Threat Roundup for July 22 - 29

Talos is publishing a glimpse into the most prevalent threats we’ve observed from July 22 - 29. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise and discussing how our customers are automatically protected from these threats. As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files. The most prevalent threats highlighted in this roundup are:

Threat Name    Type    Description

Win.Dropper.Shiz-9957065-0    Dropper    Shiz is a remote access trojan that allows an attacker to access an infected machine in order to harvest sensitive information. It is commonly spread via droppers or by visiting a malicious site.

Win.Dropper.Tofsee-9957067-0    Dropper    Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages to infect additional systems and increase the size of the botnet under the operator’s control.

Win.Ransomware.TeslaCrypt-9957356-0    Ransomware    TeslaCrypt is a well-known ransomware family that encrypts a user’s files with strong encryption and demands Bitcoin in exchange for a file decryption service. A flaw in the encryption algorithm was discovered that allowed files to be decrypted without paying the ransom, and eventually, the malware developers released the master key, allowing all encrypted files to be recovered easily.

Win.Virus.Expiro-9957505-0    Virus    Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.

Win.Dropper.Kuluoz-9957187-0    Dropper    Kuluoz, sometimes known as “Asprox,” is a modular remote access trojan that is also known to download and execute follow-on malware, such as fake antivirus software. Kuluoz is often delivered via spam emails pretending to be shipment delivery notifications or flight booking confirmations.

Win.Dropper.DarkComet-9957280-1    Dropper    DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. This malware can download files from a user’s machine and contains mechanisms for persistence and hiding. It also sends back usernames and passwords from the infected system.

Win.Trojan.Sality-9957294-1    Trojan    Sality is a file infector that establishes a peer-to-peer botnet. Although it’s been prevalent for over a decade, we continue to see new samples that require marginal attention to remain consistent with detection. Once perimeter security has been bypassed by a Sality client, the end goal is to execute a downloader component capable of executing additional malware.
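The IOC tables in the breakdown below are defanged with the usual "[.]" convention, mix single addresses with /31 ranges, and, as the intro notes, a match is a lead rather than proof of compromise. The following Python script is an added example (not code from the Talos post): it refangs a few IOCs copied from the tables below, treats the CIDR entries as networks rather than hosts, and checks constructed DNS and connection log lines against them. The log format, host names and the `svartalfheim[.]top`-style sample selection are assumptions for the example; the IOC values themselves are the ones printed in this roundup.

```python
"""Refang roundup-style IOCs and check constructed log lines against them.

Added example, not Talos code. The IOC strings are copied from the tables
in this roundup; the log format and log contents are constructed.
"""
import ipaddress
import re
from typing import Iterable

# Defanged IOCs as printed in the roundup tables. The two /31 entries are
# ranges (two addresses each), not single hosts.
DEFANGED_IOCS = [
    "vocijekyqiv[.]eu",          # Shiz domain
    "svartalfheim[.]top",        # Tofsee domain
    "13[.]107[.]21[.]200",       # Shiz IP (page notes: contact != maliciousness)
    "31[.]41[.]244[.]126/31",    # Tofsee range
    "172[.]253[.]115[.]26/31",   # Tofsee range
]


def refang(ioc: str) -> str:
    """Turn 'a[.]b' (or 'a(.)b') back into 'a.b', lower-cased and trimmed."""
    return ioc.strip().replace("[.]", ".").replace("(.)", ".").lower()


class IocSet:
    """Domain and IP/CIDR indicators, refanged and ready to match."""

    def __init__(self, defanged: Iterable[str]):
        self.domains: set = set()
        self.networks: list = []
        for raw in defanged:
            value = refang(raw)
            try:
                # strict=False lets "x.y.z.126/31" through even though the
                # host bits are set; a bare address becomes a /32 network.
                self.networks.append(ipaddress.ip_network(value, strict=False))
            except ValueError:
                # Not an address or CIDR: treat as a domain name.
                self.domains.add(value)

    def match_domain(self, name: str) -> bool:
        """Exact match or subdomain of a listed domain."""
        name = name.lower().rstrip(".")
        return any(name == d or name.endswith("." + d) for d in self.domains)

    def match_ip(self, text: str) -> bool:
        """True if text is an address inside any listed network."""
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            return False
        return any(addr in net for net in self.networks)


# Constructed log format: "<timestamp> <host> dns <name>" or
# "<timestamp> <host> conn <ipv4>:<port>". Assumed for the example only.
LOG_RE = re.compile(r"(?P<ts>\S+) (?P<host>\S+) (?P<kind>dns|conn) (?P<value>\S+)")


def scan_logs(lines: Iterable[str], iocs: IocSet) -> list:
    """Return (timestamp, host, value) for every line that touches an IOC.

    A hit is a lead for triage, not a verdict: several addresses in the
    roundup belong to ordinary services.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        kind, value = m["kind"], m["value"]
        if kind == "dns":
            matched = iocs.match_domain(value)
        else:
            # IPv4 only in this format, so splitting on ":" drops the port.
            matched = iocs.match_ip(value.split(":")[0])
        if matched:
            hits.append((m["ts"], m["host"], value))
    return hits


# Constructed sample lines: two direct hits, one hit inside the /31 range,
# and two benign lines (31.41.244.130 is outside the listed /31).
SAMPLE_LOGS = [
    "2022-07-25T10:01:02Z ws-17 dns www.vocijekyqiv.eu",
    "2022-07-25T10:01:03Z ws-17 conn 13.107.21.200:443",
    "2022-07-25T10:02:00Z ws-04 dns update.example.test",
    "2022-07-25T10:02:10Z ws-04 conn 31.41.244.127:80",
    "2022-07-25T10:03:00Z ws-09 conn 31.41.244.130:80",
]

if __name__ == "__main__":
    for ts, host, value in scan_logs(SAMPLE_LOGS, IocSet(DEFANGED_IOCS)):
        print(f"{ts} {host} matched IOC {value}")
```

Subdomain matching is deliberate: the roundup lists `danecobain[.]com` and `www[.]danecobain[.]com` separately, and a hostname match on the registered domain catches both without listing every label.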

Threat Breakdown

Win.Dropper.Shiz-9957065-0

Indicators of Compromise

IOCs collected from dynamic analysis of 27 samples

Registry Keys    Occurrences
<HKLM>\SOFTWARE\MICROSOFT
    Value Name: 67497551a    27
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
    Value Name: 98b68e3c    27
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
    Value Name: userinit    27
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
    Value Name: System    27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
    Value Name: load    27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
    Value Name: run    27
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: userinit    27

Mutexes    Occurrences
Global\674972E3a    27
Global\MicrosoftSysenterGate7    27
internal_wutex_0x000000e0    27
internal_wutex_0x0000038c    27
internal_wutex_0x00000448    27
internal_wutex_0x<random, matching [0-9a-f]{8}>    15
internal_wutex_0x00000640    12

IP Addresses contacted by malware. Does not indicate maliciousness    Occurrences
13[.]107[.]21[.]200    19
45[.]79[.]19[.]196    8
72[.]14[.]185[.]43    7
96[.]126[.]123[.]244    5
45[.]33[.]23[.]183    5
45[.]33[.]18[.]44    5
45[.]56[.]79[.]23    4
45[.]33[.]2[.]79    4
45[.]33[.]20[.]235    4
198[.]58[.]118[.]167    3
45[.]33[.]30[.]197    3
85[.]94[.]194[.]169    2
173[.]255[.]194[.]134    2
72[.]14[.]178[.]174    2

Domain Names contacted by malware. Does not indicate maliciousness    Occurrences
vocijekyqiv[.]eu    27
foxofewuteq[.]eu    27
nozapekidis[.]eu    27
makymykakic[.]eu    27
galerywogej[.]eu    27
qeguxylevus[.]eu    27
rydohyluruc[.]eu    27
lysafurisam[.]eu    27
kefilyrymaj[.]eu    27
purumulazux[.]eu    27
ciqivutevam[.]eu    27
vopycyfutoc[.]eu    27
fotulybidyq[.]eu    27
norijyfohop[.]eu    27
mamasufexix[.]eu    27
gaqofubakeh[.]eu    27
jenerunybem[.]eu    27
qebequgyqip[.]eu    27
kevybunureh[.]eu    27
rycucugisix[.]eu    27
tulojigakit[.]eu    27
lyxilunogem[.]eu    27
xukafinezeg[.]eu    27
pujepigeviz[.]eu    27
cihyrimymen[.]eu    27

*See JSON for more IOCs

Files and or directories created    Occurrences
%TEMP%\<random, matching [A-F0-9]{1,4}>.tmp    27

File Hashes

0067560aba08824dfeb770ca27e3d0e1ece982b8460187f8d9b5a141436577d8
00b97ecd94f57d5a56cdf81df2b5031886913dc017b0d089ea453db9fbf84a41
00e5836b518919f036f5757d5d7fb19b8deec74d1b9f4974e832e72d24158620
019e5844590d1519e9e75d605dac69e3216eab3395d64edae9682f522a02680e
054c5a47542510462512167f374d1bca1ad18d04c26cb7d94a2fce9d7646438a
072b0b3d68b21de76ceb5296f3dba4cb9741f59dacf8b1e7d7bc06976da86149
0772ed398daf5d48a638ad446bb989c5ce74319f9c364c933ab5917572123388
09825454a9f3e88b69f21307efa2e6093f2394d9e5a246ba87547e15a2d4ac86
09fce5411ee6353ddaa268c2e49a3557546dc2c83fcba0a6292a640498facf82
0a07532300d240f7346be75bc5e44d130f7dab376de86ea2ea385bc8cf86d425
0b2b2c70f849d8edbc124f00879fd5ed3ed6c86253bc3c4851885467974fd567
0c22d4fe5ddbecded7048875e9a7e0cdddd5198350aa8dfc7048b9cb24d49022
0d36aa152877523190d50d72eb7c383e27312286cda6eedc3feaaa9c7b407a8c
0d53b772610ba18ea4b296d94b33730e1f16f82e81719d887b303d5ffd0bb724
0d9e7df2c3f7ee39261b2b5af1e70d924ff931473bdc795b0cad29fbcf65d22b
0db7fb425f0e5fe4fe7cc0e9f155a1bb6fa36469487274418e0cf10350264248
0e54984099f81c595ff7ced76bef3bc8547731f8f0e12c298437f08774fffcb4
139be07d5ad7673637d6249789061171692738737023c86a35e9332000f8cac2
1517de689fc7d424de67c20031ee04cff3fc878e1ebe0e8545df14efb159a98b
15f23b0f7665d6092eaee9b28bcbc43086e652cb35633cfaa2f061d9d5b4b3b0
1905329fc88cff0c323d75d844050dddf71f085b1b031cd78eb286e3b49aa30a
198d9692d11bffc2a5c5dd4504f7fa13743a25d785e08d0cab9073142900c45e
19e233e3a11bcc6916977b99cb89df850230812a7087fb9b11b9b4ed0f33c2f3
1eed66a3938ff9a7dd07a443c0922b54d71877463ad0429123e902e97acc3523
213fe1fdb10d80b6abd770e2020913ad6a1872411224fccff3aa58d334414040

*See JSON for more IOCs

Coverage

Product    Protection
Secure Endpoint
Cloudlock    N/A
CWS
Email Security
Network Security
Stealthwatch    N/A
Stealthwatch Cloud    N/A
Secure Malware Analytics
Umbrella
WSA

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Tofsee-9957067-0

Indicators of Compromise

IOCs collected from dynamic analysis of 17 samples

Registry Keys    Occurrences
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
    Value Name: Config4    4
<HKU>\.DEFAULT\CONTROL PANEL\BUSES    4
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
    Value Name: Config0    4
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
    Value Name: Config1    4
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
    Value Name: Config2    4
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
    Value Name: Config3    4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD    1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD
    Value Name: Type    1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD
    Value Name: Start    1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD
    Value Name: ErrorControl    1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD
    Value Name: DisplayName    1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD
    Value Name: WOW64    1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD
    Value Name: ObjectName    1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD
    Value Name: Description    1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
    Value Name: C:\Windows\SysWOW64\nxzuqihd    1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU    1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU
    Value Name: Type    1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU
    Value Name: Start    1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU
    Value Name: ErrorControl    1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU
    Value Name: DisplayName    1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU
    Value Name: WOW64    1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU
    Value Name: ObjectName    1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU
    Value Name: Description    1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
    Value Name: C:\Windows\SysWOW64\eoqlhzyu    1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TDFAWONJ    1

Mutexes    Occurrences
Global\07ada3c1-08f4-11ed-b5f8-00501e3ae7b6    1
Global\067cf3c1-08f4-11ed-b5f8-00501e3ae7b6    1
Global\08e8d341-08f4-11ed-b5f8-00501e3ae7b6    1

IP Addresses contacted by malware. Does not indicate maliciousness    Occurrences
212[.]77[.]101[.]4    4
142[.]250[.]72[.]100    4
31[.]41[.]244[.]82    4
31[.]41[.]244[.]85    4
80[.]66[.]75[.]254    4
80[.]66[.]75[.]4    4
31[.]41[.]244[.]128    4
31[.]41[.]244[.]126/31    4
185[.]165[.]123[.]13    4
208[.]71[.]35[.]137    3
208[.]76[.]51[.]51    3
216[.]146[.]35[.]35    3
199[.]5[.]157[.]131    3
208[.]76[.]50[.]50    3
195[.]46[.]39[.]39    3
23[.]90[.]4[.]6    3
194[.]25[.]134[.]8    3
144[.]160[.]235[.]143    3
193[.]222[.]135[.]150    3
209[.]244[.]0[.]3    3
119[.]205[.]212[.]219    3
67[.]231[.]152[.]94    3
31[.]13[.]65[.]174    3
117[.]53[.]116[.]15    3
172[.]253[.]115[.]26/31    3

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness    Occurrences
249[.]5[.]55[.]69[.]bl[.]spamcop[.]net    4
249[.]5[.]55[.]69[.]cbl[.]abuseat[.]org    4
249[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net    4
249[.]5[.]55[.]69[.]in-addr[.]arpa    4
249[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org    4
249[.]5[.]55[.]69[.]zen[.]spamhaus[.]org    4
microsoft-com[.]mail[.]protection[.]outlook[.]com    4
microsoft[.]com    4
www[.]google[.]com    4
whois[.]arin[.]net    4
whois[.]iana[.]org    4
aspmx[.]l[.]google[.]com    4
wp[.]pl    4
ameritrade[.]com    4
mxa-000cb501[.]gslb[.]pphosted[.]com    4
mx[.]wp[.]pl    4
svartalfheim[.]top    4
www[.]instagram[.]com    3
mta5[.]am0[.]yahoodns[.]net    3
hanmail[.]net    3
freenet[.]de    3
korea[.]com    3
t-online[.]de    3
o2[.]pl    3
nate[.]com    3

*See JSON for more IOCs

Files and or directories created    Occurrences
%SystemRoot%\SysWOW64\config\systemprofile    4
%SystemRoot%\SysWOW64\config\systemprofile:.repos    4
%SystemRoot%\SysWOW64\nxzuqihd    1
%SystemRoot%\SysWOW64\eoqlhzyu    1
%SystemRoot%\SysWOW64\tdfawonj    1
%SystemRoot%\SysWOW64\hrtokcbx    1
%TEMP%\oacsevkh.exe    1
%TEMP%\htrzurov.exe    1
%TEMP%\rzwntxyj.exe    1
%TEMP%\mcilsztg.exe    1

File Hashes

1b64011f2f80b0ded096cbdb81c2bdac9786dc8a4ea7425b15547bdca34e043f
34c17bb102b2ed718471668da1ddc7daf397175979582942bf89d8e272cfa141
59bdcd1599938f1c5c2845d1fef198a0d97b03744432fc6705c9c67f13eedab4
64d6709c3cfbf8765e9434abfe6fc8bad67d87a3e4fe0622e68aa1d15aac8d6b
6857bce2c5f73e1d1bc4b14cb7b281beb33fed8cb580a43f236460c2af0e65e2
6eb7dd7f943a22822b0aaef6301d32b54eb43e432070c41b7d3c6a3d041ec8b3
6f3ef01ce9f2896b54c06fe4cd5e5769dda3a958868557a20469feb21c7e1273
79699aa58081b925c0b75140f0110f3ebf9a47e9bc8ba1699d53d7b14cb49591
7e2975f6cb11bb324bd49ec6fd4b77478e3488bf99fe623851a29f06e9b1fb37
89974e5d8be578da3cc6c0a33398659aabb160cdb03f7158066969f430dab796
9449f5dd9a6728664a3be973ccb91adbf64ffe980ff96de05a0419eb0a77bbd7
b77c2b3942f50e8fef2440481de894d506418f7a7c35fb29d40cfa8ce795ebf4
cbbc899843ca8f5908c27645960a33952fbecbf3d5cefc5054ab1dd023bb8582
d0596ec9d08cdd81f86e07d5ab70b518c6ca23a9ed4f557d041d3307b3ca7020
d518bbcb40208cfd7cbb6965e1647fabd5f65f2f1c1520e1217996957a1ada8d
e6411e18f8a1096f9b5d7528a24f6acdf1f97d120dd0dae4d76703c8eb5e4040
efced050e17235d050db86e0d763a07cfff375771d586736bbd17520725f1ebf

Coverage

Product    Protection
Secure Endpoint
Cloudlock    N/A
CWS
Email Security
Network Security
Stealthwatch    N/A
Stealthwatch Cloud    N/A
Secure Malware Analytics
Umbrella    N/A
WSA

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Ransomware.TeslaCrypt-9957356-0

Indicators of Compromise

IOCs collected from dynamic analysis of 25 samples

Registry Keys    Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
    Value Name: EnableLinkedConnections    25
<HKCU>\SOFTWARE\XXXSYS    25
<HKCU>\SOFTWARE\XXXSYS
    Value Name: ID    25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0
    Value Name: CheckSetting    25
<HKCU>\Software\<random, matching '[A-Z0-9]{14,16}'>    24
<HKCU>\Software\<random, matching '[A-Z0-9]{14,16}'>
    Value Name: data    24
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: hdtjbroygvvb    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: owvhajogulen    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: pyfepfifrjwi    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: xbmnkkfnowvh    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: gulenopvybnq    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: tbqdqvojagik    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: hajogulenopv    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: mgtbqdqvcoqj    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: ulenopvybnqj    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: lpyfepfifrjw    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: epfifrjwiqou    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: ifrjwiqouteu    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: teumgtbqdqvo    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: nrxbmnkkfnow    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: whmtlmoxvcsc    1
<HKCU>\SOFTWARE\159643D83772F    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: bmnkkfnowvha    1
<HKCU>\SOFTWARE\159643D83772F
    Value Name: data    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: vcscusnnmyjx    1

Mutexes    Occurrences
ityeofm9234-23423    25

IP Addresses contacted by malware. Does not indicate maliciousness    Occurrences
107[.]6[.]161[.]162    25

Domain Names contacted by malware. Does not indicate maliciousness    Occurrences
jessforkicks[.]com    25
heizhuangym[.]com    25
infotlogomas[.]malangkota[.]go[.]id    25
csucanuevo[.]csuca[.]org    25
snibi[.]se    25
danecobain[.]com    25
www[.]danecobain[.]com    25

Files and or directories created    Occurrences
%ProgramFiles%\7-Zip\Lang\ka.txt    25
%ProgramFiles%\7-Zip\Lang\kaa.txt    25
%ProgramFiles%\7-Zip\Lang\kab.txt    25
%ProgramFiles%\7-Zip\Lang\kk.txt    25
%ProgramFiles%\7-Zip\Lang\ko.txt    25
%ProgramFiles%\7-Zip\Lang\ku-ckb.txt    25
%ProgramFiles%\7-Zip\Lang\ku.txt    25
%ProgramFiles%\7-Zip\Lang\ky.txt    25
%ProgramFiles%\7-Zip\Lang\lij.txt    25
%ProgramFiles%\7-Zip\Lang\lt.txt    25
%ProgramFiles%\7-Zip\Lang\lv.txt    25
%ProgramFiles%\7-Zip\Lang\mk.txt    25
%ProgramFiles%\7-Zip\Lang\mn.txt    25
%ProgramFiles%\7-Zip\Lang\mng.txt    25
%ProgramFiles%\7-Zip\Lang\mng2.txt    25
%ProgramFiles%\7-Zip\Lang\mr.txt    25
%ProgramFiles%\7-Zip\Lang\ms.txt    25
%ProgramFiles%\7-Zip\Lang\nb.txt    25
%ProgramFiles%\7-Zip\Lang\ne.txt    25
%ProgramFiles%\7-Zip\Lang\nl.txt    25
%ProgramFiles%\7-Zip\Lang\nn.txt    25
%ProgramFiles%\7-Zip\Lang\pa-in.txt    25
%ProgramFiles%\7-Zip\Lang\pl.txt    25
%ProgramFiles%\7-Zip\Lang\ps.txt    25
%ProgramFiles%\7-Zip\Lang\pt-br.txt    25

*See JSON for more IOCs

File Hashes

11bf02df58d00bf7dfc22e46b27db8a2cfcb9c8d03ad38b2e3baafa193bbbd89
1a4a1e76c6d2dc585ce77c9be7163163c0d614d5668a0c83601bb3d6f91376a0
1c2ddbf956ee1e2b40472b70603371ed21817fbf95d5825b2f75bbf6f9728089
1d4114c8ee19f343f3dcf80a542295af29df63d9745ad77cce43562c909551c5
2f1f927c219ccfcffeb997c9433733a04200ae35a2fc0c48fc07cb49062cddc7
3ef3021ce3ffdffcfba2bd590c4186c3a3ecdd3b6ce40d51d2500897fb55ffb0
41ab6446df889a5a24e4e859146c0225d13a2ba8553c83cb93e45017212884b2
4bae8a4e0124724e695c10202a94eec99cf5990507fbc94ec3f08e11de3ce2c2
4dc12416bf7c3be9d573c8fa07847050307bd05cb67480e3c3874696614b73e9
4fa8c1eaa4846a8a06fb2480a746d5526f743cee314f7101db0508577bdd3776
5207a70e0e818741279d7c25c0d9cb6be136a4fc8ca8fe6f48112c4d0572d64f
5aaad74cb36db78ad6da4d499a75c41d2ace8b97ff8f88c5bc7f738ad353d3d7
67e2caf00dd0293080cb5b45d2db11d4f567ce9a3d6fd5c9723358d18da80e71
6a9e6e5c50b3b90376530ee4e9e81cdf5cdc9b7c07cdb71207b3a1799f77ec7a
6ab8f9569a70beb0f96bf4e030381e70bcce7703b308a05542f4ccf1b6002af9
71f0f23220cb0f5d8b31fce30f08bc1687acd675b7c3a8ae7e0538bacb0d3eec
a3a6b4f405f2175af97128c64d9ad68700e05e22d66c43dad966add8436af79f
a760b60722cfa7c719e79b5c97cfe789720c6300a200421c846e13287cdb160a
d8be6b950a872b1b7c752cc83a5440b4cfe62870097df78794f10986fb7fcb63
dd6483183967845c18a3d5cc6154233aa8f3a48acb4e9cccd3606afe7d4d7eef
de5dc2aed0e06894e0bb1292fb68343fadc46b489e6c85e6cca56cf5bad70c09
e1a00e6beb02475b4bdd8d821ccac3e67bbafd182332cbf35a45c6766ad83b87
e8c460f171e964db6fff16eb38684b9ec82134c4fd1a1cdc64ba338941ef1199
f69edf352cdca309c7faa71f87a429daf2b46e4ae6ed85a25ff03aa34b4702c4
fbcec257455e5546a294ec1534f7e11f05d144c73ef583a0e891e14759e133eb

Coverage

Product    Protection

Secure Endpoint
Cloudlock    N/A
CWS
Email Security
Network Security    N/A
Stealthwatch    N/A
Stealthwatch Cloud    N/A
Secure Malware Analytics
Umbrella
WSA

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Virus.Expiro-9957505-0

Indicators of Compromise

IOCs collected from dynamic analysis of 97 samples

Registry Keys    Occurrences

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32
    Value Name: Start    97
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_64
    Value Name: Start    97
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\COMSYSAPP
    Value Name: Start    97
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IEETWCOLLECTORSERVICE
    Value Name: Start    97
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MOZILLAMAINTENANCE
    Value Name: Start    97
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MSISERVER
    Value Name: Start    97
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32
    Value Name: Start    97
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ALG
    Value Name: Start    97
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EHRECVR
    Value Name: Start    97
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EHSCHED
    Value Name: Start    97
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FAX
    Value Name: Start    97
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MICROSOFT SHAREPOINT WORKSPACE AUDIT SERVICE
    Value Name: Start    97
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MSDTC
    Value Name: Start    97
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64
    Value Name: Start    97
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FAX
    Value Name: ObjectName    97
<HKLM>\SOFTWARE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\STATE
    Value Name: AccumulatedWaitIdleTime    97
<HKLM>\SOFTWARE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\LISTENEDSTATE
    Value Name: RootstoreDirty    97
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\STATE
    Value Name: AccumulatedWaitIdleTime    97
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\LISTENEDSTATE
    Value Name: RootstoreDirty    97
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MEDIA CENTER\SERVICE\SCHEDULER    97
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MEDIA CENTER\SERVICE\SCHEDULER
    Value Name: ServiceFailures    97
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MEDIA CENTER\SERVICE\SCHEDULER
    Value Name: ServiceStarted    97
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MEDIA CENTER\SERVICE\SCHEDULER
    Value Name: Heartbeat    97
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MEDIA CENTER\SERVICE\SCHEDULER
    Value Name: WaitingForShutdown    97
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MEDIA CENTER\SERVICE\SCHEDULER
    Value Name: HeartbeatIntervalMs    97

Mutexes    Occurrences

http://www.microsoft.com/windowsxp/mediacenter/ehtray.exe/singleinstancemutex    97
Global\MCStoreCreateTable_a1d78cdcc411921ce3b07770aa2a0e0745789b11    97
Global\MCStoreOpen_b4cae1f9a3aead62bebb934ca33cadb730c8d3ed    97
Global\MCStoreSyncMem_02004a9f865399b5c2a02973d5e53544ed4ce2ea    97
Global\MCStoreSyncMem_5ea381292eeb3ed3e61dc84a3dbd4d7f59767eca    97
Global\MCStoreSyncMem_71bdfe29063ac557a4e7b3205ed180408457fcd4    97
Global\MCStoreSyncMem_7715dc857070a1523dea43f32f1fe67c1ce58e0b    97
Global\__?_c:_programdata_microsoft_ehome_mcepg2-0.db    97
Global\__?_c:_programdata_microsoft_ehome_mcepg2-0.db:x    97
Global\eHome_DbMutex_1    97
Global\eHome_DbMutex_2    97
Global\eHome_DbRWMutex_1    97
Global\Multiarch.m0yv-98b68e3c311dcc78-inf    97
Global\Multiarch.m0yv-98b68e3c311dcc78493cd690-b    97
Global\Multiarch.m0yv-98b68e3c311dcc789ea72c54-b    97
Global\MCStoreAddStoredType_a1d78cdcc411921ce3b07770aa2a0e0745789b11    94
Global\eHome_DbMutex_3    94
Global\OfficeSourceEngineMutex    92
Global\Media Center Tuner Request    70
Global\eHome_DbMutex_4    69
Global\eHome_DbMutex_5    69
Global\PVRLibraryLock_a1d78cdcc411921ce3b07770aa2a0e0745789b11    57
Global\eHome_DbRWMutex_2    54
Global\__?_c:_programdata_microsoft_ehome_mcepg2-0.db:splk:1036    8
Global\__?_c:_programdata_microsoft_ehome_mcepg2-0.db:splk:924    5
*See JSON for more IOCs

IP Addresses contacted by malware. Does not indicate maliciousness    Occurrences

172[.]105[.]27[.]61    95
167[.]99[.]35[.]88    70
206[.]191[.]152[.]58    66
63[.]251[.]106[.]25    62
178[.]162[.]217[.]107    20
85[.]17[.]31[.]82    16
178[.]162[.]203[.]202    15
5[.]79[.]71[.]205    14
85[.]17[.]31[.]122    14
173[.]231[.]184[.]124    11
63[.]251[.]126[.]10    11
178[.]162[.]203[.]226    10
178[.]162[.]203[.]211    9
5[.]79[.]71[.]225    7
35[.]234[.]136[.]13    6
185[.]185[.]69[.]77    2
82[.]112[.]184[.]197    1

Domain Names contacted by malware. Does not indicate maliciousness    Occurrences

pywolwnvd[.]biz    97
ssbzmoy[.]biz    97
cvgrf[.]biz    78
npukfztj[.]biz    75
przvgke[.]biz    71
zlenh[.]biz    68
knjghuig[.]biz    8
uhxqin[.]biz    8
anpmnmxo[.]biz    1
lpuegx[.]biz    1

Files and or directories created    Occurrences

%ProgramFiles(x86)%\Microsoft Office\Office14\GROOVE.EXE    97
%ProgramFiles(x86)%\Mozilla Maintenance Service\maintenanceservice.exe    97
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe    97
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe    97
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe    97
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe    97
%System32%\FXSSVC.exe    97
%System32%\alg.exe    97
%System32%\dllhost.exe    97
%System32%\ieetwcollector.exe    97
%System32%\msdtc.exe    97
%System32%\msiexec.exe    97
%SystemRoot%\ehome\ehrecvr.exe    97
%SystemRoot%\ehome\ehsched.exe    97
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.log    97
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log    97
%SystemRoot%\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{33EC2C09-9668-4DE7-BCC0-EFC69D7355D7}.crmlog    97
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log    97
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log    97
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat    97
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat    97
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat    97
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock    97
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat    97
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock    97
*See JSON for more IOCs

File Hashes

003197ab7aab0056ef0fbeb11dd4b6762216c3d27540ca4825f181fab330a832
01b59d7b8d9e128753e33b88705d6b0ee2be945fd4bd95c92c25fe160bcc2a28
01c2d4cecc87e39c6c08db505065e5ef9d4927fac599f0e1e752407e15c4e633
024c5d8975e9e34be65107327c05e119c8b595c954eadb25b07cbf55cbc898a9
032794dc64b0ac4b893561771732bd67ae0962f1f381c53bdef1be6a5155df3e
03d2208d010c08559d1625142d2efc90b48bd94cc19f33123b8b665e6e607b34
03d83413d2881f01a23c0794d66d0d29510ce12ccb66f1005ab64910cd4e7f07
03db00a2082925d5504e4d46eeab2dab8d9ef3a18c96eb9b8ab8717fd0ccbe8d
03f7b3af2bf5e87b1c975459f64756b7a79baa18d42d90f0e0cae4599d08fe90
043c30b9943b579599eb43e475c1d25ede670783c187700a3e7bbdb26bfeea63
04eb47a0bd5b0f3cc4eee02186545267cfed907b9eb9c496b771e95b48554060
058f0d75c3422806327c0a7d4834481e69b1e92b080aa260361c3702e5469e7b
0648fd62ac4c8b83f30aba65893b6b9598a7186a1ad55c39b4c7055d17702053
06bc99dec80527c04d4c623ab723f162d794c019b426a017d7ad41d83e055357
074729717198ab9a66bf4da155e5d4fdc5c430c60f344e64b7de97e57f344c4d
0763bb050181bab831d844067d18dc1492d0500a491664c3f9b90e19e6d2b781
08094e18e7913ca6c8eaf4cd94927fbd099c45c889cd65e4fd67ce2009c97725
095a0557fade67da6e340307af110014f915168df9b124a9fec1f197d52c4640
0a570f1ebd5fe52d306ce5a3b4bd19d399f2fcbe7002dff34a3d6bfff905e584
0b68ddbf260f48f30b24dd0f11e76572c5b10cf48abdb8f99de3d1d1c2e841de
0c37b22edd74cda6accb4f7a2325f149a78ccf5cb81af509714c202729815020
0c80ed840ae70061a0cc5ccd1f3c12832e3a51a5e937a5be3319c6fbbb47360e
0dbcd43911ae093ae0fb18adbe4488c7260e7dc8f4217241fd3ae5de7b795b9f
1022b2e11bd77dd96b27522ec5c889746c75c9a8eadf58e5396fa87da10e8331
10abdec91ee97c257bfe44b29232ea57a485d3d1cc72f8f706f3ed586910434b

*See JSON for more IOCs

Coverage

Product    Protection

Secure Endpoint
Cloudlock    N/A
CWS
Email Security
Network Security
Stealthwatch    N/A
Stealthwatch Cloud    N/A
Secure Malware Analytics
Umbrella    N/A
WSA

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Kuluoz-9957187-0

Indicators of Compromise

IOCs collected from dynamic analysis of 15 samples

Registry Keys    Occurrences

<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'>    15
<HKCU>\SOFTWARE\FVXBJPWU
    Value Name: vcariano    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: llqjxikf    1
<HKCU>\SOFTWARE\PWWTTVLV
    Value Name: twekalil    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: xxdfmerx    1
<HKCU>\SOFTWARE\EWMGTFIM
    Value Name: anxufehi    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: nqrwcsef    1
<HKCU>\SOFTWARE\WFPJGFQR
    Value Name: vjiwxwuh    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: wddfjook    1
<HKCU>\SOFTWARE\DRBVCKTP
    Value Name: lpeeclca    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: igudfpld    1
<HKCU>\SOFTWARE\TBTCBEWS
    Value Name: qbdbpkdf    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: ddgljbjp    1
<HKCU>\SOFTWARE\ATTOEKEN
    Value Name: euvumrrn    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: kxadigun    1
<HKCU>\SOFTWARE\NWOLGMSD
    Value Name: okhudfoo    1
<HKCU>\SOFTWARE\SXPMECNO
    Value Name: vbuvphur    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: bshrfueu    1
<HKCU>\SOFTWARE\NAFNCVOV
    Value Name: iatqgcgc    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: lnxhasuw    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: oxviaxao    1
<HKCU>\SOFTWARE\BPLLBGMG
    Value Name: aqonboar    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: iurwprlq    1
<HKCU>\SOFTWARE\BEOHVVNC
    Value Name: mujhuapl    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: qsmriksl    1

Mutexes    Occurrences

aaAdministrator    15

IP Addresses contacted by malware. Does not indicate maliciousness    Occurrences

162[.]209[.]14[.]32    12
222[.]124[.]143[.]12    10
176[.]123[.]0[.]160    9
173[.]255[.]197[.]31    9
46[.]105[.]117[.]13    8
195[.]5[.]208[.]87    8
195[.]65[.]173[.]133    5
64[.]128[.]16[.]144    5

Files and or directories created    Occurrences

%LOCALAPPDATA%\<random, matching '[a-z]{8}'>.exe    15

File Hashes

060286b4d0f8a14abe1ef08c1b3298eedd6ca8d7136514cbd28a64a80e4e5dd3
0dd7adbeab2b75d5d1e9d00ac3f59ac9e67dd4a7e2ac763e2de683d368b9f7ef
150f82c49d0a42de8a82632bb18077078076e9ba378291e5654e6cf0b14fb351
2c00d6f49dcc5bafbd868cf5c3894ddb21aa2216c54bfe148a7b861723c47a65
34f0305175ea18e197c488b450535c0cd8db1eccebdd6ecb2a2996fc813f14e7
4f4ccbcab032d9c6b8c97b452027d976b6dca4dd3c4237b8a3532f3d11bebd64
6ac1fa955677a1012e17bb3f35acf922f50d1f8810e94939ba2074756948aeae
81ce4d06b1af27b542e809e4e9f8e188782d4d14edf2a2dc94d9c857fe0c0560
8ef2563081b7dfd5e6c7c5d502b06e0d4c9fdf405b0fddbd60aff47a688e3a68
933f42380d718778039317a56fea346fbca1b07353edf46a97692ca4a6e20ba6
c9d671789d74e64450c9f33c2bb45a3337ce40ba06eb5632471fe624e2872616
cbf0ec5ad28bc4c6d44057398b3232fd519229ead06b88260b7b2d50bd5d95ac
d178feddad4373a848f2fe9361b96ef7a907e1b1bd5127a5bb74926bb270d1a1
f22ba989587086403663558e7912a43b3a339f67ad42654b93c95e9120532de9
f3e21ed6c8cfc19a65076b58eddfe69683268b704649a47b513f5ef61368fe38

Coverage

Product    Protection

Secure Endpoint
Cloudlock    N/A
CWS
Email Security
Network Security    N/A
Stealthwatch    N/A
Stealthwatch Cloud    N/A
Secure Malware Analytics
Umbrella    N/A
WSA    N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.DarkComet-9957280-1

Indicators of Compromise

IOCs collected from dynamic analysis of 12 samples

Registry Keys    Occurrences

<HKCU>\SOFTWARE\DC3_FEXEC    10

Mutexes    Occurrences

DC_MUTEX-F75JL20    10

Files and or directories created    Occurrences

%TEMP%\Crypted.exe    12

File Hashes

0753d1475d7a3779684afe69f76ff81d7da01766fd34d85a23c1455008546108
0c7c5afce5165fd6be988f7aabe03abdbfdd8f0671dfe7f4b9fa73f243c9a9f1
238022cdf5b4fc75ecbb0db1654586b4686b43fcbabbcb17fec891879cdf3ba8
27bbe0f40ecf946a841f727101d707d57aadc31e4e5ca8699fe67aa61568c9b3
318eb4c14be4777bb921bbe44c1f7512d910c344fe4dbdfa373746cc7e767b1b
5631d5b53191510f47896a6fc0e9ba21e973cd35f25b21d26b984c1a46a7aca5
b45c2ab96c70d2beb2fda40032e1695324278c39918b0a8dfa3474a667c6312d
b8adaf25ff8faa4c00b08993080daad260a6ba124199c020deabc8e38e636a3f
c5469b740d9c2c7ffde2ea1e606fe044b87c4b21b4a502fdf63a7fd02aabc426
e36abaab1b6871ccb3ea2331168c7f04627f6861964b87b047241d79d56e664b
e5daaf2b2c3c03711c622d482e0274ff1d4dbe3909969992864f2ea73c77ea8a
ff107b513ffcf70490a9cef3e594bc15aba3c3f573e7b792d257f6e3188bf236

Coverage

Product    Protection

Secure Endpoint
Cloudlock    N/A
CWS
Email Security
Network Security    N/A
Stealthwatch    N/A
Stealthwatch Cloud    N/A
Secure Malware Analytics
Umbrella    N/A
WSA    N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Trojan.Sality-9957294-1

Indicators of Compromise

IOCs collected from dynamic analysis of 23 samples

| Registry Key | Value Name | Occurrences |
|---|---|---|
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED | Hidden | 23 |
| <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER | AntiVirusOverride | 23 |
| <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER | AntiVirusDisableNotify | 23 |
| <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER | FirewallDisableNotify | 23 |
| <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER | FirewallOverride | 23 |
| <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER | UpdatesDisableNotify | 23 |
| <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER | UacDisableNotify | 23 |
| <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\SVC | AntiVirusOverride | 23 |
| <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\SVC | AntiVirusDisableNotify | 23 |
| <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\SVC | FirewallDisableNotify | 23 |
| <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\SVC | FirewallOverride | 23 |
| <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\SVC | UpdatesDisableNotify | 23 |
| <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\SVC | UacDisableNotify | 23 |
| <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM | EnableLUA | 23 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE | EnableFirewall | 23 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE | DoNotAllowExceptions | 23 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE | DisableNotifications | 23 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST | C:\Windows\SysWOW64\msiexec.exe | 23 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST | C:\Windows\SysWOW64\svchost.exe | 23 |
| <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN | | 23 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST | | 23 |
| <HKCU>\SOFTWARE\AASPPAPMMXKVS\-993627007 | -757413758 | 21 |
| <HKCU>\SOFTWARE\AASPPAPMMXKVS\-993627007 | 1011363011 | 21 |
| <HKCU>\SOFTWARE\AASPPAPMMXKVS\-993627007 | -1514827516 | 21 |
| <HKCU>\SOFTWARE\AASPPAPMMXKVS\-993627007 | 253949253 | 21 |
                
            
| Mutexes | Occurrences |
|---|---|
| uxJLpe1m | 23 |
| smss.exeM_204_ | 15 |
| <process name>.exeM_<pid>_ | 3 |
                         
            
| IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences |
|---|---|
| 20[.]72[.]235[.]82 | 14 |
| 23[.]207[.]52[.]109 | 13 |
| 23[.]207[.]56[.]109 | 10 |
| 20[.]109[.]209[.]108 | 9 |
| 20[.]103[.]85[.]33 | 9 |
| 20[.]81[.]111[.]85 | 8 |
| 20[.]84[.]181[.]62 | 5 |
| 20[.]53[.]203[.]50 | 1 |
                          
            
| Domain Names contacted by malware. Does not indicate maliciousness | Occurrences |
|---|---|
| support[.]microsoft[.]com | 23 |
| updatewindows[.]net | 23 |
                          
            
| Files and or directories created | Occurrences |
|---|---|
| \4091535952 | 23 |
| %SystemRoot%\system.ini | 19 |
| %ProgramData%\dxwaolen.exe | 1 |
| %ProgramData%\dxfbqp.exe | 1 |
| %ProgramData%\dxpxcwowo.exe | 1 |
| %ProgramData%\dxdaph.exe | 1 |
| %ProgramData%\dxiybfjm.exe | 1 |
| %ProgramData%\dxuiyaear.exe | 1 |
| %ProgramData%\dxrflamrh.exe | 1 |
| %ProgramData%\dxiaolh.exe | 1 |
| %ProgramData%\dxczvbx.exe | 1 |
| %ProgramData%\dxezxtat.exe | 1 |
| %ProgramData%\dxayaahen.exe | 1 |
| %ProgramData%\dxvdovort.exe | 1 |
| %ProgramData%\dxupnglb.exe | 1 |
| %ProgramData%\dxzliuhie.exe | 1 |
| %ProgramData%\dxvros.exe | 1 |
| %ProgramData%\dxxakx.exe | 1 |
| %ProgramData%\dxueoa.exe | 1 |
| %ProgramData%\dxoupe.exe | 1 |
| %ProgramData%\dxhbtsa.exe | 1 |
| %ProgramData%\dxquorfdh.exe | 1 |
| %ProgramData%\dxyjlzmr.exe | 1 |
| %ProgramData%\dxwetlif.exe | 1 |
| %ProgramData%\dxcmiazi.exe | 1 |

File Hashes

155b235838bb38a009d3959a22afeefe29990bf08b886d450d5523a1e8ef52e9
1ab9fcb9422511f11ce386dd89602256b4423cc13df20d8cae15cf74ac96899c
1ebee245aa20139a5c0d78869e42cb7700b2c746fe554000dc24fd6d79b2dc7a
37ef12da9294aa84a551a49705c9aaeffa3e440ac9183e670aaae18de6f0cee9
38690107fc5ab4fc661469ab6d179f6a8f98ffc6abeeae8e8fb879fa24c92818
3c73ee4a0a2a9d2f78dd95d11df24a3d27c3a14ff2e6f56e014f10d0832bb869
4888ce37000aa2d5029dcdf080efb7ccf3b4ba347ee24103df15a3cb9be4dc5b
4d9868767a8260a2c0f663eb424f491de8cc1706ade137c59ce84c9da5e15e50
541a54f29dbcd3412f244a16098acf87f466699a5832270e4d7d642b067c32a1
56ecf33836287e107f9bda8a3522fddf9cc699f6e291990ab66753d692ac92b2
605c9f1b05b0b47ed4e99a34a526adfed8eb56ce724815fd207708c94313883e
6e99fec151c58577d9360fd6f846a0e436907258ad24b0117be07ab438b89abb
79e56d2705ee36750de0b2b521777d73ea3fec9faca7ca78a39c06ac5e689b0a
7bd446737e62430c0ed764392c1573c8b3b81ac3c969a473a7cab9849302eff4
83f4e46b5dd1811bd62b184710cb206ab7ac5ae0a52a797745fe400cde4ed2f4
8a99d2f8e63dc8bdfe9c10be15e65a881e473afa45dc349ad8a9bf387cb90e91
8f618126cfbdd291e149f978420a885cbc31876de6771c78a32b60edf47225a6
9c447450d5f5767d268341ebd7fdf3e50b302bae87d7ea1ca7ffc45d81b271ac
aca2c69def78f145126fd8f2a9e88326ee74c80e59b704dd5a48a3de91effe94
c9216a18da434cd1d24b0e57e2f1236d3ebcd9d38d4b772153db4bb60a661b54
da3ee20e162f6ee44397e737ca1f7c3d371f41075414c959ddbdbb4d06dfbd94
e15c93bf9e1f8ad217103c0d9156cabc5a923ba3bf177b7cde178854a1efb243
f254301a5209750c391375336d9b93e19b45e557e0cd97a504df6b22d52facce

Coverage

| Product | Protection |
|---|---|
| Secure Endpoint | |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Secure Malware Analytics | |
| Umbrella | N/A |
| WSA | N/A |

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK


The most prevalent threats highlighted in this roundup are:

| Threat Name | Type | Description |
|---|---|---|
| Win.Dropper.Shiz-9957065-0 | Dropper | Shiz is a remote access trojan that allows an attacker to access an infected machine in order to harvest sensitive information. It is commonly spread via droppers or by visiting a malicious site. |
| Win.Dropper.Tofsee-9957067-0 | Dropper | Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages to infect additional systems and increase the size of the botnet under the operator’s control. |
| Win.Ransomware.TeslaCrypt-9957356-0 | Ransomware | TeslaCrypt is a well-known ransomware family that encrypts a user’s files with strong encryption and demands Bitcoin in exchange for a file decryption service. A flaw in the encryption algorithm was discovered that allowed files to be decrypted without paying the ransom, and eventually, the malware developers released the master key allowing all encrypted files to be recovered easily. |
| Win.Virus.Expiro-9957505-0 | Virus | Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks. |
| Win.Dropper.Kuluoz-9957187-0 | Dropper | Kuluoz, sometimes known as “Asprox,” is a modular remote access trojan that is also known to download and execute follow-on malware, such as fake antivirus software. Kuluoz is often delivered via spam emails pretending to be shipment delivery notifications or flight booking confirmations. |
| Win.Dropper.DarkComet-9957280-1 | Dropper | DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. This malware can download files from a user’s machine and contains mechanisms for persistence and hiding. It also sends back usernames and passwords from the infected system. |
| Win.Trojan.Sality-9957294-1 | Trojan | Sality is a file infector that establishes a peer-to-peer botnet. Although it’s been prevalent for over a decade, we continue to see new samples that require marginal attention to remain consistent with detection. Once perimeter security has been bypassed by a Sality client, the end goal is to execute a downloader component capable of executing additional malware. |

Threat Breakdown

Win.Dropper.Shiz-9957065-0

Indicators of Compromise

IOCs collected from dynamic analysis of 27 samples

| Registry Key | Value Name | Occurrences |
|---|---|---|
| <HKLM>\SOFTWARE\MICROSOFT | 67497551a | 27 |
| <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON | 98b68e3c | 27 |
| <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON | userinit | 27 |
| <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON | System | 27 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS | load | 27 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS | run | 27 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | userinit | 27 |

| Mutexes | Occurrences |
|---|---|
| Global\674972E3a | 27 |
| Global\MicrosoftSysenterGate7 | 27 |
| internal_wutex_0x000000e0 | 27 |
| internal_wutex_0x0000038c | 27 |
| internal_wutex_0x00000448 | 27 |
| internal_wutex_0x<random, matching [0-9a-f]{8}> | 15 |
| internal_wutex_0x00000640 | 12 |

| IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences |
|---|---|
| 13[.]107[.]21[.]200 | 19 |
| 45[.]79[.]19[.]196 | 8 |
| 72[.]14[.]185[.]43 | 7 |
| 96[.]126[.]123[.]244 | 5 |
| 45[.]33[.]23[.]183 | 5 |
| 45[.]33[.]18[.]44 | 5 |
| 45[.]56[.]79[.]23 | 4 |
| 45[.]33[.]2[.]79 | 4 |
| 45[.]33[.]20[.]235 | 4 |
| 198[.]58[.]118[.]167 | 3 |
| 45[.]33[.]30[.]197 | 3 |
| 85[.]94[.]194[.]169 | 2 |
| 173[.]255[.]194[.]134 | 2 |
| 72[.]14[.]178[.]174 | 2 |

| Domain Names contacted by malware. Does not indicate maliciousness | Occurrences |
|---|---|
| vocijekyqiv[.]eu | 27 |
| foxofewuteq[.]eu | 27 |
| nozapekidis[.]eu | 27 |
| makymykakic[.]eu | 27 |
| galerywogej[.]eu | 27 |
| qeguxylevus[.]eu | 27 |
| rydohyluruc[.]eu | 27 |
| lysafurisam[.]eu | 27 |
| kefilyrymaj[.]eu | 27 |
| purumulazux[.]eu | 27 |
| ciqivutevam[.]eu | 27 |
| vopycyfutoc[.]eu | 27 |
| fotulybidyq[.]eu | 27 |
| norijyfohop[.]eu | 27 |
| mamasufexix[.]eu | 27 |
| gaqofubakeh[.]eu | 27 |
| jenerunybem[.]eu | 27 |
| qebequgyqip[.]eu | 27 |
| kevybunureh[.]eu | 27 |
| rycucugisix[.]eu | 27 |
| tulojigakit[.]eu | 27 |
| lyxilunogem[.]eu | 27 |
| xukafinezeg[.]eu | 27 |
| pujepigeviz[.]eu | 27 |
| cihyrimymen[.]eu | 27 |

*See JSON for more IOCs

| Files and or directories created | Occurrences |
|---|---|
| %TEMP%\<random, matching [A-F0-9]{1,4}>.tmp | 27 |

File Hashes

0067560aba08824dfeb770ca27e3d0e1ece982b8460187f8d9b5a141436577d8
00b97ecd94f57d5a56cdf81df2b5031886913dc017b0d089ea453db9fbf84a41
00e5836b518919f036f5757d5d7fb19b8deec74d1b9f4974e832e72d24158620
019e5844590d1519e9e75d605dac69e3216eab3395d64edae9682f522a02680e
054c5a47542510462512167f374d1bca1ad18d04c26cb7d94a2fce9d7646438a
072b0b3d68b21de76ceb5296f3dba4cb9741f59dacf8b1e7d7bc06976da86149
0772ed398daf5d48a638ad446bb989c5ce74319f9c364c933ab5917572123388
09825454a9f3e88b69f21307efa2e6093f2394d9e5a246ba87547e15a2d4ac86
09fce5411ee6353ddaa268c2e49a3557546dc2c83fcba0a6292a640498facf82
0a07532300d240f7346be75bc5e44d130f7dab376de86ea2ea385bc8cf86d425
0b2b2c70f849d8edbc124f00879fd5ed3ed6c86253bc3c4851885467974fd567
0c22d4fe5ddbecded7048875e9a7e0cdddd5198350aa8dfc7048b9cb24d49022
0d36aa152877523190d50d72eb7c383e27312286cda6eedc3feaaa9c7b407a8c
0d53b772610ba18ea4b296d94b33730e1f16f82e81719d887b303d5ffd0bb724
0d9e7df2c3f7ee39261b2b5af1e70d924ff931473bdc795b0cad29fbcf65d22b
0db7fb425f0e5fe4fe7cc0e9f155a1bb6fa36469487274418e0cf10350264248
0e54984099f81c595ff7ced76bef3bc8547731f8f0e12c298437f08774fffcb4
139be07d5ad7673637d6249789061171692738737023c86a35e9332000f8cac2
1517de689fc7d424de67c20031ee04cff3fc878e1ebe0e8545df14efb159a98b
15f23b0f7665d6092eaee9b28bcbc43086e652cb35633cfaa2f061d9d5b4b3b0
1905329fc88cff0c323d75d844050dddf71f085b1b031cd78eb286e3b49aa30a
198d9692d11bffc2a5c5dd4504f7fa13743a25d785e08d0cab9073142900c45e
19e233e3a11bcc6916977b99cb89df850230812a7087fb9b11b9b4ed0f33c2f3
1eed66a3938ff9a7dd07a443c0922b54d71877463ad0429123e902e97acc3523
213fe1fdb10d80b6abd770e2020913ad6a1872411224fccff3aa58d334414040

*See JSON for more IOCs
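The IOC tables in this roundup use a notation that has to be normalised before it can be matched against telemetry: dots are defanged as `[.]`, some IPs carry a CIDR suffix, file paths use environment placeholders such as %TEMP%, and randomised names appear as `<random, matching REGEX>` or `<pid>`. The Python below is an added example, not code from the Talos post or its JSON tooling: it converts that notation into matchers and runs them over a few constructed log lines. The log format, the field names and the small IOC subset it embeds are this example's assumptions.

```python
"""Turn this roundup's IOC notation into matchers and run them over log lines."""
import ipaddress
import re
from typing import Iterable

# Constructed IOC set in the page's own notation (a small subset of the tables).
SAMPLE_IOCS = {
    "ip": ["13[.]107[.]21[.]200", "31[.]41[.]244[.]126/31"],
    "domain": ["vocijekyqiv[.]eu", "updatewindows[.]net"],
    "file": [r"%TEMP%\<random, matching [A-F0-9]{1,4}>.tmp", r"%ProgramData%\dxwaolen.exe"],
    "mutex": [r"Global\MicrosoftSysenterGate7", r"internal_wutex_0x<random, matching [0-9a-f]{8}>"],
}

# Constructed endpoint and DNS log lines (not real telemetry); format is an assumption.
SAMPLE_LOG = [
    "2022-07-25T10:01:02Z host1 dns_query vocijekyqiv.eu",
    r"2022-07-25T10:01:03Z host1 file_create C:\Users\bob\AppData\Local\Temp\3F2A.tmp",
    "2022-07-25T10:01:04Z host1 net_connect 31.41.244.127:443",
    "2022-07-25T10:01:05Z host1 mutex_create internal_wutex_0x0000038c",
    r"2022-07-25T10:01:06Z host1 file_create C:\Users\bob\AppData\Local\Temp\report.docx",
    "2022-07-25T10:01:07Z host2 net_connect 13.107.21.201:443",
    "2022-07-25T10:01:08Z host2 dns_query support.microsoft.com",
]

# Placeholders used in the tables: "<random, matching R>", "<pid>", other <...>, %ENVVAR%.
_PLACEHOLDER = re.compile(r"<random, matching '?(.+?)'?>|<pid>|<[^<>]+>|%[A-Za-z]+%")
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(ioc: str) -> str:
    """Undo the [.] defanging used in the tables: "1[.]2[.]3[.]4" -> "1.2.3.4"."""
    return ioc.replace("[.]", ".")


def template_to_regex(ioc: str, flags: int = 0) -> "re.Pattern[str]":
    """Compile a file or mutex IOC template into a regex.

    Literal text is escaped; "<random, matching R>" becomes (?:R); "<pid>" becomes
    a run of digits; any other <placeholder> or %ENVVAR% becomes a non-greedy wildcard.
    """
    parts, pos = [], 0
    for m in _PLACEHOLDER.finditer(ioc):
        parts.append(re.escape(ioc[pos:m.start()]))
        if m.group(1) is not None:        # <random, matching R>
            parts.append(f"(?:{m.group(1)})")
        elif m.group(0) == "<pid>":
            parts.append(r"\d+")
        else:                             # <process name>, %TEMP%, %ProgramData%, ...
            parts.append(r".+?")
        pos = m.end()
    parts.append(re.escape(ioc[pos:]))
    return re.compile("".join(parts), flags)


def domain_regex(domain: str) -> "re.Pattern[str]":
    """Match the domain, or a subdomain of it, as a whole name rather than a substring."""
    return re.compile(r"(?<![\w-])" + re.escape(refang(domain)) + r"(?![\w-])", re.IGNORECASE)


def build_matchers(iocs: dict) -> dict:
    """Pre-compile every IOC once; each entry keeps the IOC as written for reporting."""
    return {
        "ip": [(i, ipaddress.ip_network(refang(i), strict=False)) for i in iocs.get("ip", [])],
        "domain": [(d, domain_regex(d)) for d in iocs.get("domain", [])],
        # Windows paths are case-insensitive; mutex names are not.
        "file": [(f, template_to_regex(f, re.IGNORECASE)) for f in iocs.get("file", [])],
        "mutex": [(m, template_to_regex(m)) for m in iocs.get("mutex", [])],
    }


def scan(lines: Iterable[str], iocs: dict = SAMPLE_IOCS) -> list:
    """Return (line_number, ioc_kind, ioc_as_written) for every hit, in log order."""
    matchers = build_matchers(iocs)
    hits = []
    for n, line in enumerate(lines, 1):
        for token in _IPV4.findall(line):
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:            # e.g. 999.1.1.1 slipped past the loose regex
                continue
            hits.extend((n, "ip", raw) for raw, net in matchers["ip"] if addr in net)
        for kind in ("domain", "file", "mutex"):
            hits.extend((n, kind, raw) for raw, rx in matchers[kind] if rx.search(line))
    return hits


if __name__ == "__main__":
    for n, kind, raw in scan(SAMPLE_LOG):
        print(f"line {n}: {kind} IOC {raw}")
```

A CIDR entry such as 31[.]41[.]244[.]126/31 matches both addresses in the pair, a subdomain of a listed domain also fires, and a hit on one indicator is a lead to investigate rather than proof of infection, as the post itself cautions.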

Coverage

| Product | Protection |
|---|---|
| Secure Endpoint | |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Secure Malware Analytics | |
| Umbrella | |
| WSA | |

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Tofsee-9957067-0

Indicators of Compromise

IOCs collected from dynamic analysis of 17 samples

| Registry Key | Value Name | Occurrences |
|---|---|---|
| <HKU>\.DEFAULT\CONTROL PANEL\BUSES | Config4 | 4 |
| <HKU>\.DEFAULT\CONTROL PANEL\BUSES | | 4 |
| <HKU>\.DEFAULT\CONTROL PANEL\BUSES | Config0 | 4 |
| <HKU>\.DEFAULT\CONTROL PANEL\BUSES | Config1 | 4 |
| <HKU>\.DEFAULT\CONTROL PANEL\BUSES | Config2 | 4 |
| <HKU>\.DEFAULT\CONTROL PANEL\BUSES | Config3 | 4 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD | | 1 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD | Type | 1 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD | Start | 1 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD | ErrorControl | 1 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD | DisplayName | 1 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD | WOW64 | 1 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD | ObjectName | 1 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD | Description | 1 |
| <HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS | C:\Windows\SysWOW64\nxzuqihd | 1 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU | | 1 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU | Type | 1 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU | Start | 1 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU | ErrorControl | 1 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU | DisplayName | 1 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU | WOW64 | 1 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU | ObjectName | 1 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU | Description | 1 |
| <HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS | C:\Windows\SysWOW64\eoqlhzyu | 1 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TDFAWONJ | | 1 |
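The Sality table earlier on this page lists Security Center, UAC and firewall-policy values being written, and the Tofsee table above shows an eight-letter service whose image under SysWOW64 is also added to Windows Defender's exclusion paths. The Python below is an added example, not Talos code: it evaluates those two patterns against a registry snapshot supplied as a dict of (key, value name) -> data, as a hive parser or a converted `reg export` would produce. The snapshot contents, the data values the rules treat as "disabled" (for example EnableLUA = 0, or the Security Center flags set to 1) and the rule names are this example's assumptions; the roundup records which values were written, not what was written to them.

```python
"""Hunt a registry snapshot for the tamper and persistence keys listed in the tables."""
import re

# Security Center values from the Sality table. Assumption: the malware sets them to a
# non-zero value to suppress or override the warnings; the table only lists the names.
SECURITY_CENTER_FLAGS = {
    "AntiVirusOverride", "AntiVirusDisableNotify", "FirewallDisableNotify",
    "FirewallOverride", "UpdatesDisableNotify", "UacDisableNotify",
}
# System binaries the Sality table shows being added to the firewall's authorized list.
SYSTEM_BINARIES = {"svchost.exe", "msiexec.exe"}
# The Tofsee services in the table are eight letters under CONTROLSET00x\SERVICES.
_RANDOM_SERVICE = re.compile(r"^HKLM\\SYSTEM\\CONTROLSET\d+\\SERVICES\\([A-Z]{8})$")

# Constructed snapshot: (key, value_name) -> data. Data values are assumptions.
SAMPLE_SNAPSHOT = {
    (r"HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER", "AntiVirusOverride"): 1,
    (r"HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER", "FirewallDisableNotify"): 1,
    (r"HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\SVC", "UacDisableNotify"): 1,
    (r"HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM", "EnableLUA"): 0,
    (r"HKLM\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY"
     r"\STANDARDPROFILE", "EnableFirewall"): 0,
    (r"HKLM\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY"
     r"\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST",
     r"C:\Windows\SysWOW64\svchost.exe"): r"C:\Windows\SysWOW64\svchost.exe:*:Enabled:svchost",
    (r"HKLM\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD", "Start"): 2,
    (r"HKLM\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD", "ObjectName"): "LocalSystem",
    (r"HKLM\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS",
     r"C:\Windows\SysWOW64\nxzuqihd"): 0,
    # Benign entries that must not fire: a normal service and an administrator's exclusion.
    (r"HKLM\SYSTEM\CONTROLSET001\SERVICES\SPOOLER", "Start"): 2,
    (r"HKLM\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS", r"C:\Program Files\Backup"): 0,
}


def hunt(snapshot: dict) -> list:
    """Return (rule, key_or_service, value_names) findings for one snapshot."""
    findings = []
    services = {}          # lower-case eight-letter service name -> value names seen
    exclusions = set()     # lower-case Defender exclusion paths
    for (key, name), data in snapshot.items():
        k, n = key.upper(), name or ""
        if k.endswith((r"\MICROSOFT\SECURITY CENTER", r"\MICROSOFT\SECURITY CENTER\SVC")):
            if n in SECURITY_CENTER_FLAGS and data:
                findings.append(("security_center_suppressed", key, n))
        elif k.endswith(r"\POLICIES\SYSTEM") and n == "EnableLUA" and data == 0:
            findings.append(("uac_disabled", key, n))
        elif k.endswith(r"\FIREWALLPOLICY\STANDARDPROFILE"):
            if ((n == "EnableFirewall" and data == 0)
                    or (n in ("DoNotAllowExceptions", "DisableNotifications") and data)):
                findings.append(("firewall_tampered", key, n))
        elif k.endswith(r"\AUTHORIZEDAPPLICATIONS\LIST"):
            if n.rsplit("\\", 1)[-1].lower() in SYSTEM_BINARIES:
                findings.append(("system_binary_firewall_exception", key, n))
        elif k.endswith(r"\WINDOWS DEFENDER\EXCLUSIONS\PATHS"):
            exclusions.add(n.lower())
        else:
            m = _RANDOM_SERVICE.match(k)
            if m:
                services.setdefault(m.group(1).lower(), set()).add(n)
    # An eight-letter service name on its own is weak (legitimate ones exist), so require
    # that its SysWOW64 image is also excluded from Defender, as in the Tofsee table.
    for svc, names in sorted(services.items()):
        if f"c:\\windows\\syswow64\\{svc}" in exclusions:
            findings.append(("random_service_with_defender_exclusion", svc, ",".join(sorted(names))))
    return findings


if __name__ == "__main__":
    for rule, where, what in hunt(SAMPLE_SNAPSHOT):
        print(f"{rule}: {where} [{what}]")
```

The Security Center rule deliberately matches both the SECURITY CENTER key and its SVC subkey, because the Sality table shows the same six values written under each; the Defender-exclusion check is what separates a Tofsee-style service from an ordinary eight-letter service name such as SCHEDULE.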

| Mutexes | Occurrences |
|---|---|
| Global\07ada3c1-08f4-11ed-b5f8-00501e3ae7b6 | 1 |
| Global\067cf3c1-08f4-11ed-b5f8-00501e3ae7b6 | 1 |
| Global\08e8d341-08f4-11ed-b5f8-00501e3ae7b6 | 1 |

| IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences |
|---|---|
| 212[.]77[.]101[.]4 | 4 |
| 142[.]250[.]72[.]100 | 4 |
| 31[.]41[.]244[.]82 | 4 |
| 31[.]41[.]244[.]85 | 4 |
| 80[.]66[.]75[.]254 | 4 |
| 80[.]66[.]75[.]4 | 4 |
| 31[.]41[.]244[.]128 | 4 |
| 31[.]41[.]244[.]126/31 | 4 |
| 185[.]165[.]123[.]13 | 4 |
| 208[.]71[.]35[.]137 | 3 |
| 208[.]76[.]51[.]51 | 3 |
| 216[.]146[.]35[.]35 | 3 |
| 199[.]5[.]157[.]131 | 3 |
| 208[.]76[.]50[.]50 | 3 |
| 195[.]46[.]39[.]39 | 3 |
| 23[.]90[.]4[.]6 | 3 |
| 194[.]25[.]134[.]8 | 3 |
| 144[.]160[.]235[.]143 | 3 |
| 193[.]222[.]135[.]150 | 3 |
| 209[.]244[.]0[.]3 | 3 |
| 119[.]205[.]212[.]219 | 3 |
| 67[.]231[.]152[.]94 | 3 |
| 31[.]13[.]65[.]174 | 3 |
| 117[.]53[.]116[.]15 | 3 |
| 172[.]253[.]115[.]26/31 | 3 |

*See JSON for more IOCs

| Domain Names contacted by malware. Does not indicate maliciousness | Occurrences |
|---|---|
| 249[.]5[.]55[.]69[.]bl[.]spamcop[.]net | 4 |
| 249[.]5[.]55[.]69[.]cbl[.]abuseat[.]org | 4 |
| 249[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net | 4 |
| 249[.]5[.]55[.]69[.]in-addr[.]arpa | 4 |
| 249[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org | 4 |
| 249[.]5[.]55[.]69[.]zen[.]spamhaus[.]org | 4 |
| microsoft-com[.]mail[.]protection[.]outlook[.]com | 4 |
| microsoft[.]com | 4 |
| www[.]google[.]com | 4 |
| whois[.]arin[.]net | 4 |
| whois[.]iana[.]org | 4 |
| aspmx[.]l[.]google[.]com | 4 |
| wp[.]pl | 4 |
| ameritrade[.]com | 4 |
| mxa-000cb501[.]gslb[.]pphosted[.]com | 4 |
| mx[.]wp[.]pl | 4 |
| svartalfheim[.]top | 4 |
| www[.]instagram[.]com | 3 |
| mta5[.]am0[.]yahoodns[.]net | 3 |
| hanmail[.]net | 3 |
| freenet[.]de | 3 |
| korea[.]com | 3 |
| t-online[.]de | 3 |
| o2[.]pl | 3 |
| nate[.]com | 3 |

*See JSON for more IOCs
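The Tofsee domain list above shows the bot querying an octet-reversed address (249[.]5[.]55[.]69, the form blocklists expect) against five DNS blocklist zones and resolving the mail hosts of many providers, which is what a spam module does before it starts sending. The Python below is an added example, not Talos code, that flags a client doing both from a resolver log. A legitimate mail server also performs blocklist lookups on inbound senders, so the rule fires only when the same client also resolves MX records for several different domains. The log format (timestamp, client, query name, query type), the thresholds and the sample lines are this example's assumptions.

```python
"""Flag clients that check an IP against spam blocklists and fan out MX lookups."""
from collections import defaultdict
import re

# Blocklist zones from the Tofsee domain table, queried as <reversed-IP>.<zone>.
DNSBL_ZONES = ("bl.spamcop.net", "cbl.abuseat.org", "dns bl.sorbs.net".replace(" ", ""),
               "sbl-xbl.spamhaus.org", "zen.spamhaus.org")
_REVERSED_IP = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(.+)$")

# Constructed resolver log, "<timestamp> <client> <qname> <qtype>" (assumed format).
SAMPLE_DNS_LOG = [
    "2022-07-26T08:00:00Z 10.0.0.7 249.5.55.69.zen.spamhaus.org A",
    "2022-07-26T08:00:00Z 10.0.0.7 249.5.55.69.sbl-xbl.spamhaus.org A",
    "2022-07-26T08:00:01Z 10.0.0.7 249.5.55.69.bl.spamcop.net A",
    "2022-07-26T08:00:01Z 10.0.0.7 249.5.55.69.cbl.abuseat.org A",
    "2022-07-26T08:00:01Z 10.0.0.7 249.5.55.69.dnsbl.sorbs.net A",
    "2022-07-26T08:00:02Z 10.0.0.7 249.5.55.69.in-addr.arpa PTR",
    "2022-07-26T08:00:03Z 10.0.0.7 microsoft.com MX",
    "2022-07-26T08:00:03Z 10.0.0.7 wp.pl MX",
    "2022-07-26T08:00:03Z 10.0.0.7 hanmail.net MX",
    "2022-07-26T08:00:03Z 10.0.0.7 freenet.de MX",
    "2022-07-26T08:00:04Z 10.0.0.7 t-online.de MX",
    "2022-07-26T08:00:04Z 10.0.0.7 o2.pl MX",
    "2022-07-26T08:00:04Z 10.0.0.7 nate.com MX",
    "2022-07-26T08:00:04Z 10.0.0.7 aspmx.l.google.com A",
    # A real mail server screening one inbound sender (203.0.113.5): two zones, no MX fan-out.
    "2022-07-26T08:00:05Z 10.0.0.25 5.113.0.203.zen.spamhaus.org A",
    "2022-07-26T08:00:05Z 10.0.0.25 5.113.0.203.bl.spamcop.net A",
    "2022-07-26T08:00:06Z 10.0.0.25 example.org MX",
    "2022-07-26T08:00:07Z 10.0.0.9 www.google.com A",
]


def parse_dnsbl_query(qname: str):
    """Return (ip, zone) for a <reversed-ip>.<blocklist zone> query, else None."""
    m = _REVERSED_IP.match(qname)
    if not m or m.group(5).lower() not in DNSBL_ZONES:
        return None
    ip = ".".join(m.group(i) for i in (4, 3, 2, 1))   # undo the octet reversal
    return ip, m.group(5).lower()


def analyze(lines, min_zones: int = 3, min_mx: int = 5) -> list:
    """Flag clients querying >= min_zones blocklists for one IP and >= min_mx MX names."""
    per_client = defaultdict(lambda: {"zones": defaultdict(set), "mx": set()})
    for line in lines:
        _ts, client, qname, qtype = line.split()
        rec = per_client[client]
        hit = parse_dnsbl_query(qname)
        if hit:
            ip, zone = hit
            rec["zones"][ip].add(zone)
        elif qtype.upper() == "MX":
            rec["mx"].add(qname.lower())
    findings = []
    for client, rec in per_client.items():
        for ip, zones in rec["zones"].items():
            if len(zones) >= min_zones and len(rec["mx"]) >= min_mx:
                findings.append({"client": client, "checked_ip": ip,
                                 "dnsbl_zones": sorted(zones), "mx_domains": len(rec["mx"])})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_DNS_LOG):
        print(finding)
```

Tune `min_mx` to the environment: on a network whose only legitimate MX resolver is the mail gateway, a workstation resolving even two or three MX records is already worth a look.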

| Files and or directories created | Occurrences |
|---|---|
| %SystemRoot%\SysWOW64\config\systemprofile | 4 |
| %SystemRoot%\SysWOW64\config\systemprofile:.repos | 4 |
| %SystemRoot%\SysWOW64\nxzuqihd | 1 |
| %SystemRoot%\SysWOW64\eoqlhzyu | 1 |
| %SystemRoot%\SysWOW64\tdfawonj | 1 |
| %SystemRoot%\SysWOW64\hrtokcbx | 1 |
| %TEMP%\oacsevkh.exe | 1 |
| %TEMP%\htrzurov.exe | 1 |
| %TEMP%\rzwntxyj.exe | 1 |
| %TEMP%\mcilsztg.exe | 1 |

File Hashes

1b64011f2f80b0ded096cbdb81c2bdac9786dc8a4ea7425b15547bdca34e043f
34c17bb102b2ed718471668da1ddc7daf397175979582942bf89d8e272cfa141
59bdcd1599938f1c5c2845d1fef198a0d97b03744432fc6705c9c67f13eedab4
64d6709c3cfbf8765e9434abfe6fc8bad67d87a3e4fe0622e68aa1d15aac8d6b
6857bce2c5f73e1d1bc4b14cb7b281beb33fed8cb580a43f236460c2af0e65e2
6eb7dd7f943a22822b0aaef6301d32b54eb43e432070c41b7d3c6a3d041ec8b3
6f3ef01ce9f2896b54c06fe4cd5e5769dda3a958868557a20469feb21c7e1273
79699aa58081b925c0b75140f0110f3ebf9a47e9bc8ba1699d53d7b14cb49591
7e2975f6cb11bb324bd49ec6fd4b77478e3488bf99fe623851a29f06e9b1fb37
89974e5d8be578da3cc6c0a33398659aabb160cdb03f7158066969f430dab796
9449f5dd9a6728664a3be973ccb91adbf64ffe980ff96de05a0419eb0a77bbd7
b77c2b3942f50e8fef2440481de894d506418f7a7c35fb29d40cfa8ce795ebf4
cbbc899843ca8f5908c27645960a33952fbecbf3d5cefc5054ab1dd023bb8582
d0596ec9d08cdd81f86e07d5ab70b518c6ca23a9ed4f557d041d3307b3ca7020
d518bbcb40208cfd7cbb6965e1647fabd5f65f2f1c1520e1217996957a1ada8d
e6411e18f8a1096f9b5d7528a24f6acdf1f97d120dd0dae4d76703c8eb5e4040
efced050e17235d050db86e0d763a07cfff375771d586736bbd17520725f1ebf

Coverage

| Product | Protection |
|---|---|
| Secure Endpoint | |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Secure Malware Analytics | |
| Umbrella | N/A |
| WSA | |

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Ransomware.TeslaCrypt-9957356-0

Indicators of Compromise

IOCs collected from dynamic analysis of 25 samples

| Registry Key | Value Name | Occurrences |
|---|---|---|
| <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM | EnableLinkedConnections | 25 |
| <HKCU>\SOFTWARE\XXXSYS | | 25 |
| <HKCU>\SOFTWARE\XXXSYS | ID | 25 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0 | CheckSetting | 25 |
| <HKCU>\Software\<random, matching '[A-Z0-9]{14,16}'> | | 24 |
| <HKCU>\Software\<random, matching '[A-Z0-9]{14,16}'> | data | 24 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | hdtjbroygvvb | 1 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | owvhajogulen | 1 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | pyfepfifrjwi | 1 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | xbmnkkfnowvh | 1 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | gulenopvybnq | 1 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | tbqdqvojagik | 1 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | hajogulenopv | 1 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | mgtbqdqvcoqj | 1 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | ulenopvybnqj | 1 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | lpyfepfifrjw | 1 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | epfifrjwiqou | 1 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | ifrjwiqouteu | 1 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | teumgtbqdqvo | 1 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | nrxbmnkkfnow | 1 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | whmtlmoxvcsc | 1 |
| <HKCU>\SOFTWARE\159643D83772F | | 1 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | bmnkkfnowvha | 1 |
| <HKCU>\SOFTWARE\159643D83772F | data | 1 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | vcscusnnmyjx | 1 |

| Mutexes | Occurrences |
|---|---|
| ityeofm9234-23423 | 25 |

| IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences |
|---|---|
| 107[.]6[.]161[.]162 | 25 |

| Domain Names contacted by malware. Does not indicate maliciousness | Occurrences |
|---|---|
| jessforkicks[.]com | 25 |
| heizhuangym[.]com | 25 |
| infotlogomas[.]malangkota[.]go[.]id | 25 |
| csucanuevo[.]csuca[.]org | 25 |
| snibi[.]se | 25 |
| danecobain[.]com | 25 |
| www[.]danecobain[.]com | 25 |

| Files and or directories created | Occurrences |
|---|---|
| %ProgramFiles%\7-Zip\Lang\ka.txt | 25 |
| %ProgramFiles%\7-Zip\Lang\kaa.txt | 25 |
| %ProgramFiles%\7-Zip\Lang\kab.txt | 25 |
| %ProgramFiles%\7-Zip\Lang\kk.txt | 25 |
| %ProgramFiles%\7-Zip\Lang\ko.txt | 25 |
| %ProgramFiles%\7-Zip\Lang\ku-ckb.txt | 25 |
| %ProgramFiles%\7-Zip\Lang\ku.txt | 25 |
| %ProgramFiles%\7-Zip\Lang\ky.txt | 25 |
| %ProgramFiles%\7-Zip\Lang\lij.txt | 25 |
| %ProgramFiles%\7-Zip\Lang\lt.txt | 25 |
| %ProgramFiles%\7-Zip\Lang\lv.txt | 25 |
| %ProgramFiles%\7-Zip\Lang\mk.txt | 25 |
| %ProgramFiles%\7-Zip\Lang\mn.txt | 25 |
| %ProgramFiles%\7-Zip\Lang\mng.txt | 25 |
| %ProgramFiles%\7-Zip\Lang\mng2.txt | 25 |
| %ProgramFiles%\7-Zip\Lang\mr.txt | 25 |
| %ProgramFiles%\7-Zip\Lang\ms.txt | 25 |
| %ProgramFiles%\7-Zip\Lang\nb.txt | 25 |
| %ProgramFiles%\7-Zip\Lang\ne.txt | 25 |
| %ProgramFiles%\7-Zip\Lang\nl.txt | 25 |
| %ProgramFiles%\7-Zip\Lang\nn.txt | 25 |
| %ProgramFiles%\7-Zip\Lang\pa-in.txt | 25 |
| %ProgramFiles%\7-Zip\Lang\pl.txt | 25 |
| %ProgramFiles%\7-Zip\Lang\ps.txt | 25 |
| %ProgramFiles%\7-Zip\Lang\pt-br.txt | 25 |

*See JSON for more IOCs

File Hashes

11bf02df58d00bf7dfc22e46b27db8a2cfcb9c8d03ad38b2e3baafa193bbbd89
1a4a1e76c6d2dc585ce77c9be7163163c0d614d5668a0c83601bb3d6f91376a0
1c2ddbf956ee1e2b40472b70603371ed21817fbf95d5825b2f75bbf6f9728089
1d4114c8ee19f343f3dcf80a542295af29df63d9745ad77cce43562c909551c5
2f1f927c219ccfcffeb997c9433733a04200ae35a2fc0c48fc07cb49062cddc7
3ef3021ce3ffdffcfba2bd590c4186c3a3ecdd3b6ce40d51d2500897fb55ffb0
41ab6446df889a5a24e4e859146c0225d13a2ba8553c83cb93e45017212884b2
4bae8a4e0124724e695c10202a94eec99cf5990507fbc94ec3f08e11de3ce2c2
4dc12416bf7c3be9d573c8fa07847050307bd05cb67480e3c3874696614b73e9
4fa8c1eaa4846a8a06fb2480a746d5526f743cee314f7101db0508577bdd3776
5207a70e0e818741279d7c25c0d9cb6be136a4fc8ca8fe6f48112c4d0572d64f
5aaad74cb36db78ad6da4d499a75c41d2ace8b97ff8f88c5bc7f738ad353d3d7
67e2caf00dd0293080cb5b45d2db11d4f567ce9a3d6fd5c9723358d18da80e71
6a9e6e5c50b3b90376530ee4e9e81cdf5cdc9b7c07cdb71207b3a1799f77ec7a
6ab8f9569a70beb0f96bf4e030381e70bcce7703b308a05542f4ccf1b6002af9
71f0f23220cb0f5d8b31fce30f08bc1687acd675b7c3a8ae7e0538bacb0d3eec
a3a6b4f405f2175af97128c64d9ad68700e05e22d66c43dad966add8436af79f
a760b60722cfa7c719e79b5c97cfe789720c6300a200421c846e13287cdb160a
d8be6b950a872b1b7c752cc83a5440b4cfe62870097df78794f10986fb7fcb63
dd6483183967845c18a3d5cc6154233aa8f3a48acb4e9cccd3606afe7d4d7eef
de5dc2aed0e06894e0bb1292fb68343fadc46b489e6c85e6cca56cf5bad70c09
e1a00e6beb02475b4bdd8d821ccac3e67bbafd182332cbf35a45c6766ad83b87
e8c460f171e964db6fff16eb38684b9ec82134c4fd1a1cdc64ba338941ef1199
f69edf352cdca309c7faa71f87a429daf2b46e4ae6ed85a25ff03aa34b4702c4
fbcec257455e5546a294ec1534f7e11f05d144c73ef583a0e891e14759e133eb

Coverage

| Product | Protection |
|---|---|
| Secure Endpoint | |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | N/A |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Secure Malware Analytics | |
| Umbrella | |
| WSA | |

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Virus.Expiro-9957505-0

Indicators of Compromise

IOCs collected from dynamic analysis of 97 samples

Registry Keys    Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32 (Value Name: Start)    97
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_64 (Value Name: Start)    97
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\COMSYSAPP (Value Name: Start)    97
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IEETWCOLLECTORSERVICE (Value Name: Start)    97
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MOZILLAMAINTENANCE (Value Name: Start)    97
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MSISERVER (Value Name: Start)    97
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32 (Value Name: Start)    97
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ALG (Value Name: Start)    97
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EHRECVR (Value Name: Start)    97
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EHSCHED (Value Name: Start)    97
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FAX (Value Name: Start)    97
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MICROSOFT SHAREPOINT WORKSPACE AUDIT SERVICE (Value Name: Start)    97
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MSDTC (Value Name: Start)    97
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64 (Value Name: Start)    97
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FAX (Value Name: ObjectName)    97
<HKLM>\SOFTWARE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\STATE (Value Name: AccumulatedWaitIdleTime)    97
<HKLM>\SOFTWARE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\LISTENEDSTATE (Value Name: RootstoreDirty)    97
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\STATE (Value Name: AccumulatedWaitIdleTime)    97
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\LISTENEDSTATE (Value Name: RootstoreDirty)    97
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MEDIA CENTER\SERVICE\SCHEDULER    97
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MEDIA CENTER\SERVICE\SCHEDULER (Value Name: ServiceFailures)    97
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MEDIA CENTER\SERVICE\SCHEDULER (Value Name: ServiceStarted)    97
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MEDIA CENTER\SERVICE\SCHEDULER (Value Name: Heartbeat)    97
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MEDIA CENTER\SERVICE\SCHEDULER (Value Name: WaitingForShutdown)    97
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MEDIA CENTER\SERVICE\SCHEDULER (Value Name: HeartbeatIntervalMs)    97

Mutexes    Occurrences
http://www.microsoft.com/windowsxp/mediacenter/ehtray.exe/singleinstancemutex    97
Global\MCStoreCreateTable_a1d78cdcc411921ce3b07770aa2a0e0745789b11    97
Global\MCStoreOpen_b4cae1f9a3aead62bebb934ca33cadb730c8d3ed    97
Global\MCStoreSyncMem_02004a9f865399b5c2a02973d5e53544ed4ce2ea    97
Global\MCStoreSyncMem_5ea381292eeb3ed3e61dc84a3dbd4d7f59767eca    97
Global\MCStoreSyncMem_71bdfe29063ac557a4e7b3205ed180408457fcd4    97
Global\MCStoreSyncMem_7715dc857070a1523dea43f32f1fe67c1ce58e0b    97
Global__?_c:_programdata_microsoft_ehome_mcepg2-0.db    97
Global__?_c:_programdata_microsoft_ehome_mcepg2-0.db:x    97
Global\eHome_DbMutex_1    97
Global\eHome_DbMutex_2    97
Global\eHome_DbRWMutex_1    97
Global\Multiarch.m0yv-98b68e3c311dcc78-inf    97
Global\Multiarch.m0yv-98b68e3c311dcc78493cd690-b    97
Global\Multiarch.m0yv-98b68e3c311dcc789ea72c54-b    97
Global\MCStoreAddStoredType_a1d78cdcc411921ce3b07770aa2a0e0745789b11    94
Global\eHome_DbMutex_3    94
Global\OfficeSourceEngineMutex    92
Global\Media Center Tuner Request    70
Global\eHome_DbMutex_4    69
Global\eHome_DbMutex_5    69
Global\PVRLibraryLock_a1d78cdcc411921ce3b07770aa2a0e0745789b11    57
Global\eHome_DbRWMutex_2    54
Global__?_c:_programdata_microsoft_ehome_mcepg2-0.db:splk:1036    8
Global__?_c:_programdata_microsoft_ehome_mcepg2-0.db:splk:924    5

*See JSON for more IOCs

IP Addresses contacted by malware. Does not indicate maliciousness    Occurrences
172[.]105[.]27[.]61    95
167[.]99[.]35[.]88    70
206[.]191[.]152[.]58    66
63[.]251[.]106[.]25    62
178[.]162[.]217[.]107    20
85[.]17[.]31[.]82    16
178[.]162[.]203[.]202    15
5[.]79[.]71[.]205    14
85[.]17[.]31[.]122    14
173[.]231[.]184[.]124    11
63[.]251[.]126[.]10    11
178[.]162[.]203[.]226    10
178[.]162[.]203[.]211    9
5[.]79[.]71[.]225    7
35[.]234[.]136[.]13    6
185[.]185[.]69[.]77    2
82[.]112[.]184[.]197    1

Domain Names contacted by malware. Does not indicate maliciousness    Occurrences
pywolwnvd[.]biz    97
ssbzmoy[.]biz    97
cvgrf[.]biz    78
npukfztj[.]biz    75
przvgke[.]biz    71
zlenh[.]biz    68
knjghuig[.]biz    8
uhxqin[.]biz    8
anpmnmxo[.]biz    1
lpuegx[.]biz    1

Files and or directories created    Occurrences
%ProgramFiles(x86)%\Microsoft Office\Office14\GROOVE.EXE    97
%ProgramFiles(x86)%\Mozilla Maintenance Service\maintenanceservice.exe    97
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe    97
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe    97
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe    97
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe    97
%System32%\FXSSVC.exe    97
%System32%\alg.exe    97
%System32%\dllhost.exe    97
%System32%\ieetwcollector.exe    97
%System32%\msdtc.exe    97
%System32%\msiexec.exe    97
%SystemRoot%\ehome\ehrecvr.exe    97
%SystemRoot%\ehome\ehsched.exe    97
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.log    97
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log    97
%SystemRoot%\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{33EC2C09-9668-4DE7-BCC0-EFC69D7355D7}.crmlog    97
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log    97
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log    97
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat    97
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat    97
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat    97
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock    97
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat    97
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock    97

*See JSON for more IOCs

File Hashes

    003197ab7aab0056ef0fbeb11dd4b6762216c3d27540ca4825f181fab330a832
    01b59d7b8d9e128753e33b88705d6b0ee2be945fd4bd95c92c25fe160bcc2a28
    01c2d4cecc87e39c6c08db505065e5ef9d4927fac599f0e1e752407e15c4e633
    024c5d8975e9e34be65107327c05e119c8b595c954eadb25b07cbf55cbc898a9
    032794dc64b0ac4b893561771732bd67ae0962f1f381c53bdef1be6a5155df3e
    03d2208d010c08559d1625142d2efc90b48bd94cc19f33123b8b665e6e607b34
    03d83413d2881f01a23c0794d66d0d29510ce12ccb66f1005ab64910cd4e7f07
    03db00a2082925d5504e4d46eeab2dab8d9ef3a18c96eb9b8ab8717fd0ccbe8d
    03f7b3af2bf5e87b1c975459f64756b7a79baa18d42d90f0e0cae4599d08fe90
    043c30b9943b579599eb43e475c1d25ede670783c187700a3e7bbdb26bfeea63
    04eb47a0bd5b0f3cc4eee02186545267cfed907b9eb9c496b771e95b48554060
    058f0d75c3422806327c0a7d4834481e69b1e92b080aa260361c3702e5469e7b
    0648fd62ac4c8b83f30aba65893b6b9598a7186a1ad55c39b4c7055d17702053
    06bc99dec80527c04d4c623ab723f162d794c019b426a017d7ad41d83e055357
    074729717198ab9a66bf4da155e5d4fdc5c430c60f344e64b7de97e57f344c4d
    0763bb050181bab831d844067d18dc1492d0500a491664c3f9b90e19e6d2b781
    08094e18e7913ca6c8eaf4cd94927fbd099c45c889cd65e4fd67ce2009c97725
    095a0557fade67da6e340307af110014f915168df9b124a9fec1f197d52c4640
    0a570f1ebd5fe52d306ce5a3b4bd19d399f2fcbe7002dff34a3d6bfff905e584
    0b68ddbf260f48f30b24dd0f11e76572c5b10cf48abdb8f99de3d1d1c2e841de
    0c37b22edd74cda6accb4f7a2325f149a78ccf5cb81af509714c202729815020
    0c80ed840ae70061a0cc5ccd1f3c12832e3a51a5e937a5be3319c6fbbb47360e
    0dbcd43911ae093ae0fb18adbe4488c7260e7dc8f4217241fd3ae5de7b795b9f
    1022b2e11bd77dd96b27522ec5c889746c75c9a8eadf58e5396fa87da10e8331
    10abdec91ee97c257bfe44b29232ea57a485d3d1cc72f8f706f3ed586910434b

*See JSON for more IOCs

Coverage

Product    Protection
Secure Endpoint
Cloudlock    N/A
CWS
Email Security
Network Security
Stealthwatch    N/A
Stealthwatch Cloud    N/A
Secure Malware Analytics
Umbrella    N/A
WSA

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Kuluoz-9957187-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 15 samples

Registry Keys    Occurrences
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'>    15
<HKCU>\SOFTWARE\FVXBJPWU (Value Name: vcariano)    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: llqjxikf)    1
<HKCU>\SOFTWARE\PWWTTVLV (Value Name: twekalil)    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: xxdfmerx)    1
<HKCU>\SOFTWARE\EWMGTFIM (Value Name: anxufehi)    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: nqrwcsef)    1
<HKCU>\SOFTWARE\WFPJGFQR (Value Name: vjiwxwuh)    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: wddfjook)    1
<HKCU>\SOFTWARE\DRBVCKTP (Value Name: lpeeclca)    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: igudfpld)    1
<HKCU>\SOFTWARE\TBTCBEWS (Value Name: qbdbpkdf)    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: ddgljbjp)    1
<HKCU>\SOFTWARE\ATTOEKEN (Value Name: euvumrrn)    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: kxadigun)    1
<HKCU>\SOFTWARE\NWOLGMSD (Value Name: okhudfoo)    1
<HKCU>\SOFTWARE\SXPMECNO (Value Name: vbuvphur)    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: bshrfueu)    1
<HKCU>\SOFTWARE\NAFNCVOV (Value Name: iatqgcgc)    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: lnxhasuw)    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: oxviaxao)    1
<HKCU>\SOFTWARE\BPLLBGMG (Value Name: aqonboar)    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: iurwprlq)    1
<HKCU>\SOFTWARE\BEOHVVNC (Value Name: mujhuapl)    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: qsmriksl)    1

Mutexes    Occurrences
aaAdministrator    15

IP Addresses contacted by malware. Does not indicate maliciousness    Occurrences
162[.]209[.]14[.]32    12
222[.]124[.]143[.]12    10
176[.]123[.]0[.]160    9
173[.]255[.]197[.]31    9
46[.]105[.]117[.]13    8
195[.]5[.]208[.]87    8
195[.]65[.]173[.]133    5
64[.]128[.]16[.]144    5

Files and or directories created    Occurrences
%LOCALAPPDATA%\<random, matching '[a-z]{8}'>.exe    15

File Hashes

    060286b4d0f8a14abe1ef08c1b3298eedd6ca8d7136514cbd28a64a80e4e5dd3
    0dd7adbeab2b75d5d1e9d00ac3f59ac9e67dd4a7e2ac763e2de683d368b9f7ef
    150f82c49d0a42de8a82632bb18077078076e9ba378291e5654e6cf0b14fb351
    2c00d6f49dcc5bafbd868cf5c3894ddb21aa2216c54bfe148a7b861723c47a65
    34f0305175ea18e197c488b450535c0cd8db1eccebdd6ecb2a2996fc813f14e7
    4f4ccbcab032d9c6b8c97b452027d976b6dca4dd3c4237b8a3532f3d11bebd64
    6ac1fa955677a1012e17bb3f35acf922f50d1f8810e94939ba2074756948aeae
    81ce4d06b1af27b542e809e4e9f8e188782d4d14edf2a2dc94d9c857fe0c0560
    8ef2563081b7dfd5e6c7c5d502b06e0d4c9fdf405b0fddbd60aff47a688e3a68
    933f42380d718778039317a56fea346fbca1b07353edf46a97692ca4a6e20ba6
    c9d671789d74e64450c9f33c2bb45a3337ce40ba06eb5632471fe624e2872616
    cbf0ec5ad28bc4c6d44057398b3232fd519229ead06b88260b7b2d50bd5d95ac
    d178feddad4373a848f2fe9361b96ef7a907e1b1bd5127a5bb74926bb270d1a1
    f22ba989587086403663558e7912a43b3a339f67ad42654b93c95e9120532de9
    f3e21ed6c8cfc19a65076b58eddfe69683268b704649a47b513f5ef61368fe38

Coverage

Product    Protection
Secure Endpoint
Cloudlock    N/A
CWS
Email Security
Network Security    N/A
Stealthwatch    N/A
Stealthwatch Cloud    N/A
Secure Malware Analytics
Umbrella    N/A
WSA    N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.DarkComet-9957280-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 12 samples

Registry Keys    Occurrences
<HKCU>\SOFTWARE\DC3_FEXEC    10

Mutexes    Occurrences
DC_MUTEX-F75JL20    10

Files and or directories created    Occurrences
%TEMP%\Crypted.exe    12

File Hashes

    0753d1475d7a3779684afe69f76ff81d7da01766fd34d85a23c1455008546108
    0c7c5afce5165fd6be988f7aabe03abdbfdd8f0671dfe7f4b9fa73f243c9a9f1
    238022cdf5b4fc75ecbb0db1654586b4686b43fcbabbcb17fec891879cdf3ba8
    27bbe0f40ecf946a841f727101d707d57aadc31e4e5ca8699fe67aa61568c9b3
    318eb4c14be4777bb921bbe44c1f7512d910c344fe4dbdfa373746cc7e767b1b
    5631d5b53191510f47896a6fc0e9ba21e973cd35f25b21d26b984c1a46a7aca5
    b45c2ab96c70d2beb2fda40032e1695324278c39918b0a8dfa3474a667c6312d
    b8adaf25ff8faa4c00b08993080daad260a6ba124199c020deabc8e38e636a3f
    c5469b740d9c2c7ffde2ea1e606fe044b87c4b21b4a502fdf63a7fd02aabc426
    e36abaab1b6871ccb3ea2331168c7f04627f6861964b87b047241d79d56e664b
    e5daaf2b2c3c03711c622d482e0274ff1d4dbe3909969992864f2ea73c77ea8a
    ff107b513ffcf70490a9cef3e594bc15aba3c3f573e7b792d257f6e3188bf236

Coverage

Product    Protection
Secure Endpoint
Cloudlock    N/A
CWS
Email Security
Network Security    N/A
Stealthwatch    N/A
Stealthwatch Cloud    N/A
Secure Malware Analytics
Umbrella    N/A
WSA    N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Trojan.Sality-9957294-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 23 samples

Registry Keys    Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED (Value Name: Hidden)    23
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER (Value Name: AntiVirusOverride)    23
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER (Value Name: AntiVirusDisableNotify)    23
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER (Value Name: FirewallDisableNotify)    23
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER (Value Name: FirewallOverride)    23
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER (Value Name: UpdatesDisableNotify)    23
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER (Value Name: UacDisableNotify)    23
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\SVC (Value Name: AntiVirusOverride)    23
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\SVC (Value Name: AntiVirusDisableNotify)    23
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\SVC (Value Name: FirewallDisableNotify)    23
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\SVC (Value Name: FirewallOverride)    23
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\SVC (Value Name: UpdatesDisableNotify)    23
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\SVC (Value Name: UacDisableNotify)    23
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM (Value Name: EnableLUA)    23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE (Value Name: EnableFirewall)    23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE (Value Name: DoNotAllowExceptions)    23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE (Value Name: DisableNotifications)    23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST (Value Name: C:\Windows\SysWOW64\msiexec.exe)    23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST (Value Name: C:\Windows\SysWOW64\svchost.exe)    23
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN    23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST    23
<HKCU>\SOFTWARE\AASPPAPMMXKVS-993627007 (Value Name: -757413758)    21
<HKCU>\SOFTWARE\AASPPAPMMXKVS-993627007 (Value Name: 1011363011)    21
<HKCU>\SOFTWARE\AASPPAPMMXKVS-993627007 (Value Name: -1514827516)    21
<HKCU>\SOFTWARE\AASPPAPMMXKVS-993627007 (Value Name: 253949253)    21

Mutexes    Occurrences
uxJLpe1m    23
smss.exeM_204_    15
<process name>.exeM_<pid>_    3

IP Addresses contacted by malware. Does not indicate maliciousness    Occurrences
20[.]72[.]235[.]82    14
23[.]207[.]52[.]109    13
23[.]207[.]56[.]109    10
20[.]109[.]209[.]108    9
20[.]103[.]85[.]33    9
20[.]81[.]111[.]85    8
20[.]84[.]181[.]62    5
20[.]53[.]203[.]50    1

Domain Names contacted by malware. Does not indicate maliciousness    Occurrences
support[.]microsoft[.]com    23
updatewindows[.]net    23

Files and or directories created    Occurrences
\4091535952    23
%SystemRoot%\system.ini    19
%ProgramData%\dxwaolen.exe    1
%ProgramData%\dxfbqp.exe    1
%ProgramData%\dxpxcwowo.exe    1
%ProgramData%\dxdaph.exe    1
%ProgramData%\dxiybfjm.exe    1
%ProgramData%\dxuiyaear.exe    1
%ProgramData%\dxrflamrh.exe    1
%ProgramData%\dxiaolh.exe    1
%ProgramData%\dxczvbx.exe    1
%ProgramData%\dxezxtat.exe    1
%ProgramData%\dxayaahen.exe    1
%ProgramData%\dxvdovort.exe    1
%ProgramData%\dxupnglb.exe    1
%ProgramData%\dxzliuhie.exe    1
%ProgramData%\dxvros.exe    1
%ProgramData%\dxxakx.exe    1
%ProgramData%\dxueoa.exe    1
%ProgramData%\dxoupe.exe    1
%ProgramData%\dxhbtsa.exe    1
%ProgramData%\dxquorfdh.exe    1
%ProgramData%\dxyjlzmr.exe    1
%ProgramData%\dxwetlif.exe    1
%ProgramData%\dxcmiazi.exe    1

File Hashes

    155b235838bb38a009d3959a22afeefe29990bf08b886d450d5523a1e8ef52e9
    1ab9fcb9422511f11ce386dd89602256b4423cc13df20d8cae15cf74ac96899c
    1ebee245aa20139a5c0d78869e42cb7700b2c746fe554000dc24fd6d79b2dc7a
    37ef12da9294aa84a551a49705c9aaeffa3e440ac9183e670aaae18de6f0cee9
    38690107fc5ab4fc661469ab6d179f6a8f98ffc6abeeae8e8fb879fa24c92818
    3c73ee4a0a2a9d2f78dd95d11df24a3d27c3a14ff2e6f56e014f10d0832bb869
    4888ce37000aa2d5029dcdf080efb7ccf3b4ba347ee24103df15a3cb9be4dc5b
    4d9868767a8260a2c0f663eb424f491de8cc1706ade137c59ce84c9da5e15e50
    541a54f29dbcd3412f244a16098acf87f466699a5832270e4d7d642b067c32a1
    56ecf33836287e107f9bda8a3522fddf9cc699f6e291990ab66753d692ac92b2
    605c9f1b05b0b47ed4e99a34a526adfed8eb56ce724815fd207708c94313883e
    6e99fec151c58577d9360fd6f846a0e436907258ad24b0117be07ab438b89abb
    79e56d2705ee36750de0b2b521777d73ea3fec9faca7ca78a39c06ac5e689b0a
    7bd446737e62430c0ed764392c1573c8b3b81ac3c969a473a7cab9849302eff4
    83f4e46b5dd1811bd62b184710cb206ab7ac5ae0a52a797745fe400cde4ed2f4
    8a99d2f8e63dc8bdfe9c10be15e65a881e473afa45dc349ad8a9bf387cb90e91
    8f618126cfbdd291e149f978420a885cbc31876de6771c78a32b60edf47225a6
    9c447450d5f5767d268341ebd7fdf3e50b302bae87d7ea1ca7ffc45d81b271ac
    aca2c69def78f145126fd8f2a9e88326ee74c80e59b704dd5a48a3de91effe94
    c9216a18da434cd1d24b0e57e2f1236d3ebcd9d38d4b772153db4bb60a661b54
    da3ee20e162f6ee44397e737ca1f7c3d371f41075414c959ddbdbb4d06dfbd94
    e15c93bf9e1f8ad217103c0d9156cabc5a923ba3bf177b7cde178854a1efb243
    f254301a5209750c391375336d9b93e19b45e557e0cd97a504df6b22d52facce

Coverage

Product    Protection
Secure Endpoint
Cloudlock    N/A
CWS
Email Security
Network Security
Stealthwatch    N/A
Stealthwatch Cloud    N/A
Secure Malware Analytics
Umbrella    N/A
WSA    N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK
