Threat Roundup for September 16 to September 23
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Sept. 16 and Sept. 23. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats. As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files. The most prevalent threats highlighted in this roundup are:
Threat Name | Type | Description
Win.Dropper.NetWire-9970213-0 | Dropper | NetWire is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, remote desktop and read data from connected USB devices. NetWire is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Trojan.LokiBot-9970418-0 | Trojan | Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.
Win.Ransomware.Cerber-9970426-0 | Ransomware | Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension “.cerber,” although in more recent campaigns, other file extensions are used.
Win.Packed.Gamarue-9970619-0 | Packed | Gamarue, also known as Andromeda, is a botnet used to spread malware, steal information and perform activities such as click fraud.
Win.Packed.Nanocore-9970631-0 | Packed | Nanocore is a .NET remote access trojan. Its source code has been leaked several times, making it widely available. Like other RATs, it allows full control of the system, including recording video and audio, stealing passwords, downloading files and recording keystrokes.
Win.Dropper.Formbook-9970817-0 | Dropper | Formbook is an information stealer that attempts to collect sensitive information from an infected machine by logging keystrokes, stealing saved web browser credentials, and monitoring information copied to the clipboard.
Win.Ransomware.BlackMatter-9970818-0 | Ransomware | BlackCat ransomware, also known as "ALPHV", has quickly gained notoriety for being used in double ransom attacks against companies in which attackers encrypt files and threaten to leak them. It uses the combination of AES128-CTR and RSA-2048 to encrypt the files on the victim’s computer.
Win.Dropper.DarkKomet-9970824-0 | Dropper | DarkKomet is a freeware remote access trojan released by an independent software developer. It provides the same functionality you would expect from a remote access tool: keylogging, webcam access, microphone access, remote desktop, URL download and program execution, etc.
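The roundup publishes its network indicators defanged with `[.]` and, for some addresses, as CIDR ranges (for example `198[.]54[.]117[.]210/31`), and the introduction notes that a single IOC hit is not proof of maliciousness. The following is an added example, not code from Talos or from this post, showing how a defender would refang that format, treat single addresses and ranges uniformly, and sweep constructed proxy/DNS log lines for hits. The indicator subset is copied from the NetWire and Cerber sections of this post; the log lines, field names and timestamps are constructed for illustration.

```python
import ipaddress
import re

# Subset of the defanged indicators listed in this roundup (NetWire and
# Cerber sections). They stay defanged at rest and are refanged only in memory.
DEFANGED_IOCS = [
    "149[.]154[.]167[.]220",
    "198[.]54[.]117[.]210/31",
    "149[.]202[.]64[.]0/27",
    "api[.]telegram[.]org",
    "xxxxxxxxxxxxxxxx[.]1k1dxt[.]top",
]


def refang(ioc: str) -> str:
    """Turn the '[.]' defanging used in the roundup back into a dotted name or address."""
    return ioc.replace("[.]", ".")


def load_iocs(defanged):
    """Split indicators into IP networks (a bare host becomes a /32) and lowercase domains."""
    networks, domains = [], set()
    for raw in defanged:
        ioc = refang(raw)
        try:
            networks.append(ipaddress.ip_network(ioc, strict=False))
        except ValueError:
            domains.add(ioc.lower())
    return networks, domains


IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Hostname: one or more labels followed by an alphabetic TLD, so dotted IPs do not match.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def match_line(line, networks, domains):
    """Return the indicators a log line touches: IPs inside any listed network, and
    domains equal to or under any listed domain."""
    hits = []
    for ip in IP_RE.findall(line):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # e.g. an octet above 255
        for net in networks:
            if addr in net:
                hits.append(f"ip:{ip} in {net}")
    for host in HOST_RE.findall(line):
        h = host.lower()
        if h in domains or any(h.endswith("." + d) for d in domains):
            hits.append(f"domain:{h}")
    return hits


# Constructed sample log lines; not taken from the roundup.
SAMPLE_LOGS = [
    "2022-09-20T10:01:02Z proxy client=10.0.0.5 dst=198.54.117.211:443 host=www.example.com",
    "2022-09-20T10:01:05Z dns client=10.0.0.5 query=api.telegram.org type=A",
    "2022-09-20T10:02:00Z proxy client=10.0.0.9 dst=93.184.216.34:443 host=www.example.com",
]


def scan(lines, defanged=DEFANGED_IOCS):
    """Map line index -> list of indicator hits, omitting lines with no hit."""
    networks, domains = load_iocs(defanged)
    result = {}
    for i, line in enumerate(lines):
        hits = match_line(line, networks, domains)
        if hits:
            result[i] = hits
    return result


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOGS).items():
        print(idx, SAMPLE_LOGS[idx])
        for h in hits:
            print("   ", h)
```

Run as written, the first line is flagged because 198.54.117.211 falls inside the /31 range the post lists, and the second because of the api.telegram.org lookup; the third line matches nothing. The second hit illustrates the caveat in the introduction: a Telegram API lookup is also ordinary user traffic, so a match on a shared service domain is a pivot for further hunting (which process made the request, from which host, with what frequency), not a verdict on its own.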
Threat Breakdown
Win.Dropper.NetWire-9970213-0
Indicators of Compromise
IOCs collected from dynamic analysis of 12 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList 7
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: WindowsUpdate 7
Mutexes Occurrences
8-3503835SZBFHHZ 5
73M9N-T0-UB83K6J 2
S-1-5-21-2580483-12441695089072 2
S-1-5-21-2580483-12443106840201 2
1N6PO-QCTT825WY- 2
S-1-5-21-2580483-1244465298972 1
3MAM487FD866043M 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
149[.]154[.]167[.]220 7
34[.]102[.]136[.]180 4
198[.]54[.]117[.]215 2
198[.]54[.]117[.]210/31 2
99[.]83[.]154[.]118 2
54[.]251[.]110[.]33 2
198[.]54[.]117[.]217 1
198[.]71[.]232[.]3 1
2[.]57[.]90[.]16 1
185[.]107[.]56[.]59 1
52[.]20[.]84[.]62 1
34[.]117[.]168[.]233 1
69[.]163[.]224[.]231 1
109[.]123[.]121[.]243 1
216[.]40[.]34[.]41 1
199[.]59[.]243[.]222 1
31[.]220[.]126[.]24 1
172[.]96[.]191[.]143 1
45[.]224[.]128[.]33 1
207[.]244[.]241[.]148 1
162[.]213[.]255[.]94 1
172[.]67[.]180[.]112 1
23[.]230[.]152[.]134 1
154[.]86[.]220[.]203 1
104[.]247[.]82[.]53 1
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
api[.]telegram[.]org 7
www[.]wearestallions[.]com 2
www[.]intelsearchtech[.]com 2
www[.]kigif-indonesia[.]com 2
www[.]homecrowds[.]net 2
www[.]beachloungespa[.]com 2
www[.]northpierangling[.]info 1
www[.]xn--agroisleos-09a[.]com 1
www[.]cacconsults[.]com 1
www[.]fdupcoffee[.]com 1
www[.]drivemytrains[.]xyz 1
www[.]banchers[.]com 1
www[.]olympushotel[.]xyz 1
www[.]imbtucan[.]site 1
www[.]leeanacosta[.]com 1
www[.]searchnewsmax[.]com 1
www[.]supera-digital[.]com 1
www[.]fitnesshubus[.]com 1
www[.]kettlekingz[.]co[.]uk 1
www[.]meditgaming[.]store 1
www[.]alpenfieber-events[.]com 1
www[.]bobijnvidit[.]xyz 1
www[.]thespecialtstore[.]com 1
www[.]momotou[.]xyz 1
www[.]tricon[.]info 1
*See JSON for more IOCs
Files and or directories created Occurrences
%HOMEPATH%\temp 12
%TEMP%\RegSvcs.exe 7
\9_101\jhipudjmrh.pdf 1
%TEMP%\5_610\wuqiiqpl.cpl 1
\9_101\kxfbovr.dll 1
%TEMP%\5_610\xjusg.bin 1
\9_101\lbmnehl.log 1
%TEMP%\5_610\xpdmnqvrj.cpl 1
\9_101\lexccit.txt 1
%TEMP%\5_610\xxnvjp.log 1
\9_101\lpuhp.docx 1
\9_101\lresp.xl 1
\9_101\mitwohb.dll 1
\9_101\mnxau.jpg 1
\9_101\mrbwugug.ico 1
\9_101\mvevanqm.pdf 1
\9_101\nimkrnwadi.mcq 1
\9_101\njbrtxdts.xls 1
\9_101\njxivhu.ppt 1
\9_101\nnnbox.exe 1
\9_101\nxvix.log 1
\9_101\oavf.xml 1
\9_101\ocuqib.dll 1
\9_101\oipjamjjo.jpg 1
\4_58\vxgw.cpl 1
*See JSON for more IOCs
File Hashes
17d3937fb3aceacc0ac99f94a2347b87b22cbc2e7c341830ad9ad0a8f88babee
27288965d55cf7459cfa35b7a37ab9298f34e6e7734f6d6609527d573e5db71e
3788fc76ea84b87735527d224d39b4672b970c6bbcdd59b60978945b76d0fb1b
39ef261dd5ada5c7b29412ca0e95e6950de77ac8ab9f6e096692fd553a6e3ace
4101b1f2efa7e4ac9711140c8e5e724bf5a74ac0b4ab76f0d6c4e23374977627
49f2bb5892eda8223f4709f6b84366911b000652eb19085b09dc5998fe8c8259
815132096b824dbe0c8497cfd85f7508eeac3718c147541c791701df09b6f196
8f8813e3ed0cdb3ac92de8e6003bc83c0ec859fc717748cab6a45f56a98a9201
a96ccfc5b5b64660b986d22b9bcc96cb5e178d3d506893bd24a959a5338a4a32
d22989a65a91ee78b6af2fd2a9cadf2656637959cc07cd1b92baeb8c5950b45d
e2ad52e5cc9b5e5a51811e13daeed3f6d61e239a079ec3617f2c1a4400f6dcaf
f7a74e6284a41f39cba3f0c186c61ad96fac8a3099b88e04071fdd8e1eabe9bf
Coverage
Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella
WSA
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Trojan.LokiBot-9970418-0
Indicators of Compromise
IOCs collected from dynamic analysis of 11 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\PAADMME 11
<HKLM>\SOFTWARE\WOW6432NODE\PAADMME\NEAPOLITANERE 11
<HKLM>\SOFTWARE\WOW6432NODE\PAADMME\NEAPOLITANERE\BINOCLES 11
<HKLM>\SOFTWARE\WOW6432NODE\PAADMME\NEAPOLITANERE\BINOCLES\UDPRINT 11
<HKLM>\SOFTWARE\WOW6432NODE\TOXOSIS 11
<HKLM>\SOFTWARE\WOW6432NODE\TOXOSIS\BENZENSULFONAT 11
<HKLM>\SOFTWARE\WOW6432NODE\TOXOSIS\BENZENSULFONAT\INGEVALDS 11
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\SKABHALS 11
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\SKABHALS\AMARYLLIS 11
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\SKABHALS\AMARYLLIS\RECHARTING 11
<HKLM>\SOFTWARE\WOW6432NODE\PAADMME\NEAPOLITANERE\BINOCLES\UDPRINT
Value Name: Girleen 11
<HKLM>\SOFTWARE\WOW6432NODE\TOXOSIS\BENZENSULFONAT\INGEVALDS
Value Name: befugteres 11
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\SKABHALS\AMARYLLIS\RECHARTING
Value Name: Krogfiskeri 11
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
103[.]170[.]254[.]140 1
Files and or directories created Occurrences
%LOCALAPPDATA%\Konstellations 11
%LOCALAPPDATA%\Konstellations\Materes 11
%LOCALAPPDATA%\Konstellations\Materes\window-restore-symbolic.symbolic.png 11
%TEMP%\ns<random, matching '[a-z][A-F0-9]{1,4}'>.tmp 11
%TEMP%\ns<random, matching '[a-z][A-F0-9]{4}'>.tmp\System.dll 11
%LOCALAPPDATA%\Konstellations\Materes\Arider.bmp 1
%LOCALAPPDATA%\Konstellations\Materes\FROSSEN.bmp 1
%LOCALAPPDATA%\Konstellations\Materes\Praktikleder8.bmp 1
%LOCALAPPDATA%\Konstellations\Materes\Digoxins6.bmp 1
%LOCALAPPDATA%\Konstellations\Materes\BIOSYNTHESIZE.bmp 1
%LOCALAPPDATA%\Konstellations\Materes\countertime.bmp 1
%LOCALAPPDATA%\Konstellations\Materes\ACRITOL.bmp 1
%LOCALAPPDATA%\Konstellations\Materes\lnlige.bmp 1
%LOCALAPPDATA%\Konstellations\Materes\Kloakeringsomraadet.bmp 1
%LOCALAPPDATA%\Konstellations\Materes\Coitalt.bmp 1
%LOCALAPPDATA%\Konstellations\Materes\Charlies.bmp 1
File Hashes
14d11fc331b5d9a84a42fa8b6b2155f687cf66c1af5bd32ae1347fda6667fa60
2d15ef038e1702ebcd7b6d50eab97db925195cb382a9cabcf6a70ac62452d39c
418a2c968f439988a20034816348d47e0ba3fa2a6150a1f5760202a8b3a5621e
7d48995a3e95a8f0f758601cc5fbedbda1570eb17fd73e3091e6690a4f423a45
a0f0783a36626040af491251f7fc77bdfd3fdc89ee7d8ade8a289828c35e9280
a4238922317136e633e9dd9d654fd89cc47414766a658a3bdcb16963aa191ed0
a72cbeca7367862e3597f4923b36ef84c534d771aa1d439ab21bc74de1dde400
ca449b3e0e043546c5746fa6787b29c94ecb86b3f42de21e944d704502ade3da
d4912d4d34d11e30c5859742186d8355a42b1e83fb54ac2a121186fa46234862
d93f4740ef92a826d328f73dea62803903254fbcdb1e02aeb6dc78e214bc0645
f0ece4c4a676aef252751fa3277e1ad4a3e1050c177bd289994c63852ae3198e
Coverage
Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella N/A
WSA N/A
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Ransomware.Cerber-9970426-0
Indicators of Compromise
IOCs collected from dynamic analysis of 24 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList 24
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\dhcpqec.dll,-100 24
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\dhcpqec.dll,-101 24
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\dhcpqec.dll,-103 24
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\dhcpqec.dll,-102 24
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\napipsec.dll,-1 24
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\napipsec.dll,-2 24
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\napipsec.dll,-4 24
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\napipsec.dll,-3 24
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\tsgqec.dll,-100 24
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\tsgqec.dll,-101 24
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\tsgqec.dll,-102 24
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\tsgqec.dll,-103 24
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\eapqec.dll,-100 24
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\eapqec.dll,-101 24
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\eapqec.dll,-102 24
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\eapqec.dll,-103 24
Mutexes Occurrences
shell.{381828AA-8B28-3374-1B67-35680555C5EF} 24
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
178[.]128[.]255[.]179 24
149[.]202[.]64[.]0/27 24
149[.]202[.]122[.]0/27 24
149[.]202[.]248[.]0/22 24
172[.]66[.]42[.]238 16
172[.]67[.]2[.]88 11
172[.]66[.]41[.]18 8
104[.]20[.]20[.]251 7
104[.]20[.]21[.]251 6
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
api[.]blockcypher[.]com 24
bitaps[.]com 24
chain[.]so 24
btc[.]blockr[.]io 24
xxxxxxxxxxxxxxxx[.]1k1dxt[.]top 24
Files and or directories created Occurrences
%TEMP%\d19ab989 24
%TEMP%\d19ab989\4710.tmp 24
%TEMP%\d19ab989\a35f.tmp 24
%LOCALAPPDATA%\Microsoft\Office\Groove1\System\CSMIPC.dat 24
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp 24
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.bmp 24
<dir>\_READ_THIS_FILE_<random, matching [A-F0-9]{4,8}>_.hta 24
<dir>\_READ_THIS_FILE_<random, matching [A-F0-9]{4,8}>_.txt 24
<dir>\_READ_THIS_FILE_<random, matching [A-F0-9]{4,8}>_.jpeg 24
File Hashes
05602feb977139c96c226969997d8bc55bd47b1d142252d3ec4067591dda85f2
06cba247d80b0c6c4f5865e34ad3c33fc1ef5ffd0a285f3009d64109b0ee3d22
09768afcaa8eae74f05841e49ece1ac338318c0d5f0153c2db6cecf169718698
0fb820719ef10ee032dbb69607c6fc222fa70b64844af4f04f6eecafc08345a7
2738e1df3421ba011f912c22e19bdae3b29d1fb1092be51174da6dbbbc72df8d
3c6776dd10054cad73b50c96d62e3b7a1e807ef1f8e6355d097cac12ddccb8c8
3eb0b591eb274fa052c4a7cdfcb6c943361c9a199ca33679678791399e8b8988
4505a343015d3ef0ad624e61ecfc61e2fc499a11fc5a52911c424de5ccd99d9e
52573c863390fde5244133cc965bf2501f0eb28e7d76a9996bc300070d41941b
5ce6f26a04a5bf871018eecafb8e9f8f7284ebbd134230574da1574830d4646e
5ed48cdf13e9681085390956e25883680a6b1b4600d99608d84c126d57832025
61a051fabbf66383709e43bf77fb49c6a645f2f479eaddffa6769010cb690eea
74c864c6b31afa1db6c8d6fb2bb8860b655d3554c8d309a91d894fd210351b7e
8642a1c54c99774f7ffc1ade073f2ccc90b6e2fcacb0118f1eca20b20018d590
9d14c9d7fca8e623607986ac1c27a149dfa9a82ac267475bed080636a5870269
a8d9f9469418516807ac7ce3dbf50de0ef3e0d2ef122b2932ba908cdadc3a5bb
b289bcb40e6ee16638ae7bdadb95ebbebae75568e751820d261959394d7e7f02
b86d1564a606793a4427d5795a37825eeb11296b01cae339da01ab64feb73922
c4698b067e10ecf2ac5a4e318703d46b33cbdcd9803ffabc4a9da147e5d271f1
dee4d4d3b765fc0ad7ba88d69104b5cf90a448eaf1623445033a0f671e44ffd1
e50306b8c8b4bfd52da321a30e3e28bbef41b333e5803a303791f27798a1299c
e5af2faef6688bf5e5889e78357bf993e13a1d21086dfb8a4ae268ae2004068f
f330c988680055316a3aa2bc341e409096517381395469a32aa369a1940e9e5c
ff2c3f6c56786af4fea96c55bb7877094ea482a162050721397dda1d82246ea0
Coverage
Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella N/A
WSA
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Packed.Gamarue-9970619-0
Indicators of Compromise
IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: apdsdtsh 25
<HKCU>\SOFTWARE\APPDATALOW\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5 25
<HKCU>\SOFTWARE\APPDATALOW\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5
Value Name: Install 25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\system32\Authias.exe 25
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList 25
<HKCU>\SOFTWARE\APPDATALOW\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5
Value Name: Client 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.106
Value Name: CheckSetting 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{01979C6A-42FA-414C-B8AA-EEE2C8202018}.CHECK.100
Value Name: CheckSetting 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{852FB1F8-5CC6-4567-9C0E-7C330F8807C2}.CHECK.100
Value Name: CheckSetting 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{852FB1F8-5CC6-4567-9C0E-7C330F8807C2}.CHECK.101
Value Name: CheckSetting 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\SHELL
Value Name: NodeSlots 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\SHELL
Value Name: MRUListEx 1
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL
Value Name: NodeSlots 1
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL
Value Name: MRUListEx 1
Mutexes Occurrences
Local\{7FD07DA6-D223-0971-D423-264D4807BAD1} 25
{<random GUID>} 25
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
alrthesecuritywith[.]su 25
Files and or directories created Occurrences
\{4BC230AC-2EB3-B560-90AF-42B9C45396FD} 25
%LOCALAPPDATA%\Microsoft\Windows\WER\ERC\statecache.lock 25
%System32%\Authias.exe 25
File Hashes
04deccd24c8ba2a38462b2fbe8bbdfc70484892cbc0acdb28345de60b381f17c
07f1a829b39eb8df6754b4dbed45a71d4aac24c073702254b867113661423831
10bbe562791a00906cfcf42ce12046233438aedd689b92081c546f038fd23194
12981607682dab89979727d0ec582315b1565bf94a54cb5a08a876345c8c4dd7
17692c251e7257d3ab0db70615d9b30eeaddaf6958dcbd949bbaef0ded9e5d1e
23349c88ef430438af6b527e241074c7b2d6809337879da50b098c1a809cf814
25e0618244af804051450a99c664772473615c351714ce5a3d8912573ba964df
28b34665550780af293c665483967e1ba6be39b50bf1dd5d89c716990b67df4a
292139a3d2e6ac70015b05a225072c3f9d9d0b8ac39448e12733e33dbcb8add0
3662025e620ac8a337cb2e4a53d8953de01a92ee1439c2bac9b72de592dca969
3dca218d2bb5c419d0f92c5c5b8e9a891c817bc4c52f465fc89980f9c55551e6
4a2e7161239b8f9f3f9a3fcf868aa0fca6ca4890eceb629886062b6ff729385a
5535c54c6922219bf1ed1049b5e00c5a838f632b618b80eef36ccb10852f3de2
587713ec906ea8c3e5fee650abace23a1396ca69dd183253b8a6244bdfa3d5df
5e9f652ff2720dec825edb85e2abe9466e944287b35db49ac80e9adf95df165c
66196b18fcce2381b23c5575822a79542d009f039ec872eeaa199dbe97bbb26f
67f172a5505a404b8817a9f6dabb11a7d5c0bb4cc22d60e13a38d9a70a4d8e97
855033ed08a2ab3e8e157ba89696d9d9eab207a98fde70a60752f88607394b98
8cc1dcb771e5d781e5fa805cbfc349b768996cb363ee311b97a56b7a485c50c3
8e2761a959dbf166a680e0865438238f3f857a25466fc497bb5c25c1ce7f31c6
957881f71c8988d70b6d9aef095a70bae4256adefc160374ef4db1a09cf526b7
965e0adee6460a5bf1724e9b9c37542cff44abc50a7c8cf1a7b027bd0a3c8885
99584a5853ee407a4924921589e995dbbc135014c2f7a09e0887f45dfb0ce1c4
9b6b29ddd0789e95a73c9ea48d7335555dbf20064b8459549729332044c341c2
a917ac90f8a680731d543c6f93cdb7968d750fda8a36e8f531c01b5849150cb2
*See JSON for more IOCs
Coverage
Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella N/A
WSA N/A
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Packed.Nanocore-9970631-0
Indicators of Compromise
IOCs collected from dynamic analysis of 16 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: AGP Manager 16
Mutexes Occurrences
Global\{5f88600c-86da-4b30-b45c-8e6d9614baec} 16
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
176[.]136[.]210[.]152 16
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
foobosmy[.]duckdns[.]org 16
Files and or directories created Occurrences
%ProgramFiles(x86)%\AGP Manager 16
%ProgramFiles(x86)%\AGP Manager\agpmgr.exe 16
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5 16
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs 16
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs\Administrator 16
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\run.dat 16
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\task.dat 16
%System32%\Tasks\AGP Manager 16
%System32%\Tasks\AGP Manager Task 16
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\vftwrxguvulmqhj.eu.url 16
%APPDATA%\zvgrxunhzg 16
%APPDATA%\zvgrxunhzg\vftwrxguvulmqhj.exe 16
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp 16
File Hashes
134e0430e528508da28d81b2b4ece6c9273fb568a561dd507f26d666a9eb06b3
168455cbc98ae29cafcd0dc1587c449e208e5c4f8ca59420b3667c9f698a7c51
18d834d0819c859ca179e182dfb1cdedac88857124024bfce1d0368b414f50c0
3974f625f1fb08a2174021705db11ae31aa326357728ae0b1cdf102b80eb5763
3a7b0af05b1e41786cc3ff6d99d723418b89340df9ae67837001c6a31cafb4e5
6ffff5899e1086659ba7b24a72212c8531c334643757c46d4c837460c5380693
82defa5374685563056b630ef12a46f21408cace520e72af239b47afea32e8f8
8eb183d70b6842a68d17c3950b22fabbc4f2e6de8129afddcd2fb25d03fc7df9
8fe07daa7730dc17d3fdf7134e85da268a10ce447b4c3d810d433285a35cc9e6
9b46ecd089a55744c52ac2df7882a507dd1f97a3fd40805d9eccbdbbb6aed463
9dcfa90e87d3e281a4f42d3253b1ae3386930985c0ae5f9fb29e32284d7924ce
aa4adb36cd79f611579e74bc562fb5f6282bce4d9cc5699e1db2aeb7a92151de
b2eb77614315a5d51d44911016d2a235324af0d403de6a55262c9b1e3e74130f
dc6284d0afde4a6fb81efdb496149c6b708af0f3497e96a63162131a839879c1
dff727df396c8c954148fa078980de5e7d35a2fc000bb75905b94e6a2b7f5ff0
fd70c1b68017c46b3050ee7932d3494bca6216151ddb7fcabc36f1a0649112d3
Coverage
Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella N/A
WSA N/A
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.Formbook-9970817-0
Indicators of Compromise
IOCs collected from dynamic analysis of 15 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList 4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: QWbqZbz 1
Mutexes Occurrences
8-3503835SZBFHHZ 1
S-1-5-21-2580483-12441345692046 1
KP30NU33--DvY01Z 1
Global\5292ba81-3a39-11ed-9660-001517e40972 1
aenDyAN 1
Global\46b1a361-3a9e-11ed-9660-001517a459ad 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
132[.]226[.]247[.]73 2
198[.]185[.]159[.]145 1
149[.]154[.]167[.]220 1
34[.]102[.]136[.]180 1
193[.]122[.]6[.]168 1
193[.]122[.]130[.]0 1
34[.]194[.]149[.]67 1
104[.]18[.]115[.]97 1
199[.]59[.]243[.]222 1
8[.]130[.]101[.]174 1
154[.]86[.]16[.]11 1
5[.]2[.]84[.]51 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
checkip[.]dyndns[.]org 4
icanhazip[.]com 1
api[.]telegram[.]org 1
www[.]locallywhitstable[.]co[.]uk 1
www[.]fftblogs[.]com 1
www[.]lanyuelou[.]com 1
www[.]icishopping[.]com 1
www[.]mooreandsonsak[.]net 1
www[.]junaidsubhani[.]tech 1
mail[.]boyyem[.]com[.]tr 1
Files and or directories created Occurrences
%System32%\Tasks\Updates 3
%APPDATA%\QWbqZbz 1
%APPDATA%\QWbqZbz\QWbqZbz.exe 1
%TEMP%\tmp67A.tmp 1
%APPDATA%\Hmcuym.exe 1
%System32%\Tasks\Updates\Hmcuym 1
%TEMP%\tmpBA86.tmp 1
%APPDATA%\hmlkDX.exe 1
%System32%\Tasks\Updates\hmlkDX 1
%TEMP%\tmpA204.tmp 1
%APPDATA%\idnepTZUXvdc.exe 1
%System32%\Tasks\Updates\idnepTZUXvdc 1
File Hashes
23ed86473177a66d71540c3d3ac737aa5a4d30644af5710a54ebbb5e348fa2ee
2f2e0f257103ce5edb8051b532f00204bf882cbdec68de38c6fe8ea18390f9d2
33f83dffcd247e3fefedefb2b591598eda89c7a47892d45d3051df760b60a74a
39dd36743f55ee7885cd4033e9705a0bdf2dea44416bbdc6ec6d8384c3d4e20d
53a95222b2d47e3b44240183d0eafbc7f64bcbd88bbe61af3580ab00c5f0ff85
75ce7e84cc5c6682354ceb8edc7f0b77be3ecdda500d1b0178accd0c6158f980
9da14f5b4c27946dc53283a1773e0de7246b170e11b06be9fd8c27d095054d5b
a8b84e503c11cce5530fb019cd43a0306656dd22e78eac4279a332b00430ed8d
a933028fe3b25879543cc98653b7cf66d5b2ef8dfbae539bb8d284a5f9cd4c9e
c1226a8fab28514368ebf700c5bb48e993c05e019e86a6db8c7ccc6105696a21
ca3afdd3df6970f8026481a1d7800d86ba9852aa6a12325330a91f05aa60fb32
da67541015af6ddee5bad1432ecc3efbf85cde69c494fd1635edbae606c4a628
e7612d60681cabff03ff3bbcb0a3985a94430375e941fd8dc58e1df8151930b1
e7cbf5001db95b997003f00bcac7ca10231130e2127470ead43f6563ebcda5fc
f46e6b0438003a0daeec5461f9f01dd676b39243be432365a9c59116dc6613b5
Coverage
Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella N/A
WSA N/A
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Ransomware.BlackMatter-9970818-0
Indicators of Compromise
IOCs collected from dynamic analysis of 18 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList 18
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER
Value Name: GlobalAssocChangedCounter 17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VSS
Value Name: DeleteFlag 16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VSS
Value Name: Start 16
<HKLM>\SOFTWARE\CLASSES\ISTTBGKAF\DEFAULTICON 1
<HKLM>\SOFTWARE\CLASSES\.YYBUFJ3PN 1
<HKLM>\SOFTWARE\CLASSES\YYBUFJ3PN 1
<HKLM>\SOFTWARE\CLASSES\YYBUFJ3PN\DEFAULTICON 1
<HKLM>\SOFTWARE\CLASSES\.YYBUFJ3PN 1
<HKLM>\SOFTWARE\CLASSES\YYBUFJ3PN\DEFAULTICON 1
<HKLM>\SOFTWARE\CLASSES\.WQCENFTHJ 1
<HKLM>\SOFTWARE\CLASSES\WQCENFTHJ 1
<HKLM>\SOFTWARE\CLASSES\WQCENFTHJ\DEFAULTICON 1
<HKLM>\SOFTWARE\CLASSES\.EL7OOPHD2 1
<HKLM>\SOFTWARE\CLASSES\.WQCENFTHJ 1
<HKLM>\SOFTWARE\CLASSES\EL7OOPHD2 1
<HKLM>\SOFTWARE\CLASSES\WQCENFTHJ\DEFAULTICON 1
<HKLM>\SOFTWARE\CLASSES\EL7OOPHD2\DEFAULTICON 1
<HKLM>\SOFTWARE\CLASSES\.EL7OOPHD2 1
<HKLM>\SOFTWARE\CLASSES\EL7OOPHD2\DEFAULTICON 1
<HKLM>\SOFTWARE\CLASSES\.PF4SBMUII 1
<HKLM>\SOFTWARE\CLASSES\PF4SBMUII 1
<HKLM>\SOFTWARE\CLASSES\PF4SBMUII\DEFAULTICON 1
<HKLM>\SOFTWARE\CLASSES\.PF4SBMUII 1
<HKLM>\SOFTWARE\CLASSES\PF4SBMUII\DEFAULTICON 1
Mutexes Occurrences
Global\{649F4E29-16CB-DD42-8922-9FFF0592856B} 1
Global\dc0d7207879493a1bb8d21571501a3c6 1
Global\03b84b750e7b0c183e81917fcc29ae2b 1
Global\68d784f599b693adb48d474d1722e8e9 1
Global\10b5e1850ed6703d7665a1adf3e368f4 1
Global\b36e0b827c995460aa570434a5517221 1
Global\2f26f3d09ccaf40de88c7029b61a3701 1
Global\9edc1729071cfeb8f9fe5f019ce0054a 1
Global\459bf63110ce888f28d3fd21adc5b730 1
Global\391396896a2cb3a40a83c4fbbe4675f3 1
Global\4c3e3cb8c6ed0804dcd51ba2638722cd 1
Global\0b32ca9dec339d33dd1bd5908acf4ce2 1
Global\4fe0268a70e4d52b0350071e277b194f 1
Global\ee7e1dcdc809584b5f8189eb071d9f66 1
Global\dfd07220109cd1dfb3c5268b025a72f3 1
Global\aa1f32bc8faeb8bbba36c0d7ccb5c0a0 1
Global\2c43957a37f865be08b53665ca3386d7 1
Global\d40e39e3314b8106bbc67d7dd3c2c4f4 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
test[.]white-datasheet[.]com 1
Files and or directories created Occurrences
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-1002\desktop.ini 18
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I08BO8F.xlsx 18
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I11KHR4.doc 18
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I5QKHLN.doc 18
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I62TWBD.ppt 18
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I6FZORX.doc 18
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IABMX83.pdf 18
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IAJ2Y6R.pdf 18
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IALGTCS.xlsx 18
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IAPSNOM.tsv 18
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IGORSF7.xsn 18
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IGTBBSA.accdb 18
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IH49RPF.ppt 18
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IH71GGR.ppt 18
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IJKODPH.pdf 18
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IJP965K.accdb 18
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IKY5R3M.pdf 18
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IMYCSIT.pdf 18
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$ISLP722.doc 18
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IXLC77A.pdf 18
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IXUL2U1.doc 18
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IYSR1FU.ppt 18
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IZ2GMJW.XLSX 18
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$R08BO8F.xlsx 18
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$R11KHR4.doc 18
*See JSON for more IOCs
File Hashes
072d0633006eeafc77c0b0144fdac84a57fa1e4f8b96d9aa33d377bd789bc533
0c4c93e6d8473b76a094a158b6dd045904bdc78e92a0bbc6faffa222df7acb6b
12b6fead37cca9d8ca4c00c2a9d56c0a402e760ab309356f078587acb7f33396
4b8fbb8a6e46b9db78bdf5ac1aa924f901270fe369411bf431fce8a46c48ca2a
50fad26d726e0af6dbed3225267934ae9ef22b31e48fc623ce93ba582a7e6110
58729cd09a74e3f69d26653b71412f9c9285ffaba52a9beb5b6d634014c98e1a
5f4ce514d8624a72d78cae3837a197ccb44cee28d4334a7641c02beb5496b3d0
6a255e2ee08490123fa594de4fe0dac977579deb541afcf455b59de2dbe05831
7d7357e4963c7d6f087a11e22d683cacf614dc7f269c2907bbb12ae30f2b007d
84d0154234d274d9188f3f1cf1852c58cfa8020a23f99812bced94d94b7f7fe5
97002e942beed0aff194d817e98fe9fa46abb30de87e893f328f01e638bbeed1
97320395d90b28ad3d5cd0ed0416b0fe379cc0cc3d65f0b27e50db4da5902ec2
b1f44fbe839e4f53bdcf5448b637ffcab3167dc931f7f7fd39738f83ae827f5e
cb537a122fb0531f14c76dfd0a87cc304c26a9ab01aec46a5fd17f268ac80854
e609bf8406b61613f3e605d277cf445059974a4c71c3edd09fffae86a3c5dbfe
ece96607ae4f56f49d06aa2d790f21837beec9dfcb4aeabf69f6a80965c54fdd
f02cf38d417fc6e3d5f9fc05ebf49ca37e6106ffc62ce21145888338598e0c70
f1ecb57988caf26216683b1314607f06f8bf051632ff7ba73f17c2dc9b3aafcc
Coverage
Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella N/A
WSA N/A
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.DarkKomet-9970824-0
Indicators of Compromise
IOCs collected from dynamic analysis of 269 samples
Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWSDRIVER 268
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWSDRIVER
Value Name: Type 268
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWSDRIVER
Value Name: Start 268
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWSDRIVER
Value Name: ErrorControl 268
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWSDRIVER
Value Name: ImagePath 268
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWSDRIVER
Value Name: DisplayName 268
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWSDRIVER
Value Name: WOW64 268
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWSDRIVER
Value Name: ObjectName 268
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWSDRIVER\PARAMETERS 268
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SVCHOST
Value Name: WindowsDriver 268
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDOWSDRIVER\PARAMETERS
Value Name: ServiceDll 268
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList 19
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @explorer.exe,-7001 10
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\system32\DeviceCenter.dll,-2000 5
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\\CACHE\CONTENT
Value Name: CachePrefix 2
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\\CACHE\COOKIES
Value Name: CachePrefix 2
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\\CACHE\HISTORY
Value Name: CachePrefix 2
Mutexes Occurrences
IEo.txt 268
quansg 265
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
183[.]110[.]225[.]61 265
112[.]175[.]100[.]207 265
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
kanmay[.]cafe24[.]com 265
Files and or directories created Occurrences
%SystemRoot%\SysWOW64\IEn.txt 268
%SystemRoot%\SysWOW64\WindowsDriver.dll 268
File Hashes
00eb6c2df37113f0e4003b628ee1a475c9f0400829b77299c299b1e9c95c418d
01794606a7a92c15bc8ba6502162976c823ba5d4ebc3a88467791a9db3778ef7
022f8be735d9e9d3997908a93196a52a87732dad299536c069ea85feeeea160f
02b9cd9c9154a18666fd00ed905d6da9b12009853cb9f8ce2e0cf92f87bd4135
02bad02ca69901b56f664e2885bafb295121452b5e109a3874f91f1ff4ffe23e
03412cef90bb6952d8c8972f197ee6b1ea28d295c4974d1a72b3b6d9095c1269
03906939f8b5a5ed4144066225b7386aec74d4c06b5e7cb81a2974e2c687f4da
04982dc42efe67ff4158e9fd73e30d728a29c0aaddafb6ba0e6fb0985bf89098
04b5517c234f42019237157847c6f66a9f3cdb90c218516f570bd82f259884da
0726d0dfa08cff2b64c73fcd9c62f0d422f9ad79ba8cedb571a4a01cbc821604
0801823675ac75c805fa9539faffaad12984ff7b5ca048ad246b75f3f23714c0
0920c8647741aa522efbc0f346802eb49d53364de493957d1f0e8690cbcff11c
0981457a5d19d389ff9add2ab40483b1e404ef8a08576125d602533619ef5d12
0bc073e7c6861c4cfab2a4c9beb7384bb78e102902874703ee0ccef855154155
0ca9110869dd63e0118be5c519c9e143010f4cf0ba2b1101aba59249f1285b52
0dfd8aae9b3535191eeb81ec4705625e9e57a6aa135a6c782b65ba169a80f656
0e099e281e6e3032165764a030ac73046c26b488f1fd803b64fef1fafddf2775
0eaae85e998d1617c34bc7d05db597c222f5a9fe863d995234ca7d591c8fa2fc
1131ba25f0df80d98481e1e669c5fef1e3ce0b6699e6ff0bbd40c20d0649d090
117afd55818106d5d5aad61f30f5d289666244243a41f42d7a224a89588f850b
12d5290c46b571ce5724937e85afb7d7146cbedb42c295243a55c8157fd07111
12edd2a6b213d68f391c831d4fbe706d077f01efea62a2a16db47c68df21768b
1352e8b45f865f8f5069d6c0e5e0e8239229a8bfbe000b32e6614a2d764e90ff
13d20eefb6ec5d8f0f688039c40e084665f82dc528c922c6f93a758a47befed1
14a0ae7aaf08ca98ec301d106c439cf81fbb5fb074720f2a902aa867dc91cc30
*See JSON for more IOCs
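The tables above give the DarkKomet artefacts one per row, but a responder needs them as a matcher that honours the caveat at the top of the post: a single IOC is not evidence of infection. The Python below is an added example and is not code from the Talos post. It copies the indicator values from the tables (refanging the `[.]` notation), reconstructs the persistence chain the registry keys describe (a service named WindowsDriver whose Parameters\ServiceDll is the dropped SysWOW64 DLL, registered as its own svchost group), and scores a host snapshot so that network-only hits never reach a verdict on their own. The HostSnapshot layout, the two sample hosts and the category weights are assumptions made for illustration, not Talos telemetry.

```python
"""Triage helper for the Win.Dropper.DarkKomet-9970824-0 indicators above.

Added example; not code from the Talos post. The indicator values are copied
from the post's tables. The HostSnapshot layout, the two sample hosts and the
category weights are assumptions made for illustration, not real telemetry.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Indicators copied from the post, kept in its defanged notation.
DARKKOMET_IOCS = {
    "service_name": "WindowsDriver",
    "service_dll": r"%SystemRoot%\SysWOW64\WindowsDriver.dll",
    "files": [r"%SystemRoot%\SysWOW64\IEn.txt",
              r"%SystemRoot%\SysWOW64\WindowsDriver.dll"],
    "mutexes": ["IEo.txt", "quansg"],
    "ips": ["183[.]110[.]225[.]61", "112[.]175[.]100[.]207"],
    "domains": ["kanmay[.]cafe24[.]com"],
}

# Assumed weights. The post states that a single IOC does not indicate
# maliciousness and labels its IP and domain lists the same way, so network
# indicators only corroborate; the ServiceDll persistence chain is decisive.
WEIGHTS = {"service_dll": 4, "svchost_group": 2, "files": 2,
           "mutexes": 2, "domains": 1, "ips": 1}


def refang(indicator: str) -> str:
    """Turn the post's defanged form (183[.]110[.]225[.]61) into a matchable value."""
    return indicator.replace("[.]", ".")


def normalise_path(path: str, system_root: str = r"C:\Windows") -> str:
    """Expand %SystemRoot% and fold case so telemetry paths compare with IOC paths."""
    return path.replace("%SystemRoot%", system_root).lower()


@dataclass
class HostSnapshot:
    """Constructed stand-in for endpoint telemetry (not a real host)."""
    services: Dict[str, Dict[str, str]] = field(default_factory=dict)   # name -> values
    svchost_groups: Dict[str, List[str]] = field(default_factory=dict)  # group -> members
    files: List[str] = field(default_factory=list)
    mutexes: List[str] = field(default_factory=list)
    dns_queries: List[str] = field(default_factory=list)
    remote_ips: List[str] = field(default_factory=list)


def match_iocs(host: HostSnapshot, iocs: dict = DARKKOMET_IOCS) -> Dict[str, List[str]]:
    """Return the indicators seen on the host, grouped by category."""
    hits: Dict[str, List[str]] = {}
    name = iocs["service_name"]
    # Persistence as the registry table shows it: a service under SERVICES\<name>
    # whose Parameters\ServiceDll is the dropped DLL, plus an svchost group of the
    # same name so that svchost.exe hosts the DLL at boot.
    svc = host.services.get(name, {})
    if normalise_path(svc.get("ServiceDll", "")) == normalise_path(iocs["service_dll"]):
        hits["service_dll"] = [svc["ServiceDll"]]
    if name in host.svchost_groups.get(name, []):
        hits["svchost_group"] = [name]
    wanted_files = {normalise_path(p) for p in iocs["files"]}
    if found := [p for p in host.files if normalise_path(p) in wanted_files]:
        hits["files"] = found
    if found := [m for m in host.mutexes if m in iocs["mutexes"]]:
        hits["mutexes"] = found
    wanted_domains = {refang(d) for d in iocs["domains"]}
    if found := [q for q in host.dns_queries if q.lower() in wanted_domains]:
        hits["domains"] = found
    wanted_ips = {refang(i) for i in iocs["ips"]}
    if found := [ip for ip in host.remote_ips if ip in wanted_ips]:
        hits["ips"] = found
    return hits


def assess(hits: Dict[str, List[str]]) -> str:
    """Reduce matched categories to a verdict; network-only hits never reach 'likely-infected'."""
    score = sum(WEIGHTS[c] for c in hits)
    host_evidence = any(c not in ("ips", "domains") for c in hits)
    if score >= 4 and host_evidence:
        return "likely-infected"
    if score >= 2:
        return "investigate"
    return "no-action"


# Two constructed hosts. The first shows every artefact from the tables; the
# second only contacted one of the listed IPs, which on its own is not evidence.
INFECTED_HOST = HostSnapshot(
    services={"WindowsDriver": {"ServiceDll": r"C:\Windows\SysWOW64\WindowsDriver.dll"}},
    svchost_groups={"WindowsDriver": ["WindowsDriver"]},
    files=[r"C:\Windows\SysWOW64\IEn.txt", r"C:\Windows\SysWOW64\WindowsDriver.dll"],
    mutexes=["IEo.txt", "quansg"],
    dns_queries=["kanmay.cafe24.com"],
    remote_ips=["183.110.225.61"],
)
SINGLE_IOC_HOST = HostSnapshot(
    files=[r"C:\Windows\SysWOW64\kernel32.dll"],
    remote_ips=["112.175.100.207"],
)

if __name__ == "__main__":
    for label, host in (("infected", INFECTED_HOST), ("single-ioc", SINGLE_IOC_HOST)):
        hits = match_iocs(host)
        print(label, assess(hits), sorted(hits))
```

Run it directly to print the verdict for both constructed hosts. The same reasoning applies to the registry table: the MUICACHE LanguageList value appears under almost every family in this roundup, so it carries no family-specific signal and is deliberately left out of the matcher, whereas the WindowsDriver service, its ServiceDll and the matching svchost group are the malware's own persistence and are treated as decisive.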
Coverage
Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella N/A
WSA N/A
Screenshots of Detection (images not reproduced here): Secure Endpoint, Secure Malware Analytics
MITRE ATT&CK (technique heat-map image not reproduced here)