Threat Roundup for September 16 to September 23

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Sept. 16 and Sept. 23. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and by discussing how our customers are automatically protected from these threats. As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. Five distinct shades are used, with the darkest indicating that no files exhibited the technique behavior and the brightest indicating that the technique behavior was observed in 75 percent or more of the files. The most prevalent threats highlighted in this roundup are:

Threat Name    Type    Description

Win.Dropper.NetWire-9970213-0    Dropper    NetWire is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, use remote desktop and read data from connected USB devices. NetWire is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.

Win.Trojan.LokiBot-9970418-0    Trojan    Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.

Win.Ransomware.Cerber-9970426-0    Ransomware    Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension “.cerber,” although in more recent campaigns, other file extensions are used.

Win.Packed.Gamarue-9970619-0    Packed    Gamarue, also known as Andromeda, is a botnet used to spread malware, steal information and perform activities such as click fraud.

Win.Packed.Nanocore-9970631-0    Packed    Nanocore is a .NET remote access trojan. Its source code has been leaked several times, making it widely available. Like other RATs, it allows full control of the system, including recording video and audio, stealing passwords, downloading files and recording keystrokes.

Win.Dropper.Formbook-9970817-0    Dropper    Formbook is an information stealer that attempts to collect sensitive information from an infected machine by logging keystrokes, stealing saved web browser credentials, and monitoring information copied to the clipboard.

Win.Ransomware.BlackMatter-9970818-0    Ransomware    BlackCat ransomware, also known as "ALPHV", has quickly gained notoriety for being used in double ransom attacks against companies in which attackers encrypt files and threaten to leak them. It uses the combination of AES128-CTR and RSA-2048 to encrypt the files on the victim’s computer.

Win.Dropper.DarkKomet-9970824-0    Dropper    DarkKomet is a freeware remote access trojan released by an independent software developer. It provides the same functionality you would expect from a remote access tool: keylogging, webcam access, microphone access, remote desktop, URL download and program execution, etc.

Threat Breakdown

Win.Dropper.NetWire-9970213-0

Indicators of Compromise

IOCs collected from dynamic analysis of 12 samples

Registry Keys    Occurrences
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
    Value Name: LanguageList    7
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: WindowsUpdate    7

Mutexes    Occurrences
8-3503835SZBFHHZ    5
73M9N-T0-UB83K6J    2
S-1-5-21-2580483-12441695089072    2
S-1-5-21-2580483-12443106840201    2
1N6PO-QCTT825WY-    2
S-1-5-21-2580483-1244465298972    1
3MAM487FD866043M    1

IP Addresses contacted by malware. Does not indicate maliciousness

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness

*See JSON for more IOCs

Files and or directories created

*See JSON for more IOCs

File Hashes


Coverage

Product    Protection
Secure Endpoint
Cloudlock    N/A
CWS
Email Security
Network Security
Stealthwatch    N/A
Stealthwatch Cloud    N/A
Secure Malware Analytics
Umbrella
WSA

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Trojan.LokiBot-9970418-0

Indicators of Compromise

IOCs collected from dynamic analysis of 11 samples

Registry Keys    Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\PAADMME    11
<HKLM>\SOFTWARE\WOW6432NODE\PAADMME\NEAPOLITANERE    11
<HKLM>\SOFTWARE\WOW6432NODE\PAADMME\NEAPOLITANERE\BINOCLES    11
<HKLM>\SOFTWARE\WOW6432NODE\PAADMME\NEAPOLITANERE\BINOCLES\UDPRINT    11
<HKLM>\SOFTWARE\WOW6432NODE\TOXOSIS    11
<HKLM>\SOFTWARE\WOW6432NODE\TOXOSIS\BENZENSULFONAT    11
<HKLM>\SOFTWARE\WOW6432NODE\TOXOSIS\BENZENSULFONAT\INGEVALDS    11
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\SKABHALS    11
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\SKABHALS\AMARYLLIS    11
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\SKABHALS\AMARYLLIS\RECHARTING    11
<HKLM>\SOFTWARE\WOW6432NODE\PAADMME\NEAPOLITANERE\BINOCLES\UDPRINT
    Value Name: Girleen    11
<HKLM>\SOFTWARE\WOW6432NODE\TOXOSIS\BENZENSULFONAT\INGEVALDS
    Value Name: befugteres    11
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\SKABHALS\AMARYLLIS\RECHARTING
    Value Name: Krogfiskeri    11

IP Addresses contacted by malware. Does not indicate maliciousness    Occurrences
103[.]170[.]254[.]140    1

Files and or directories created    Occurrences
%LOCALAPPDATA%\Konstellations    11
%LOCALAPPDATA%\Konstellations\Materes    11
%LOCALAPPDATA%\Konstellations\Materes\window-restore-symbolic.symbolic.png    11
%TEMP%\ns<random, matching '[a-z][A-F0-9]{1,4}'>.tmp    11
%TEMP%\ns<random, matching '[a-z][A-F0-9]{4}'>.tmp\System.dll    11
%LOCALAPPDATA%\Konstellations\Materes\Arider.bmp    1
%LOCALAPPDATA%\Konstellations\Materes\FROSSEN.bmp    1
%LOCALAPPDATA%\Konstellations\Materes\Praktikleder8.bmp    1
%LOCALAPPDATA%\Konstellations\Materes\Digoxins6.bmp    1
%LOCALAPPDATA%\Konstellations\Materes\BIOSYNTHESIZE.bmp    1
%LOCALAPPDATA%\Konstellations\Materes\countertime.bmp    1
%LOCALAPPDATA%\Konstellations\Materes\ACRITOL.bmp    1
%LOCALAPPDATA%\Konstellations\Materes\lnlige.bmp    1
%LOCALAPPDATA%\Konstellations\Materes\Kloakeringsomraadet.bmp    1
%LOCALAPPDATA%\Konstellations\Materes\Coitalt.bmp    1
%LOCALAPPDATA%\Konstellations\Materes\Charlies.bmp    1

File Hashes


Coverage

Product    Protection
Secure Endpoint
Cloudlock    N/A
CWS
Email Security
Network Security    N/A
Stealthwatch    N/A
Stealthwatch Cloud    N/A
Secure Malware Analytics
Umbrella    N/A
WSA    N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Ransomware.Cerber-9970426-0

Indicators of Compromise

IOCs collected from dynamic analysis of 24 samples

Registry Keys    Occurrences
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
    Value Name: LanguageList    24
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
    Value Name: @%SystemRoot%\system32\dhcpqec.dll,-100    24
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
    Value Name: @%SystemRoot%\system32\dhcpqec.dll,-101    24
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
    Value Name: @%SystemRoot%\system32\dhcpqec.dll,-103    24
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
    Value Name: @%SystemRoot%\system32\dhcpqec.dll,-102    24
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
    Value Name: @%SystemRoot%\system32\napipsec.dll,-1    24
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
    Value Name: @%SystemRoot%\system32\napipsec.dll,-2    24
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
    Value Name: @%SystemRoot%\system32\napipsec.dll,-4    24
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
    Value Name: @%SystemRoot%\system32\napipsec.dll,-3    24
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
    Value Name: @%SystemRoot%\system32\tsgqec.dll,-100    24
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
    Value Name: @%SystemRoot%\system32\tsgqec.dll,-101    24
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
    Value Name: @%SystemRoot%\system32\tsgqec.dll,-102    24
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
    Value Name: @%SystemRoot%\system32\tsgqec.dll,-103    24
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
    Value Name: @%SystemRoot%\system32\eapqec.dll,-100    24
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
    Value Name: @%SystemRoot%\system32\eapqec.dll,-101    24
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
    Value Name: @%SystemRoot%\system32\eapqec.dll,-102    24
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
    Value Name: @%SystemRoot%\system32\eapqec.dll,-103    24

Mutexes    Occurrences
shell.{381828AA-8B28-3374-1B67-35680555C5EF}    24

IP Addresses contacted by malware. Does not indicate maliciousness    Occurrences
178[.]128[.]255[.]179    24
149[.]202[.]64[.]0/27    24
149[.]202[.]122[.]0/27    24
149[.]202[.]248[.]0/22    24
172[.]66[.]42[.]238    16
172[.]67[.]2[.]88    11
172[.]66[.]41[.]18    8
104[.]20[.]20[.]251    7
104[.]20[.]21[.]251    6

Domain Names contacted by malware. Does not indicate maliciousness    Occurrences
api[.]blockcypher[.]com    24
bitaps[.]com    24
chain[.]so    24
btc[.]blockr[.]io    24
xxxxxxxxxxxxxxxx[.]1k1dxt[.]top    24

Files and or directories created    Occurrences
%TEMP%\d19ab989    24
%TEMP%\d19ab989\4710.tmp    24
%TEMP%\d19ab989\a35f.tmp    24
%LOCALAPPDATA%\Microsoft\Office\Groove1\System\CSMIPC.dat    24
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp    24
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.bmp    24
<dir>\_READ_THIS_FILE_<random, matching [A-F0-9]{4,8}>_.hta    24
<dir>\_READ_THIS_FILE_<random, matching [A-F0-9]{4,8}>_.txt    24
<dir>\_READ_THIS_FILE_<random, matching [A-F0-9]{4,8}>_.jpeg    24

File Hashes


Coverage

Product    Protection
Secure Endpoint
Cloudlock    N/A
CWS
Email Security
Network Security
Stealthwatch    N/A
Stealthwatch Cloud    N/A
Secure Malware Analytics
Umbrella    N/A
WSA

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Packed.Gamarue-9970619-0

Indicators of Compromise

IOCs collected from dynamic analysis of 25 samples

Registry Keys    Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: apdsdtsh    25
<HKCU>\SOFTWARE\APPDATALOW\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5    25
<HKCU>\SOFTWARE\APPDATALOW\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5
    Value Name: Install    25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
    Value Name: C:\Windows\system32\Authias.exe    25
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
    Value Name: LanguageList    25
<HKCU>\SOFTWARE\APPDATALOW\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5
    Value Name: Client    25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.106
    Value Name: CheckSetting    25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{01979C6A-42FA-414C-B8AA-EEE2C8202018}.CHECK.100
    Value Name: CheckSetting    25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{852FB1F8-5CC6-4567-9C0E-7C330F8807C2}.CHECK.100
    Value Name: CheckSetting    25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{852FB1F8-5CC6-4567-9C0E-7C330F8807C2}.CHECK.101
    Value Name: CheckSetting    25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\SHELL
    Value Name: NodeSlots    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\SHELL
    Value Name: MRUListEx    1
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL
    Value Name: NodeSlots    1
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL
    Value Name: MRUListEx    1

        Mutexes                                                                               Occurrences
        Local\{7FD07DA6-D223-0971-D423-264D4807BAD1}                                          25
        {<random GUID>}                                                                       25

        Domain Names contacted by malware. Does not indicate maliciousness                    Occurrences
        alrthesecuritywith[.]su                                                               25

        Files and/or directories created                                                      Occurrences
        \{4BC230AC-2EB3-B560-90AF-42B9C45396FD}                                               25
        %LOCALAPPDATA%\Microsoft\Windows\WER\ERC\statecache.lock                              25
        %System32%\Authias.exe                                                                25

File Hashes


*See JSON for more IOCs

Coverage

        Product                                 Protection
        Secure Endpoint
        Cloudlock                               N/A
        CWS
        Email Security
        Network Security
        Stealthwatch                            N/A
        Stealthwatch Cloud                      N/A
        Secure Malware Analytics
        Umbrella                                N/A
        WSA                                     N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Packed.Nanocore-9970631-0

Indicators of Compromise

IOCs collected from dynamic analysis of 16 samples

        Registry Keys                                                                         Occurrences
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
        Value Name: AGP Manager                                                               16

        Mutexes                                                                               Occurrences
        Global\{5f88600c-86da-4b30-b45c-8e6d9614baec}                                         16

        IP Addresses contacted by malware. Does not indicate maliciousness                    Occurrences
        176[.]136[.]210[.]152                                                                 16

        Domain Names contacted by malware. Does not indicate maliciousness                    Occurrences
        foobosmy[.]duckdns[.]org                                                              16

        Files and/or directories created                                                      Occurrences
        %ProgramFiles(x86)%\AGP Manager                                                       16
        %ProgramFiles(x86)%\AGP Manager\agpmgr.exe                                            16
        %APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5                                        16
        %APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs                                   16
        %APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs\Administrator                     16
        %APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\run.dat                                16
        %APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\task.dat                               16
        %System32%\Tasks\AGP Manager                                                          16
        %System32%\Tasks\AGP Manager Task                                                     16
        %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\vftwrxguvulmqhj.eu.url        16
        %APPDATA%\zvgrxunhzg                                                                  16
        %APPDATA%\zvgrxunhzg\vftwrxguvulmqhj.exe                                              16
        %TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp                                        16

File Hashes


Coverage

        Product                                 Protection
        Secure Endpoint
        Cloudlock                               N/A
        CWS
        Email Security
        Network Security
        Stealthwatch                            N/A
        Stealthwatch Cloud                      N/A
        Secure Malware Analytics
        Umbrella                                N/A
        WSA                                     N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Formbook-9970817-0

Indicators of Compromise

IOCs collected from dynamic analysis of 15 samples

        Registry Keys                                                                         Occurrences
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
        Value Name: LanguageList                                                              4
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
        Value Name: QWbqZbz                                                                   1

        Mutexes                                                                               Occurrences
        8-3503835SZBFHHZ                                                                      1
        S-1-5-21-2580483-12441345692046                                                       1
        KP30NU33--DvY01Z                                                                      1
        Global\5292ba81-3a39-11ed-9660-001517e40972                                           1
        aenDyAN                                                                               1
        Global\46b1a361-3a9e-11ed-9660-001517a459ad                                           1

        IP Addresses contacted by malware. Does not indicate maliciousness                    Occurrences
        132[.]226[.]247[.]73                                                                  2
        198[.]185[.]159[.]145                                                                 1
        149[.]154[.]167[.]220                                                                 1
        34[.]102[.]136[.]180                                                                  1
        193[.]122[.]6[.]168                                                                   1
        193[.]122[.]130[.]0                                                                   1
        34[.]194[.]149[.]67                                                                   1
        104[.]18[.]115[.]97                                                                   1
        199[.]59[.]243[.]222                                                                  1
        8[.]130[.]101[.]174                                                                   1
        154[.]86[.]16[.]11                                                                    1
        5[.]2[.]84[.]51                                                                       1

        Domain Names contacted by malware. Does not indicate maliciousness                    Occurrences
        checkip[.]dyndns[.]org                                                                4
        icanhazip[.]com                                                                       1
        api[.]telegram[.]org                                                                  1
        www[.]locallywhitstable[.]co[.]uk                                                     1
        www[.]fftblogs[.]com                                                                  1
        www[.]lanyuelou[.]com                                                                 1
        www[.]icishopping[.]com                                                               1
        www[.]mooreandsonsak[.]net                                                            1
        www[.]junaidsubhani[.]tech                                                            1
        mail[.]boyyem[.]com[.]tr                                                              1

        Files and/or directories created                                                      Occurrences
        %System32%\Tasks\Updates                                                              3
        %APPDATA%\QWbqZbz                                                                     1
        %APPDATA%\QWbqZbz\QWbqZbz.exe                                                         1
        %TEMP%\tmp67A.tmp                                                                     1
        %APPDATA%\Hmcuym.exe                                                                  1
        %System32%\Tasks\Updates\Hmcuym                                                       1
        %TEMP%\tmpBA86.tmp                                                                    1
        %APPDATA%\hmlkDX.exe                                                                  1
        %System32%\Tasks\Updates\hmlkDX                                                       1
        %TEMP%\tmpA204.tmp                                                                    1
        %APPDATA%\idnepTZUXvdc.exe                                                            1
        %System32%\Tasks\Updates\idnepTZUXvdc                                                 1

File Hashes


Coverage

        Product                                 Protection
        Secure Endpoint
        Cloudlock                               N/A
        CWS
        Email Security
        Network Security
        Stealthwatch                            N/A
        Stealthwatch Cloud                      N/A
        Secure Malware Analytics
        Umbrella                                N/A
        WSA                                     N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Ransomware.BlackMatter-9970818-0

Indicators of Compromise

IOCs collected from dynamic analysis of 18 samples

        Registry Keys                                                                         Occurrences
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
        Value Name: LanguageList                                                              18
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER
        Value Name: GlobalAssocChangedCounter                                                 17
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\VSS
        Value Name: DeleteFlag                                                                16
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\VSS
        Value Name: Start                                                                     16
    <HKLM>\SOFTWARE\CLASSES\ISTTBGKAF\DEFAULTICON                                             1
    <HKLM>\SOFTWARE\CLASSES\.YYBUFJ3PN                                                        1
    <HKLM>\SOFTWARE\CLASSES\YYBUFJ3PN                                                         1
    <HKLM>\SOFTWARE\CLASSES\YYBUFJ3PN\DEFAULTICON                                             1
    <HKLM>\SOFTWARE\CLASSES\.YYBUFJ3PN                                                        1
    <HKLM>\SOFTWARE\CLASSES\YYBUFJ3PN\DEFAULTICON                                             1
    <HKLM>\SOFTWARE\CLASSES\.WQCENFTHJ                                                        1
    <HKLM>\SOFTWARE\CLASSES\WQCENFTHJ                                                         1
    <HKLM>\SOFTWARE\CLASSES\WQCENFTHJ\DEFAULTICON                                             1
    <HKLM>\SOFTWARE\CLASSES\.EL7OOPHD2                                                        1
    <HKLM>\SOFTWARE\CLASSES\.WQCENFTHJ                                                        1
    <HKLM>\SOFTWARE\CLASSES\EL7OOPHD2                                                         1
    <HKLM>\SOFTWARE\CLASSES\WQCENFTHJ\DEFAULTICON                                             1
    <HKLM>\SOFTWARE\CLASSES\EL7OOPHD2\DEFAULTICON                                             1
    <HKLM>\SOFTWARE\CLASSES\.EL7OOPHD2                                                        1
    <HKLM>\SOFTWARE\CLASSES\EL7OOPHD2\DEFAULTICON                                             1
    <HKLM>\SOFTWARE\CLASSES\.PF4SBMUII                                                        1
    <HKLM>\SOFTWARE\CLASSES\PF4SBMUII                                                         1
    <HKLM>\SOFTWARE\CLASSES\PF4SBMUII\DEFAULTICON                                             1
    <HKLM>\SOFTWARE\CLASSES\.PF4SBMUII                                                        1
    <HKLM>\SOFTWARE\CLASSES\PF4SBMUII\DEFAULTICON                                             1

        Mutexes                                                                               Occurrences
        Global\{649F4E29-16CB-DD42-8922-9FFF0592856B}                                         1
        Global\dc0d7207879493a1bb8d21571501a3c6                                               1
        Global\03b84b750e7b0c183e81917fcc29ae2b                                               1
        Global\68d784f599b693adb48d474d1722e8e9                                               1
        Global\10b5e1850ed6703d7665a1adf3e368f4                                               1
        Global\b36e0b827c995460aa570434a5517221                                               1
        Global\2f26f3d09ccaf40de88c7029b61a3701                                               1
        Global\9edc1729071cfeb8f9fe5f019ce0054a                                               1
        Global\459bf63110ce888f28d3fd21adc5b730                                               1
        Global\391396896a2cb3a40a83c4fbbe4675f3                                               1
        Global\4c3e3cb8c6ed0804dcd51ba2638722cd                                               1
        Global\0b32ca9dec339d33dd1bd5908acf4ce2                                               1
        Global\4fe0268a70e4d52b0350071e277b194f                                               1
        Global\ee7e1dcdc809584b5f8189eb071d9f66                                               1
        Global\dfd07220109cd1dfb3c5268b025a72f3                                               1
        Global\aa1f32bc8faeb8bbba36c0d7ccb5c0a0                                               1
        Global\2c43957a37f865be08b53665ca3386d7                                               1
        Global\d40e39e3314b8106bbc67d7dd3c2c4f4                                               1

        Domain Names contacted by malware. Does not indicate maliciousness                    Occurrences
        test[.]white-datasheet[.]com                                                          1

        Files and/or directories created                                                      Occurrences
        \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-1002\desktop.ini               18
        \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I08BO8F.xlsx              18
        \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I11KHR4.doc               18
        \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I5QKHLN.doc               18
        \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I62TWBD.ppt               18
        \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I6FZORX.doc               18
        \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IABMX83.pdf               18
        \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IAJ2Y6R.pdf               18
        \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IALGTCS.xlsx              18
        \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IAPSNOM.tsv               18
        \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IGORSF7.xsn               18
        \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IGTBBSA.accdb             18
        \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IH49RPF.ppt               18
        \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IH71GGR.ppt               18
        \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IJKODPH.pdf               18
        \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IJP965K.accdb             18
        \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IKY5R3M.pdf               18
        \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IMYCSIT.pdf               18
        \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$ISLP722.doc               18
        \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IXLC77A.pdf               18
        \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IXUL2U1.doc               18
        \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IYSR1FU.ppt               18
        \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IZ2GMJW.XLSX              18
        \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$R08BO8F.xlsx              18
        \$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$R11KHR4.doc               18

*See JSON for more IOCs

File Hashes


Coverage

        Product                                 Protection
        Secure Endpoint
        Cloudlock                               N/A
        CWS
        Email Security
        Network Security                        N/A
        Stealthwatch                            N/A
        Stealthwatch Cloud                      N/A
        Secure Malware Analytics
        Umbrella                                N/A
        WSA                                     N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.DarkKomet-9970824-0

Indicators of Compromise

IOCs collected from dynamic analysis of 269 samples

        Registry Keys                                                                         Occurrences
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWSDRIVER                                        268
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWSDRIVER
        Value Name: Type                                                                      268
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWSDRIVER
        Value Name: Start                                                                     268
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWSDRIVER
        Value Name: ErrorControl                                                              268
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWSDRIVER
        Value Name: ImagePath                                                                 268
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWSDRIVER
        Value Name: DisplayName                                                               268
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWSDRIVER
        Value Name: WOW64                                                                     268
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWSDRIVER
        Value Name: ObjectName                                                                268
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWSDRIVER\PARAMETERS                             268
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SVCHOST
        Value Name: WindowsDriver                                                             268
    <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWSDRIVER\PARAMETERS
        Value Name: ServiceDll                                                                268
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
        Value Name: LanguageList                                                              19
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
        Value Name: @explorer.exe,-7001                                                       10
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
        Value Name: @C:\Windows\system32\DeviceCenter.dll,-2000                               5
    <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\\CACHE\CONTENT
        Value Name: CachePrefix                                                               2
    <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\\CACHE\COOKIES
        Value Name: CachePrefix                                                               2
    <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\\CACHE\HISTORY
        Value Name: CachePrefix                                                               2

        Mutexes            Occurrences        
                                 
        IEo.txt            268            
                 
        quansg            265            
                     
                         
            
        IP Addresses contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        183[.]110[.]225[.]61            265            
                 
        112[.]175[.]100[.]207            265            
                     
                          
            
        Domain Names contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        kanmay[.]cafe24[.]com            265            
                     
                          
            
        Files and or directories created            Occurrences        
                                 
        %SystemRoot%\SysWOW64\IEn.txt            268            
                 
        %SystemRoot%\SysWOW64\WindowsDriver.dll            268            

File Hashes

    00eb6c2df37113f0e4003b628ee1a475c9f0400829b77299c299b1e9c95c418d
    01794606a7a92c15bc8ba6502162976c823ba5d4ebc3a88467791a9db3778ef7
    022f8be735d9e9d3997908a93196a52a87732dad299536c069ea85feeeea160f
    02b9cd9c9154a18666fd00ed905d6da9b12009853cb9f8ce2e0cf92f87bd4135
    02bad02ca69901b56f664e2885bafb295121452b5e109a3874f91f1ff4ffe23e
    03412cef90bb6952d8c8972f197ee6b1ea28d295c4974d1a72b3b6d9095c1269
    03906939f8b5a5ed4144066225b7386aec74d4c06b5e7cb81a2974e2c687f4da
    04982dc42efe67ff4158e9fd73e30d728a29c0aaddafb6ba0e6fb0985bf89098
    04b5517c234f42019237157847c6f66a9f3cdb90c218516f570bd82f259884da
    0726d0dfa08cff2b64c73fcd9c62f0d422f9ad79ba8cedb571a4a01cbc821604
    0801823675ac75c805fa9539faffaad12984ff7b5ca048ad246b75f3f23714c0
    0920c8647741aa522efbc0f346802eb49d53364de493957d1f0e8690cbcff11c
    0981457a5d19d389ff9add2ab40483b1e404ef8a08576125d602533619ef5d12
    0bc073e7c6861c4cfab2a4c9beb7384bb78e102902874703ee0ccef855154155
    0ca9110869dd63e0118be5c519c9e143010f4cf0ba2b1101aba59249f1285b52
    0dfd8aae9b3535191eeb81ec4705625e9e57a6aa135a6c782b65ba169a80f656
    0e099e281e6e3032165764a030ac73046c26b488f1fd803b64fef1fafddf2775
    0eaae85e998d1617c34bc7d05db597c222f5a9fe863d995234ca7d591c8fa2fc
    1131ba25f0df80d98481e1e669c5fef1e3ce0b6699e6ff0bbd40c20d0649d090
    117afd55818106d5d5aad61f30f5d289666244243a41f42d7a224a89588f850b
    12d5290c46b571ce5724937e85afb7d7146cbedb42c295243a55c8157fd07111
    12edd2a6b213d68f391c831d4fbe706d077f01efea62a2a16db47c68df21768b
    1352e8b45f865f8f5069d6c0e5e0e8239229a8bfbe000b32e6614a2d764e90ff
    13d20eefb6ec5d8f0f688039c40e084665f82dc528c922c6f93a758a47befed1
    14a0ae7aaf08ca98ec301d106c439cf81fbb5fb074720f2a902aa867dc91cc30

*See JSON for more IOCs

Coverage

        Product            Protection        
                     
        Secure Endpoint                                                                                                                              
             
        Cloudlock                                                                     N/A                                                          
             
        CWS                                                                                                                              
             
        Email Security                                                                                                                              
             
        Network Security                                                                     N/A                                                          
             
        Stealthwatch                                                                     N/A                                                          
             
        Stealthwatch Cloud                                                                     N/A                                                          
             
        Secure Malware Analytics                                                                                                                              
             
        Umbrella                                                                     N/A                                                          
             
        WSA                                                                     N/A                                                          

Screenshots of Detection

Secure Endpoint (screenshot not extracted)

Secure Malware Analytics (screenshot not extracted)

MITRE ATT&CK (technique map not extracted)

TALOS

The most prevalent threats highlighted in this roundup are:

Threat Name    Type    Description

Win.Dropper.NetWire-9970213-0    Dropper    NetWire is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam and the remote desktop, and read data from connected USB devices. NetWire is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.

Win.Trojan.LokiBot-9970418-0    Trojan    Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.

Win.Ransomware.Cerber-9970426-0    Ransomware    Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension ".cerber," although in more recent campaigns, other file extensions are used.

Win.Packed.Gamarue-9970619-0    Packed    Gamarue, also known as Andromeda, is a botnet used to spread malware, steal information and perform activities such as click fraud.

Win.Packed.Nanocore-9970631-0    Packed    Nanocore is a .NET remote access trojan. Its source code has been leaked several times, making it widely available. Like other RATs, it allows full control of the system, including recording video and audio, stealing passwords, downloading files and recording keystrokes.

Win.Dropper.Formbook-9970817-0    Dropper    Formbook is an information stealer that attempts to collect sensitive information from an infected machine by logging keystrokes, stealing saved web browser credentials, and monitoring information copied to the clipboard.

Win.Ransomware.BlackMatter-9970818-0    Ransomware    BlackCat ransomware, also known as "ALPHV" (covered here under the Win.Ransomware.BlackMatter signature name), has quickly gained notoriety for being used in double-extortion attacks against companies, in which attackers encrypt files and threaten to leak them. It uses the combination of AES128-CTR and RSA-2048 to encrypt the files on the victim's computer.

Win.Dropper.DarkKomet-9970824-0    Dropper    DarkKomet is a freeware remote access trojan released by an independent software developer. It provides the same functionality you would expect from a remote access tool: keylogging, webcam access, microphone access, remote desktop, URL download and program execution, etc.

Threat Breakdown

Win.Dropper.NetWire-9970213-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 12 samples

    Registry Keys                                                            Occurrences
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
        Value Name: LanguageList                                             7
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
        Value Name: WindowsUpdate                                            7

    Mutexes                                                                  Occurrences
    8-3503835SZBFHHZ                                                         5
    73M9N-T0-UB83K6J                                                         2
    S-1-5-21-2580483-12441695089072                                          2
    S-1-5-21-2580483-12443106840201                                          2
    1N6PO-QCTT825WY-                                                         2
    S-1-5-21-2580483-1244465298972                                           1
    3MAM487FD866043M                                                         1

    IP Addresses contacted by malware. Does not indicate maliciousness       Occurrences
    149[.]154[.]167[.]220                                                    7
    34[.]102[.]136[.]180                                                     4
    198[.]54[.]117[.]215                                                     2
    198[.]54[.]117[.]210/31                                                  2
    99[.]83[.]154[.]118                                                      2
    54[.]251[.]110[.]33                                                      2
    198[.]54[.]117[.]217                                                     1
    198[.]71[.]232[.]3                                                       1
    2[.]57[.]90[.]16                                                         1
    185[.]107[.]56[.]59                                                      1
    52[.]20[.]84[.]62                                                        1
    34[.]117[.]168[.]233                                                     1
    69[.]163[.]224[.]231                                                     1
    109[.]123[.]121[.]243                                                    1
    216[.]40[.]34[.]41                                                       1
    199[.]59[.]243[.]222                                                     1
    31[.]220[.]126[.]24                                                      1
    172[.]96[.]191[.]143                                                     1
    45[.]224[.]128[.]33                                                      1
    207[.]244[.]241[.]148                                                    1
    162[.]213[.]255[.]94                                                     1
    172[.]67[.]180[.]112                                                     1
    23[.]230[.]152[.]134                                                     1
    154[.]86[.]220[.]203                                                     1
    104[.]247[.]82[.]53                                                      1
    *See JSON for more IOCs

    Domain Names contacted by malware. Does not indicate maliciousness       Occurrences
    api[.]telegram[.]org                                                     7
    www[.]wearestallions[.]com                                               2
    www[.]intelsearchtech[.]com                                              2
    www[.]kigif-indonesia[.]com                                              2
    www[.]homecrowds[.]net                                                   2
    www[.]beachloungespa[.]com                                               2
    www[.]northpierangling[.]info                                            1
    www[.]xn--agroisleos-09a[.]com                                           1
    www[.]cacconsults[.]com                                                  1
    www[.]fdupcoffee[.]com                                                   1
    www[.]drivemytrains[.]xyz                                                1
    www[.]banchers[.]com                                                     1
    www[.]olympushotel[.]xyz                                                 1
    www[.]imbtucan[.]site                                                    1
    www[.]leeanacosta[.]com                                                  1
    www[.]searchnewsmax[.]com                                                1
    www[.]supera-digital[.]com                                               1
    www[.]fitnesshubus[.]com                                                 1
    www[.]kettlekingz[.]co[.]uk                                              1
    www[.]meditgaming[.]store                                                1
    www[.]alpenfieber-events[.]com                                           1
    www[.]bobijnvidit[.]xyz                                                  1
    www[.]thespecialtstore[.]com                                             1
    www[.]momotou[.]xyz                                                      1
    www[.]tricon[.]info                                                      1
    *See JSON for more IOCs
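The IP and domain tables above are defanged with [.] and mix single hosts with CIDR ranges (198[.]54[.]117[.]210/31), and their headings are explicit that a contact does not by itself indicate maliciousness: 149[.]154[.]167[.]220 and api[.]telegram[.]org are Telegram's public API, which the NetWire and Formbook samples here contacted but which plenty of legitimate software also reaches. The following Python is an added example, not code from Talos or from this roundup: it refangs the indicators, tests IPs against the CIDR entries as ranges rather than as strings, and runs both lists over a few constructed proxy-style log lines. The log field names (dst=, host=) are an assumption.

```python
"""Refang Talos-style defanged network indicators and match them against
log lines.  Added example for this roundup, not code from Talos; the log
lines are constructed, and the field names (dst=, host=) are assumed."""
import ipaddress
import re

# Indicators copied from the NetWire IP and domain tables above.
DEFANGED_IPS = [
    "149[.]154[.]167[.]220",
    "34[.]102[.]136[.]180",
    "198[.]54[.]117[.]215",
    "198[.]54[.]117[.]210/31",   # CIDR entry: covers .210 and .211 only
]
DEFANGED_DOMAINS = [
    "api[.]telegram[.]org",
    "www[.]wearestallions[.]com",
    "www[.]intelsearchtech[.]com",
]


def refang(indicator: str) -> str:
    """Undo the [.] defanging used in the tables (and hxxp -> http)."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def build_ip_matcher(defanged_ips):
    """Return a function mapping an IP string to the indicator it falls in.

    Hosts and CIDR ranges both go through ipaddress, so a /31 or /27 row
    is tested as a range instead of as a literal string comparison.
    """
    nets = []
    for ioc in defanged_ips:
        text = refang(ioc)
        nets.append((ipaddress.ip_network(text, strict=False), text))

    def match(ip_text):
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            return None
        for net, text in nets:
            if ip in net:
                return text
        return None

    return match


def match_domain(host, defanged_domains):
    """Exact match or subdomain of an indicator, case-insensitive."""
    host = host.lower().rstrip(".")
    for ioc in defanged_domains:
        dom = refang(ioc).lower()
        if host == dom or host.endswith("." + dom):
            return dom
    return None


DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b")
HOST_RE = re.compile(r"\bhost=([A-Za-z0-9.-]+)")


def scan_logs(lines, defanged_ips=DEFANGED_IPS, defanged_domains=DEFANGED_DOMAINS):
    """Return (line_no, kind, indicator) for every IOC hit in the lines."""
    ip_match = build_ip_matcher(defanged_ips)
    hits = []
    for n, line in enumerate(lines, 1):
        m = DST_RE.search(line)
        if m:
            ioc = ip_match(m.group(1))
            if ioc:
                hits.append((n, "ip", ioc))
        h = HOST_RE.search(line)
        if h:
            ioc = match_domain(h.group(1), defanged_domains)
            if ioc:
                hits.append((n, "domain", ioc))
    return hits


# Constructed proxy-style log lines (not real traffic).
SAMPLE_LOGS = [
    "ts=2022-09-20T10:01:02Z src=10.0.0.5 dst=198.54.117.211 dport=80 host=www.wearestallions.com",
    "ts=2022-09-20T10:01:09Z src=10.0.0.5 dst=149.154.167.220 dport=443 host=api.telegram.org",
    "ts=2022-09-20T10:02:00Z src=10.0.0.7 dst=93.184.216.34 dport=443 host=example.com",
    "ts=2022-09-20T10:03:00Z src=10.0.0.8 dst=198.54.117.209 dport=80 host=intranet.corp",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(hit)
```

The fourth sample line is the edge case worth keeping in mind: 198.54.117.209 is adjacent to the /31 entry but outside it, so a string-prefix match would have over-fired where the range check does not. A hit on the Telegram row should be triaged by the process that made the connection, not by the destination alone.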

    Files and or directories created                                         Occurrences
    %HOMEPATH%\temp                                                          12
    %TEMP%\RegSvcs.exe                                                       7
    \9_101\jhipudjmrh.pdf                                                    1
    %TEMP%\5_610\wuqiiqpl.cpl                                                1
    \9_101\kxfbovr.dll                                                       1
    %TEMP%\5_610\xjusg.bin                                                   1
    \9_101\lbmnehl.log                                                       1
    %TEMP%\5_610\xpdmnqvrj.cpl                                               1
    \9_101\lexccit.txt                                                       1
    %TEMP%\5_610\xxnvjp.log                                                  1
    \9_101\lpuhp.docx                                                        1
    \9_101\lresp.xl                                                          1
    \9_101\mitwohb.dll                                                       1
    \9_101\mnxau.jpg                                                         1
    \9_101\mrbwugug.ico                                                      1
    \9_101\mvevanqm.pdf                                                      1
    \9_101\nimkrnwadi.mcq                                                    1
    \9_101\njbrtxdts.xls                                                     1
    \9_101\njxivhu.ppt                                                       1
    \9_101\nnnbox.exe                                                        1
    \9_101\nxvix.log                                                         1
    \9_101\oavf.xml                                                          1
    \9_101\ocuqib.dll                                                        1
    \9_101\oipjamjjo.jpg                                                     1
    \4_58\vxgw.cpl                                                           1
    *See JSON for more IOCs

File Hashes

    17d3937fb3aceacc0ac99f94a2347b87b22cbc2e7c341830ad9ad0a8f88babee

    27288965d55cf7459cfa35b7a37ab9298f34e6e7734f6d6609527d573e5db71e

    3788fc76ea84b87735527d224d39b4672b970c6bbcdd59b60978945b76d0fb1b

    39ef261dd5ada5c7b29412ca0e95e6950de77ac8ab9f6e096692fd553a6e3ace

    4101b1f2efa7e4ac9711140c8e5e724bf5a74ac0b4ab76f0d6c4e23374977627

    49f2bb5892eda8223f4709f6b84366911b000652eb19085b09dc5998fe8c8259

    815132096b824dbe0c8497cfd85f7508eeac3718c147541c791701df09b6f196

    8f8813e3ed0cdb3ac92de8e6003bc83c0ec859fc717748cab6a45f56a98a9201

    a96ccfc5b5b64660b986d22b9bcc96cb5e178d3d506893bd24a959a5338a4a32

    d22989a65a91ee78b6af2fd2a9cadf2656637959cc07cd1b92baeb8c5950b45d

    e2ad52e5cc9b5e5a51811e13daeed3f6d61e239a079ec3617f2c1a4400f6dcaf

    f7a74e6284a41f39cba3f0c186c61ad96fac8a3099b88e04071fdd8e1eabe9bf

Coverage

    Product                      Protection
    Secure Endpoint              (image)
    Cloudlock                    N/A
    CWS                          (image)
    Email Security               (image)
    Network Security             (image)
    Stealthwatch                 N/A
    Stealthwatch Cloud           N/A
    Secure Malware Analytics     (image)
    Umbrella                     (image)
    WSA                          (image)

Screenshots of Detection

Secure Endpoint (screenshot not extracted)

Secure Malware Analytics (screenshot not extracted)

MITRE ATT&CK (technique map not extracted)

Win.Trojan.LokiBot-9970418-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 11 samples

    Registry Keys                                                            Occurrences
    <HKLM>\SOFTWARE\WOW6432NODE\PAADMME                                      11
    <HKLM>\SOFTWARE\WOW6432NODE\PAADMME\NEAPOLITANERE                        11
    <HKLM>\SOFTWARE\WOW6432NODE\PAADMME\NEAPOLITANERE\BINOCLES               11
    <HKLM>\SOFTWARE\WOW6432NODE\PAADMME\NEAPOLITANERE\BINOCLES\UDPRINT       11
    <HKLM>\SOFTWARE\WOW6432NODE\TOXOSIS                                      11
    <HKLM>\SOFTWARE\WOW6432NODE\TOXOSIS\BENZENSULFONAT                       11
    <HKLM>\SOFTWARE\WOW6432NODE\TOXOSIS\BENZENSULFONAT\INGEVALDS             11
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\SKABHALS                         11
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\SKABHALS\AMARYLLIS               11
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\SKABHALS\AMARYLLIS\RECHARTING    11
    <HKLM>\SOFTWARE\WOW6432NODE\PAADMME\NEAPOLITANERE\BINOCLES\UDPRINT
        Value Name: Girleen                                                  11
    <HKLM>\SOFTWARE\WOW6432NODE\TOXOSIS\BENZENSULFONAT\INGEVALDS
        Value Name: befugteres                                               11
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\SKABHALS\AMARYLLIS\RECHARTING
        Value Name: Krogfiskeri                                              11

    IP Addresses contacted by malware. Does not indicate maliciousness       Occurrences
    103[.]170[.]254[.]140                                                    1

    Files and or directories created                                         Occurrences
    %LOCALAPPDATA%\Konstellations                                            11
    %LOCALAPPDATA%\Konstellations\Materes                                    11
    %LOCALAPPDATA%\Konstellations\Materes\window-restore-symbolic.symbolic.png    11
    %TEMP%\ns<random, matching '[a-z][A-F0-9]{1,4}'>.tmp                     11
    %TEMP%\ns<random, matching '[a-z][A-F0-9]{4}'>.tmp\System.dll            11
    %LOCALAPPDATA%\Konstellations\Materes\Arider.bmp                         1
    %LOCALAPPDATA%\Konstellations\Materes\FROSSEN.bmp                        1
    %LOCALAPPDATA%\Konstellations\Materes\Praktikleder8.bmp                  1
    %LOCALAPPDATA%\Konstellations\Materes\Digoxins6.bmp                      1
    %LOCALAPPDATA%\Konstellations\Materes\BIOSYNTHESIZE.bmp                  1
    %LOCALAPPDATA%\Konstellations\Materes\countertime.bmp                    1
    %LOCALAPPDATA%\Konstellations\Materes\ACRITOL.bmp                        1
    %LOCALAPPDATA%\Konstellations\Materes\lnlige.bmp                         1
    %LOCALAPPDATA%\Konstellations\Materes\Kloakeringsomraadet.bmp            1
    %LOCALAPPDATA%\Konstellations\Materes\Coitalt.bmp                        1
    %LOCALAPPDATA%\Konstellations\Materes\Charlies.bmp                       1

File Hashes

    14d11fc331b5d9a84a42fa8b6b2155f687cf66c1af5bd32ae1347fda6667fa60

    2d15ef038e1702ebcd7b6d50eab97db925195cb382a9cabcf6a70ac62452d39c

    418a2c968f439988a20034816348d47e0ba3fa2a6150a1f5760202a8b3a5621e

    7d48995a3e95a8f0f758601cc5fbedbda1570eb17fd73e3091e6690a4f423a45

    a0f0783a36626040af491251f7fc77bdfd3fdc89ee7d8ade8a289828c35e9280

    a4238922317136e633e9dd9d654fd89cc47414766a658a3bdcb16963aa191ed0

    a72cbeca7367862e3597f4923b36ef84c534d771aa1d439ab21bc74de1dde400

    ca449b3e0e043546c5746fa6787b29c94ecb86b3f42de21e944d704502ade3da

    d4912d4d34d11e30c5859742186d8355a42b1e83fb54ac2a121186fa46234862

    d93f4740ef92a826d328f73dea62803903254fbcdb1e02aeb6dc78e214bc0645

    f0ece4c4a676aef252751fa3277e1ad4a3e1050c177bd289994c63852ae3198e

Coverage

    Product                      Protection
    Secure Endpoint              (image)
    Cloudlock                    N/A
    CWS                          (image)
    Email Security               (image)
    Network Security             N/A
    Stealthwatch                 N/A
    Stealthwatch Cloud           N/A
    Secure Malware Analytics     (image)
    Umbrella                     N/A
    WSA                          N/A

Screenshots of Detection

Secure Endpoint (screenshot not extracted)

Secure Malware Analytics (screenshot not extracted)

MITRE ATT&CK (technique map not extracted)

Win.Ransomware.Cerber-9970426-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 24 samples

    Registry Keys                                                            Occurrences
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
        Value Name: LanguageList                                             24
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
        Value Name: @%SystemRoot%\system32\dhcpqec.dll,-100                  24
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
        Value Name: @%SystemRoot%\system32\dhcpqec.dll,-101                  24
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
        Value Name: @%SystemRoot%\system32\dhcpqec.dll,-103                  24
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
        Value Name: @%SystemRoot%\system32\dhcpqec.dll,-102                  24
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
        Value Name: @%SystemRoot%\system32\napipsec.dll,-1                   24
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
        Value Name: @%SystemRoot%\system32\napipsec.dll,-2                   24
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
        Value Name: @%SystemRoot%\system32\napipsec.dll,-4                   24
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
        Value Name: @%SystemRoot%\system32\napipsec.dll,-3                   24
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
        Value Name: @%SystemRoot%\system32\tsgqec.dll,-100                   24
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
        Value Name: @%SystemRoot%\system32\tsgqec.dll,-101                   24
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
        Value Name: @%SystemRoot%\system32\tsgqec.dll,-102                   24
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
        Value Name: @%SystemRoot%\system32\tsgqec.dll,-103                   24
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
        Value Name: @%SystemRoot%\system32\eapqec.dll,-100                   24
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
        Value Name: @%SystemRoot%\system32\eapqec.dll,-101                   24
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
        Value Name: @%SystemRoot%\system32\eapqec.dll,-102                   24
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
        Value Name: @%SystemRoot%\system32\eapqec.dll,-103                   24

    Mutexes                                                                  Occurrences
    shell.{381828AA-8B28-3374-1B67-35680555C5EF}                             24

    IP Addresses contacted by malware. Does not indicate maliciousness       Occurrences
    178[.]128[.]255[.]179                                                    24
    149[.]202[.]64[.]0/27                                                    24
    149[.]202[.]122[.]0/27                                                   24
    149[.]202[.]248[.]0/22                                                   24
    172[.]66[.]42[.]238                                                      16
    172[.]67[.]2[.]88                                                        11
    172[.]66[.]41[.]18                                                       8
    104[.]20[.]20[.]251                                                      7
    104[.]20[.]21[.]251                                                      6

    Domain Names contacted by malware. Does not indicate maliciousness       Occurrences
    api[.]blockcypher[.]com                                                  24
    bitaps[.]com                                                             24
    chain[.]so                                                               24
    btc[.]blockr[.]io                                                        24
    xxxxxxxxxxxxxxxx[.]1k1dxt[.]top                                          24

    Files and or directories created                                         Occurrences
    %TEMP%\d19ab989                                                          24
    %TEMP%\d19ab989\4710.tmp                                                 24
    %TEMP%\d19ab989\a35f.tmp                                                 24
    %LOCALAPPDATA%\Microsoft\Office\Groove1\System\CSMIPC.dat                24
    %TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp                           24
    %TEMP%\tmp<random, matching [A-F0-9]{1,4}>.bmp                           24
    <dir>_READ_THIS_FILE_<random, matching [A-F0-9]{4,8}>_.hta               24
    <dir>_READ_THIS_FILE_<random, matching [A-F0-9]{4,8}>_.txt               24
    <dir>_READ_THIS_FILE_<random, matching [A-F0-9]{4,8}>_.jpeg              24
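Several rows in these file tables are patterns rather than literal paths: `<random, matching [A-F0-9]{1,4}>` carries a regex fragment, `<dir>` stands for any directory (the Cerber ransom notes `_READ_THIS_FILE_<hex>_.hta/.txt/.jpeg` land next to the encrypted files wherever they are), and `%TEMP%`-style tokens stand for per-user locations. One caveat before matching on them: the LokiBot row `%TEMP%\ns<...>.tmp\System.dll` is the NSIS installer's System plugin, which every NSIS-packaged program extracts, so a hit on that row alone means only that an NSIS installer ran. The following Python is an added example, not code from Talos: it compiles the table notation into anchored, case-insensitive regexes and matches constructed file-creation paths against them. The `%VAR%` expansions assume a default Windows layout and are not part of the tables.

```python
"""Turn the file-path IOC notation used in these tables into anchored
regular expressions and match file-creation paths against them.  Added
example, not Talos code; the paths below are constructed and the
environment-variable expansions are assumptions for a default install."""
import re

# Path IOCs copied from the LokiBot, Cerber and Nanocore tables.
PATH_IOCS = [
    r"%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp",
    r"<dir>_READ_THIS_FILE_<random, matching [A-F0-9]{4,8}>_.hta",
    r"%TEMP%\ns<random, matching '[a-z][A-F0-9]{4}'>.tmp\System.dll",
    r"%System32%\Tasks\AGP Manager Task",
]

# Assumed expansions (any drive letter, any user name).
ENV_EXPANSIONS = {
    "%TEMP%": r"[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp",
    "%LOCALAPPDATA%": r"[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local",
    "%APPDATA%": r"[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming",
    "%SYSTEM32%": r"[A-Za-z]:\\Windows\\System32",
    "%SYSTEMROOT%": r"[A-Za-z]:\\Windows",
    "%PROGRAMFILES(X86)%": r"[A-Za-z]:\\Program Files \(x86\)",
}
GUID_RE = r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}"
ENV_TOKEN = re.compile(r"%[A-Za-z0-9()]+%")
PLACEHOLDER = re.compile(r"<([^<>]+)>")


def placeholder_to_regex(body: str) -> str:
    """Translate one <...> placeholder from the IOC tables."""
    body = body.strip()
    if body == "dir":                      # any directory prefix
        return r"(?:[A-Za-z]:\\(?:[^\\]+\\)*)"
    if body.lower() == "random guid":
        return GUID_RE
    m = re.fullmatch(r"random,\s*matching\s*(.+)", body)
    if m:                                  # the table already gives a regex
        return m.group(1).strip("'\u2019\u2018\"")
    raise ValueError(f"unknown placeholder <{body}>")


def literal_to_regex(text: str) -> str:
    """Escape literal path text, expanding %VAR% tokens first."""
    parts, pos = [], 0
    for m in ENV_TOKEN.finditer(text):
        parts.append(re.escape(text[pos:m.start()]))
        expansion = ENV_EXPANSIONS.get(m.group(0).upper())
        if expansion is None:
            raise ValueError(f"no expansion for {m.group(0)}")
        parts.append(expansion)
        pos = m.end()
    parts.append(re.escape(text[pos:]))
    return "".join(parts)


def ioc_to_regex(ioc: str) -> re.Pattern:
    """Compile a whole path IOC into an anchored, case-insensitive regex."""
    parts, pos = [], 0
    for m in PLACEHOLDER.finditer(ioc):
        parts.append(literal_to_regex(ioc[pos:m.start()]))
        parts.append(placeholder_to_regex(m.group(1)))
        pos = m.end()
    parts.append(literal_to_regex(ioc[pos:]))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def scan_paths(paths, iocs=PATH_IOCS):
    """Return (path, ioc) for every path matching one of the IOCs."""
    compiled = [(ioc, ioc_to_regex(ioc)) for ioc in iocs]
    hits = []
    for path in paths:
        for ioc, rx in compiled:
            if rx.match(path):
                hits.append((path, ioc))
                break
    return hits


# Constructed file-creation paths (not from a real host).
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Local\Temp\tmpA3F.tmp",
    r"C:\Users\alice\Documents\_READ_THIS_FILE_7F3A9C_.hta",
    r"C:\Users\alice\AppData\Local\Temp\nsy2B1C.tmp\System.dll",
    r"C:\Windows\System32\Tasks\AGP Manager Task",
    r"C:\Users\alice\AppData\Local\Temp\tmpZZZZ.tmp",       # not hex: no hit
    r"C:\Users\alice\Documents\READ_THIS_FILE_7F3A9C.hta",  # underscores missing
]

if __name__ == "__main__":
    for path, ioc in scan_paths(SAMPLE_PATHS):
        print(f"{path}  <-  {ioc}")
```

Anchoring both ends matters: without `^...$` the `%TEMP%\tmp<hex>.tmp` row would also match any longer path that merely contains a temp file name, and that row is generic enough (Cerber, Nanocore and Formbook all produce it) that it should only ever be scored together with the ransom-note or scheduled-task rows.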

File Hashes

    05602feb977139c96c226969997d8bc55bd47b1d142252d3ec4067591dda85f2

    06cba247d80b0c6c4f5865e34ad3c33fc1ef5ffd0a285f3009d64109b0ee3d22

    09768afcaa8eae74f05841e49ece1ac338318c0d5f0153c2db6cecf169718698

    0fb820719ef10ee032dbb69607c6fc222fa70b64844af4f04f6eecafc08345a7

    2738e1df3421ba011f912c22e19bdae3b29d1fb1092be51174da6dbbbc72df8d

    3c6776dd10054cad73b50c96d62e3b7a1e807ef1f8e6355d097cac12ddccb8c8

    3eb0b591eb274fa052c4a7cdfcb6c943361c9a199ca33679678791399e8b8988

    4505a343015d3ef0ad624e61ecfc61e2fc499a11fc5a52911c424de5ccd99d9e

    52573c863390fde5244133cc965bf2501f0eb28e7d76a9996bc300070d41941b

    5ce6f26a04a5bf871018eecafb8e9f8f7284ebbd134230574da1574830d4646e

    5ed48cdf13e9681085390956e25883680a6b1b4600d99608d84c126d57832025

    61a051fabbf66383709e43bf77fb49c6a645f2f479eaddffa6769010cb690eea

    74c864c6b31afa1db6c8d6fb2bb8860b655d3554c8d309a91d894fd210351b7e

    8642a1c54c99774f7ffc1ade073f2ccc90b6e2fcacb0118f1eca20b20018d590

    9d14c9d7fca8e623607986ac1c27a149dfa9a82ac267475bed080636a5870269

    a8d9f9469418516807ac7ce3dbf50de0ef3e0d2ef122b2932ba908cdadc3a5bb

    b289bcb40e6ee16638ae7bdadb95ebbebae75568e751820d261959394d7e7f02

    b86d1564a606793a4427d5795a37825eeb11296b01cae339da01ab64feb73922

    c4698b067e10ecf2ac5a4e318703d46b33cbdcd9803ffabc4a9da147e5d271f1

    dee4d4d3b765fc0ad7ba88d69104b5cf90a448eaf1623445033a0f671e44ffd1

    e50306b8c8b4bfd52da321a30e3e28bbef41b333e5803a303791f27798a1299c

    e5af2faef6688bf5e5889e78357bf993e13a1d21086dfb8a4ae268ae2004068f

    f330c988680055316a3aa2bc341e409096517381395469a32aa369a1940e9e5c

    ff2c3f6c56786af4fea96c55bb7877094ea482a162050721397dda1d82246ea0

Coverage

    Product                      Protection
    Secure Endpoint              (image)
    Cloudlock                    N/A
    CWS                          (image)
    Email Security               (image)
    Network Security             (image)
    Stealthwatch                 N/A
    Stealthwatch Cloud           N/A
    Secure Malware Analytics     (image)
    Umbrella                     N/A
    WSA                          (image)

Screenshots of Detection

Secure Endpoint (screenshot not extracted)

Secure Malware Analytics (screenshot not extracted)

MITRE ATT&CK (technique map not extracted)

Win.Packed.Gamarue-9970619-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples

    Registry Keys                                                            Occurrences
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
        Value Name: apdsdtsh                                                 25
    <HKCU>\SOFTWARE\APPDATALOW\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5          25
    <HKCU>\SOFTWARE\APPDATALOW\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5
        Value Name: Install                                                  25
    <HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
        Value Name: C:\Windows\system32\Authias.exe                          25
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
        Value Name: LanguageList                                             25
    <HKCU>\SOFTWARE\APPDATALOW\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5
        Value Name: Client                                                   25
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.106
        Value Name: CheckSetting                                             25
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{01979C6A-42FA-414C-B8AA-EEE2C8202018}.CHECK.100
        Value Name: CheckSetting                                             25
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{852FB1F8-5CC6-4567-9C0E-7C330F8807C2}.CHECK.100
        Value Name: CheckSetting                                             25
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{852FB1F8-5CC6-4567-9C0E-7C330F8807C2}.CHECK.101
        Value Name: CheckSetting                                             25
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\SHELL
        Value Name: NodeSlots                                                1
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\SHELL
        Value Name: MRUListEx                                                1
    <HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL
        Value Name: NodeSlots                                                1
    <HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL
        Value Name: MRUListEx                                                1

    Mutexes                                                                  Occurrences
    Local\{7FD07DA6-D223-0971-D423-264D4807BAD1}                             25
    {<random GUID>}                                                          25

    Domain Names contacted by malware. Does not indicate maliciousness       Occurrences
    alrthesecuritywith[.]su                                                  25

    Files and or directories created                                         Occurrences
    {4BC230AC-2EB3-B560-90AF-42B9C45396FD}                                   25
    %LOCALAPPDATA%\Microsoft\Windows\WER\ERC\statecache.lock                 25
    %System32%\Authias.exe                                                   25

File Hashes

    04deccd24c8ba2a38462b2fbe8bbdfc70484892cbc0acdb28345de60b381f17c

    07f1a829b39eb8df6754b4dbed45a71d4aac24c073702254b867113661423831

    10bbe562791a00906cfcf42ce12046233438aedd689b92081c546f038fd23194

    12981607682dab89979727d0ec582315b1565bf94a54cb5a08a876345c8c4dd7

    17692c251e7257d3ab0db70615d9b30eeaddaf6958dcbd949bbaef0ded9e5d1e

    23349c88ef430438af6b527e241074c7b2d6809337879da50b098c1a809cf814

    25e0618244af804051450a99c664772473615c351714ce5a3d8912573ba964df

    28b34665550780af293c665483967e1ba6be39b50bf1dd5d89c716990b67df4a

    292139a3d2e6ac70015b05a225072c3f9d9d0b8ac39448e12733e33dbcb8add0

    3662025e620ac8a337cb2e4a53d8953de01a92ee1439c2bac9b72de592dca969

    3dca218d2bb5c419d0f92c5c5b8e9a891c817bc4c52f465fc89980f9c55551e6

    4a2e7161239b8f9f3f9a3fcf868aa0fca6ca4890eceb629886062b6ff729385a

    5535c54c6922219bf1ed1049b5e00c5a838f632b618b80eef36ccb10852f3de2

    587713ec906ea8c3e5fee650abace23a1396ca69dd183253b8a6244bdfa3d5df

    5e9f652ff2720dec825edb85e2abe9466e944287b35db49ac80e9adf95df165c

    66196b18fcce2381b23c5575822a79542d009f039ec872eeaa199dbe97bbb26f

    67f172a5505a404b8817a9f6dabb11a7d5c0bb4cc22d60e13a38d9a70a4d8e97

    855033ed08a2ab3e8e157ba89696d9d9eab207a98fde70a60752f88607394b98

    8cc1dcb771e5d781e5fa805cbfc349b768996cb363ee311b97a56b7a485c50c3

    8e2761a959dbf166a680e0865438238f3f857a25466fc497bb5c25c1ce7f31c6

    957881f71c8988d70b6d9aef095a70bae4256adefc160374ef4db1a09cf526b7

    965e0adee6460a5bf1724e9b9c37542cff44abc50a7c8cf1a7b027bd0a3c8885

    99584a5853ee407a4924921589e995dbbc135014c2f7a09e0887f45dfb0ce1c4

    9b6b29ddd0789e95a73c9ea48d7335555dbf20064b8459549729332044c341c2

    a917ac90f8a680731d543c6f93cdb7968d750fda8a36e8f531c01b5849150cb2

*See JSON for more IOCs

Coverage

    Product                      Protection
    Secure Endpoint              (image)
    Cloudlock                    N/A
    CWS                          (image)
    Email Security               (image)
    Network Security             (image)
    Stealthwatch                 N/A
    Stealthwatch Cloud           N/A
    Secure Malware Analytics     (image)
    Umbrella                     N/A
    WSA                          N/A

Screenshots of Detection

Secure Endpoint (screenshot not extracted)

Secure Malware Analytics (screenshot not extracted)

MITRE ATT&CK (technique map not extracted)

Win.Packed.Nanocore-9970631-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 16 samples

    Registry Keys                                                            Occurrences
    <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
        Value Name: AGP Manager                                              16

    Mutexes                                                                  Occurrences
    Global\{5f88600c-86da-4b30-b45c-8e6d9614baec}                            16

    IP Addresses contacted by malware. Does not indicate maliciousness       Occurrences
    176[.]136[.]210[.]152                                                    16

    Domain Names contacted by malware. Does not indicate maliciousness       Occurrences
    foobosmy[.]duckdns[.]org                                                 16

    Files and or directories created                                         Occurrences
    %ProgramFiles(x86)%\AGP Manager                                          16
    %ProgramFiles(x86)%\AGP Manager\agpmgr.exe                               16
    %APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5                           16
    %APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs                      16
    %APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs\Administrator        16
    %APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\run.dat                   16
    %APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\task.dat                  16
    %System32%\Tasks\AGP Manager                                             16
    %System32%\Tasks\AGP Manager Task                                        16
    %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\vftwrxguvulmqhj.eu.url    16
    %APPDATA%\zvgrxunhzg                                                     16
    %APPDATA%\zvgrxunhzg\vftwrxguvulmqhj.exe                                 16
    %TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp                           16

File Hashes

    134e0430e528508da28d81b2b4ece6c9273fb568a561dd507f26d666a9eb06b3

    168455cbc98ae29cafcd0dc1587c449e208e5c4f8ca59420b3667c9f698a7c51

    18d834d0819c859ca179e182dfb1cdedac88857124024bfce1d0368b414f50c0

    3974f625f1fb08a2174021705db11ae31aa326357728ae0b1cdf102b80eb5763

    3a7b0af05b1e41786cc3ff6d99d723418b89340df9ae67837001c6a31cafb4e5

    6ffff5899e1086659ba7b24a72212c8531c334643757c46d4c837460c5380693

    82defa5374685563056b630ef12a46f21408cace520e72af239b47afea32e8f8

    8eb183d70b6842a68d17c3950b22fabbc4f2e6de8129afddcd2fb25d03fc7df9

    8fe07daa7730dc17d3fdf7134e85da268a10ce447b4c3d810d433285a35cc9e6

    9b46ecd089a55744c52ac2df7882a507dd1f97a3fd40805d9eccbdbbb6aed463

    9dcfa90e87d3e281a4f42d3253b1ae3386930985c0ae5f9fb29e32284d7924ce

    aa4adb36cd79f611579e74bc562fb5f6282bce4d9cc5699e1db2aeb7a92151de

    b2eb77614315a5d51d44911016d2a235324af0d403de6a55262c9b1e3e74130f

    dc6284d0afde4a6fb81efdb496149c6b708af0f3497e96a63162131a839879c1

    dff727df396c8c954148fa078980de5e7d35a2fc000bb75905b94e6a2b7f5ff0

    fd70c1b68017c46b3050ee7932d3494bca6216151ddb7fcabc36f1a0649112d3

Coverage

    Product                      Protection
    Secure Endpoint              (image)
    Cloudlock                    N/A
    CWS                          (image)
    Email Security               (image)
    Network Security             (image)
    Stealthwatch                 N/A
    Stealthwatch Cloud           N/A
    Secure Malware Analytics     (image)
    Umbrella                     N/A
    WSA                          N/A

Screenshots of Detection

Secure Endpoint (screenshot not extracted)

Secure Malware Analytics (screenshot not extracted)

MITRE ATT&CK (technique map not extracted)

Win.Dropper.Formbook-9970817-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 15 samples

    Registry Keys                                                            Occurrences
    <HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
        Value Name: LanguageList                                             4
    <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
        Value Name: QWbqZbz                                                  1

    Mutexes                                                                  Occurrences
    8-3503835SZBFHHZ                                                         1
    S-1-5-21-2580483-12441345692046                                          1
    KP30NU33--DvY01Z                                                         1
    Global\5292ba81-3a39-11ed-9660-001517e40972                              1
    aenDyAN                                                                  1
    Global\46b1a361-3a9e-11ed-9660-001517a459ad                              1

    IP Addresses contacted by malware. Does not indicate maliciousness       Occurrences
    132[.]226[.]247[.]73                                                     2
    198[.]185[.]159[.]145                                                    1
    149[.]154[.]167[.]220                                                    1
    34[.]102[.]136[.]180                                                     1
    193[.]122[.]6[.]168                                                      1
    193[.]122[.]130[.]0                                                      1
    34[.]194[.]149[.]67                                                      1
    104[.]18[.]115[.]97                                                      1
    199[.]59[.]243[.]222                                                     1
    8[.]130[.]101[.]174                                                      1
    154[.]86[.]16[.]11                                                       1
    5[.]2[.]84[.]51                                                          1

    Domain Names contacted by malware. Does not indicate maliciousness       Occurrences
    checkip[.]dyndns[.]org                                                   4
    icanhazip[.]com                                                          1
    api[.]telegram[.]org                                                     1
    www[.]locallywhitstable[.]co[.]uk                                        1
    www[.]fftblogs[.]com                                                     1
    www[.]lanyuelou[.]com                                                    1
    www[.]icishopping[.]com                                                  1
    www[.]mooreandsonsak[.]net                                               1
    www[.]junaidsubhani[.]tech                                               1
    mail[.]boyyem[.]com[.]tr                                                 1

    Files and or directories created                                         Occurrences
    %System32%\Tasks\Updates                                                 3
    %APPDATA%\QWbqZbz                                                        1
    %APPDATA%\QWbqZbz\QWbqZbz.exe                                            1
    %TEMP%\tmp67A.tmp                                                        1
    %APPDATA%\Hmcuym.exe                                                     1
    %System32%\Tasks\Updates\Hmcuym                                          1
    %TEMP%\tmpBA86.tmp                                                       1
    %APPDATA%\hmlkDX.exe                                                     1
    %System32%\Tasks\Updates\hmlkDX                                          1
    %TEMP%\tmpA204.tmp                                                       1
    %APPDATA%\idnepTZUXvdc.exe                                               1
    %System32%\Tasks\Updates\idnepTZUXvdc                                    1

File Hashes

    23ed86473177a66d71540c3d3ac737aa5a4d30644af5710a54ebbb5e348fa2ee

    2f2e0f257103ce5edb8051b532f00204bf882cbdec68de38c6fe8ea18390f9d2

    33f83dffcd247e3fefedefb2b591598eda89c7a47892d45d3051df760b60a74a

    39dd36743f55ee7885cd4033e9705a0bdf2dea44416bbdc6ec6d8384c3d4e20d

    53a95222b2d47e3b44240183d0eafbc7f64bcbd88bbe61af3580ab00c5f0ff85

    75ce7e84cc5c6682354ceb8edc7f0b77be3ecdda500d1b0178accd0c6158f980

    9da14f5b4c27946dc53283a1773e0de7246b170e11b06be9fd8c27d095054d5b

    a8b84e503c11cce5530fb019cd43a0306656dd22e78eac4279a332b00430ed8d

    a933028fe3b25879543cc98653b7cf66d5b2ef8dfbae539bb8d284a5f9cd4c9e

    c1226a8fab28514368ebf700c5bb48e993c05e019e86a6db8c7ccc6105696a21

    ca3afdd3df6970f8026481a1d7800d86ba9852aa6a12325330a91f05aa60fb32

    da67541015af6ddee5bad1432ecc3efbf85cde69c494fd1635edbae606c4a628

    e7612d60681cabff03ff3bbcb0a3985a94430375e941fd8dc58e1df8151930b1

    e7cbf5001db95b997003f00bcac7ca10231130e2127470ead43f6563ebcda5fc

    f46e6b0438003a0daeec5461f9f01dd676b39243be432365a9c59116dc6613b5

Coverage

    Product                      Protection
    Secure Endpoint              (image)
    Cloudlock                    N/A
    CWS                          (image)
    Email Security               (image)
    Network Security             (image)
    Stealthwatch                 N/A
    Stealthwatch Cloud           N/A
    Secure Malware Analytics     (image)
    Umbrella                     N/A
    WSA                          N/A

Screenshots of Detection

Secure Endpoint (screenshot not extracted)

Secure Malware Analytics (screenshot not extracted)

MITRE ATT&CK (technique map not extracted)

Win.Ransomware.BlackMatter-9970818-0
Indicators of Compromise

  • IOCs collected from dynamic analysis of 18 samples

Registry Keys
Key (Value Name)    Occurrences
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E (Value Name: LanguageList)    18
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER (Value Name: GlobalAssocChangedCounter)    17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VSS (Value Name: DeleteFlag)    16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VSS (Value Name: Start)    16
<HKLM>\SOFTWARE\CLASSES\ISTTBGKAF\DEFAULTICON    1
<HKLM>\SOFTWARE\CLASSES\.YYBUFJ3PN    1
<HKLM>\SOFTWARE\CLASSES\YYBUFJ3PN    1
<HKLM>\SOFTWARE\CLASSES\YYBUFJ3PN\DEFAULTICON    1
<HKLM>\SOFTWARE\CLASSES\.YYBUFJ3PN    1
<HKLM>\SOFTWARE\CLASSES\YYBUFJ3PN\DEFAULTICON    1
<HKLM>\SOFTWARE\CLASSES\.WQCENFTHJ    1
<HKLM>\SOFTWARE\CLASSES\WQCENFTHJ    1
<HKLM>\SOFTWARE\CLASSES\WQCENFTHJ\DEFAULTICON    1
<HKLM>\SOFTWARE\CLASSES\.EL7OOPHD2    1
<HKLM>\SOFTWARE\CLASSES\.WQCENFTHJ    1
<HKLM>\SOFTWARE\CLASSES\EL7OOPHD2    1
<HKLM>\SOFTWARE\CLASSES\WQCENFTHJ\DEFAULTICON    1
<HKLM>\SOFTWARE\CLASSES\EL7OOPHD2\DEFAULTICON    1
<HKLM>\SOFTWARE\CLASSES\.EL7OOPHD2    1
<HKLM>\SOFTWARE\CLASSES\EL7OOPHD2\DEFAULTICON    1
<HKLM>\SOFTWARE\CLASSES\.PF4SBMUII    1
<HKLM>\SOFTWARE\CLASSES\PF4SBMUII    1
<HKLM>\SOFTWARE\CLASSES\PF4SBMUII\DEFAULTICON    1
<HKLM>\SOFTWARE\CLASSES\.PF4SBMUII    1
<HKLM>\SOFTWARE\CLASSES\PF4SBMUII\DEFAULTICON    1

Mutexes
Mutex    Occurrences
Global\{649F4E29-16CB-DD42-8922-9FFF0592856B}    1
Global\dc0d7207879493a1bb8d21571501a3c6    1
Global\03b84b750e7b0c183e81917fcc29ae2b    1
Global\68d784f599b693adb48d474d1722e8e9    1
Global\10b5e1850ed6703d7665a1adf3e368f4    1
Global\b36e0b827c995460aa570434a5517221    1
Global\2f26f3d09ccaf40de88c7029b61a3701    1
Global\9edc1729071cfeb8f9fe5f019ce0054a    1
Global\459bf63110ce888f28d3fd21adc5b730    1
Global\391396896a2cb3a40a83c4fbbe4675f3    1
Global\4c3e3cb8c6ed0804dcd51ba2638722cd    1
Global\0b32ca9dec339d33dd1bd5908acf4ce2    1
Global\4fe0268a70e4d52b0350071e277b194f    1
Global\ee7e1dcdc809584b5f8189eb071d9f66    1
Global\dfd07220109cd1dfb3c5268b025a72f3    1
Global\aa1f32bc8faeb8bbba36c0d7ccb5c0a0    1
Global\2c43957a37f865be08b53665ca3386d7    1
Global\d40e39e3314b8106bbc67d7dd3c2c4f4    1

Domain Names contacted by malware. Does not indicate maliciousness
Domain    Occurrences
test[.]white-datasheet[.]com    1

Files and or directories created
Path    Occurrences
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-1002\desktop.ini    18
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I08BO8F.xlsx    18
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I11KHR4.doc    18
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I5QKHLN.doc    18
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I62TWBD.ppt    18
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I6FZORX.doc    18
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IABMX83.pdf    18
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IAJ2Y6R.pdf    18
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IALGTCS.xlsx    18
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IAPSNOM.tsv    18
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IGORSF7.xsn    18
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IGTBBSA.accdb    18
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IH49RPF.ppt    18
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IH71GGR.ppt    18
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IJKODPH.pdf    18
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IJP965K.accdb    18
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IKY5R3M.pdf    18
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IMYCSIT.pdf    18
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$ISLP722.doc    18
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IXLC77A.pdf    18
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IXUL2U1.doc    18
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IYSR1FU.ppt    18
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IZ2GMJW.XLSX    18
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$R08BO8F.xlsx    18
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$R11KHR4.doc    18
*See JSON for more IOCs

File Hashes

    072d0633006eeafc77c0b0144fdac84a57fa1e4f8b96d9aa33d377bd789bc533

    0c4c93e6d8473b76a094a158b6dd045904bdc78e92a0bbc6faffa222df7acb6b

    12b6fead37cca9d8ca4c00c2a9d56c0a402e760ab309356f078587acb7f33396

    4b8fbb8a6e46b9db78bdf5ac1aa924f901270fe369411bf431fce8a46c48ca2a

    50fad26d726e0af6dbed3225267934ae9ef22b31e48fc623ce93ba582a7e6110

    58729cd09a74e3f69d26653b71412f9c9285ffaba52a9beb5b6d634014c98e1a

    5f4ce514d8624a72d78cae3837a197ccb44cee28d4334a7641c02beb5496b3d0

    6a255e2ee08490123fa594de4fe0dac977579deb541afcf455b59de2dbe05831

    7d7357e4963c7d6f087a11e22d683cacf614dc7f269c2907bbb12ae30f2b007d

    84d0154234d274d9188f3f1cf1852c58cfa8020a23f99812bced94d94b7f7fe5

    97002e942beed0aff194d817e98fe9fa46abb30de87e893f328f01e638bbeed1

    97320395d90b28ad3d5cd0ed0416b0fe379cc0cc3d65f0b27e50db4da5902ec2

    b1f44fbe839e4f53bdcf5448b637ffcab3167dc931f7f7fd39738f83ae827f5e

    cb537a122fb0531f14c76dfd0a87cc304c26a9ab01aec46a5fd17f268ac80854

    e609bf8406b61613f3e605d277cf445059974a4c71c3edd09fffae86a3c5dbfe

    ece96607ae4f56f49d06aa2d790f21837beec9dfcb4aeabf69f6a80965c54fdd

    f02cf38d417fc6e3d5f9fc05ebf49ca37e6106ffc62ce21145888338598e0c70

    f1ecb57988caf26216683b1314607f06f8bf051632ff7ba73f17c2dc9b3aafcc

Coverage
Product    Protection
Secure Endpoint    [icon]
Cloudlock    N/A
CWS    [icon]
Email Security    [icon]
Network Security    N/A
Stealthwatch    N/A
Stealthwatch Cloud    N/A
Secure Malware Analytics    [icon]
Umbrella    N/A
WSA    N/A
Rows marked [icon] showed a protection icon in the original; the image was not extracted.

Screenshots of Detection
Secure Endpoint: screenshot (image not extracted)
Secure Malware Analytics: screenshot (image not extracted)
MITRE ATT&CK: technique heat map (image not extracted)

Win.Dropper.DarkKomet-9970824-0
Indicators of Compromise

  • IOCs collected from dynamic analysis of 269 samples

Registry Keys
Key (Value Name)    Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWSDRIVER    268
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWSDRIVER (Value Name: Type)    268
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWSDRIVER (Value Name: Start)    268
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWSDRIVER (Value Name: ErrorControl)    268
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWSDRIVER (Value Name: ImagePath)    268
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWSDRIVER (Value Name: DisplayName)    268
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWSDRIVER (Value Name: WOW64)    268
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWSDRIVER (Value Name: ObjectName)    268
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWSDRIVER\PARAMETERS    268
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SVCHOST (Value Name: WindowsDriver)    268
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWSDRIVER\PARAMETERS (Value Name: ServiceDll)    268
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E (Value Name: LanguageList)    19
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E (Value Name: @explorer.exe,-7001)    10
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E (Value Name: @C:\Windows\system32\DeviceCenter.dll,-2000)    5
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CACHE\CONTENT (Value Name: CachePrefix)    2
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CACHE\COOKIES (Value Name: CachePrefix)    2
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CACHE\HISTORY (Value Name: CachePrefix)    2
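
The VSS DeleteFlag and Start writes in the BlackMatter registry table above, the per-sample file-extension ProgIDs with a DefaultIcon subkey in the same table, and the WindowsDriver service with a Parameters\ServiceDll value plus an entry under Windows NT\CurrentVersion\Svchost in the DarkKomet table are behaviors rather than fixed strings: the extension and service names change per sample, so they hunt better as correlation rules over registry telemetry than as exact-match IOCs. The Python below is an added example, not Talos code and not part of the original post, that runs such rules over constructed Sysmon-style registry value-set events. The event shape, the DWORD values written, and the allowlist of processes expected to write service definitions are assumptions for the example.

```python
import re
from collections import defaultdict

# Registry-write patterns derived from the tables above (case-insensitive).
VSS_TAMPER = re.compile(r"\\Services\\VSS\\(Start|DeleteFlag)$", re.I)
NEW_EXT = re.compile(r"\\Classes\\\.([^\\]+)\\", re.I)                  # \Classes\.ext\...
DEFAULT_ICON = re.compile(r"\\Classes\\([^\\.][^\\]*)\\DefaultIcon\\", re.I)
SVCHOST_DLL = re.compile(r"\\Services\\([^\\]+)\\Parameters\\ServiceDll$", re.I)
SVCHOST_GROUP = re.compile(r"\\CurrentVersion\\Svchost\\([^\\]+)$", re.I)

# Processes expected to write service definitions. Assumption for the
# example; tune to the environment.
SERVICE_WRITERS = {"services.exe", "svchost.exe", "msiexec.exe", "trustedinstaller.exe"}


def parse_dword(details: str):
    """Extract the integer from a Sysmon-style 'DWORD (0x00000004)' string."""
    m = re.search(r"0x([0-9a-fA-F]+)", details)
    return int(m.group(1), 16) if m else None


def evaluate(events):
    """Correlate registry writes per writing process. Returns
    {image: [rule names]} for processes that trip at least one rule."""
    per_image = defaultdict(lambda: defaultdict(set))
    for ev in events:
        image, target, details = ev["image"], ev["target"], ev["details"]
        flags = per_image[image]
        if m := VSS_TAMPER.search(target):
            value, name = parse_dword(details), m.group(1).lower()
            # Start=4 disables the service; DeleteFlag=1 removes it on reboot.
            if (name == "start" and value == 4) or (name == "deleteflag" and value == 1):
                flags["vss"].add(name)
        if m := NEW_EXT.search(target):
            flags["ext"].add(m.group(1).lower())
        if m := DEFAULT_ICON.search(target):
            flags["icon"].add(m.group(1).lower())
        if (m := SVCHOST_DLL.search(target)) and image.rsplit("\\", 1)[-1].lower() not in SERVICE_WRITERS:
            flags["svc_dll"].add(m.group(1).lower())
        if m := SVCHOST_GROUP.search(target):
            flags["svc_group"].add(m.group(1).lower())

    findings = {}
    for image, flags in per_image.items():
        rules = []
        if flags["vss"]:
            rules.append("vss_service_disabled_or_marked_for_delete")
        if flags["ext"] & flags["icon"]:           # same name registered as extension and ProgID
            rules.append("new_file_extension_with_default_icon")
        if flags["svc_dll"] & flags["svc_group"]:  # same service name in both places
            rules.append("svchost_hosted_service_registered_by_nonsystem_process")
        if rules:
            findings[image] = rules
    return findings


# Constructed Sysmon-style registry value-set events (Event ID 13 shape),
# modelled on the keys listed above. Sample data, not a real capture.
EVENTS = [
    {"image": r"C:\Users\bob\Desktop\invoice.exe",
     "target": r"HKLM\SYSTEM\ControlSet001\Services\VSS\Start", "details": "DWORD (0x00000004)"},
    {"image": r"C:\Users\bob\Desktop\invoice.exe",
     "target": r"HKLM\SYSTEM\ControlSet001\Services\VSS\DeleteFlag", "details": "DWORD (0x00000001)"},
    {"image": r"C:\Users\bob\Desktop\invoice.exe",
     "target": r"HKLM\SOFTWARE\Classes\.yybufj3pn\(Default)", "details": "yybufj3pn"},
    {"image": r"C:\Users\bob\Desktop\invoice.exe",
     "target": r"HKLM\SOFTWARE\Classes\yybufj3pn\DefaultIcon\(Default)", "details": "(constructed)"},
    {"image": r"C:\Users\carol\Downloads\setup.exe",
     "target": r"HKLM\SYSTEM\ControlSet001\Services\WindowsDriver\Parameters\ServiceDll",
     "details": r"C:\Windows\SysWOW64\WindowsDriver.dll"},
    {"image": r"C:\Users\carol\Downloads\setup.exe",
     "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Svchost\WindowsDriver",
     "details": "WindowsDriver"},
    {"image": r"C:\Windows\System32\services.exe",
     "target": r"HKLM\SYSTEM\ControlSet001\Services\Spooler\Start", "details": "DWORD (0x00000002)"},
]

if __name__ == "__main__":
    for image, rules in evaluate(EVENTS).items():
        print(image, "->", ", ".join(rules))
```

Each rule requires two related writes from the same process (extension plus matching ProgID icon; ServiceDll plus matching svchost group entry; or a VSS value set to a disabling value), which is what keeps a legitimate installer registering one file type, or services.exe changing a start type, from tripping it. The sample services.exe write to the Spooler start value produces no finding for that reason.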

Mutexes
Mutex    Occurrences
IEo.txt    268
quansg    265

IP Addresses contacted by malware. Does not indicate maliciousness
IP Address    Occurrences
183[.]110[.]225[.]61    265
112[.]175[.]100[.]207    265

Domain Names contacted by malware. Does not indicate maliciousness
Domain    Occurrences
kanmay[.]cafe24[.]com    265

Files and or directories created
Path    Occurrences
%SystemRoot%\SysWOW64\IEn.txt    268
%SystemRoot%\SysWOW64\WindowsDriver.dll    268

File Hashes

    00eb6c2df37113f0e4003b628ee1a475c9f0400829b77299c299b1e9c95c418d

    01794606a7a92c15bc8ba6502162976c823ba5d4ebc3a88467791a9db3778ef7

    022f8be735d9e9d3997908a93196a52a87732dad299536c069ea85feeeea160f

    02b9cd9c9154a18666fd00ed905d6da9b12009853cb9f8ce2e0cf92f87bd4135

    02bad02ca69901b56f664e2885bafb295121452b5e109a3874f91f1ff4ffe23e

    03412cef90bb6952d8c8972f197ee6b1ea28d295c4974d1a72b3b6d9095c1269

    03906939f8b5a5ed4144066225b7386aec74d4c06b5e7cb81a2974e2c687f4da

    04982dc42efe67ff4158e9fd73e30d728a29c0aaddafb6ba0e6fb0985bf89098

    04b5517c234f42019237157847c6f66a9f3cdb90c218516f570bd82f259884da

    0726d0dfa08cff2b64c73fcd9c62f0d422f9ad79ba8cedb571a4a01cbc821604

    0801823675ac75c805fa9539faffaad12984ff7b5ca048ad246b75f3f23714c0

    0920c8647741aa522efbc0f346802eb49d53364de493957d1f0e8690cbcff11c

    0981457a5d19d389ff9add2ab40483b1e404ef8a08576125d602533619ef5d12

    0bc073e7c6861c4cfab2a4c9beb7384bb78e102902874703ee0ccef855154155

    0ca9110869dd63e0118be5c519c9e143010f4cf0ba2b1101aba59249f1285b52

    0dfd8aae9b3535191eeb81ec4705625e9e57a6aa135a6c782b65ba169a80f656

    0e099e281e6e3032165764a030ac73046c26b488f1fd803b64fef1fafddf2775

    0eaae85e998d1617c34bc7d05db597c222f5a9fe863d995234ca7d591c8fa2fc

    1131ba25f0df80d98481e1e669c5fef1e3ce0b6699e6ff0bbd40c20d0649d090

    117afd55818106d5d5aad61f30f5d289666244243a41f42d7a224a89588f850b

    12d5290c46b571ce5724937e85afb7d7146cbedb42c295243a55c8157fd07111

    12edd2a6b213d68f391c831d4fbe706d077f01efea62a2a16db47c68df21768b

    1352e8b45f865f8f5069d6c0e5e0e8239229a8bfbe000b32e6614a2d764e90ff

    13d20eefb6ec5d8f0f688039c40e084665f82dc528c922c6f93a758a47befed1

    14a0ae7aaf08ca98ec301d106c439cf81fbb5fb074720f2a902aa867dc91cc30

*See JSON for more IOCs

Coverage
Product    Protection
Secure Endpoint    [icon]
Cloudlock    N/A
CWS    [icon]
Email Security    [icon]
Network Security    N/A
Stealthwatch    N/A
Stealthwatch Cloud    N/A
Secure Malware Analytics    [icon]
Umbrella    N/A
WSA    N/A
Rows marked [icon] showed a protection icon in the original; the image was not extracted.

Screenshots of Detection
Secure Endpoint: screenshot (image not extracted)
Secure Malware Analytics: screenshot (image not extracted)
MITRE ATT&CK: technique heat map (image not extracted)
