaf7242ac76d47a1a49626ee71c6756b53

    0e372167303e500219b580a1a0367d2b69ab693e56934584e05cd963736bd463

    10cef31349a4842546edbc5244d0d3aaed1e3c058008800c889abf5dc43ec343

    127ee9c2897fb600dec742861451fdcf48820c200e15df7479542ed4232c0584

    155b0301ce2f88c396fb7aa77cbc82c51a01660e6a74b63f7ba8dc8f023ea7e8

    1e1773938b5bdd08be479ca9186a30d3fad83ea67ae905f391508ac543c2a38f

    263351025d462b47660ea4bacd71ae1fd694de45a3d9bd5b14e58be1c4362d00

    2e2ac92783031efdde48674b0ed3362c81fac9b25756ee39af1629f39309ccc2

    340833674362d0c01995cc8657a95a628fddeb853272b6d89dfcf98bbe106cbe

    39b9cfa59e688e1d56e6499b80637f321f777d022dff4a9eaf691ba9a1e9cc86

    3cc065b26f54c993606649d1679bca81068c10e3727fdf9ee811fa6a17c1ebad

    41b21c4398fa089007a9a34aac8a3f5d14b61814ff036b555cc6b09c8efd81aa

    4b183d215f86d026ef2bac0cf5dd4b28146612d52206e358169b0f1d3209c76d

    4ed2cf991c4ed810cdbb5d567d33e1f1d94218ae43c506d6b33d2acc35009598

    57fa2ea50d27a8cc8feec2867a680ae6e9a0d1a47d117733a73db86da3bf8416

    5de59e2cc183ce5f34b2ca66fbd1edce54b3a6208ae7621c49cbd78835bdcbf5

    699e006e4a6871ca898aacf55f84c36ea43d8b9e421b71dd20a0fe5a06378d66

    6a216904abbf52246819029936c7e8705f50c61ba0ee6a62d8a14881cfca0a33

    77aeccd3d538a6effc3623344a331d5190c747489a5cc511d4e7d973e879ff8a

    77c966ca4088e8b918b4e40ed539a510fad2a2631ff17d1a1b01a1670e6fa400

    79622d5b5ef3c93d32bcaaba64cfbbe4a88ec7f56d1f7f2160b9219321058f29

    8c878b6608dba85c650ffda157cc14d885f14559e8c6b38a5ae0be85d5a73001

    8d5f17bf76258cf83d0678cef645b0fa2f0b6df56858fb0ec4cab8894b59b316

    a1574bfff6cebf0757ab5a7fc7634b7956fed8943e088b87820ff13be65789c4

    af0aa7289a5770da3a158d0f0fbea1c5073b6ca4f6fe5a7bebdde44a55ca2c2e

*See JSON for more IOCs

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

WSA

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

TALOS: Latest News

New PXA Stealer targets government and education sectors for sensitive information