Threat Roundup for October 7 to October 14
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Oct. 7 and Oct. 14. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, it summarizes the threats we’ve observed by highlighting key behavioral characteristics and indicators of compromise, and discusses how our customers are automatically protected from these threats. As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files. The most prevalent threats highlighted in this roundup are:
Threat Name (Type): Description

Win.Malware.Zusy-9973747-0 (Malware): Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as “explorer.exe” and “winver.exe.” When the user accesses a banking website, it displays a form to trick the user into submitting personal information.

Win.Dropper.Formbook-9973755-0 (Dropper): Formbook is an information stealer that attempts to collect sensitive information from an infected machine by logging keystrokes, stealing saved web browser credentials, and monitoring information copied to the clipboard.

Win.Dropper.Kuluoz-9973986-0 (Dropper): Kuluoz, sometimes known as “Asprox,” is a modular remote access trojan that is also known to download and execute follow-on malware, such as fake antivirus software. Kuluoz is often delivered via spam emails pretending to be shipment delivery notifications or flight booking confirmations.

Win.Dropper.DarkComet-9973855-1 (Dropper): DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user’s machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.

Win.Trojan.Zbot-9973944-0 (Trojan): Zbot, also known as Zeus, is a trojan that steals information, such as banking credentials, using methods such as key-logging and form-grabbing.

Win.Trojan.Ruskill-9973960-0 (Trojan): Ruskill, also known as Dorkbot, is a botnet client aimed at stealing credentials and facilitating distributed denial-of-service (DDoS) attacks. It spreads via removable media and instant messaging applications.

Win.Virus.Xpiro-9973982-1 (Virus): Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.

Win.Dropper.Shiz-9973992-0 (Dropper): Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information. It is commonly spread via droppers or by visiting a malicious site.

Win.Dropper.Cerber-9974272-0 (Dropper): Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware replaces files with encrypted versions and adds the file extension “.cerber,” although in more recent campaigns, other file extensions are used.
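The caveat above (a single IOC is a lead, not a verdict) and the fixed layout of the indicator tables that follow lend themselves to a small hunting script. The Python below is an added example written for this page, not Talos tooling: it parses indicators in the post's own layout (defanged `[.]` addresses, a trailing occurrence count, registry keys whose `Value Name:` sits on the next line, the `*See JSON` continuation marker, and CIDR ranges such as the Cerber `/27` entries), refangs them, and raises an alert only when at least two distinct indicators of one family fire on the same host. The IOC excerpts are copied from the Zbot, Cerber and Ruskill sections; the log events, the host names, the `min_distinct` threshold and the allowlist of entries assumed benign (`www.bing.com` and `13.107.21.200`, which the section headers already flag as not indicating maliciousness) are constructed for the demonstration.

```python
"""Added example (not Talos code): parse this roundup's IOC layout, refang, and
alert only when several indicators of one family hit the same host."""
import ipaddress
import re
from collections import defaultdict
from typing import NamedTuple

# Excerpts copied from the Zbot, Cerber and Ruskill sections, in the post's own
# layout: a header ending in "Occurrences" opens a section, the trailing integer
# is the occurrence count, network indicators are defanged with "[.]", and a
# registry key without a count is completed by the following "Value Name:" line.
IOC_TEXT = {
    "Win.Trojan.Zbot-9973944-0": r"""
Registry Keys Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: 36412 20
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
crysis5[.]info 20
Files and or directories created Occurrences
%APPDATA%\FolderName\dos.exe 20
""",
    "Win.Dropper.Cerber-9974272-0": r"""
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
90[.]2[.]1[.]0/27 11
*See JSON for more IOCs
""",
    "Win.Trojan.Ruskill-9973960-0": r"""
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
www[.]bing[.]com 12
""",
}
# Assumed benign: the headers say contacted hosts do not imply maliciousness,
# and these two are ordinary Microsoft infrastructure the sandbox touched.
ALLOWLIST = {"www.bing.com", "13.107.21.200"}
KINDS = {"Registry": "registry", "Mutexes": "mutex", "IP": "ip",
         "Domain": "domain", "Files": "file"}
COUNTED = re.compile(r"^(?P<value>.+?)\s+(?P<count>\d+)$")


class Indicator(NamedTuple):
    family: str
    kind: str    # registry | mutex | ip | domain | file
    value: str   # refanged; registry keys stored as KEY\VALUE_NAME
    count: int   # analyzed samples that exhibited it


def parse_iocs(family: str, text: str) -> list:
    found, kind, pending_key = [], None, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("*See JSON"):
            continue
        if line.endswith("Occurrences"):
            kind, pending_key = KINDS[line.split()[0]], None
            continue
        m = COUNTED.match(line)
        if not m:                 # only registry keys lack a count; the next
            pending_key = line    # "Value Name: <name> <count>" line completes them
            continue
        value, count = m["value"], int(m["count"])
        if kind == "registry" and value.startswith("Value Name:"):
            value = f"{pending_key}\\{value.split(':', 1)[1].strip()}"
        elif kind in ("ip", "domain"):
            value = value.replace("[.]", ".")   # refang
        found.append(Indicator(family, kind, value, count))
    return found


def _norm(s: str) -> str:
    return re.sub(r"[<>]", "", s).casefold()   # "<HKLM>\..." vs "HKLM\..."


def hits(ind: Indicator, event: dict) -> bool:
    if event["kind"] != ind.kind or event["value"] in ALLOWLIST:
        return False
    if ind.kind == "ip":      # ip_network() takes bare IPs and CIDRs alike
        return ipaddress.ip_address(event["value"]) in ipaddress.ip_network(ind.value)
    if ind.kind == "domain":
        return event["value"] == ind.value or event["value"].endswith("." + ind.value)
    if ind.kind == "file":    # post writes %VAR% prefixes; match the path tail
        return _norm(event["value"]).endswith(_norm(ind.value.split("%")[-1]))
    return _norm(event["value"]) == _norm(ind.value)   # registry key\value, mutex


def hunt(indicators: list, events: list, min_distinct: int = 2) -> dict:
    """Alert on (host, family) only when min_distinct different indicators fire."""
    seen = defaultdict(set)
    for ev in events:
        for ind in indicators:
            if hits(ind, ev):
                seen[(ev["host"], ind.family)].add(ind.value)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_distinct}


EVENTS = [  # constructed log events {host, kind, value}; 'kind' mirrors the IOC sections
    {"host": "ws-17", "kind": "domain", "value": "crysis5.info"},
    {"host": "ws-17", "kind": "registry", "value":
     r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\36412"},
    {"host": "ws-17", "kind": "file", "value": r"C:\Users\jo\AppData\Roaming\FolderName\dos.exe"},
    {"host": "ws-22", "kind": "ip", "value": "90.2.1.17"},        # inside the Cerber /27
    {"host": "ws-22", "kind": "domain", "value": "www.bing.com"},  # allowlisted noise
]


def demo() -> dict:
    indicators = [i for fam, txt in IOC_TEXT.items() for i in parse_iocs(fam, txt)]
    return hunt(indicators, EVENTS)
```

`demo()` returns the alert dictionary: ws-17 is reported for Zbot because a registry value, a dropped file and a C2 domain all line up, while ws-22's single address inside the Cerber range stays a lead for triage and its Bing lookup is discarded. In practice the inline excerpts would be replaced by the accompanying JSON file, and `Indicator.count` (the post's occurrence column) is the obvious weighting input: an indicator seen in 23 of 25 samples deserves more confidence than one seen once.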
Threat Breakdown
Win.Malware.Zusy-9973747-0
Indicators of Compromise
IOCs collected from dynamic analysis of 19 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList 16
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @explorer.exe,-7001 16
Mutexes Occurrences
Global\<random guid> 10
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
193[.]17[.]41[.]135 19
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
www[.]dobreprogramy[.]pl 19
Files and or directories created Occurrences
%TEMP%\<random, matching [A-F0-9]{1,4}>.tmp 19
File Hashes
018693f3703405c76aac97d46f7fa9aa40e8270e798b8c5dfa87f10efcf1764a 15ade8a55344f7854903db45e862188337180698db199ec8b26d9afb69198036 26b4b80aef18a3aba37b2515ba826fbb03f6259ad064004c684c8c069328123b 4cd2c390b9b8cbe152a71c0e5cf4a7ee011b588ac6d1938af8e3aab1fdb76cf8 5e4282b78b16a6d926d43e01fc9ee59765d207f7dd4ad79865f47c8b825dd49a 6ee686c1b1661b38dc4a4eb6159d8095d5b923b1ea53340ff4adf6c371b47654 70a096eb8993f66225f6ce83173faab8be687fc3d8771940183e27aed1ab3568 8285cee0991c04e9bff0c1a6dda3406af07457c0047cd246a3a6d662b92dbb61 84dcf3b312fb14f59bad6a3eba9dac1c640f706ce72cad91ee0e3d8041417a57 8500f8204f7d5ceb6f32971e83cec19dbf7169ad20ffb678e712daf8e8dd9dce 89c93cc362e5f56845f57d97801f0eeadeb72b795f5e341df65cdffd0144869c 89db9f47c37cbeae1096959c113aa675218905406f310f8d481b8c7ed5589883 8ea4fb8900771e1997e7738987720a3571454bd135ac4ac1d8d4a97c931fbf03 955d50b05b43b40c06eb40ff19e4b172f6791865569d07d784397be6f3366ee0 9fe41112b846fb67b2ecdd58058cf087b7cbfe39335feb6664f1cf689c2707af a7d67a5329b5d806a78872a3c672f4806dcee8701c4cd25e0b830b1a7589bad4 ece4ded478d803d6ac2a3618a894d210dc7e891a77d080a8b76d5f7bc853db05 f83249b44e474d4b4cdc52f88e1f7ef5cabb152c0a6445667d15c9e12eb3de2b fe88aa8aa5b6e3a34b28d9e1ee9bff3c7c052643f98ac042ddc7f5eecd51bd3d
Coverage
Product: Protection
Secure Endpoint: Protected
Cloudlock: N/A
CWS: Protected
Email Security: Protected
Network Security: Protected
Stealthwatch: N/A
Stealthwatch Cloud: N/A
Secure Malware Analytics: Protected
Umbrella: N/A
WSA: N/A
Screenshots of Detection: Secure Endpoint; Secure Malware Analytics (images)
MITRE ATT&CK technique map (image)
Win.Dropper.Formbook-9973755-0
Indicators of Compromise
IOCs collected from dynamic analysis of 14 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList 7
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: AGP Manager 6
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: WindowsUpdate 5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: AutoUpdate 5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: DisableTaskMgr 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM 1
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\INTELLIFORMS\STORAGE2 1
<HKLM>\SOFTWARE\WOW6432NODE\MOZILLA\MOZILLA FIREFOX 1
<HKLM>\SOFTWARE\WOW6432NODE\MOZILLA\MOZILLA FIREFOX\20.0.1 (EN-US)\MAIN 1
<HKLM>\SOFTWARE\WOW6432NODE\MOZILLA\MOZILLA THUNDERBIRD 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\DISCARDABLE\POSTSETUP\COMPONENT CATEGORIES\{56FFCC30-D398-11D0-B2AE-00A0C908FA49} 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\DISCARDABLE\POSTSETUP\COMPONENT CATEGORIES\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\ENUM 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\DISCARDABLE\POSTSETUP\COMPONENT CATEGORIES\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\ENUM
Value Name: Implementing 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: 2_45 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Chrome 1
Mutexes Occurrences
8-3503835SZBFHHZ 7
Global\{d0691a45-4fc4-42f8-9eb9-754e345ceb2c} 3
73M9N-T0-UB83K6J 2
S-1-5-21-2580483-12441695089072 2
1N6PO-QCTT825WY- 2
Global\{042723c4-0804-4212-bf56-4b1b2669ca7c} 2
S-1-5-21-2580483-12443106840201 1
S-1-5-21-2580483-124423447652 1
S-1-5-21-2580483-12443999912674 1
073A3D-6T418-C-B 1
0Q85PR27T0CZAGEI 1
S-1-5-21-2580483-1244296580714 1
L25P799FU97057X8 1
O5L2BA2WRAFEx2MB 1
7P2MN2S27-74YFZB 1
Global\{610ae494-e655-4dd4-94de-7786c0b53ce3} 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
34[.]102[.]136[.]180 7
194[.]5[.]98[.]213 3
23[.]227[.]38[.]74 2
209[.]17[.]116[.]163 2
194[.]5[.]98[.]219 2
45[.]77[.]55[.]161 2
198[.]54[.]117[.]212 1
195[.]110[.]124[.]133 1
216[.]92[.]3[.]120 1
194[.]5[.]98[.]9 1
66[.]96[.]160[.]130 1
192[.]64[.]119[.]254 1
192[.]254[.]235[.]221 1
217[.]19[.]248[.]132 1
172[.]217[.]164[.]179 1
192[.]169[.]69[.]26 1
75[.]2[.]115[.]196 1
75[.]2[.]26[.]18 1
103[.]224[.]212[.]221 1
103[.]224[.]182[.]210 1
104[.]21[.]83[.]149 1
34[.]117[.]168[.]233 1
64[.]190[.]63[.]111 1
35[.]164[.]33[.]0 1
31[.]31[.]196[.]51 1
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
nexaustin[.]ddns[.]net 3
www[.]northpierangling[.]info 2
411speed[.]duckdns[.]org 2
lowaspeed[.]ddnsfree[.]com 2
www[.]fbo[.]app 2
www[.]fabricsandfashion[.]com 2
www[.]hootcaster[.]com 2
www[.]bbobbo[.]one 1
www[.]ndppoc[.]info 1
www[.]palccoyotour[.]com 1
www[.]groupable[.]net 1
www[.]qbfstopp[.]com 1
www[.]confurn[.]net 1
www[.]gqimw[.]click 1
www[.]nyhedsbrev671[.]shop 1
www[.]ekkogroupmoment[.]com 1
www[.]blast4me[.]com 1
www[.]hzllaw[.]com 1
www[.]3egcfl[.]cyou 1
www[.]highqualityincense[.]com 1
www[.]highenergyquiz[.]com 1
www[.]fistfulofeuros[.]org 1
www[.]kaycfit[.]com 1
www[.]8065yp[.]com 1
www[.]uucloud[.]press 1
*See JSON for more IOCs
Files and or directories created Occurrences
%HOMEPATH%\temp 14
%ProgramFiles(x86)%\AGP Manager 6
%ProgramFiles(x86)%\AGP Manager\agpmgr.exe 6
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5 6
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs 6
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs\Administrator 6
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\run.dat 6
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\task.dat 6
%System32%\Tasks\AGP Manager 6
%System32%\Tasks\AGP Manager Task 6
%TEMP%\RegSvcs.exe 6
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp 6
%HOMEPATH%\2_84\vtiseh.ico 1
%APPDATA%\3_93\veuahftjpf.mp3 1
%HOMEPATH%\2_84\xvvxu.bin 1
%HOMEPATH%\2_45\mqrjl.jpg 1
%APPDATA%\3_93\wnof.docx 1
%HOMEPATH%\2_45\opcicmqv.dll 1
%APPDATA%\3_93\wpekxvo.xl 1
%APPDATA%\2_25\aipxfwbpk.ico 1
%HOMEPATH%\2_45\peawrnndd.pif 1
%APPDATA%\3_93\xsgsrogco.xl 1
%HOMEPATH%\2_45\pqhol.dat 1
%APPDATA%\2_25\clgtn.unh 1
%HOMEPATH%\2_45\pvmnha.mlm 1
*See JSON for more IOCs
File Hashes
0015048adbf3c3c9e4d685430113d63866e2a2f44d68cb3ee84274b4e2936638 1fab9185160e6fe51f4346a3e3db204ce5720e01f17d5be4b766be677652c1de 2100af0d356f5a776ae83f2e79e7c473343f2f9779188a672a313db19ba2f24b 34d9b74ea17021de8a99aa53c25294f91dab4e936b9df8a34b4374e3aa7918a9 41344e5c95b80aaec71e1399c38731319a4151c0408f5709c2f973b430418a50 62b5227656a58b1358c35100d0b5e8116ebe5b891a69f0a6f3ece869305e3193 67e6fd61e128d5649045a4fc55fc6c287722b5c92e65eef35ce0838d6210d901 6a4d2f72c82049aaec9996ed5de2756862f32678c33751e1ce449036cd66bf67 6ef54172371d62f47ca10add5d4e16991c08ab1c43effec3d1caf25718d2ed08 7cd5d3d08b5baa37925bbcac0fc1a5d6c72bcbf72d134b20d2fec7a19ea04e4b 927d0ba12659ceffb9d3f45ad9eb34bc9f8a9b6931499cf08a2d94be0dbf8019 9e7ba2f837a1a2a4f88823fdfb2fb9fa619fc088005b0b67a43d5d328ea66a9a b1f692dd52aae8317db7cfd262a4bcc053cf721fc7a00bf66f4acc7cb5cc6cbc f8ddc46b03f741a383da261761ed44b95fa58135b64a7b4577f8e08443d9f4bb
Coverage
Product: Protection
Secure Endpoint: Protected
Cloudlock: N/A
CWS: Protected
Email Security: Protected
Network Security: Protected
Stealthwatch: N/A
Stealthwatch Cloud: N/A
Secure Malware Analytics: Protected
Umbrella: Protected
WSA: Protected
Screenshots of Detection: Secure Endpoint; Secure Malware Analytics (images)
MITRE ATT&CK technique map (image)
Win.Dropper.Kuluoz-9973986-0
Indicators of Compromise
IOCs collected from dynamic analysis of 26 samples
Mutexes Occurrences
2GVWNQJz1 26
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
178[.]79[.]186[.]35 16
192[.]254[.]197[.]210 15
74[.]208[.]246[.]250 14
78[.]47[.]145[.]72 14
209[.]217[.]246[.]160 11
37[.]26[.]108[.]41 10
Files and or directories created Occurrences
%LOCALAPPDATA%\<random, matching '[a-z]{8}'>.exe 26
File Hashes
0046e88cfe1adf8271efcb0ce178618731b0b483faeb455d345a5e8fd56f3781 006a44982356b91e01680f3001d6050f8248bb5e362acb309645bea7706d2eeb 015184bfa4c43e6e5a3da585670f26581dd92805f0d53c9be87359fb1db56937 01d34069d3888557895bfd9326b8a5728561bc1bd5d3ae250225daab0d7759da 01f969b06d38184b7859fc5f142c77632392fb54878b8c85d6862fbccbcb7537 028bf5ed8ae980c70a28b8dc3b76e1a4e0c1437065867e8354abde3a47de85f8 03220265e8667fc40e459ae7ebdeb214096aa78bf7aa7b5d92f1c458ef0e3ac5 0337bc1755ebd0b00c73072db6ea8268bd65bb00129f243efc391a39e630aa1e 0466f671201b26d231e5d1a0942aeff49418402ed73356be64e7964b47d9c501 0506c78788f1be0d44b52b3783ead988d85f070cdbc1dfd9d200b32635e9d542 05183429820f723406bfa9d17d7335bd7acee10021cdbe7baa44ce08a110bde3 05bca5efb182e2550969b05ee55f365bbfeca049e8fc27be6de82c0ec4dc335d 06526e4616e8303fe1ddb27a7513ef680356db8817f943548120e7fe6976d6af 080b1ff98e77c912319276323727dd24d3935165cca5451fd41e526226826bfc 0856871f0334955ca142de93144673be48544d2139e7837d294e7d236df02904 09514e299e378b4aea8ed3b4ed8d1feab860aebd4dfb47b165fd19ce4f7edfbe 0952a950ea71b57207c1a2823f8b817b3d4530827260db775f754e546455cfed 09fae9b36cf583a84f44d7d4e63e0dc4c556009502c9272c672607f9090048fc 0a259118fb24129563c6969818bdbfefe9f56f780cc96d363a44639e288f0e7d 0b400d8652706d0785a8da7355a28d8c27782b0ef666a9e3c5a09a69e69361bd 0d89fa6ee0b200335bdaa89fe480c3e5956305241b3282bc43fe8adbfc330180 0e28cda5b816911f393f781ee49d209de396d62fca1e2be3761081bc9663d1f8 0fbb81d5c4016ccfdabd3f63a8c52f7854f47be4559ac76ecaadb1322f32bbbb 107ff454e5fa7e7e8aaf87fceb731069b4126b298c7f72899fbc01c3bb9763e9 10b4435a4d47fe914cbfd2da989a4e030fa5cceafe5337f376143b5ff601cb20
*See JSON for more IOCs
Coverage
Product: Protection
Secure Endpoint: Protected
Cloudlock: N/A
CWS: Protected
Email Security: Protected
Network Security: N/A
Stealthwatch: N/A
Stealthwatch Cloud: N/A
Secure Malware Analytics: Protected
Umbrella: N/A
WSA: N/A
Screenshots of Detection: Secure Endpoint; Secure Malware Analytics (images)
MITRE ATT&CK technique map (image)
Win.Dropper.DarkComet-9973855-1
Indicators of Compromise
IOCs collected from dynamic analysis of 26 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\DC3_FEXEC 26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 1872050175 24
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 31333394 24
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: UserInit 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 841679453 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: MicroUpdate 1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Setup 1
Mutexes Occurrences
DC_MUTEX-<random, matching [A-Z0-9]{7}> 17
NV9-12 2
DCPERSFWBP 1
DCMIN_MUTEX-GJ9HPEB 1
RLG3J8R6JRP0QA 1
NV9-16 1
Protector 1
DCMIN_MUTEX-HMKE3W2 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
78[.]159[.]135[.]230 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
anonn96[.]no-ip[.]info 6
tltkbshades[.]no-ip[.]info 4
tltkemissary[.]no-ip[.]info 4
heyhey123[.]no-ip[.]org 2
ge[.]tt 1
biology251[.]no-ip[.]biz 1
mathieucg[.]no-ip[.]biz 1
kissmyarse[.]no-ip[.]biz 1
8s4[.]no-ip[.]info 1
xpertpro[.]no-ip[.]info 1
xpertbot[.]no-ip[.]biz 1
darkcomethf[.]no-ip[.]biz 1
anonn96[.]servehttp[.]com 1
darkcomet5[.]no-ip[.]org 1
dcharry[.]no-ip[.]org 1
jordan323[.]no-ip[.]biz 1
machinedreamz[.]no-ip[.]biz 1
pointless[.]no-ip[.]biz 1
Files and or directories created Occurrences
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp 26
%APPDATA%\dclogs 22
%HOMEPATH%\Documents\MSDCSC 2
%HOMEPATH%\Documents\MSDCSC\msdcsc.exe 2
%TEMP%\dclogs 2
%TEMP%\tmpC68A.tmp.exe 2
%TEMP%\tmpC948.tmp.exe 2
%TEMP%\281187923.exe 2
%TEMP%\IgfxIntel2.io 2
%TEMP%\tmp8535.tmp.exe 1
%TEMP%\tmpC8AC.tmp.exe 1
%TEMP%\tmpC6A9.tmp.exe 1
%TEMP%\tmpC65B.tmp.exe 1
%TEMP%\tmpCEF3.tmp.exe 1
%TEMP%\tmpCD0F.tmp.exe 1
%TEMP%\tmpCABF.tmp.exe 1
%TEMP%\tmpCC06.tmp.exe 1
%TEMP%\tmpC9A6.tmp.exe 1
%TEMP%\tmpCA71.tmp.exe 1
%TEMP%\tmpCBD7.tmp.exe 1
%TEMP%\tmpC7D2.tmp.exe 1
%TEMP%\tmpCCC1.tmp.exe 1
%TEMP%\tmpCB4B.tmp.exe 1
%TEMP%\tmpC784.tmp.exe 1
%TEMP%\tmpD45F.tmp.exe 1
*See JSON for more IOCs
File Hashes
05958428629f1050aa3d5997cad72f4c9912e67607a3ff05fe4c3bf7afb18216 0b65e317b9534a541cc863564b5a87e75f247614b8653ef41d625faf1b30dd73 1362e3f76b4878015a667e89be73dbfa372443d780a33c90e79d0b964cfbd587 19b750aa309e76232792bfffcbe62e6570e8b1e7a7d4b9a85d487dd0746275b9 230fbf6a3fcf5d6ee1f172b5fbd57358c9cf42541c8c6970c26f9e1fa65c183d 317b116d2123e3466009676c082a4fcaeac8f6f1e011a8e111a1f8b0b9921846 35b4c0d26417fa60712ed83a9debf3246835c7ccb2234a3c9b7494697aa12f44 36b28cfb056a5c68b631e5772e3dc2a5b9980e8f5674bf3736bdb642f1d763ae 4366d3ba8343a178f2d13ffb2a649cf621fbe78747d55c753a7030c79e01c8a1 44fec9f58a8b1568fbd41481f8890811067781e002e61735b3ad5194528b09ef 49c07cce6399e1466880a4f19a2c178cb80e3dcca1ac94ad1bed42b16a1d0cab 769b49d94ca060fc05655550578a537504b9ee633f184b555a9c3e5d27eef10a 7f84a5dc2c0a8717ab6273a2379bf2aaa8ed81f7c45303f0b90c74e7776eeb86 82624ccde9a53bc191e049f4bb9ad01f065dccadaf4be1af1e2e8902cd868a98 839235151130481fc830209442c1fd072cbfb411c6ba5450c6661b1ecd84fd30 84961a58122f158282ae9da793142bbb71ec284525faaaf42b0e72d9c9a9a011 86a14c810b41c41e20bf17a26bc3d381ecae0753f97718eea5e14bf0e6b96f09 8c2f38aa97c8cfb9484ebcb8ebb2596b351b52f35f6376cb946fcb7ca50660d5 a0f23841e0b5582b3f66c50e9ea25bc54712e096df1c5e241058c71053e9bf4e a0f5270dd1683dfe08745e2dea86319837db51a4c0afae27c900c7e8f39435b5 b9a33f6b47f874cc09844a9fab9b15d81a0d30858693c70a769bf336ecf6b04b c20b6a8ee2c70c05f6bfe6d2e8912695db192d9b04d79babcf5f05328dc8c641 cbdb0364d84f0e4a5bbffa7d582257184f9fcfc5019eed71694920ad52161a7b d0dad7478bea7b0040a58ab4b3adc6bd5f1961f8b6455a30b06e92c804f89842 d2e6ab9a799af021ab0e0186a3366661c2c1285739df797532d9283db93d817b
*See JSON for more IOCs
Coverage
Product: Protection
Secure Endpoint: Protected
Cloudlock: N/A
CWS: Protected
Email Security: Protected
Network Security: Protected
Stealthwatch: N/A
Stealthwatch Cloud: N/A
Secure Malware Analytics: Protected
Umbrella: N/A
WSA: N/A
Screenshots of Detection: Secure Endpoint; Secure Malware Analytics (images)
MITRE ATT&CK technique map (image)
Win.Trojan.Zbot-9973944-0
Indicators of Compromise
IOCs collected from dynamic analysis of 20 samples
Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: C:\Windows\SysWOW64\msiexec.exe 20
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: C:\Windows\SysWOW64\svchost.exe 20
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 20
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST 20
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: 36412 20
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 1
Mutexes Occurrences
Nibbana 20
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
20[.]109[.]209[.]108 17
20[.]72[.]235[.]82 13
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
crysis5[.]info 20
Files and or directories created Occurrences
\4091535952 20
%APPDATA%\FolderName 20
%APPDATA%\FolderName\dos.exe 20
%TEMP%\<random, matching '[A-Z]{5}'>.txt 20
%TEMP%\<random, matching '[A-Z]{5}'>.bat 20
%ProgramData%\dxewfuu.exe 1
%ProgramData%\dxeicbay.exe 1
%ProgramData%\dxguek.exe 1
%ProgramData%\dxoioh.exe 1
%ProgramData%\dxaioi.exe 1
%ProgramData%\dxjjvoi.exe 1
%ProgramData%\dxpwjrq.exe 1
%ProgramData%\dxpcrpnpw.exe 1
%ProgramData%\dxzpetw.exe 1
%ProgramData%\dxeqrs.exe 1
%ProgramData%\dxrmjjcx.exe 1
%ProgramData%\dxzhcum.exe 1
%ProgramData%\dxjezj.exe 1
%ProgramData%\dxuybobe.exe 1
%ProgramData%\dxusqydq.exe 1
%ProgramData%\dxzjqov.exe 1
%ProgramData%\dxjczveji.exe 1
%ProgramData%\dxjpxzvo.exe 1
%ProgramData%\dxavqeuh.exe 1
%ProgramData%\dxxiahhr.exe 1
File Hashes
041a35632360b261ebe5501fad9f8aa179c467c678559750ab147d208453a2ba 13e23f4a6742bf4efee305416fab08b07575698f823de2cdbc41233031507f91 17bd538bbc90e453ac7950b85816c01eba1f2630c3f818b641455efa9d0b2614 184e426800af04ffa9e72a1610601b45748b3a04bfcf9a5aad66851b207c0d64 19d00d24aab5f4a3628781b6cade9ca46632605c294dcc2006ca32cc34eed353 348cc29426fd56a026fb28bd2ed94971095e68e538ef104d13210b1447968ca4 4102e2f1523db968851104e58c7ff01c13dcc323683c24ae2cbecb8d67759e38 57c6466ac6caf168f54552c3e60005a233151c2510109b8a7bd325e7a60d5a48 5b508f3201e363379a9303dca98876f3d3a5d08adf3c86ad61876dee55b478f9 7beb01ac0fcfefca7d4fb942b52aa6272860bc646fadec18c132be2211bf1cc1 83457ea3067af2fc6f23836208cf28d267ac6da31e487ad152b0f00115cd649a 8436fe84ccaced972841d791294b65237851aaafbe8f2dcae4343b7431ff3fcc 879caac5b63d94ea68a947dd71e3763f81b70c51ccf4c0cb1b865a5096ac89df 87e2baa7dc22212c4cee18220e916e74934956ee599add771ae8c6aafb8ee674 8a1373f9975711b7c07b560854a322403baac26e0b85284caaa6f39145d3a426 988adf2aee2bdb9a2a3b4700a56f09870db8fed916c9e6d915ebdcca3b105fd9 a1084bf2e37d8aded9645767acd323d158e6aca3ad88b4590d798b1e7aba4144 bf029dda9874edaaa2fc08b97bacdde5c50a9108e0af50a63a09da1f493f752c e9b2e9e6e3c469ea794f470bb689d2e6dbdb0b64e370410f5de3bb74da5f082e f1921b88eebf3c371820b2eaa865ba67052212802649413dc7b9132c02744407
Coverage
Product: Protection
Secure Endpoint: Protected
Cloudlock: N/A
CWS: Protected
Email Security: Protected
Network Security: Protected
Stealthwatch: N/A
Stealthwatch Cloud: N/A
Secure Malware Analytics: Protected
Umbrella: Protected
WSA: Protected
Screenshots of Detection: Secure Endpoint; Secure Malware Analytics (images)
MITRE ATT&CK technique map (image)
Win.Trojan.Ruskill-9973960-0
Indicators of Compromise
IOCs collected from dynamic analysis of 12 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}
Value Name: FaviconPath 12
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}
Value Name: Deleted 12
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES
Value Name: DefaultScope 12
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList 12
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} 12
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Ooawak 3
Mutexes Occurrences
FvLQ49IlzIyLjj6m 12
e621ca05-Mutex 12
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
13[.]107[.]21[.]200 4
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
www[.]bing[.]com 12
Files and or directories created Occurrences
%APPDATA%\Ooawak.exe 3
File Hashes
0007eb3d1377920345df240d14ef9edc22de9f045d1a33b3e946a5120048d9a0 1283e0eadc93f4397ae1665f24830f9b3cd5ee2a2773c4c3594862645da849ca 13b501e785cb402f08a1982354b3129120a5af15d77c23a0bfd5a489d9ee0a0b 17fab886fac900bf82006bccc6e6015b2eab10e7ccc74bf0db4bd8d5a0f1c6fc 2239b3f3ab0ea5145c1312b59f20eacb46c6d0485d46e9f134faef7cf3fe7d39 251ce18b4dfc7960f9abf0b0710824f44850c29b6bfc6d221fcefc4dc3199ed5 2b912b9ecab82e6e6f7e4d4ed6c17070211224cbce6ef4e4ee3aa043016d8046 3d46aa0d96a76a20a16ad4465ce9653cf0e09aa0f5973f11926e7b2a14cabad8 68c0726283bb2717f8f6e224bc14ca75722d47f21d2420848ebd639466be0394 6f9e2f3a54b0dd2c6e394754e49941a5b22d8a51fb02b32740b886713dddcb13 da7bd87151a7fbc235e081df8fbf0c88c92100e6d783ab2644830a9cc7705643 ed93b1000a4d05fc3c8684227ef7112acae0e1db9a668ea567954be2388b719a
Coverage
Product: Protection
Secure Endpoint: Protected
Cloudlock: N/A
CWS: Protected
Email Security: Protected
Network Security: N/A
Stealthwatch: N/A
Stealthwatch Cloud: N/A
Secure Malware Analytics: Protected
Umbrella: N/A
WSA: N/A
Screenshots of Detection: Secure Endpoint; Secure Malware Analytics (images)
MITRE ATT&CK technique map (image)
Win.Virus.Xpiro-9973982-1
Indicators of Compromise
IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: HideSCAHealth 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32
Value Name: Type 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64
Value Name: Type 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32
Value Name: Type 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32
Value Name: Start 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_64
Value Name: Type 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_64
Value Name: Start 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\COMSYSAPP
Value Name: Type 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\COMSYSAPP
Value Name: Start 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IEETWCOLLECTORSERVICE
Value Name: Type 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IEETWCOLLECTORSERVICE
Value Name: Start 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MOZILLAMAINTENANCE
Value Name: Type 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MOZILLAMAINTENANCE
Value Name: Start 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MSISERVER
Value Name: Type 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MSISERVER
Value Name: Start 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\OSE
Value Name: Type 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\OSE
Value Name: Start 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\UI0DETECT
Value Name: Type 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\UI0DETECT
Value Name: Start 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VDS
Value Name: Type 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VDS
Value Name: Start 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VSS
Value Name: Type 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VSS
Value Name: Start 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WBENGINE
Value Name: Type 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WBENGINE
Value Name: Start 25
Mutexes Occurrences
kkq-vx_mtx61 25
kkq-vx_mtx62 25
kkq-vx_mtx63 25
kkq-vx_mtx64 25
kkq-vx_mtx65 25
kkq-vx_mtx66 25
kkq-vx_mtx67 25
kkq-vx_mtx68 25
kkq-vx_mtx69 25
kkq-vx_mtx70 25
kkq-vx_mtx71 25
kkq-vx_mtx72 25
kkq-vx_mtx73 25
kkq-vx_mtx74 25
kkq-vx_mtx75 25
kkq-vx_mtx76 25
kkq-vx_mtx77 25
kkq-vx_mtx78 25
kkq-vx_mtx79 25
kkq-vx_mtx80 25
kkq-vx_mtx81 25
kkq-vx_mtx82 25
kkq-vx_mtx83 25
kkq-vx_mtx84 25
kkq-vx_mtx85 25
*See JSON for more IOCs
Files and or directories created Occurrences
%CommonProgramFiles%\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE 25
%CommonProgramFiles(x86)%\microsoft shared\Source Engine\OSE.EXE 25
%ProgramFiles(x86)%\Microsoft Office\Office14\GROOVE.EXE 25
%ProgramFiles(x86)%\Mozilla Maintenance Service\maintenanceservice.exe 25
%ProgramFiles%\Windows Media Player\wmpnetwk.exe 25
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe 25
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe 25
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe 25
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 25
%System32%\FXSSVC.exe 25
%System32%\UI0Detect.exe 25
%System32%\VSSVC.exe 25
%System32%\alg.exe 25
%System32%\dllhost.exe 25
%System32%\ieetwcollector.exe 25
%System32%\msdtc.exe 25
%System32%\msiexec.exe 25
%System32%\snmptrap.exe 25
%System32%\sppsvc.exe 25
%System32%\vds.exe 25
%System32%\wbem\WmiApSrv.exe 25
%System32%\wbengine.exe 25
%SystemRoot%\ehome\ehrecvr.exe 25
%SystemRoot%\ehome\ehsched.exe 25
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.log 25
*See JSON for more IOCs
File Hashes
0474fbe26d539f9cf1ba7f3bf74669b0f4b405122b224b9ee4cc4cd9af791f96 0970da49a1590239da5e5163c56f57ddf4b7e63b0d9ed771d02d15e694409e3a 1048885e1ee51385f9c4e2c012a4fcb15ebbf4b2615e0939dadf6c916e103aef 14e8077f545ee31218c58d13fa7f2bace6b6db3a49d69e533beeb85b9c6ae768 2550c716aba03383febf9827fd76614a475d531393c1b664d4ef7b23e7e52012 25e8efcffc3d8c0220205d6ee07fcaa7f89e04db5ce898aa65bce616898fc61f 2a050d3946db4589ef0a2e87ae5292579da8928937db6e4cf325eb862a207ffc 2c01d8c9d2118aab4088f235289803bed7084a8efba3f0079a2f0ab2746a4cf4 3be1edfe10b1a17582f83e6cfcda1edb32026eb0c3f9b98673f13c509c747243 3c4b60003db87b4e2bccb99fa0765d24e1f5e8d6d52b6a4c2961afe6ddb4e871 42d7a6677c16c67123c281677afe0799f87c8773ec6a40aa3a8b638adc440baf 4f0ff6cc8552b0e04712aeff2ab5c0799daaa2707ef2305ea58fda99f49a6207 54a5e13954a77719285058b89aff37ce29b212fee651e62993e3b227e9853d47 6309de48f6616c1f37f2b735649d27433ff64f4dae1e8c8c2b7ab196b4b181f8 6331d9226e0d851f64733c47216a573db5b856b5d88f6604bc7f6414da2cbdf3 64f3029a1e46cbe8db37ab07f5491e9b511cd513ad6c21a4c0ab8cfb512b21c2 7367e2d1a0263f94bccf5ac1ca21cc441691c3a22fbb0293fd0d45740a13fd35 7482a6c642e78905e819eb5fcd466158c9bf6b70018d0a2bd7bd914767504073 76157f4585d213fdf6434ec9f6c03918d0b8c2d8012b12878904cc6f98aa8e2f 7aa96916781f20001a11b671c785e917d8515114bf3f3b282291e91ebefb6ca3 892c016ed3197f47ef713bac1441e736fe6973fdfb55ac0474639e15ded22771 94063fe3ba93a18f59b09ea63711eba67a6bbd05d8cfa82273642fd7f093c129 94f20ae719083e8fa2bc1bfab31556aea84ca3879abb86fec6d5bbb8a71f1325 9aa149500ced708279094c18e196f1d29b5ad69d0d66a01f49cb4538a547330b a6798fc40febcd20ec5aad809fa5eeb13097f9d517bb5b59ce1fabf59b610d16
*See JSON for more IOCs
Coverage
Product: Protection
Secure Endpoint: Protected
Cloudlock: N/A
CWS: Protected
Email Security: Protected
Network Security: N/A
Stealthwatch: N/A
Stealthwatch Cloud: N/A
Secure Malware Analytics: Protected
Umbrella: N/A
WSA: N/A
Screenshots of Detection: Secure Endpoint; Secure Malware Analytics (images)
MITRE ATT&CK technique map (image)
Win.Dropper.Shiz-9973992-0
Indicators of Compromise
IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\MICROSOFT
Value Name: 67497551a 23
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: 98b68e3c 23
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: userinit 23
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: System 23
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: load 23
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: run 23
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: userinit 23
Mutexes Occurrences
Global\674972E3a 23
Global\MicrosoftSysenterGate7 23
internal_wutex_0x000004b4 23
internal_wutex_0x<random, matching [0-9a-f]{8}> 23
internal_wutex_0x0000043c 23
internal_wutex_0x000004dc 22
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
13[.]107[.]21[.]200 10
45[.]56[.]79[.]23 7
45[.]79[.]19[.]196 6
198[.]58[.]118[.]167 5
45[.]33[.]2[.]79 5
45[.]33[.]20[.]235 5
72[.]14[.]185[.]43 5
96[.]126[.]123[.]244 3
173[.]255[.]194[.]134 3
45[.]33[.]18[.]44 2
45[.]33[.]30[.]197 2
85[.]94[.]194[.]169 1
72[.]14[.]178[.]174 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
xugelurisep[.]eu 23
fotaqizymig[.]eu 23
cidufitojex[.]eu 23
lyvywyduroq[.]eu 23
puvacigakog[.]eu 23
xuboninogyt[.]eu 23
cicezomaxyz[.]eu 23
dixyjohevon[.]eu 23
fokisohurif[.]eu 23
volugomymet[.]eu 23
maganomojer[.]eu 23
jefecajazif[.]eu 23
qedylaqecel[.]eu 23
nojotomipel[.]eu 23
gahoqohofib[.]eu 23
rytifaquwer[.]eu 23
kepujajynib[.]eu 23
lyrosajupid[.]eu 23
tuwaraqidek[.]eu 23
xuqeqejohiv[.]eu 23
pumebeqalew[.]eu 23
cinycekecid[.]eu 23
divulewybek[.]eu 23
vocijekyqiv[.]eu 23
foxofewuteq[.]eu 23
*See JSON for more IOCs
Files and or directories created Occurrences
%TEMP%\<random, matching [A-F0-9]{1,4}>.tmp 23
File Hashes
01276682d0c4d460a42cadae60479e4b2dd63b876c16d4d2ad878baeed93fa48 04c06913b652f1f8829288c67d622abf2584df7161b4b8d79a7251e09f73bca4 0b0e3c51fb70468b05d929a93dc784445b694458fceeece96ba3f6b5ac658772 0d7fea30af8ce75bad46d3730170d77af55ed8a06e4e05ece7e88c374024a54a 133084f23546f9a4ef8f16b0dc0bc45e796ada9c411209fcb935376b30af89fc 17e667585fe7ccaa66eb7e1823ea0e3a324210878f779d3b81a7e565cc606edb 18f867af38971dd96255b1cdac836a01bfd9f966177aa345cc35e440101abe84 1feecda0ec69f5f85c49b42d7b7cbc01cdd0ea971b672e50f36d4727895b4e97 253a3d8eac4ecd51a343877b44415a0db423a727bd599252603d2679d00be08e 2e590d7ba1ba8f76c0cf5e02aca43f6dbf55c1d7714588db5595a6d66111e431 3374d71ef9ef3d9c4a12b66ce1f7c641c0b3abe2ec0aae6de3384657d2713976 38fc6c34ef576b537fc0a7da2537354128764324d8786281411190d52e85a44c 3c5fa558acdaf402c6b55cf7c50727d5089354c3fb87bc45cf3ce35fe008b82e 3de5a71696672c7f63c1f7f524218575807d22ad17c7d96442da5be8b8020b06 4332e627562ecb5b65ff54226b813e16e757afba9b5151d54b51abdf5b20c071 46c1792208ae56acaf19dfdc42e6a960564fb5910f459d90df0339931808f9ce 4c611f8ce0b05fcdbaf09600ea1c9ca8412de3b1f10a339d85974920f6913e8a 4de074d19da1c10f02d13e433e22ef2e582573f84073724f83a7e765879a6a28 51ca430555e6bc7d321c3c73379a1a5005480c45c0057a07ece5bd0d3fb3bff5 5348b35a7fcb632df4a16c96b1b480f91326f90a43d057d5baf89cb735d19547 56f849e614b78959196bdd2cce89838f56bfbfeadb0e1ea271a40332f04b65c6 63db25b8a5383744c0bf9883847c3937aab8512439b5ec912d1806f585c7aad0 696ec52ac6c91ca697c65a61f37de6177d0bf05c1e282e7438c1a45921cf84cc 6981f0dc7bf1412961144490b24f430abdd364840cc008b0442f25673f0704f5 6bf4df5bdd90b7747069f2d92dba0f98fb11613217ea3008577b7959da2f139b
*See JSON for more IOCs
Coverage
Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella
WSA
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.Cerber-9974272-0
Indicators of Compromise
IOCs collected from dynamic analysis of 19 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Explorer.exe 1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList 1
<HKCU>\SOFTWARE\MICROSOFT\OTCI
Value Name: Hiorg 1
<HKCU>\Software\Microsoft\<random, matching '[A-Z][a-z]{3,11}'> 1
Mutexes Occurrences
shell.{381828AA-8B28-3374-1B67-35680555C5EF} 11
Frz_State 1
Sandboxie_SingleInstanceMutex_Control 1
MicrosoftVirtualPC7UserServiceMakeSureWe'reTheOnlyOneMutex 1
<32 random hex characters> 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
web[.]hotdogsllc[.]org 1
abrakadabra2017[.]com 1
cam-in[.]bit 1
Files and or directories created Occurrences
%TEMP%\d19ab989 11
%TEMP%\d19ab989\4710.tmp 11
%TEMP%\d19ab989\a35f.tmp 11
%APPDATA%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\Windows Explorer.exe 1
%TEMP%\updc1db691c.bat 1
%APPDATA%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\compatibility.owt 1
%APPDATA%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\desktop.qyh 1
%APPDATA%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\urlclassifierkey3.hoq 1
File Hashes
Coverage
Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella
WSA
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK