Headline
Threat Roundup for August 5 to August 12
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Aug. 5 and Aug. 12. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats. As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found herethat includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files. The most prevalent threats highlighted in this roundup are:
Threat Name Type Description
Win.Dropper.Tofsee-9960568-0 Dropper Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages to infect additional systems and increase the size of the botnet under the operator’s control. Win.Dropper.TrickBot-9960840-0 Dropper Trickbot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts. Win.Trojan.Zusy-9960880-0 Trojan Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as “explorer.exe” and “winver.exe.” When the user accesses a banking website, it displays a form to trick the user into submitting personal information. Win.Dropper.DarkComet-9961766-1 Dropper DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. This malware can download files from a user’s machine, mechanisms for persistence and hiding. It also has the ability to send back usernames and passwords from the infected system. Win.Ransomware.TeslaCrypt-9960924-0 Ransomware TeslaCrypt is a well-known ransomware family that encrypts a user’s files with strong encryption and demands Bitcoin in exchange for a file decryption service. A flaw in the encryption algorithm was discovered that allowed files to be decrypted without paying the ransomware, and eventually, the malware developers released the master key allowing all encrypted files to be recovered easily. Win.Virus.Xpiro-9960895-1 Virus Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. Win.Dropper.Emotet-9961142-0 Dropper Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. Win.Dropper.Remcos-9961392-0 Dropper Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, and capture screenshots. This malware is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails. Win.Dropper.Ramnit-9961396-0 Dropper Ramnit is a banking trojan that monitors web browser activity on an infected machine and collects login information from financial websites. It also has the ability to steal browser cookies and attempts to hide from popular antivirus software.
Threat Breakdown
Win.Dropper.Tofsee-9960568-0
Indicators of Compromise
IOCs collected from dynamic analysis of 10 samples
Registry Keys Occurrences
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config4 3
<HKU>\.DEFAULT\CONTROL PANEL\BUSES 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\dhcpqec.dll,-100 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\dhcpqec.dll,-101 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\dhcpqec.dll,-103 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\dhcpqec.dll,-102 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\napipsec.dll,-1 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\napipsec.dll,-2 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\napipsec.dll,-4 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\napipsec.dll,-3 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\tsgqec.dll,-100 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\tsgqec.dll,-101 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\tsgqec.dll,-102 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\tsgqec.dll,-103 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\eapqec.dll,-100 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\eapqec.dll,-101 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\eapqec.dll,-102 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\eapqec.dll,-103 3
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config0 3
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config1 3
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config2 3
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config3 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FNWISXTV
Value Name: ErrorControl 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FNWISXTV
Value Name: DisplayName 1
Mutexes Occurrences
Global\27a1e0c1-13fc-11ed-9660-001517101edf 1
Global\30977501-13fc-11ed-9660-001517215b93 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
216[.]146[.]35[.]35 3
31[.]13[.]65[.]174 3
142[.]251[.]40[.]196 3
96[.]103[.]145[.]165 3
31[.]41[.]244[.]82 3
31[.]41[.]244[.]85 3
80[.]66[.]75[.]254 3
80[.]66[.]75[.]4 3
31[.]41[.]244[.]128 3
31[.]41[.]244[.]126/31 3
208[.]76[.]51[.]51 2
74[.]208[.]5[.]20 2
208[.]76[.]50[.]50 2
202[.]137[.]234[.]30 2
212[.]77[.]101[.]4 2
193[.]222[.]135[.]150 2
203[.]205[.]219[.]57 2
47[.]43[.]18[.]9 2
67[.]231[.]144[.]94 2
188[.]125[.]72[.]74 2
40[.]93[.]207[.]0/31 2
205[.]220[.]176[.]72 2
135[.]148[.]130[.]75 2
121[.]53[.]85[.]11 2
67[.]195[.]204[.]72/30 1
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
249[.]5[.]55[.]69[.]bl[.]spamcop[.]net 3
249[.]5[.]55[.]69[.]cbl[.]abuseat[.]org 3
249[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net 3
249[.]5[.]55[.]69[.]in-addr[.]arpa 3
249[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org 3
249[.]5[.]55[.]69[.]zen[.]spamhaus[.]org 3
microsoft-com[.]mail[.]protection[.]outlook[.]com 3
microsoft[.]com 3
www[.]google[.]com 3
www[.]instagram[.]com 3
comcast[.]net 3
mx1a1[.]comcast[.]net 3
jotunheim[.]name 3
niflheimr[.]cn 3
whois[.]arin[.]net 2
whois[.]iana[.]org 2
mx-eu[.]mail[.]am0[.]yahoodns[.]net 2
aspmx[.]l[.]google[.]com 2
mta5[.]am0[.]yahoodns[.]net 2
icloud[.]com 2
cox[.]net 2
walla[.]com 2
hanmail[.]net 2
allstate[.]com 2
wp[.]pl 2
*See JSON for more IOCs
Files and or directories created Occurrences
%SystemRoot%\SysWOW64\config\systemprofile 3
%SystemRoot%\SysWOW64\config\systemprofile:.repos 3
%SystemRoot%\SysWOW64\fnwisxtv 1
%SystemRoot%\SysWOW64\airdnsoq 1
%SystemRoot%\SysWOW64\uclxhmik 1
%TEMP%\dnyabinr.exe 1
%TEMP%\lcxykqya.exe 1
%TEMP%\qzguacfj.exe 1
File Hashes
098ad43e2067c5c814cebe1fc52bdc528289c6a2cc96daf4e8bac90d1c95a0b3 2240525bf4ee830766ec33e2e3c0dfcdf871748088fcf068770fd306940c5957 693cd93fbc6bfb587ad011477ae870805725c5403260621a290f61bb0d243f47 a6b68aa5d00739401b413ed936526ea5e767824fddb4e768e03fb05dc369a6fd b9820bc7b09bfa88556efac463b7459d2f4a47f06cc953529a9782fdbefd4959 c2cb05d50c06d9ed65a7c53fb2f6b7977f2988f5fbbd928266bb8ea27723b243 d6df88c6f61812a4bb662abb8d90fb4ba7e17ae5b9351251d001b7945d7aae98 ec745df5a9e65776f76b97e9685ad86fbb130bb6a3146a7823bd94c7c6502f1d f3e93f62b4f4699a3d20e85fa3c9e8b7eb9129a15ca66720d4f677cae0c5a469 f8a2e41ea8ca0e998bcd54d8256cb538b1e32cec4e80eb810e8df003427b886b
Coverage
Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella
WSA
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.TrickBot-9960840-0
Indicators of Compromise
IOCs collected from dynamic analysis of 36 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\USERDS 36
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS
Value Name: 4334c972 36
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS
Value Name: 2d17e659 36
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: IntelPowerAgent3 7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: IntelPowerAgent5 5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: IntelPowerAgent9 4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: IntelPowerAgent6 4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: IntelPowerAgent7 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: IntelPowerAgent2 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: IntelPowerAgent1 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: IntelPowerAgent8 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: IntelPowerAgent0 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: IntelPowerAgent4 2
Mutexes Occurrences
98b59d0b000000cc 36
98b59d0b00000120 36
Global\{2d17e659d34601689591} 36
98b59d0b00000174 36
98b59d0b00000150 36
98b59d0b00000158 36
98b59d0b000001ac 35
98b59d0b00000308 35
98b59d0b0000043c 35
98b59d0b000004b4 35
98b59d0b000001bc 35
98b59d0b000002ec 35
98b59d0b000001f0 35
98b59d0b000001c4 35
98b59d0b0000021c 35
98b59d0b0000025c 35
98b59d0b00000294 35
98b59d0b00000320 35
98b59d0b000003d4 35
98b59d0b000003f8 35
98b59d0b000004dc 35
98b59d0b0000060c 8
98b59d0b000005cc 8
98b59d0b000004f8 8
98b59d0b00000614 7
*See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
209[.]197[.]3[.]8 11
72[.]21[.]81[.]240 7
69[.]164[.]46[.]0 6
8[.]253[.]154[.]236/31 3
23[.]46[.]150[.]81 2
23[.]46[.]150[.]58 2
8[.]253[.]141[.]249 1
8[.]253[.]38[.]248 1
8[.]253[.]140[.]118 1
23[.]46[.]150[.]43 1
8[.]247[.]119[.]126 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
download[.]windowsupdate[.]com 36
adtejoyo1377[.]tk 36
Files and or directories created Occurrences
%ProgramData%\c7150968.exe 1
%LOCALAPPDATA%\gusEBBF.tmp.bat 1
%ProgramData%\ba886437.exe 1
%HOMEPATH%\jfpDCC6.tmp.bat 1
%ProgramData%\63b007ed.exe 1
%HOMEPATH%\dtaE10F.tmp.bat 1
%ProgramData%\545ba94b.exe 1
%HOMEPATH%\hcv6907.tmp.bat 1
%ProgramData%\7afae1e8.exe 1
%HOMEPATH%\greA7E2.tmp.bat 1
%ProgramData%\9421c9aa.exe 1
%APPDATA%\vqpA923.tmp.bat 1
%ProgramData%\f779fb59.exe 1
%ProgramData%\xywA29.tmp.bat 1
%ProgramData%\940d0a1e.exe 1
%HOMEPATH%\jawD8CB.tmp.bat 1
%ProgramData%\a37667ce.exe 1
%HOMEPATH%\lkyB72F.tmp.bat 1
%ProgramData%\edcfad58.exe 1
%HOMEPATH%\pvf22C5.tmp.bat 1
%ProgramData%\182b8517.exe 1
%LOCALAPPDATA%\qsw15A4.tmp.bat 1
%ProgramData%\a3a20124.exe 1
%HOMEPATH%\xqh15A4.tmp.bat 1
%ProgramData%\a116e074.exe 1
*See JSON for more IOCs
File Hashes
007a16c9f6908085a2d65e991ae691f41e7ceab17653200669b4286af82e8c12 017306c686a5a81630e746b9518106fd5e54b410b50a61f43cba7a3850b1fec8 024d73837dea32792852294b951dcb246c56442ebde4643cef6733f411f581b6 0284c0aff10ff3ca7e6078f3d8191fc9c4db42fbfb912a8cefabc937c1eca87d 02df9ec5bfb9e1bb613b5ee7d4a518bccc9f87580182f26d6e5d5a643036e3a1 03226228480f9e9d87a0370428d337023226314bd9447efccdbc03bb672ec81b 0337b9f06cda7d7a6e96ce2a29e0f004fb6df49d3b82d294a17a13604e754f86 03a89b1af244c7d20db8498d9284c20deea9462fb15db2f89b4c59a9be47c2f0 04432d06396fac85167c0a9dadf206dc50ea8527c29b943b77f192e45dbce22d 04679de514d8e3902341b314e324e6f75ba536d09da05e99958dc5b4a689de42 049f0322736b0abeec70630b9efbbd40d9a0916ce359a5a8168165d25a76e48f 04e819e635fc974afd4ee533b478841ba581ddcff254034fdbfea6522939ef5f 05b51b8179992a7e21259d9eacdaf8b1115e51056ec0104daddda5a0810f7126 0734ea55ac016a1e6b6ac40837883a684656eec9ce857351c9f99d3c965d6501 07e4ebd0b135dbfcf1e7d2b60386c9b52fa5d154d072a5689eb3a7a2b15112d6 08da477f7c363ddbc11224260717cf6f7f48e849cff403e25559529029b8fdf4 08e9ccb010aceac1ea0c0fbb41e58c8e2552b30de500bf43e298a645f5acedf7 097f9d7400b8a8c8bf5aa5339bf18359148a533f9136cd9b6279623e4db293d7 0bde820541632a300070601291eb1c478b9d09da2b405f740d6fe92b290a45de 0be2e49c02aa297d158bd5fe213a96584455fb4cea7c24dd100b9922df2a45c5 0bf64ebc68956ea9d73858f32530c20fab4243fb09320adfd500fb94842a9888 0c29c2763f311604136a06a99fa76ed09411572cd796021b60c66806e6c8e5a9 0c6b997f98a1e58caf5a16a90317d2cb1d2474ac5c5926f26fa2b14a9299638a 0d30d3c9cf63898bb2e970ec5a54dfe868fc5f519fd6b283bd00a2d22a01a653 0da6c492cc755852c07bf7511b774e2527dce42be420f602e9445f1bb760ad33
*See JSON for more IOCs
Coverage
Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella N/A
WSA N/A
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Trojan.Zusy-9960880-0
Indicators of Compromise
IOCs collected from dynamic analysis of 16 samples
Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH 12
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH
Value Name: MarkTime 12
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH
Value Name: Description 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH
Value Name: Type 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH
Value Name: Start 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH
Value Name: ErrorControl 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH
Value Name: ImagePath 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH
Value Name: DisplayName 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH
Value Name: WOW64 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH
Value Name: ObjectName 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH
Value Name: FailureActions 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PQRSTU 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PQRSTU
Value Name: MarkTime 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH
Value Name: Group 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH
Value Name: InstallTime 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF
Value Name: Description 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF
Value Name: Type 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF
Value Name: Start 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF
Value Name: ErrorControl 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF
Value Name: DisplayName 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF
Value Name: WOW64 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF
Value Name: ObjectName 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF
Value Name: FailureActions 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PQRSTU
Value Name: Description 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PQRSTU
Value Name: Type 1
Mutexes Occurrences
127.0.0.1:8000:Cdefgh 3
112.74.89.58:44366:Cdefgh 3
112.74.89.58:42150:Cdefgh 1
47.100.137.128:8001:Pqrstu 1
22.23.24.56:8001:Pqrstu 1
hz122.f3322.org:8001:Cdefgh 1
112.74.89.58:35807:Cdefgh 1
112.74.89.58:46308:Cdefgh 1
101.33.196.136:3389:Cdefgh 1
127.0.0.1:8001:Cdefgh 1
183.28.28.43:8001:Abcdef 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
112[.]74[.]89[.]58 6
22[.]23[.]24[.]56 1
47[.]100[.]137[.]128 1
101[.]33[.]196[.]136 1
183[.]28[.]28[.]43 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
hz122[.]f3322[.]org 1
Files and or directories created Occurrences
%SystemRoot%\svchost.exe 4
File Hashes
04fa031e5d2d86f8dbe0d3b95d67ea774448df4613e8acce79f0c9a30ef041bc 2444b744b5c06e9410ee5c3baa807569fde44c5092192428de935e03d25b1edb 466ca0805173034a7b12a5ffce104bbe5ed312e7441abdb98849ae4103150d04 5a755f07d3b90ac5a2041fd04fd764c40882dd20b50f91fddbc10b8c6341591d 5b53262a14fe1dcd42d670b0488d0de11aeb7cfa84e36acb4eec0c13b5fd2d73 5ca6b22c6e7de5f0b9437970f1f9360ad4f3a74f964eb319080e347c27c6dff9 6ea5fdaa95dbe09ccbc474ba4fc9fbe796e79c02d2b4f65f223feda5643f5400 86bd70bc7bb74d3d4991b0f1c7e15ddef1d09695b3940c5fb015f2d00ce5f558 b9b344bd7005b233cbb85395f61c309938fe70e2f8a8d0b2c24441ba074f9ca5 bea6c7b4117eb1f894d830c77ddf6d4424bccb6043d0f43c257522d253321c3e c0a8a6e606e46a970cefe81f269ec6aec2a538830c2f7e03cf0eac55b135a59a c968ae3cfbbd89673b49f6bfd474eea846bdb1e2e3a7c5376dbcda5290d445ed dfc315d962da82d84b54683a849edf4e7b16bb136dbc2eb1198d35e528920103 ec6cb8ff27e33d7e69ce02885baa9c08fd5a03349a16a52590353a4ec364c464 f240b80b34fa480dc7236ddecb5c326e719a094e49df5a6f2070712650553066 fd0e616e5ebb9075c44bb6772cf8b2c46801fafdb0716636850dc2ec0fe06f8c
Coverage
Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella N/A
WSA
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.DarkComet-9961766-1
Indicators of Compromise
IOCs collected from dynamic analysis of 33 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\DC3_FEXEC 29
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Debugger 24
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: UserInit 23
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList 19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: MicroUpdate 11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: svchost.exe 7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA 5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM 5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: EnableFirewall 4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DisableNotifications 4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusDisableNotify 4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: DisableTaskMgr 3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesDisableNotify 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: DisableRegistryTools 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: rundll32 3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION\EXPLORERN
Value Name: NoControlPanel 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION\EXPLORERN 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Microsoft 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Updater 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Update 1
Mutexes Occurrences
DC_MUTEX-<random, matching [A-Z0-9]{7}> 22
DCPERSFWBP 18
DC_MUTEX-5DND8AT 7
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
99[.]229[.]175[.]244 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
pervert[.]no-ip[.]info 7
pervert2[.]no-ip[.]info 7
delvega[.]no-ip[.]org 2
wp-enhanced[.]no-ip[.]org 2
funstuff712[.]zapto[.]org 2
fflazhhf1[.]no-ip[.]org 1
darkcometss[.]no-ip[.]org 1
not4umac[.]no-ip[.]biz 1
sanderkidah[.]no-ip[.]org 1
bobolobob[.]no-ip[.]biz 1
hg-ma[.]zapto5[.]org 1
corrosivegas2010[.]zapto[.]org 1
profi555[.]no-ip[.]org 1
hg-ma[.]zapto[.]org 1
jugoboy1[.]zapto[.]org 1
hg-ma[.]zapto1[.]org 1
hg-ma[.]zapto2[.]org 1
hg-ma[.]zapto3[.]org 1
hg-ma[.]zapto4[.]org 1
jackreapez[.]zapto[.]org 1
magicmq[.]no-ip[.]org 1
kenrickm[.]no-ip[.]org 1
mrganja[.]no-ip[.]org 1
cherubi[.]no-ip[.]org 1
Files and or directories created Occurrences
%APPDATA%\WinDbg 30
%APPDATA%\WinDbg\windbg.exe 29
%APPDATA%\dclogs 28
\svchost.exe 7
%TEMP%\uxcv9v 7
%TEMP%\uxcv9v.vbs 7
%HOMEPATH%\Documents\MSDCSC 6
%HOMEPATH%\Documents\MSDCSC\msdcsc.exe 6
%TEMP%\MSDCSC 5
%TEMP%\MSDCSC\msdcsc.exe 5
%SystemRoot%\SysWOW64\MSDCSC 3
%SystemRoot%\SysWOW64\MSDCSC\msdcsc.exe 3
%TEMP%\tMMjnM 1
%TEMP%\xMWbLz.vbs 1
%TEMP%\tMMjnM.vbs 1
%APPDATA%\WinDbg\msdnaa.exe 1
%TEMP%\Mi0z67 1
%HOMEPATH%\Documents\Explorer\Iexplorer.exe 1
%TEMP%\q7EVTk 1
%TEMP%\mmsHyU 1
%TEMP%\q7EVTk.vbs 1
%TEMP%\mmsHyU.vbs 1
%APPDATA%\WinUpd\WinUpdater.exe 1
%TEMP%\alRnXV 1
%TEMP%\alRnXV.vbs 1
*See JSON for more IOCs
File Hashes
0153ea1e28f729d6604f422075202e48a599969c04c30e4a3056e3a308148eb3 050332edd1c7356a6e8a86471699135d90ba402d1f7ac0a27da39ccdb94ba0e8 07525015abc52c0820727bbfe3a29f62e1e5e0ca8af36ca8716ae5ea12e71a75 09fce07fb07b90dc54f5e72dd08d8677f62e948e6a0450e63f25cc6e22f99ff5 0a5710ed174fbee931562112147c3bf6cf8609a5f1674d0c878a6888548cb0c9 0db09a5cc0ff770b4024f14bf6b56b03c4ec599fe0499fc3a8d5da2625d93954 0f67c4df374d4e01f9838a7dc6ab174c0d8f4b5f2485b670f24c7fcdf65f3269 10f39ff02541b02857c11ca18a1cc745e075224ad510af7ad18b21dcb0d3cfa0 12449565aed227128301078ece7695cd6fbd8fb735e8f8b4238e08a1b181a651 13d377317be765d9d333e6a6d41bb83cffb606547dc308fefe0dcea87133b172 157be56d2b1cee72ad290957752e089cd39f39c51807c6791b25b875113758ab 15c65c639231d17726fa4a2c0cef2a7975a52f5d71ba8d7e4e3e1f053c066528 16cc7eabf5a54d8b376b6de32e2591902044a558ded0a527fcc0143e1686c4af 16e972675f3d1bd26aff1accdde7925e4cd5ba6d5f2a33826d3d75606a1bc955 173cae8d47a5d796b06fdd18c951003342ad08d0aee4be2823332df003b5673a 17dbbd57df81e29f2d19aba93c1626efe92bff713ad8b8e65b449e843aff54e8 19370c555e8e7ed5133ca6efa7acc98fc360983cc04193cc195ea0c8a0bf2931 1984c2439c1acacb9ec7c6468db48017d8c2aa4e2da5829d572bb6f5050e80cd 1b7a03db77e43e04badd95d28554df1f9e3d97197605af709df0387d3bd0c1e8 1b9f9491a6d98e3de499641caa8ac736f2c6f76e4ac8960170d89fea7026c69e 1bd9838e181acb88813cdea1d228b445e06b921bff3cece199f9551522eff27d 1cd35eff6c0963356162d68f5434b19728f2805db71b5c616ff534d2c961d093 1d25e1479054eea2355385f60a9ce320af2e5ff5ff1333bfabc72518f7337056 1f3c3ebac21a63328b72317246fb5731720e1d311cdb7928543e1c13e87994d3 2066531192b69556304df9a65266a2d2e5978ae8cec323b6860eb230fd2faa79
*See JSON for more IOCs
Coverage
Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella N/A
WSA N/A
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Ransomware.TeslaCrypt-9960924-0
Indicators of Compromise
IOCs collected from dynamic analysis of 16 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLinkedConnections 16
<HKU>\.DEFAULT\SOFTWARE\TRUEIMG 16
<HKCU>\SOFTWARE\TRUEIMG 16
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0
Value Name: CheckSetting 16
<HKCU>\SOFTWARE\TRUEIMG
Value Name: ID 16
<HKCU>\Software\<random, matching '[A-Z0-9]{14,16}'> 16
<HKCU>\Software\<random, matching '[A-Z0-9]{14,16}'>
Value Name: data 16
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: _lfia 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: _hfnk 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: _kcgt 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: _ppqk 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: _kaol 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: _abtg 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: _rpua 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: _raet 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: _kwxa 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: _ojsf 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: _kiyk 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: _iykv 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: _hpdk 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: _htkc 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: _fshu 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: _fanp 1
Mutexes Occurrences
__xfghx__ 16
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
74[.]220[.]199[.]6 16
64[.]190[.]63[.]111 16
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
prodocument[.]co[.]uk 16
marketathart[.]com 16
joshsawyerdesign[.]com 16
emmy2015[.]com 16
nlhomegarden[.]com 16
esbook[.]com 16
Files and or directories created Occurrences
%ProgramFiles%\7-Zip\Lang\lv.txt 16
%ProgramFiles%\7-Zip\Lang\mk.txt 16
%ProgramFiles%\7-Zip\Lang\mn.txt 16
%ProgramFiles%\7-Zip\Lang\mng.txt 16
%ProgramFiles%\7-Zip\Lang\mng2.txt 16
%ProgramFiles%\7-Zip\Lang\mr.txt 16
%ProgramFiles%\7-Zip\Lang\ms.txt 16
%ProgramFiles%\7-Zip\Lang\nb.txt 16
%ProgramFiles%\7-Zip\Lang\ne.txt 16
%ProgramFiles%\7-Zip\Lang\nl.txt 16
%ProgramFiles%\7-Zip\Lang\nn.txt 16
%ProgramFiles%\7-Zip\Lang\pa-in.txt 16
%ProgramFiles%\7-Zip\Lang\pl.txt 16
%ProgramFiles%\7-Zip\Lang\ps.txt 16
%ProgramFiles%\7-Zip\Lang\pt-br.txt 16
%ProgramFiles%\7-Zip\Lang\pt.txt 16
%ProgramFiles%\7-Zip\Lang\ro.txt 16
%ProgramFiles%\7-Zip\Lang\ru.txt 16
%ProgramFiles%\7-Zip\Lang\sa.txt 16
%ProgramFiles%\7-Zip\Lang\si.txt 16
%ProgramFiles%\7-Zip\Lang\sk.txt 16
%ProgramFiles%\7-Zip\Lang\sl.txt 16
%ProgramFiles%\7-Zip\Lang\sq.txt 16
%ProgramFiles%\7-Zip\Lang\sr-spc.txt 16
%ProgramFiles%\7-Zip\Lang\sr-spl.txt 16
*See JSON for more IOCs
File Hashes
00e862ecba1e2a71769a67fc5c27499e00c5594f6b7ed4e4114c2fe1fb43492f 144c480ed69ac652c4eb4efa5b6038d7a68ed3bca67089997b4228e1c814f7c4 1b02123c913912f44a6ef1c3c4a5a008270d9d8e802e92b4baa259135f25dc21 22f322c8241b4860c066f5ae57115c58f373753e3d8c9bede4521e5a5ed85e65 35aeb94c99b948b122f3e4bd4298107ab15cb8bbdb11b533d32666dbb1455ae3 3ba05e043bf3148202f498dcddb6bd67680f76640aef2d08f9ae1272ff85e719 41cba3025ecc75863b7a836ee00fdf2bbc2df90dffb17541b5bb1c9fcb269bd1 9223631593b46b54450b76028a69ddd837d06cd7e9b3d8e3f7bd584a46af22bf b2713458d2c3ebd4b558f8c2ce19a90bd97095ca868fd499755bf1c9cbd0c388 bdf2c5fcf72e7d7870e81ffacdd01206ed98d2446a85c28e7eaf73e26d7a6eda be9fac828e64c19e0a3fbf3c4a752d5332b7c0b849556f5388645515a29538ee c00039c0454935a5079dc801ce4420457eb9964cbed8372b5aff5c60a45fa26c d540b31f009a4138b5d35735fa9976522f4d5ee9e6b8dbdbde479796ebc6d4c0 dba60ef1804b4d90d74a2988fe53f044d7619f469d0ba9660e5646a1a67439cd f1ab2d7ace4656b5f3770186d088ac0644482fe43f38fe2bdb9217744d0f58c1 ff6f821dc0526f3615b1a3c37b2b14094f53d05cb0a6a753cb257cb0bcde6898
Coverage
Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella
WSA
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Virus.Xpiro-9960895-1
Indicators of Compromise
IOCs collected from dynamic analysis of 23 samples
Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32
Value Name: Type 23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64
Value Name: Type 23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32
Value Name: Type 23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32
Value Name: Start 23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\COMSYSAPP
Value Name: Type 23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\COMSYSAPP
Value Name: Start 23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MOZILLAMAINTENANCE
Value Name: Type 23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MOZILLAMAINTENANCE
Value Name: Start 23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\OSE
Value Name: Type 23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\OSE
Value Name: Start 23
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\SVC\S-1-5-21-2580483871-590521980-3826313501-500 23
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\SVC\S-1-5-21-2580483871-590521980-3826313501-500
Value Name: EnableNotifications 23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32
Value Name: Start 23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64
Value Name: Start 23
<HKLM>\SOFTWARE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\STATE
Value Name: AccumulatedWaitIdleTime 23
<HKLM>\SOFTWARE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\LISTENEDSTATE
Value Name: RootstoreDirty 23
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\STATE
Value Name: AccumulatedWaitIdleTime 23
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\LISTENEDSTATE
Value Name: RootstoreDirty 23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start 22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_64
Value Name: Type 22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_64
Value Name: Start 22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IEETWCOLLECTORSERVICE
Value Name: Type 22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IEETWCOLLECTORSERVICE
Value Name: Start 22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start 21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} 18
Mutexes Occurrences
kkq-vx_mtx63 23
kkq-vx_mtx64 23
kkq-vx_mtx65 23
kkq-vx_mtx66 23
kkq-vx_mtx67 23
kkq-vx_mtx68 23
kkq-vx_mtx69 23
kkq-vx_mtx70 23
kkq-vx_mtx71 23
kkq-vx_mtx72 23
kkq-vx_mtx73 23
kkq-vx_mtx74 23
kkq-vx_mtx75 23
kkq-vx_mtx76 23
kkq-vx_mtx77 23
kkq-vx_mtx78 23
kkq-vx_mtx79 23
kkq-vx_mtx80 23
kkq-vx_mtx81 23
kkq-vx_mtx82 23
kkq-vx_mtx83 23
kkq-vx_mtx84 23
kkq-vx_mtx85 23
kkq-vx_mtx86 23
kkq-vx_mtx87 23
*See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
107[.]22[.]125[.]105 7
3[.]217[.]206[.]46 4
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
ninite[.]com 21
www[.]bing[.]com 1
Files and or directories created Occurrences
%CommonProgramFiles%\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE 23
%CommonProgramFiles(x86)%\microsoft shared\Source Engine\OSE.EXE 23
%ProgramFiles(x86)%\Microsoft Office\Office14\GROOVE.EXE 23
%ProgramFiles(x86)%\Mozilla Maintenance Service\maintenanceservice.exe 23
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe 23
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe 23
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe 23
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 23
%System32%\FXSSVC.exe 23
%System32%\alg.exe 23
%System32%\dllhost.exe 23
%SystemRoot%\ehome\ehsched.exe 23
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.log 23
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log 23
%SystemRoot%\SysWOW64\dllhost.exe 23
%SystemRoot%\SysWOW64\svchost.exe 23
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log 23
%SystemRoot%\SysWOW64\dllhost.vir 23
%SystemRoot%\SysWOW64\svchost.vir 23
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat 23
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock 23
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat 23
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock 23
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat 23
%CommonProgramFiles(x86)%\microsoft shared\source engine\ose.vir 23
*See JSON for more IOCs
File Hashes
137ad3b55addd7191c8c974beef6b65bae791bc4de1e86b7e2965b311d40e2d0 1cfd0fd601a0f5234ce72672ec9c6c866dca03836198d93a320ed5df0bddd7f8 1e831b6d0cabaa8b44de36c1b96dd6e54e295502eb171be4f87723212fe574ca 1f935627d9866da115f1aad78be290f60a639bec1a94d6b8397326eeb46c111b 30ffb87628211e78074a3a891b8bd173db6f2d74dc97e735ff386361cf29aee1 3f948d4350c566416101441adb1c00121bd835db40cc08c73a556b764458673d 47934d4f40e9a5af0ee572a7e1e088d29d3bfd655d4aff26018a64118ad68a24 563c16cb752614726d350000fbf514a8b8d32a8074cd12c7545d6ff93f790ed9 591ae4985fd6993f580eae6f93f3e96f7c73c14dc3927e96223e8003f9ab3588 5cbd454095120231e23ca372fee8e9e76f34e3f5491f8ab10e8e5203e4c52570 6f0f5fda67646bc8def9c66497041528cd8ed7158a169c1b0787f59360c28ea8 7ec4a0246b5d33dfe811f4f34ab94a6b82d822196776afbe28a0f543ade8ad63 97d0aeeca4859c38984086ff1bef13c9bd11466131058fabda20dd1b21342f7a a2839faa3c7ecbff8afa71ca5787690e0e3eaeb36b899bab1926b19ce32b8c6d bcf2ae9a67fe974c02e95fbdd4edcce7df377a288c7586dae9d0b625aeedc93b c51d235b290424ad6baf08d67ab600a260200846a3f4b218e916933594b40537 d3d7dd910bd5e79fdb39d51aa83afaccdfd10538d30dd69bc7219a146e897361 d445c1ac4afae6cb028a2508c655271e3d69e07d9e016887d89d790c80fc0409 e23566aabaa7743da973840338829cc25d6936e8fcb5fb8d9b78b0ccac46c1ea e37b0661d4e4483048abcf0abba65060c78716672790e12bb0a768f04b18134b e48a371f7f5f3ad1cda0d16312f30846b6a12494967c8fba8de7f65a5673b1ff eb1ecc1ef099105b4882ccace3caf843ed1508b1463f8af6cc94adaa0181b721 ec1bc44db50911234444c575d91335113232ab5b1f6cad6acf5e52ff16ccd8fb
Coverage
Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella N/A
WSA N/A
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.Emotet-9961142-0
Indicators of Compromise
IOCs collected from dynamic analysis of 218 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList 190
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type 64
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start 64
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl 64
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName 64
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64 64
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName 64
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 63
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath 61
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description 60
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%systemroot%\system32\dot3svc.dll,-1103 14
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @oleres.dll,-5013 10
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%systemroot%\system32\browser.dll,-101 9
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\AxInstSV.dll,-104 9
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%systemroot%\system32\dps.dll,-501 9
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\ehome\ehrecvr.exe,-102 8
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @appmgmts.dll,-3251 8
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\dhcpcore.dll,-101 8
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%systemroot%\system32\appinfo.dll,-101 8
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\System32\audiosrv.dll,-205 7
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%systemroot%\system32\appidsvc.dll,-101 7
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @comres.dll,-948 7
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\System32\dnsapi.dll,-102 7
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%systemroot%\system32\cscsvc.dll,-201 7
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\System32\bthserv.dll,-102 7
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
5[.]196[.]74[.]210 82
74[.]208[.]45[.]104 82
45[.]55[.]219[.]163 82
45[.]55[.]36[.]51 82
174[.]45[.]13[.]118 82
180[.]92[.]239[.]110 82
91[.]83[.]93[.]99 82
217[.]199[.]160[.]224 78
89[.]32[.]150[.]160 78
68[.]183[.]190[.]199 78
45[.]161[.]242[.]102 78
209[.]236[.]123[.]42 78
71[.]197[.]211[.]156 78
91[.]121[.]54[.]71 78
85[.]25[.]207[.]108 58
88[.]249[.]181[.]198 58
65[.]156[.]53[.]186 58
68[.]183[.]233[.]80 58
177[.]32[.]8[.]85 58
81[.]17[.]93[.]134 58
197[.]232[.]36[.]108 58
23[.]46[.]150[.]72 30
23[.]46[.]150[.]48 27
23[.]221[.]72[.]27 13
23[.]221[.]72[.]10 6
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
apps[.]identrust[.]com 82
Files and or directories created Occurrences
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> 35
%SystemRoot%\SysWOW64\printui 2
%SystemRoot%\SysWOW64\NlsLexicons0414 2
%SystemRoot%\SysWOW64\utildll 2
%SystemRoot%\SysWOW64\NlsData000a 2
%SystemRoot%\SysWOW64\fthsvc 2
%SystemRoot%\SysWOW64\shlwapi 2
%SystemRoot%\SysWOW64\WcsPlugInService 2
%SystemRoot%\SysWOW64\NlsLexicons0002 2
%SystemRoot%\SysWOW64\d3d8thk 1
%SystemRoot%\SysWOW64\instnm 1
%SystemRoot%\SysWOW64\cttune 1
%SystemRoot%\SysWOW64\tsbyuv 1
%SystemRoot%\SysWOW64\KBDSW 1
%SystemRoot%\SysWOW64\fc 1
%SystemRoot%\SysWOW64\rshx32 1
%SystemRoot%\SysWOW64\KBDHE220 1
%SystemRoot%\SysWOW64\WMADMOE 1
%SystemRoot%\SysWOW64\NlsData0002 1
%SystemRoot%\SysWOW64\iprop 1
%SystemRoot%\SysWOW64\rastls 1
%SystemRoot%\SysWOW64\aecache 1
%SystemRoot%\SysWOW64\SMBHelperClass 1
%SystemRoot%\SysWOW64\KBDNO 1
%SystemRoot%\SysWOW64\mfc100 1
*See JSON for more IOCs
File Hashes
0154a4e3faa4dafca324954364d049324d6fcc6b8a1c90cbae92cd41f8927c4e 01ea88880d59cd617d53bfd1849ad0c2023c9febc43b48579d06802c9b324d77 0222be0813e32c7a2c87a31482e33830a91b73a750aff3499da5caa100646607 0242673f6b5b086a61873f4773b8b7f119d025325f2724cb362b1151adccfc8b 02f7999d6693f08f5983effb8bee06145be3f7dc22ff1e5b745e8d0633fe19d6 038008283ccba00047b767169fd02554182310d7b32c6def8a3fc1c6a045daf1 0403b01de17d2130faa4eecf11111acf15bc672dfeb9394054e5aa05166b8289 044242411968ca1c92b3a645d7f470cf0cda1a220920da688558fde7f4108eb9 055014bbf3a21173e4e2d9fb22124d7d249bc8f8c748151197d6e985bdf06f67 05cf33a7202716161360fc0e6fd45091f9a290954ba26a64037745652fa4b487 066202dc95bd51220d42f603a030ef71527b8dc56e62200f0d175f09f3f89c27 06ee8bc6b3c35b3d3ea924f73db6da1df9061e69b487bad9718328f1d186f0c7 0780d91df0f27af4b00d51e531a1cf12d50bbb048a211e0b287820bd9313eab5 07c262357505c7bef31ebfe2bb6c13a3d386e38d262ba2bdbfb2e52c1bd066fd 080fc908405201cbf074d6343acf66ee3c4d57f231c399b87097f75b8ca7960f 08e6bfa50d4fe544c03474d1a23776762a47a0ceed44dbe5bbb6e09fce30b055 091b50c4a374f1fc1d15e81044c2b50f03fa7c3e8359eb09bb95dc25deeebd4d 098861c8b4411225b4fde8737ccb518052ef40c896ee4e42dfeecf322e56f07f 09c4a4a31a51590b27a82bcff450c29391d3dfde480df012f43020e858efb639 0b533cf67e6fd8298b62d3aaea82f07ad11c600fa8917f3b683a72da9ca2fa7e 0c33a1f3687e65daa8825856f309cc40ef97d0892ef7742a77355124e296b815 0ccab31b5610aac24a242c812f474ff24b8e345aa78fd4b7d0a92b690938f908 0cd25d45a5e31de0fc1b75ba65c5b43d934b60b7d07638aaa1ce0d83afd984ec 0d3fee19509a873e96a1b2559d9193cf046f7f35f49d16b180438d9df7da027f 0ea6a45d2ad1115ce7141f15693139b8bd9e5ffebb5a1321ab8c48e62d65fab9
*See JSON for more IOCs
Coverage
Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella N/A
WSA
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.Remcos-9961392-0
Indicators of Compromise
IOCs collected from dynamic analysis of 14 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\POULUS 14
<HKCU>\SOFTWARE\POULUS\MICROMINIATURISER 14
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\BRUGERNAVNETS 14
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\BRUGERNAVNETS\TIVOLIET 14
<HKCU>\SOFTWARE\POULUS\MICROMINIATURISER
Value Name: Komplettes 14
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\BRUGERNAVNETS\TIVOLIET
Value Name: Fins 14
<HKCU>\SOFTWARE\!27MZCJW9@REXF-NJL3J3 7
<HKCU>\SOFTWARE\!27MZCJW9@REXF-NJL3J3
Value Name: licence 7
<HKCU>\SOFTWARE\!27MZCJW9@REXF-NJL3J3
Value Name: exepath 7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: ornamenterne 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: Hyldetrs 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: lnglidninger 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: Vampirebat 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: Dereferencing 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: Sarkastisk 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: Martyrologistic 1
Mutexes Occurrences
Remcos_Mutex_Inj 7
!27Mzcjw9@Rexf-NJL3J3 7
Global\916138a1-15e4-11ed-9660-00151792685a 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
5[.]2[.]75[.]164 7
181[.]235[.]13[.]200 4
186[.]169[.]54[.]97 3
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
colpatvalidacionnuevo[.]xyz 7
Files and or directories created Occurrences
%HOMEPATH%\Desktop\Markedness.ini 14
%TEMP%\ns<random, matching '[a-z][A-F0-9]{1,4}'>.tmp 14
%TEMP%\ns<random, matching '[a-z][A-F0-9]{4}'>.tmp\System.dll 14
%TEMP%\logsflat458 7
%TEMP%\logsflat458\sasgs527.dat 7
\TEMP\en-US\22d69844486d029467b528c89bf763a6.exe.mui 1
\TEMP\en-US\ef6731323cff411f303c2bd29b9f15c8.exe.mui 1
\TEMP\en-US\b2a7538d257a51b1a506b646c248fcbe.exe.mui 1
\TEMP\en-US\570979659276a2a985f97f7965f97f76.exe.mui 1
\TEMP\en-US\f231d436f8d62de3082ea791da78ed50.exe.mui 1
\TEMP\en\f231d436f8d62de3082ea791da78ed50.exe.mui 1
\TEMP\en\ef6731323cff411f303c2bd29b9f15c8.exe.mui 1
%TEMP%\Selenitic 1
%TEMP%\Dextroamphetamine 1
%TEMP%\Selenitic\Uncooping.exe 1
%TEMP%\Dextroamphetamine\Lobcokt.exe 1
\TEMP\en\22d69844486d029467b528c89bf763a6.exe.mui 1
%TEMP%\Tiki124 1
%TEMP%\Tiki124\Unexpecting.exe 1
\TEMP\en\b2a7538d257a51b1a506b646c248fcbe.exe.mui 1
\TEMP\en\570979659276a2a985f97f7965f97f76.exe.mui 1
%TEMP%\Sekundrkommunens 1
%TEMP%\Giganter27 1
%TEMP%\Sekundrkommunens\Unpracticability174.exe 1
%TEMP%\Giganter27\Spandauerne.exe 1
*See JSON for more IOCs
File Hashes
125b94822affbd4b1b67333905a91231c62e427334475ada0daa44d007e884c1 332cb82247db85cd4c772200938a7623c4161a15d680157cdc688b53aae2303a 3efb2166b220fd7d7e5df42739d998f6ed4c70fefdcb03b6a9b1810d6dcfcd77 42d77fbb29467078ade8ecba705a648d3d4aeacd5f6735a6d92d17cb55ff7049 6761e346725d0cfa3436b459176ff467f7b4a426af0559845032c912420747cd 72d9be63e832a89a04ffcfb48c30199d3461fe982bde962f57c7cf71e0f5f06a 8c420a6337376e20c987679a34e3d09194e504c444fbf50619328f5c0dda9217 942dcafe7a16cfdd1769048c73590ec2c29e9c76a9f6c46e6b6e88ac2220b0ef 9ead44844a24092afb456478686839852e04cd1ad8e081185ae432f1171baa1b a3ec71d27779875c7262d608c3c5e591fa7c12f0893e006bb6f7d2ad1d710142 a742e0a1f7939fdaf5eb615bac3da040781bd19e84e3f647186314ecb6e0fa5e ce2ff79b4178d9b7f142001bc227753dd395fcd1a28a385bfa379e0857181467 d52c22336b2e2efaeab6b8eb2be8726a36eaea553905b01102d9716d4c6184af e2deccb5d8cc1ec270d95501aaa7e53951bd7f89c2c0bcd50420bf94b7057675
Coverage
Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella
WSA
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.Ramnit-9961396-0
Indicators of Compromise
IOCs collected from dynamic analysis of 26 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusOverride 26
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusDisableNotify 26
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallDisableNotify 26
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallOverride 26
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesDisableNotify 26
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UacDisableNotify 26
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA 26
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: EnableFirewall 26
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DoNotAllowExceptions 26
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DisableNotifications 26
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start 26
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start 26
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: Start 26
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION
Value Name: jfghdug_ooetvtgk 26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: JudCsgdy 26
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV
Value Name: Start 26
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Defender 26
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: Userinit 26
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: Userinit 26
Mutexes Occurrences
qazwsxedc 26
{7930D12C-1D38-EB63-89CF-4C8161B79ED4} 26
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
72[.]26[.]218[.]70 25
195[.]201[.]179[.]207 25
208[.]100[.]26[.]245 25
46[.]165[.]220[.]155 25
35[.]205[.]61[.]67 25
142[.]250[.]80[.]14 25
63[.]251[.]235[.]76 25
64[.]225[.]91[.]73 25
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
google[.]com 25
gjvoemsjvb[.]com 25
ahpygyxe[.]com 25
msoalrhvphqrnjv[.]com 25
rdslmvlipid[.]com 25
jpcqdmfvn[.]com 25
rrmlyaviljwuoph[.]com 25
maajnyhst[.]com 25
enbbojmjpss[.]com 25
oqmfrxak[.]com 25
tdccjwtetv[.]com 25
tpxobasr[.]com 25
xpdsuvpcvrcrnwbxqfx[.]com 25
fbrlgikmlriqlvel[.]com 25
boeyrhmrd[.]com 25
ugcukkcpplmouoah[.]com 25
gugendolik[.]com 25
Files and or directories created Occurrences
%LOCALAPPDATA%\bolpidti 26
%LOCALAPPDATA%\bolpidti\judcsgdy.exe 26
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\judcsgdy.exe 26
File Hashes
081742e8ed56a1a933e0507ccd536aaaf7242ac76d47a1a49626ee71c6756b53 0e372167303e500219b580a1a0367d2b69ab693e56934584e05cd963736bd463 10cef31349a4842546edbc5244d0d3aaed1e3c058008800c889abf5dc43ec343 127ee9c2897fb600dec742861451fdcf48820c200e15df7479542ed4232c0584 155b0301ce2f88c396fb7aa77cbc82c51a01660e6a74b63f7ba8dc8f023ea7e8 1e1773938b5bdd08be479ca9186a30d3fad83ea67ae905f391508ac543c2a38f 263351025d462b47660ea4bacd71ae1fd694de45a3d9bd5b14e58be1c4362d00 2e2ac92783031efdde48674b0ed3362c81fac9b25756ee39af1629f39309ccc2 340833674362d0c01995cc8657a95a628fddeb853272b6d89dfcf98bbe106cbe 39b9cfa59e688e1d56e6499b80637f321f777d022dff4a9eaf691ba9a1e9cc86 3cc065b26f54c993606649d1679bca81068c10e3727fdf9ee811fa6a17c1ebad 41b21c4398fa089007a9a34aac8a3f5d14b61814ff036b555cc6b09c8efd81aa 4b183d215f86d026ef2bac0cf5dd4b28146612d52206e358169b0f1d3209c76d 4ed2cf991c4ed810cdbb5d567d33e1f1d94218ae43c506d6b33d2acc35009598 57fa2ea50d27a8cc8feec2867a680ae6e9a0d1a47d117733a73db86da3bf8416 5de59e2cc183ce5f34b2ca66fbd1edce54b3a6208ae7621c49cbd78835bdcbf5 699e006e4a6871ca898aacf55f84c36ea43d8b9e421b71dd20a0fe5a06378d66 6a216904abbf52246819029936c7e8705f50c61ba0ee6a62d8a14881cfca0a33 77aeccd3d538a6effc3623344a331d5190c747489a5cc511d4e7d973e879ff8a 77c966ca4088e8b918b4e40ed539a510fad2a2631ff17d1a1b01a1670e6fa400 79622d5b5ef3c93d32bcaaba64cfbbe4a88ec7f56d1f7f2160b9219321058f29 8c878b6608dba85c650ffda157cc14d885f14559e8c6b38a5ae0be85d5a73001 8d5f17bf76258cf83d0678cef645b0fa2f0b6df56858fb0ec4cab8894b59b316 a1574bfff6cebf0757ab5a7fc7634b7956fed8943e088b87820ff13be65789c4 af0aa7289a5770da3a158d0f0fbea1c5073b6ca4f6fe5a7bebdde44a55ca2c2e
*See JSON for more IOCs
Coverage
Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella
WSA
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Aug. 5 and Aug. 12. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.
The most prevalent threats highlighted in this roundup are:
Threat Name
Type
Description
Win.Dropper.Tofsee-9960568-0
Dropper
Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages to infect additional systems and increase the size of the botnet under the operator’s control.
Win.Dropper.TrickBot-9960840-0
Dropper
Trickbot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts.
Win.Trojan.Zusy-9960880-0
Trojan
Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as “explorer.exe” and “winver.exe.” When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
Win.Dropper.DarkComet-9961766-1
Dropper
DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. This malware can download files from a user’s machine, mechanisms for persistence and hiding. It also has the ability to send back usernames and passwords from the infected system.
Win.Ransomware.TeslaCrypt-9960924-0
Ransomware
TeslaCrypt is a well-known ransomware family that encrypts a user’s files with strong encryption and demands Bitcoin in exchange for a file decryption service. A flaw in the encryption algorithm was discovered that allowed files to be decrypted without paying the ransomware, and eventually, the malware developers released the master key allowing all encrypted files to be recovered easily.
Win.Virus.Xpiro-9960895-1
Virus
Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.
Win.Dropper.Emotet-9961142-0
Dropper
Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Dropper.Remcos-9961392-0
Dropper
Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, and capture screenshots. This malware is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Dropper.Ramnit-9961396-0
Dropper
Ramnit is a banking trojan that monitors web browser activity on an infected machine and collects login information from financial websites. It also has the ability to steal browser cookies and attempts to hide from popular antivirus software.
Threat Breakdown****Win.Dropper.Tofsee-9960568-0****Indicators of Compromise
- IOCs collected from dynamic analysis of 10 samples
Registry Keys
Occurrences
<HKU>.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config4
3
<HKU>.DEFAULT\CONTROL PANEL\BUSES
3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList
3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\dhcpqec.dll,-100
3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\dhcpqec.dll,-101
3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\dhcpqec.dll,-103
3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\dhcpqec.dll,-102
3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\napipsec.dll,-1
3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\napipsec.dll,-2
3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\napipsec.dll,-4
3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\napipsec.dll,-3
3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\tsgqec.dll,-100
3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\tsgqec.dll,-101
3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\tsgqec.dll,-102
3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\tsgqec.dll,-103
3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\eapqec.dll,-100
3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\eapqec.dll,-101
3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\eapqec.dll,-102
3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\eapqec.dll,-103
3
<HKU>.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config0
3
<HKU>.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config1
3
<HKU>.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config2
3
<HKU>.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config3
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FNWISXTV
Value Name: ErrorControl
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FNWISXTV
Value Name: DisplayName
1
Mutexes
Occurrences
Global\27a1e0c1-13fc-11ed-9660-001517101edf
1
Global\30977501-13fc-11ed-9660-001517215b93
1
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
216[.]146[.]35[.]35
3
31[.]13[.]65[.]174
3
142[.]251[.]40[.]196
3
96[.]103[.]145[.]165
3
31[.]41[.]244[.]82
3
31[.]41[.]244[.]85
3
80[.]66[.]75[.]254
3
80[.]66[.]75[.]4
3
31[.]41[.]244[.]128
3
31[.]41[.]244[.]126/31
3
208[.]76[.]51[.]51
2
74[.]208[.]5[.]20
2
208[.]76[.]50[.]50
2
202[.]137[.]234[.]30
2
212[.]77[.]101[.]4
2
193[.]222[.]135[.]150
2
203[.]205[.]219[.]57
2
47[.]43[.]18[.]9
2
67[.]231[.]144[.]94
2
188[.]125[.]72[.]74
2
40[.]93[.]207[.]0/31
2
205[.]220[.]176[.]72
2
135[.]148[.]130[.]75
2
121[.]53[.]85[.]11
2
67[.]195[.]204[.]72/30
1
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
249[.]5[.]55[.]69[.]bl[.]spamcop[.]net
3
249[.]5[.]55[.]69[.]cbl[.]abuseat[.]org
3
249[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net
3
249[.]5[.]55[.]69[.]in-addr[.]arpa
3
249[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org
3
249[.]5[.]55[.]69[.]zen[.]spamhaus[.]org
3
microsoft-com[.]mail[.]protection[.]outlook[.]com
3
microsoft[.]com
3
www[.]google[.]com
3
www[.]instagram[.]com
3
comcast[.]net
3
mx1a1[.]comcast[.]net
3
jotunheim[.]name
3
niflheimr[.]cn
3
whois[.]arin[.]net
2
whois[.]iana[.]org
2
mx-eu[.]mail[.]am0[.]yahoodns[.]net
2
aspmx[.]l[.]google[.]com
2
mta5[.]am0[.]yahoodns[.]net
2
icloud[.]com
2
cox[.]net
2
walla[.]com
2
hanmail[.]net
2
allstate[.]com
2
wp[.]pl
2
*See JSON for more IOCs
Files and or directories created
Occurrences
%SystemRoot%\SysWOW64\config\systemprofile
3
%SystemRoot%\SysWOW64\config\systemprofile:.repos
3
%SystemRoot%\SysWOW64\fnwisxtv
1
%SystemRoot%\SysWOW64\airdnsoq
1
%SystemRoot%\SysWOW64\uclxhmik
1
%TEMP%\dnyabinr.exe
1
%TEMP%\lcxykqya.exe
1
%TEMP%\qzguacfj.exe
1
File Hashes
098ad43e2067c5c814cebe1fc52bdc528289c6a2cc96daf4e8bac90d1c95a0b3
2240525bf4ee830766ec33e2e3c0dfcdf871748088fcf068770fd306940c5957
693cd93fbc6bfb587ad011477ae870805725c5403260621a290f61bb0d243f47
a6b68aa5d00739401b413ed936526ea5e767824fddb4e768e03fb05dc369a6fd
b9820bc7b09bfa88556efac463b7459d2f4a47f06cc953529a9782fdbefd4959
c2cb05d50c06d9ed65a7c53fb2f6b7977f2988f5fbbd928266bb8ea27723b243
d6df88c6f61812a4bb662abb8d90fb4ba7e17ae5b9351251d001b7945d7aae98
ec745df5a9e65776f76b97e9685ad86fbb130bb6a3146a7823bd94c7c6502f1d
f3e93f62b4f4699a3d20e85fa3c9e8b7eb9129a15ca66720d4f677cae0c5a469
f8a2e41ea8ca0e998bcd54d8256cb538b1e32cec4e80eb810e8df003427b886b
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
WSA
Screenshots of Detection****Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.TrickBot-9960840-0****Indicators of Compromise
- IOCs collected from dynamic analysis of 36 samples
Registry Keys
Occurrences
<HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\USERDS
36
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS
Value Name: 4334c972
36
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS
Value Name: 2d17e659
36
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: IntelPowerAgent3
7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: IntelPowerAgent5
5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: IntelPowerAgent9
4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: IntelPowerAgent6
4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: IntelPowerAgent7
3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: IntelPowerAgent2
3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: IntelPowerAgent1
3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: IntelPowerAgent8
3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: IntelPowerAgent0
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: IntelPowerAgent4
2
Mutexes
Occurrences
98b59d0b000000cc
36
98b59d0b00000120
36
Global{2d17e659d34601689591}
36
98b59d0b00000174
36
98b59d0b00000150
36
98b59d0b00000158
36
98b59d0b000001ac
35
98b59d0b00000308
35
98b59d0b0000043c
35
98b59d0b000004b4
35
98b59d0b000001bc
35
98b59d0b000002ec
35
98b59d0b000001f0
35
98b59d0b000001c4
35
98b59d0b0000021c
35
98b59d0b0000025c
35
98b59d0b00000294
35
98b59d0b00000320
35
98b59d0b000003d4
35
98b59d0b000003f8
35
98b59d0b000004dc
35
98b59d0b0000060c
8
98b59d0b000005cc
8
98b59d0b000004f8
8
98b59d0b00000614
7
*See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
209[.]197[.]3[.]8
11
72[.]21[.]81[.]240
7
69[.]164[.]46[.]0
6
8[.]253[.]154[.]236/31
3
23[.]46[.]150[.]81
2
23[.]46[.]150[.]58
2
8[.]253[.]141[.]249
1
8[.]253[.]38[.]248
1
8[.]253[.]140[.]118
1
23[.]46[.]150[.]43
1
8[.]247[.]119[.]126
1
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
download[.]windowsupdate[.]com
36
adtejoyo1377[.]tk
36
Files and or directories created
Occurrences
%ProgramData%\c7150968.exe
1
%LOCALAPPDATA%\gusEBBF.tmp.bat
1
%ProgramData%\ba886437.exe
1
%HOMEPATH%\jfpDCC6.tmp.bat
1
%ProgramData%\63b007ed.exe
1
%HOMEPATH%\dtaE10F.tmp.bat
1
%ProgramData%\545ba94b.exe
1
%HOMEPATH%\hcv6907.tmp.bat
1
%ProgramData%\7afae1e8.exe
1
%HOMEPATH%\greA7E2.tmp.bat
1
%ProgramData%\9421c9aa.exe
1
%APPDATA%\vqpA923.tmp.bat
1
%ProgramData%\f779fb59.exe
1
%ProgramData%\xywA29.tmp.bat
1
%ProgramData%\940d0a1e.exe
1
%HOMEPATH%\jawD8CB.tmp.bat
1
%ProgramData%\a37667ce.exe
1
%HOMEPATH%\lkyB72F.tmp.bat
1
%ProgramData%\edcfad58.exe
1
%HOMEPATH%\pvf22C5.tmp.bat
1
%ProgramData%\182b8517.exe
1
%LOCALAPPDATA%\qsw15A4.tmp.bat
1
%ProgramData%\a3a20124.exe
1
%HOMEPATH%\xqh15A4.tmp.bat
1
%ProgramData%\a116e074.exe
1
*See JSON for more IOCs
File Hashes
007a16c9f6908085a2d65e991ae691f41e7ceab17653200669b4286af82e8c12
017306c686a5a81630e746b9518106fd5e54b410b50a61f43cba7a3850b1fec8
024d73837dea32792852294b951dcb246c56442ebde4643cef6733f411f581b6
0284c0aff10ff3ca7e6078f3d8191fc9c4db42fbfb912a8cefabc937c1eca87d
02df9ec5bfb9e1bb613b5ee7d4a518bccc9f87580182f26d6e5d5a643036e3a1
03226228480f9e9d87a0370428d337023226314bd9447efccdbc03bb672ec81b
0337b9f06cda7d7a6e96ce2a29e0f004fb6df49d3b82d294a17a13604e754f86
03a89b1af244c7d20db8498d9284c20deea9462fb15db2f89b4c59a9be47c2f0
04432d06396fac85167c0a9dadf206dc50ea8527c29b943b77f192e45dbce22d
04679de514d8e3902341b314e324e6f75ba536d09da05e99958dc5b4a689de42
049f0322736b0abeec70630b9efbbd40d9a0916ce359a5a8168165d25a76e48f
04e819e635fc974afd4ee533b478841ba581ddcff254034fdbfea6522939ef5f
05b51b8179992a7e21259d9eacdaf8b1115e51056ec0104daddda5a0810f7126
0734ea55ac016a1e6b6ac40837883a684656eec9ce857351c9f99d3c965d6501
07e4ebd0b135dbfcf1e7d2b60386c9b52fa5d154d072a5689eb3a7a2b15112d6
08da477f7c363ddbc11224260717cf6f7f48e849cff403e25559529029b8fdf4
08e9ccb010aceac1ea0c0fbb41e58c8e2552b30de500bf43e298a645f5acedf7
097f9d7400b8a8c8bf5aa5339bf18359148a533f9136cd9b6279623e4db293d7
0bde820541632a300070601291eb1c478b9d09da2b405f740d6fe92b290a45de
0be2e49c02aa297d158bd5fe213a96584455fb4cea7c24dd100b9922df2a45c5
0bf64ebc68956ea9d73858f32530c20fab4243fb09320adfd500fb94842a9888
0c29c2763f311604136a06a99fa76ed09411572cd796021b60c66806e6c8e5a9
0c6b997f98a1e58caf5a16a90317d2cb1d2474ac5c5926f26fa2b14a9299638a
0d30d3c9cf63898bb2e970ec5a54dfe868fc5f519fd6b283bd00a2d22a01a653
0da6c492cc755852c07bf7511b774e2527dce42be420f602e9445f1bb760ad33
*See JSON for more IOCs
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
N/A
WSA
N/A
Screenshots of Detection****Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Trojan.Zusy-9960880-0****Indicators of Compromise
- IOCs collected from dynamic analysis of 16 samples
Registry Keys
Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH
12
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH
Value Name: MarkTime
12
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH
Value Name: Description
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH
Value Name: Type
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH
Value Name: Start
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH
Value Name: ErrorControl
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH
Value Name: ImagePath
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH
Value Name: DisplayName
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH
Value Name: WOW64
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH
Value Name: ObjectName
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH
Value Name: FailureActions
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PQRSTU
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PQRSTU
Value Name: MarkTime
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH
Value Name: Group
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CDEFGH
Value Name: InstallTime
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF
Value Name: Type
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF
Value Name: Start
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF
Value Name: ErrorControl
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF
Value Name: DisplayName
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF
Value Name: WOW64
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF
Value Name: ObjectName
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABCDEF
Value Name: FailureActions
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PQRSTU
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PQRSTU
Value Name: Type
1
Mutexes
Occurrences
127.0.0.1:8000:Cdefgh
3
112.74.89.58:44366:Cdefgh
3
112.74.89.58:42150:Cdefgh
1
47.100.137.128:8001:Pqrstu
1
22.23.24.56:8001:Pqrstu
1
hz122.f3322.org:8001:Cdefgh
1
112.74.89.58:35807:Cdefgh
1
112.74.89.58:46308:Cdefgh
1
101.33.196.136:3389:Cdefgh
1
127.0.0.1:8001:Cdefgh
1
183.28.28.43:8001:Abcdef
1
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
112[.]74[.]89[.]58
6
22[.]23[.]24[.]56
1
47[.]100[.]137[.]128
1
101[.]33[.]196[.]136
1
183[.]28[.]28[.]43
1
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
hz122[.]f3322[.]org
1
Files and or directories created
Occurrences
%SystemRoot%\svchost.exe
4
File Hashes
04fa031e5d2d86f8dbe0d3b95d67ea774448df4613e8acce79f0c9a30ef041bc
2444b744b5c06e9410ee5c3baa807569fde44c5092192428de935e03d25b1edb
466ca0805173034a7b12a5ffce104bbe5ed312e7441abdb98849ae4103150d04
5a755f07d3b90ac5a2041fd04fd764c40882dd20b50f91fddbc10b8c6341591d
5b53262a14fe1dcd42d670b0488d0de11aeb7cfa84e36acb4eec0c13b5fd2d73
5ca6b22c6e7de5f0b9437970f1f9360ad4f3a74f964eb319080e347c27c6dff9
6ea5fdaa95dbe09ccbc474ba4fc9fbe796e79c02d2b4f65f223feda5643f5400
86bd70bc7bb74d3d4991b0f1c7e15ddef1d09695b3940c5fb015f2d00ce5f558
b9b344bd7005b233cbb85395f61c309938fe70e2f8a8d0b2c24441ba074f9ca5
bea6c7b4117eb1f894d830c77ddf6d4424bccb6043d0f43c257522d253321c3e
c0a8a6e606e46a970cefe81f269ec6aec2a538830c2f7e03cf0eac55b135a59a
c968ae3cfbbd89673b49f6bfd474eea846bdb1e2e3a7c5376dbcda5290d445ed
dfc315d962da82d84b54683a849edf4e7b16bb136dbc2eb1198d35e528920103
ec6cb8ff27e33d7e69ce02885baa9c08fd5a03349a16a52590353a4ec364c464
f240b80b34fa480dc7236ddecb5c326e719a094e49df5a6f2070712650553066
fd0e616e5ebb9075c44bb6772cf8b2c46801fafdb0716636850dc2ec0fe06f8c
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
N/A
WSA
Screenshots of Detection****Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.DarkComet-9961766-1****Indicators of Compromise
- IOCs collected from dynamic analysis of 33 samples
Registry Keys
Occurrences
<HKCU>\SOFTWARE\DC3_FEXEC
29
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Debugger
24
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: UserInit
23
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList
19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: MicroUpdate
11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: svchost.exe
7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: EnableFirewall
4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DisableNotifications
4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusDisableNotify
4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: DisableTaskMgr
3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesDisableNotify
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start
3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: DisableRegistryTools
3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: rundll32
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION\EXPLORERN
Value Name: NoControlPanel
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION\EXPLORERN
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Microsoft
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Updater
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Update
1
Mutexes
Occurrences
DC_MUTEX-<random, matching [A-Z0-9]{7}>
22
DCPERSFWBP
18
DC_MUTEX-5DND8AT
7
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
99[.]229[.]175[.]244
1
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
pervert[.]no-ip[.]info
7
pervert2[.]no-ip[.]info
7
delvega[.]no-ip[.]org
2
wp-enhanced[.]no-ip[.]org
2
funstuff712[.]zapto[.]org
2
fflazhhf1[.]no-ip[.]org
1
darkcometss[.]no-ip[.]org
1
not4umac[.]no-ip[.]biz
1
sanderkidah[.]no-ip[.]org
1
bobolobob[.]no-ip[.]biz
1
hg-ma[.]zapto5[.]org
1
corrosivegas2010[.]zapto[.]org
1
profi555[.]no-ip[.]org
1
hg-ma[.]zapto[.]org
1
jugoboy1[.]zapto[.]org
1
hg-ma[.]zapto1[.]org
1
hg-ma[.]zapto2[.]org
1
hg-ma[.]zapto3[.]org
1
hg-ma[.]zapto4[.]org
1
jackreapez[.]zapto[.]org
1
magicmq[.]no-ip[.]org
1
kenrickm[.]no-ip[.]org
1
mrganja[.]no-ip[.]org
1
cherubi[.]no-ip[.]org
1
Files and or directories created
Occurrences
%APPDATA%\WinDbg
30
%APPDATA%\WinDbg\windbg.exe
29
%APPDATA%\dclogs
28
\svchost.exe
7
%TEMP%\uxcv9v
7
%TEMP%\uxcv9v.vbs
7
%HOMEPATH%\Documents\MSDCSC
6
%HOMEPATH%\Documents\MSDCSC\msdcsc.exe
6
%TEMP%\MSDCSC
5
%TEMP%\MSDCSC\msdcsc.exe
5
%SystemRoot%\SysWOW64\MSDCSC
3
%SystemRoot%\SysWOW64\MSDCSC\msdcsc.exe
3
%TEMP%\tMMjnM
1
%TEMP%\xMWbLz.vbs
1
%TEMP%\tMMjnM.vbs
1
%APPDATA%\WinDbg\msdnaa.exe
1
%TEMP%\Mi0z67
1
%HOMEPATH%\Documents\Explorer\Iexplorer.exe
1
%TEMP%\q7EVTk
1
%TEMP%\mmsHyU
1
%TEMP%\q7EVTk.vbs
1
%TEMP%\mmsHyU.vbs
1
%APPDATA%\WinUpd\WinUpdater.exe
1
%TEMP%\alRnXV
1
%TEMP%\alRnXV.vbs
1
*See JSON for more IOCs
File Hashes
0153ea1e28f729d6604f422075202e48a599969c04c30e4a3056e3a308148eb3
050332edd1c7356a6e8a86471699135d90ba402d1f7ac0a27da39ccdb94ba0e8
07525015abc52c0820727bbfe3a29f62e1e5e0ca8af36ca8716ae5ea12e71a75
09fce07fb07b90dc54f5e72dd08d8677f62e948e6a0450e63f25cc6e22f99ff5
0a5710ed174fbee931562112147c3bf6cf8609a5f1674d0c878a6888548cb0c9
0db09a5cc0ff770b4024f14bf6b56b03c4ec599fe0499fc3a8d5da2625d93954
0f67c4df374d4e01f9838a7dc6ab174c0d8f4b5f2485b670f24c7fcdf65f3269
10f39ff02541b02857c11ca18a1cc745e075224ad510af7ad18b21dcb0d3cfa0
12449565aed227128301078ece7695cd6fbd8fb735e8f8b4238e08a1b181a651
13d377317be765d9d333e6a6d41bb83cffb606547dc308fefe0dcea87133b172
157be56d2b1cee72ad290957752e089cd39f39c51807c6791b25b875113758ab
15c65c639231d17726fa4a2c0cef2a7975a52f5d71ba8d7e4e3e1f053c066528
16cc7eabf5a54d8b376b6de32e2591902044a558ded0a527fcc0143e1686c4af
16e972675f3d1bd26aff1accdde7925e4cd5ba6d5f2a33826d3d75606a1bc955
173cae8d47a5d796b06fdd18c951003342ad08d0aee4be2823332df003b5673a
17dbbd57df81e29f2d19aba93c1626efe92bff713ad8b8e65b449e843aff54e8
19370c555e8e7ed5133ca6efa7acc98fc360983cc04193cc195ea0c8a0bf2931
1984c2439c1acacb9ec7c6468db48017d8c2aa4e2da5829d572bb6f5050e80cd
1b7a03db77e43e04badd95d28554df1f9e3d97197605af709df0387d3bd0c1e8
1b9f9491a6d98e3de499641caa8ac736f2c6f76e4ac8960170d89fea7026c69e
1bd9838e181acb88813cdea1d228b445e06b921bff3cece199f9551522eff27d
1cd35eff6c0963356162d68f5434b19728f2805db71b5c616ff534d2c961d093
1d25e1479054eea2355385f60a9ce320af2e5ff5ff1333bfabc72518f7337056
1f3c3ebac21a63328b72317246fb5731720e1d311cdb7928543e1c13e87994d3
2066531192b69556304df9a65266a2d2e5978ae8cec323b6860eb230fd2faa79
*See JSON for more IOCs
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
N/A
WSA
N/A
Screenshots of Detection****Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Ransomware.TeslaCrypt-9960924-0****Indicators of Compromise
- IOCs collected from dynamic analysis of 16 samples
Registry Keys
Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLinkedConnections
16
<HKU>.DEFAULT\SOFTWARE\TRUEIMG
16
<HKCU>\SOFTWARE\TRUEIMG
16
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0
Value Name: CheckSetting
16
<HKCU>\SOFTWARE\TRUEIMG
Value Name: ID
16
<HKCU>\Software<random, matching '[A-Z0-9]{14,16}’>
16
<HKCU>\Software<random, matching '[A-Z0-9]{14,16}’>
Value Name: data
16
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: _lfia
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: _hfnk
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: _kcgt
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: _ppqk
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: _kaol
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: _abtg
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: _rpua
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: _raet
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: _kwxa
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: _ojsf
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: _kiyk
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: _iykv
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: _hpdk
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: _htkc
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: _fshu
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: _fanp
1
Mutexes
Occurrences
xfghx
16
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
74[.]220[.]199[.]6
16
64[.]190[.]63[.]111
16
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
prodocument[.]co[.]uk
16
marketathart[.]com
16
joshsawyerdesign[.]com
16
emmy2015[.]com
16
nlhomegarden[.]com
16
esbook[.]com
16
Files and or directories created
Occurrences
%ProgramFiles%\7-Zip\Lang\lv.txt
16
%ProgramFiles%\7-Zip\Lang\mk.txt
16
%ProgramFiles%\7-Zip\Lang\mn.txt
16
%ProgramFiles%\7-Zip\Lang\mng.txt
16
%ProgramFiles%\7-Zip\Lang\mng2.txt
16
%ProgramFiles%\7-Zip\Lang\mr.txt
16
%ProgramFiles%\7-Zip\Lang\ms.txt
16
%ProgramFiles%\7-Zip\Lang\nb.txt
16
%ProgramFiles%\7-Zip\Lang\ne.txt
16
%ProgramFiles%\7-Zip\Lang\nl.txt
16
%ProgramFiles%\7-Zip\Lang\nn.txt
16
%ProgramFiles%\7-Zip\Lang\pa-in.txt
16
%ProgramFiles%\7-Zip\Lang\pl.txt
16
%ProgramFiles%\7-Zip\Lang\ps.txt
16
%ProgramFiles%\7-Zip\Lang\pt-br.txt
16
%ProgramFiles%\7-Zip\Lang\pt.txt
16
%ProgramFiles%\7-Zip\Lang\ro.txt
16
%ProgramFiles%\7-Zip\Lang\ru.txt
16
%ProgramFiles%\7-Zip\Lang\sa.txt
16
%ProgramFiles%\7-Zip\Lang\si.txt
16
%ProgramFiles%\7-Zip\Lang\sk.txt
16
%ProgramFiles%\7-Zip\Lang\sl.txt
16
%ProgramFiles%\7-Zip\Lang\sq.txt
16
%ProgramFiles%\7-Zip\Lang\sr-spc.txt
16
%ProgramFiles%\7-Zip\Lang\sr-spl.txt
16
*See JSON for more IOCs
File Hashes
00e862ecba1e2a71769a67fc5c27499e00c5594f6b7ed4e4114c2fe1fb43492f
144c480ed69ac652c4eb4efa5b6038d7a68ed3bca67089997b4228e1c814f7c4
1b02123c913912f44a6ef1c3c4a5a008270d9d8e802e92b4baa259135f25dc21
22f322c8241b4860c066f5ae57115c58f373753e3d8c9bede4521e5a5ed85e65
35aeb94c99b948b122f3e4bd4298107ab15cb8bbdb11b533d32666dbb1455ae3
3ba05e043bf3148202f498dcddb6bd67680f76640aef2d08f9ae1272ff85e719
41cba3025ecc75863b7a836ee00fdf2bbc2df90dffb17541b5bb1c9fcb269bd1
9223631593b46b54450b76028a69ddd837d06cd7e9b3d8e3f7bd584a46af22bf
b2713458d2c3ebd4b558f8c2ce19a90bd97095ca868fd499755bf1c9cbd0c388
bdf2c5fcf72e7d7870e81ffacdd01206ed98d2446a85c28e7eaf73e26d7a6eda
be9fac828e64c19e0a3fbf3c4a752d5332b7c0b849556f5388645515a29538ee
c00039c0454935a5079dc801ce4420457eb9964cbed8372b5aff5c60a45fa26c
d540b31f009a4138b5d35735fa9976522f4d5ee9e6b8dbdbde479796ebc6d4c0
dba60ef1804b4d90d74a2988fe53f044d7619f469d0ba9660e5646a1a67439cd
f1ab2d7ace4656b5f3770186d088ac0644482fe43f38fe2bdb9217744d0f58c1
ff6f821dc0526f3615b1a3c37b2b14094f53d05cb0a6a753cb257cb0bcde6898
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
WSA
Screenshots of Detection****Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Virus.Xpiro-9960895-1****Indicators of Compromise
- IOCs collected from dynamic analysis of 23 samples
Registry Keys
Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32
Value Name: Type
23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64
Value Name: Type
23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32
Value Name: Type
23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32
Value Name: Start
23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\COMSYSAPP
Value Name: Type
23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\COMSYSAPP
Value Name: Start
23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MOZILLAMAINTENANCE
Value Name: Type
23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MOZILLAMAINTENANCE
Value Name: Start
23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\OSE
Value Name: Type
23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\OSE
Value Name: Start
23
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\SVC\S-1-5-21-2580483871-590521980-3826313501-500
23
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\SVC\S-1-5-21-2580483871-590521980-3826313501-500
Value Name: EnableNotifications
23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32
Value Name: Start
23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64
Value Name: Start
23
<HKLM>\SOFTWARE\MICROSOFT.NETFRAMEWORK\V2.0.50727\NGENSERVICE\STATE
Value Name: AccumulatedWaitIdleTime
23
<HKLM>\SOFTWARE\MICROSOFT.NETFRAMEWORK\V2.0.50727\NGENSERVICE\LISTENEDSTATE
Value Name: RootstoreDirty
23
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT.NETFRAMEWORK\V2.0.50727\NGENSERVICE\STATE
Value Name: AccumulatedWaitIdleTime
23
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT.NETFRAMEWORK\V2.0.50727\NGENSERVICE\LISTENEDSTATE
Value Name: RootstoreDirty
23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start
22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_64
Value Name: Type
22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_64
Value Name: Start
22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IEETWCOLLECTORSERVICE
Value Name: Type
22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IEETWCOLLECTORSERVICE
Value Name: Start
22
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start
21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
18
Mutexes
Occurrences
kkq-vx_mtx63
23
kkq-vx_mtx64
23
kkq-vx_mtx65
23
kkq-vx_mtx66
23
kkq-vx_mtx67
23
kkq-vx_mtx68
23
kkq-vx_mtx69
23
kkq-vx_mtx70
23
kkq-vx_mtx71
23
kkq-vx_mtx72
23
kkq-vx_mtx73
23
kkq-vx_mtx74
23
kkq-vx_mtx75
23
kkq-vx_mtx76
23
kkq-vx_mtx77
23
kkq-vx_mtx78
23
kkq-vx_mtx79
23
kkq-vx_mtx80
23
kkq-vx_mtx81
23
kkq-vx_mtx82
23
kkq-vx_mtx83
23
kkq-vx_mtx84
23
kkq-vx_mtx85
23
kkq-vx_mtx86
23
kkq-vx_mtx87
23
*See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
107[.]22[.]125[.]105
7
3[.]217[.]206[.]46
4
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
ninite[.]com
21
www[.]bing[.]com
1
Files and or directories created
Occurrences
%CommonProgramFiles%\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
23
%CommonProgramFiles(x86)%\microsoft shared\Source Engine\OSE.EXE
23
%ProgramFiles(x86)%\Microsoft Office\Office14\GROOVE.EXE
23
%ProgramFiles(x86)%\Mozilla Maintenance Service\maintenanceservice.exe
23
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
23
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
23
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
23
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
23
%System32%\FXSSVC.exe
23
%System32%\alg.exe
23
%System32%\dllhost.exe
23
%SystemRoot%\ehome\ehsched.exe
23
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
23
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
23
%SystemRoot%\SysWOW64\dllhost.exe
23
%SystemRoot%\SysWOW64\svchost.exe
23
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log
23
%SystemRoot%\SysWOW64\dllhost.vir
23
%SystemRoot%\SysWOW64\svchost.vir
23
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
23
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock
23
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat
23
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock
23
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat
23
%CommonProgramFiles(x86)%\microsoft shared\source engine\ose.vir
23
*See JSON for more IOCs
File Hashes
137ad3b55addd7191c8c974beef6b65bae791bc4de1e86b7e2965b311d40e2d0
1cfd0fd601a0f5234ce72672ec9c6c866dca03836198d93a320ed5df0bddd7f8
1e831b6d0cabaa8b44de36c1b96dd6e54e295502eb171be4f87723212fe574ca
1f935627d9866da115f1aad78be290f60a639bec1a94d6b8397326eeb46c111b
30ffb87628211e78074a3a891b8bd173db6f2d74dc97e735ff386361cf29aee1
3f948d4350c566416101441adb1c00121bd835db40cc08c73a556b764458673d
47934d4f40e9a5af0ee572a7e1e088d29d3bfd655d4aff26018a64118ad68a24
563c16cb752614726d350000fbf514a8b8d32a8074cd12c7545d6ff93f790ed9
591ae4985fd6993f580eae6f93f3e96f7c73c14dc3927e96223e8003f9ab3588
5cbd454095120231e23ca372fee8e9e76f34e3f5491f8ab10e8e5203e4c52570
6f0f5fda67646bc8def9c66497041528cd8ed7158a169c1b0787f59360c28ea8
7ec4a0246b5d33dfe811f4f34ab94a6b82d822196776afbe28a0f543ade8ad63
97d0aeeca4859c38984086ff1bef13c9bd11466131058fabda20dd1b21342f7a
a2839faa3c7ecbff8afa71ca5787690e0e3eaeb36b899bab1926b19ce32b8c6d
bcf2ae9a67fe974c02e95fbdd4edcce7df377a288c7586dae9d0b625aeedc93b
c51d235b290424ad6baf08d67ab600a260200846a3f4b218e916933594b40537
d3d7dd910bd5e79fdb39d51aa83afaccdfd10538d30dd69bc7219a146e897361
d445c1ac4afae6cb028a2508c655271e3d69e07d9e016887d89d790c80fc0409
e23566aabaa7743da973840338829cc25d6936e8fcb5fb8d9b78b0ccac46c1ea
e37b0661d4e4483048abcf0abba65060c78716672790e12bb0a768f04b18134b
e48a371f7f5f3ad1cda0d16312f30846b6a12494967c8fba8de7f65a5673b1ff
eb1ecc1ef099105b4882ccace3caf843ed1508b1463f8af6cc94adaa0181b721
ec1bc44db50911234444c575d91335113232ab5b1f6cad6acf5e52ff16ccd8fb
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
N/A
WSA
N/A
Screenshots of Detection****Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.Emotet-9961142-0****Indicators of Compromise
- IOCs collected from dynamic analysis of 218 samples
Registry Keys
Occurrences
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList
190
<HKLM>\SYSTEM\CONTROLSET001\SERVICES<random, matching '[A-Z0-9]{8}’>
Value Name: Type
64
<HKLM>\SYSTEM\CONTROLSET001\SERVICES<random, matching '[A-Z0-9]{8}’>
Value Name: Start
64
<HKLM>\SYSTEM\CONTROLSET001\SERVICES<random, matching '[A-Z0-9]{8}’>
Value Name: ErrorControl
64
<HKLM>\SYSTEM\CONTROLSET001\SERVICES<random, matching '[A-Z0-9]{8}’>
Value Name: DisplayName
64
<HKLM>\SYSTEM\CONTROLSET001\SERVICES<random, matching '[A-Z0-9]{8}’>
Value Name: WOW64
64
<HKLM>\SYSTEM\CONTROLSET001\SERVICES<random, matching '[A-Z0-9]{8}’>
Value Name: ObjectName
64
<HKLM>\SYSTEM\CONTROLSET001\SERVICES<random, matching '[A-Z0-9]{8}’>
63
<HKLM>\SYSTEM\CONTROLSET001\SERVICES<random, matching '[A-Z0-9]{8}’>
Value Name: ImagePath
61
<HKLM>\SYSTEM\CONTROLSET001\SERVICES<random, matching '[A-Z0-9]{8}’>
Value Name: Description
60
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%systemroot%\system32\dot3svc.dll,-1103
14
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @oleres.dll,-5013
10
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%systemroot%\system32\browser.dll,-101
9
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\AxInstSV.dll,-104
9
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%systemroot%\system32\dps.dll,-501
9
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\ehome\ehrecvr.exe,-102
8
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @appmgmts.dll,-3251
8
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\dhcpcore.dll,-101
8
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%systemroot%\system32\appinfo.dll,-101
8
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\System32\audiosrv.dll,-205
7
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%systemroot%\system32\appidsvc.dll,-101
7
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @comres.dll,-948
7
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\System32\dnsapi.dll,-102
7
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%systemroot%\system32\cscsvc.dll,-201
7
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\System32\bthserv.dll,-102
7
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
5[.]196[.]74[.]210
82
74[.]208[.]45[.]104
82
45[.]55[.]219[.]163
82
45[.]55[.]36[.]51
82
174[.]45[.]13[.]118
82
180[.]92[.]239[.]110
82
91[.]83[.]93[.]99
82
217[.]199[.]160[.]224
78
89[.]32[.]150[.]160
78
68[.]183[.]190[.]199
78
45[.]161[.]242[.]102
78
209[.]236[.]123[.]42
78
71[.]197[.]211[.]156
78
91[.]121[.]54[.]71
78
85[.]25[.]207[.]108
58
88[.]249[.]181[.]198
58
65[.]156[.]53[.]186
58
68[.]183[.]233[.]80
58
177[.]32[.]8[.]85
58
81[.]17[.]93[.]134
58
197[.]232[.]36[.]108
58
23[.]46[.]150[.]72
30
23[.]46[.]150[.]48
27
23[.]221[.]72[.]27
13
23[.]221[.]72[.]10
6
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
apps[.]identrust[.]com
82
Files and or directories created
Occurrences
%SystemRoot%\SysWOW64<random, matching '[a-z]{8}’>
35
%SystemRoot%\SysWOW64\printui
2
%SystemRoot%\SysWOW64\NlsLexicons0414
2
%SystemRoot%\SysWOW64\utildll
2
%SystemRoot%\SysWOW64\NlsData000a
2
%SystemRoot%\SysWOW64\fthsvc
2
%SystemRoot%\SysWOW64\shlwapi
2
%SystemRoot%\SysWOW64\WcsPlugInService
2
%SystemRoot%\SysWOW64\NlsLexicons0002
2
%SystemRoot%\SysWOW64\d3d8thk
1
%SystemRoot%\SysWOW64\instnm
1
%SystemRoot%\SysWOW64\cttune
1
%SystemRoot%\SysWOW64\tsbyuv
1
%SystemRoot%\SysWOW64\KBDSW
1
%SystemRoot%\SysWOW64\fc
1
%SystemRoot%\SysWOW64\rshx32
1
%SystemRoot%\SysWOW64\KBDHE220
1
%SystemRoot%\SysWOW64\WMADMOE
1
%SystemRoot%\SysWOW64\NlsData0002
1
%SystemRoot%\SysWOW64\iprop
1
%SystemRoot%\SysWOW64\rastls
1
%SystemRoot%\SysWOW64\aecache
1
%SystemRoot%\SysWOW64\SMBHelperClass
1
%SystemRoot%\SysWOW64\KBDNO
1
%SystemRoot%\SysWOW64\mfc100
1
*See JSON for more IOCs
File Hashes
0154a4e3faa4dafca324954364d049324d6fcc6b8a1c90cbae92cd41f8927c4e
01ea88880d59cd617d53bfd1849ad0c2023c9febc43b48579d06802c9b324d77
0222be0813e32c7a2c87a31482e33830a91b73a750aff3499da5caa100646607
0242673f6b5b086a61873f4773b8b7f119d025325f2724cb362b1151adccfc8b
02f7999d6693f08f5983effb8bee06145be3f7dc22ff1e5b745e8d0633fe19d6
038008283ccba00047b767169fd02554182310d7b32c6def8a3fc1c6a045daf1
0403b01de17d2130faa4eecf11111acf15bc672dfeb9394054e5aa05166b8289
044242411968ca1c92b3a645d7f470cf0cda1a220920da688558fde7f4108eb9
055014bbf3a21173e4e2d9fb22124d7d249bc8f8c748151197d6e985bdf06f67
05cf33a7202716161360fc0e6fd45091f9a290954ba26a64037745652fa4b487
066202dc95bd51220d42f603a030ef71527b8dc56e62200f0d175f09f3f89c27
06ee8bc6b3c35b3d3ea924f73db6da1df9061e69b487bad9718328f1d186f0c7
0780d91df0f27af4b00d51e531a1cf12d50bbb048a211e0b287820bd9313eab5
07c262357505c7bef31ebfe2bb6c13a3d386e38d262ba2bdbfb2e52c1bd066fd
080fc908405201cbf074d6343acf66ee3c4d57f231c399b87097f75b8ca7960f
08e6bfa50d4fe544c03474d1a23776762a47a0ceed44dbe5bbb6e09fce30b055
091b50c4a374f1fc1d15e81044c2b50f03fa7c3e8359eb09bb95dc25deeebd4d
098861c8b4411225b4fde8737ccb518052ef40c896ee4e42dfeecf322e56f07f
09c4a4a31a51590b27a82bcff450c29391d3dfde480df012f43020e858efb639
0b533cf67e6fd8298b62d3aaea82f07ad11c600fa8917f3b683a72da9ca2fa7e
0c33a1f3687e65daa8825856f309cc40ef97d0892ef7742a77355124e296b815
0ccab31b5610aac24a242c812f474ff24b8e345aa78fd4b7d0a92b690938f908
0cd25d45a5e31de0fc1b75ba65c5b43d934b60b7d07638aaa1ce0d83afd984ec
0d3fee19509a873e96a1b2559d9193cf046f7f35f49d16b180438d9df7da027f
0ea6a45d2ad1115ce7141f15693139b8bd9e5ffebb5a1321ab8c48e62d65fab9
*See JSON for more IOCs
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
N/A
WSA
Screenshots of Detection****Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.Remcos-9961392-0****Indicators of Compromise
- IOCs collected from dynamic analysis of 14 samples
Registry Keys
Occurrences
<HKCU>\SOFTWARE\POULUS
14
<HKCU>\SOFTWARE\POULUS\MICROMINIATURISER
14
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\BRUGERNAVNETS
14
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\BRUGERNAVNETS\TIVOLIET
14
<HKCU>\SOFTWARE\POULUS\MICROMINIATURISER
Value Name: Komplettes
14
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\BRUGERNAVNETS\TIVOLIET
Value Name: Fins
14
<HKCU>\SOFTWARE!27MZCJW9@REXF-NJL3J3
7
<HKCU>\SOFTWARE!27MZCJW9@REXF-NJL3J3
Value Name: licence
7
<HKCU>\SOFTWARE!27MZCJW9@REXF-NJL3J3
Value Name: exepath
7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: ornamenterne
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: Hyldetrs
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: lnglidninger
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: Vampirebat
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: Dereferencing
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: Sarkastisk
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: Martyrologistic
1
Mutexes
Occurrences
Remcos_Mutex_Inj
7
!27Mzcjw9@Rexf-NJL3J3
7
Global\916138a1-15e4-11ed-9660-00151792685a
1
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
5[.]2[.]75[.]164
7
181[.]235[.]13[.]200
4
186[.]169[.]54[.]97
3
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
colpatvalidacionnuevo[.]xyz
7
Files and or directories created
Occurrences
%HOMEPATH%\Desktop\Markedness.ini
14
%TEMP%\ns<random, matching '[a-z][A-F0-9]{1,4}’>.tmp
14
%TEMP%\ns<random, matching '[a-z][A-F0-9]{4}’>.tmp\System.dll
14
%TEMP%\logsflat458
7
%TEMP%\logsflat458\sasgs527.dat
7
\TEMP\en-US\22d69844486d029467b528c89bf763a6.exe.mui
1
\TEMP\en-US\ef6731323cff411f303c2bd29b9f15c8.exe.mui
1
\TEMP\en-US\b2a7538d257a51b1a506b646c248fcbe.exe.mui
1
\TEMP\en-US\570979659276a2a985f97f7965f97f76.exe.mui
1
\TEMP\en-US\f231d436f8d62de3082ea791da78ed50.exe.mui
1
\TEMP\en\f231d436f8d62de3082ea791da78ed50.exe.mui
1
\TEMP\en\ef6731323cff411f303c2bd29b9f15c8.exe.mui
1
%TEMP%\Selenitic
1
%TEMP%\Dextroamphetamine
1
%TEMP%\Selenitic\Uncooping.exe
1
%TEMP%\Dextroamphetamine\Lobcokt.exe
1
\TEMP\en\22d69844486d029467b528c89bf763a6.exe.mui
1
%TEMP%\Tiki124
1
%TEMP%\Tiki124\Unexpecting.exe
1
\TEMP\en\b2a7538d257a51b1a506b646c248fcbe.exe.mui
1
\TEMP\en\570979659276a2a985f97f7965f97f76.exe.mui
1
%TEMP%\Sekundrkommunens
1
%TEMP%\Giganter27
1
%TEMP%\Sekundrkommunens\Unpracticability174.exe
1
%TEMP%\Giganter27\Spandauerne.exe
1
*See JSON for more IOCs
File Hashes
125b94822affbd4b1b67333905a91231c62e427334475ada0daa44d007e884c1
332cb82247db85cd4c772200938a7623c4161a15d680157cdc688b53aae2303a
3efb2166b220fd7d7e5df42739d998f6ed4c70fefdcb03b6a9b1810d6dcfcd77
42d77fbb29467078ade8ecba705a648d3d4aeacd5f6735a6d92d17cb55ff7049
6761e346725d0cfa3436b459176ff467f7b4a426af0559845032c912420747cd
72d9be63e832a89a04ffcfb48c30199d3461fe982bde962f57c7cf71e0f5f06a
8c420a6337376e20c987679a34e3d09194e504c444fbf50619328f5c0dda9217
942dcafe7a16cfdd1769048c73590ec2c29e9c76a9f6c46e6b6e88ac2220b0ef
9ead44844a24092afb456478686839852e04cd1ad8e081185ae432f1171baa1b
a3ec71d27779875c7262d608c3c5e591fa7c12f0893e006bb6f7d2ad1d710142
a742e0a1f7939fdaf5eb615bac3da040781bd19e84e3f647186314ecb6e0fa5e
ce2ff79b4178d9b7f142001bc227753dd395fcd1a28a385bfa379e0857181467
d52c22336b2e2efaeab6b8eb2be8726a36eaea553905b01102d9716d4c6184af
e2deccb5d8cc1ec270d95501aaa7e53951bd7f89c2c0bcd50420bf94b7057675
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
WSA
Screenshots of Detection****Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.Ramnit-9961396-0****Indicators of Compromise
- IOCs collected from dynamic analysis of 26 samples
Registry Keys
Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusOverride
26
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusDisableNotify
26
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallDisableNotify
26
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallOverride
26
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesDisableNotify
26
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UacDisableNotify
26
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
26
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: EnableFirewall
26
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DoNotAllowExceptions
26
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DisableNotifications
26
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start
26
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start
26
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: Start
26
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION
Value Name: jfghdug_ooetvtgk
26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: JudCsgdy
26
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV
Value Name: Start
26
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Defender
26
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: Userinit
26
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: Userinit
26
Mutexes
Occurrences
qazwsxedc
26
{7930D12C-1D38-EB63-89CF-4C8161B79ED4}
26
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
72[.]26[.]218[.]70
25
195[.]201[.]179[.]207
25
208[.]100[.]26[.]245
25
46[.]165[.]220[.]155
25
35[.]205[.]61[.]67
25
142[.]250[.]80[.]14
25
63[.]251[.]235[.]76
25
64[.]225[.]91[.]73
25
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
google[.]com
25
gjvoemsjvb[.]com
25
ahpygyxe[.]com
25
msoalrhvphqrnjv[.]com
25
rdslmvlipid[.]com
25
jpcqdmfvn[.]com
25
rrmlyaviljwuoph[.]com
25
maajnyhst[.]com
25
enbbojmjpss[.]com
25
oqmfrxak[.]com
25
tdccjwtetv[.]com
25
tpxobasr[.]com
25
xpdsuvpcvrcrnwbxqfx[.]com
25
fbrlgikmlriqlvel[.]com
25
boeyrhmrd[.]com
25
ugcukkcpplmouoah[.]com
25
gugendolik[.]com
25
Files and or directories created
Occurrences
%LOCALAPPDATA%\bolpidti
26
%LOCALAPPDATA%\bolpidti\judcsgdy.exe
26
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\judcsgdy.exe
26
File Hashes
081742e8ed56a1a933e0507ccd536aaaf7242ac76d47a1a49626ee71c6756b53
0e372167303e500219b580a1a0367d2b69ab693e56934584e05cd963736bd463
10cef31349a4842546edbc5244d0d3aaed1e3c058008800c889abf5dc43ec343
127ee9c2897fb600dec742861451fdcf48820c200e15df7479542ed4232c0584
155b0301ce2f88c396fb7aa77cbc82c51a01660e6a74b63f7ba8dc8f023ea7e8
1e1773938b5bdd08be479ca9186a30d3fad83ea67ae905f391508ac543c2a38f
263351025d462b47660ea4bacd71ae1fd694de45a3d9bd5b14e58be1c4362d00
2e2ac92783031efdde48674b0ed3362c81fac9b25756ee39af1629f39309ccc2
340833674362d0c01995cc8657a95a628fddeb853272b6d89dfcf98bbe106cbe
39b9cfa59e688e1d56e6499b80637f321f777d022dff4a9eaf691ba9a1e9cc86
3cc065b26f54c993606649d1679bca81068c10e3727fdf9ee811fa6a17c1ebad
41b21c4398fa089007a9a34aac8a3f5d14b61814ff036b555cc6b09c8efd81aa
4b183d215f86d026ef2bac0cf5dd4b28146612d52206e358169b0f1d3209c76d
4ed2cf991c4ed810cdbb5d567d33e1f1d94218ae43c506d6b33d2acc35009598
57fa2ea50d27a8cc8feec2867a680ae6e9a0d1a47d117733a73db86da3bf8416
5de59e2cc183ce5f34b2ca66fbd1edce54b3a6208ae7621c49cbd78835bdcbf5
699e006e4a6871ca898aacf55f84c36ea43d8b9e421b71dd20a0fe5a06378d66
6a216904abbf52246819029936c7e8705f50c61ba0ee6a62d8a14881cfca0a33
77aeccd3d538a6effc3623344a331d5190c747489a5cc511d4e7d973e879ff8a
77c966ca4088e8b918b4e40ed539a510fad2a2631ff17d1a1b01a1670e6fa400
79622d5b5ef3c93d32bcaaba64cfbbe4a88ec7f56d1f7f2160b9219321058f29
8c878b6608dba85c650ffda157cc14d885f14559e8c6b38a5ae0be85d5a73001
8d5f17bf76258cf83d0678cef645b0fa2f0b6df56858fb0ec4cab8894b59b316
a1574bfff6cebf0757ab5a7fc7634b7956fed8943e088b87820ff13be65789c4
af0aa7289a5770da3a158d0f0fbea1c5073b6ca4f6fe5a7bebdde44a55ca2c2e
*See JSON for more IOCs
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
WSA
Screenshots of Detection****Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK