Headline
Threat Round up for November 11 to 18
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Nov. 11 and Nov. 18. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key
Friday, November 18, 2022 12:11
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Nov. 11 and Nov. 18. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.
The most prevalent threats highlighted in this roundup are:
Threat Name
Type
Description
Win.Downloader.Upatre-9977362-0
Downloader
Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.
Win.Dropper.Emotet-9977383-0
Dropper
Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Trojan.Winwebsec-9977467-0
Trojan
Winwebsec installs itself to a compromised system as “anti-malware” software with desktop links and various persistence techniques (Windows service, Registry Run key, etc.). This family is known for using fake alerts for malware found on the system to deceive users into buying services before the “malware” can be removed.
Win.Trojan.Hupigon-9977585-0
Trojan
Hupigon is a trojan that installs itself as a backdoor on a victim’s machine.
Win.Trojan.Qakbot-9977748-1
Trojan
Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can steal FTP credentials and spread across a network using SMB.
Win.Malware.Zbot-9977753-0
Malware
Zbot, also known as Zeus, is trojan that steals information such as banking credentials using methods like key-logging and form-grabbing.
Win.Packed.Razy-9977758-0
Packed
Razy is oftentimes a generic detection name for a Windows trojan. It collects sensitive information from the infected host and encrypt the data, and send it to a command and control (C2) server. Information collected might include screenshots. The samples modify auto-execute functionality by setting and creating a value in the registry for persistence.
Win.Dropper.Formbook-9977759-0
Dropper
Formbook is an information stealer that attempts to collect sensitive information from an infected machine by logging keystrokes, stealing saved web browser credentials, and monitoring information copied to the clipboard.
Win.Dropper.XtremeRAT-9977807-1
Dropper
XtremeRAT is a remote access trojan active since 2010 that allows the attacker to eavesdrop on users and modify the running system. The source code for XtremeRAT, written in Delphi, was leaked online and has since been used by similar RATs.
Threat Breakdown****Win.Downloader.Upatre-9977362-0****Indicators of Compromise
- IOCs collected from dynamic analysis of 14 samples
Registry Keys
Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\STARTPAGE
Value Name: StartMenu_Balloon_Time
5
Files and or directories created
Occurrences
%TEMP%\xwjfk.exe
14
File Hashes
0ce28aeedff22a0e55bce0f016084d447194a425bfc57a1742bb3b001cbbf133
0ed0c8332a8548cfe20569bc8b88c183765c4a88c59635e97e79ec954beae3e2
2ce1d892aa886a3373786219d99d46a28df634cfa064ef24d14eb44ce5ab4155
3248e557cdc359b6c89756027eb63024e109756c4ddf503c84992cdbfb88c5b0
35f11555b1becf3eaa7473c4e56a79cce67222141e7bf86312ce5eaaa23f3afc
4499aa8e1de46ee210121562d5ffd13eb50ed2af4d16736a97e5675d506509e0
52431eb3908465b9c9286e9fe21cba8f8c684dc92842a9374b8f34654f3b271d
5e23dc2d0bf866f139fa6ee6b95cf391e915cb4ee9c29cd79aa01bc9ef97da8c
711fbfe4245a9865b17e9a61d7c5cfc6664823bbbb9d8f4c859f8f122b9f0729
750beaa4d43b84e5c2c9d0f8d7207b74af65d8dbeb3080f1b47dee70bbca5219
93b86b7a74458678d0d9438089a2f187a14d41a02458c4171be9cbf6966d920b
a5bf30478a9b46d3eb6e38713f10c1f1e05ced7616a7401d09343eb0eec97425
a5e5ebb80873575a9d1a524118ac2ca072753baf760153d4b3637f2a67155ae0
dc53e0268eff4a996409ba19d1b55df385dfd00ce6cbeda093991f1967aa0277
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
N/A
WSA
N/A
Screenshots of Detection****Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.Emotet-9977383-0****Indicators of Compromise
- IOCs collected from dynamic analysis of 26 samples
Registry Keys
Occurrences
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES{0633EE93-D776-472F-A0FF-E1416B8B2E3A}
Value Name: FaviconPath
15
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES{0633EE93-D776-472F-A0FF-E1416B8B2E3A}
Value Name: Deleted
15
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES
Value Name: DefaultScope
15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
15
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVED EXTENSIONS
Value Name: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
14
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
13[.]107[.]21[.]200
9
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
www[.]bing[.]com
15
cyanteread[.]com
15
hq92lmdlcdnandwuq[.]com
14
File Hashes
003d724d91ea724259e57e81c1c2236060ead1591eaa4b2afb20ab0b41e0b4ff
0715018a8f89c3885ba377f91425d42d1695aa423534b3d1b51d9af17fba9505
08b991c330e72320ce4e56777a8704964b321b16252ba135c372d378257d000c
0f0c41bb5a586c913d2ea5cad4fe4b0b3f381e80b9efe2657f94a024303d64c2
11edc1b99293a2f603d02802ced72b1167cd434d3d8aa631037347214f150541
120cd11824305fe9f6a55710741164a80d5fb8c26888073cec3ffb84ac0c9553
1a80809e1f36f446829cd44ed8658dc6ea44a11d57dc39f9450d13d429d6c5eb
1ae3e6c08e544fe78b5703521773b57a8fa64d20ec1c50d99414eb910b917858
2c738465fb32aed74b6b8b961eba819c683eae5a44262d686bd1c465cbaf6cb7
2e094ac541cbb2c1f509c1c12b352661582ae983a6316b6724a01a018ac59943
2ee9a3cfe4d921358e5b506678ffc8e2fb1e8b4759dab278607151bf47645530
39ff15f0d980885538a327a291305e63ff44ec63f508f44f7989adbc562d886f
3afb9cb9b19a5d420914950f125f104c1e030a58c0ede92606bb15f1b9123b13
4687cc2e93ec5e9f5b80c8f2b3b34650bda86d15ccd1fe5da6d8157b4276b63b
48f1b41e40630b02a6c28f3ccf7c2cd21008ad4c61177878edc206fd16342ea5
492818d79e1374c9167af43f6d4b20fd506e5c502a7b12d726bb220647a1c6a6
4dbfa6ab3115876b6c099aff4a463fa5b636f8f458ef94959738059280dd44de
560a09676c1ce3d3fa574b922bbfdb4bb30281ad513d4540945d809efdc7bc87
6a5596a06528eb8fafa813a90a9da1c144570f54c71111041f2a71b3b71a6c83
6cc6c9c50e495679bac11e2ea84fe6fd210a8185253127dabce4be98fc8e7b41
7d6ae74b0fd5a239d0179d087939a4a0a6db6f9acfdc5d5f969e5fa987429932
85c4c56f7393370a8c7cda68d51135e57d36193073f37b5fbe4c9998978a8c58
8a26339ebb413ccd632588fc2a003c4f39797d24721be1a039dbc54c92e3e006
8b18c983993f5ea0653e33ef89b801cf5c3bb56b06782b1d6e87cb86d0882cfb
8fc30d5ef233c3ef7c8f313cb9cd4b31992676a0ccad5ab68487717b7c92d816
*See JSON for more IOCs
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
WSA
Screenshots of Detection****Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Trojan.Winwebsec-9977467-0****Indicators of Compromise
- IOCs collected from dynamic analysis of 13 samples
Registry Keys
Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusOverride
13
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusDisableNotify
13
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallDisableNotify
13
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallOverride
13
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesDisableNotify
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
13
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start
13
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start
13
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: HideSCAHealth
13
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV
Value Name: Start
13
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\LUAFV
Value Name: Start
13
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SYSTEMRESTORE
Value Name: RPSessionInterval
13
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS DEFENDER
Value Name: DisableAntiSpyware
13
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: 7812A3CE2B17D97900000313F875EF60
13
Mutexes
Occurrences
7812A3CE2B17D97900000313F875EF60
13
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
112[.]121[.]178[.]190
13
Files and or directories created
Occurrences
%ProgramData%\7812A3CE2B17D97900000313F875EF60
13
%ProgramData%\7812A3CE2B17D97900000313F875EF60\7812A3CE2B17D97900000313F875EF60.exe
13
%ProgramData%\7812A3CE2B17D97900000313F875EF60\7812A3CE2B17D97900000313F875EF60.ico
13
File Hashes
15da981b1c9220e7be7a9bab45086c54c6abf5ca3f67f516d725aba78663a117
28c0acdb4802add547be567598804823073f989255dc968de71bdacc0d1d150c
48c44dd30bc5fc5618086f46a2d68d25f7ea2a180f1a3d9a063b9b8fbd66d1b6
4f56a26eff59d45fb967b577873438cb1d9b220c42c776af8ae4f99538a83d19
6ba6713b8c260e8a8010e3cadb3ae6943bdc786a06133314a5142d8c4692beec
707b4b357151fdc654994e63f11104e360f937d200b2ef86d07e7f7e5ccc7681
7674d67e74b82a75d4aeb4d69199ad702b8c811081aa93736b4cf6e378c0d2cb
79bb080b2b89c40d866e6d28551b6414ebbd604aea5097413714ce06cdfbd9ee
8c5b085f532f6c82f7dd2e2a59333f69ec7729751ac0cb24b34a1e58ce96a456
8feadf32687dd1b0ec8a243c59c0d2b894fff34b5a96684da21652aec85e6b9f
adf42137ad48c2c6a63978bad6d14c5bc5d4156952dc818aa3a355fef1ead750
e653a3adcae1506103a930f39ef8bcb5f7a9e215f60c89cca67c3b7b7ad9ec1e
e6f2a5efdfc6795767941b3087576ebf715657baf1344e4547eb64c16bbf04ff
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
N/A
WSA
N/A
Screenshots of Detection****Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Trojan.Hupigon-9977585-0****Indicators of Compromise
- IOCs collected from dynamic analysis of 25 samples
Registry Keys
Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FRUNDLLL
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FRUNDLLL
Value Name: Type
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FRUNDLLL
Value Name: Start
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FRUNDLLL
Value Name: ErrorControl
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FRUNDLLL
Value Name: DisplayName
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FRUNDLLL
Value Name: WOW64
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FRUNDLLL
Value Name: ObjectName
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FRUNDLLL
Value Name: ImagePath
17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FRUNDLLL
Value Name: Description
17
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\SETUP
Value Name: Beizhu
12
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\WINOLDAPP
Value Name: NoRealMode
12
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\WINOLDAPP
12
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\LANMANSERVER
Value Name: Start
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\LANMANSERVER
Value Name: DeleteFlag
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SVCHOSTS
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RUND1L
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RUND1L
Value Name: Type
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RUND1L
Value Name: Start
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RUND1L
Value Name: ErrorControl
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RUND1L
Value Name: ImagePath
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RUND1L
Value Name: DisplayName
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RUND1L
Value Name: WOW64
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RUND1L
Value Name: ObjectName
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RUND1L
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SVCHOSTS
Value Name: Type
1
Mutexes
Occurrences
Rwx_free
12
Global\b66d3b21-6365-11ed-9660-001517e7b43d
1
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
157[.]122[.]62[.]205
2
183[.]236[.]2[.]18
2
59[.]42[.]71[.]178
1
49[.]2[.]123[.]56
1
23[.]89[.]5[.]60
1
222[.]198[.]42[.]253
1
199[.]48[.]208[.]150
1
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
www[.]163[.]com
8
http
1
11984[.]gnway[.]net
1
yelaifeng2[.]3322[.]org
1
genius3016[.]pimp[.]fc2[.]com
1
lingfand[.]3322[.]org
1
fish2008[.]3322[.]org
1
z6366010[.]3322[.]org
1
ahah[.]3322[.]org
1
Files and or directories created
Occurrences
%SystemRoot%\SysWOW64\Deleteme.bat
12
%SystemRoot%\SysWOW64\FRundlll.exe
10
%SystemRoot%\SysWOW64\svhosts.exe
1
%SystemRoot%\SysWOW64\ÐÔ¸£ÁªÃ˵çÓ°²¥·¢Æ÷²å¼þ.exe
1
File Hashes
036f4e965137f92e4a23b68714ca07764dbef452fbe521a9ab436709ae2544e8
0556f362906bad908653298bb5859da2dcaafb7d3800bb3e8fb5ae0bd83183c9
10eb9ccf8455511663b12e65f9caeeba31500b13cb0a8cbd91bd142138fba92d
1e0071e523ae8094b1c94e0a98da912a8d027851554548af937dc1801828f042
2d5fec1d5b79d97a0c75420433543dad8b69cb5fbecdef425cc66bf20e0acf75
2e9c25ad8734a0fe91d142e2131e56ca38cc6c63e73010aba8650425fc417e02
30f8e398e5a4dee30fdf9768f32cbc1d0ae0565d1aee33d4060cc3f147f753c5
3e1cc765da65267b5918ca105de32f1402c4fde86475543cc106878ff11618e7
44f4640ffbe6909163a5742de105ce43ed6200ef2cf7c50b285b702e4b2073ab
4c6baba1332e86122a14864e31cddf7b49b3305e2e62c9895d62c49cc3c82bf4
5b2a993ef4e5078eb6692b341bcb44e73b41209500572b92dc926265b1dd1f5e
77e505dc53d30b4e03ceabb86a9fa7f0713724873a537594edcdfb6cf945beec
8937293e8af2d13a8a6b811d19e6f1fbddeedf8cfa4987dc06f9b50c932152e8
a6857ef8d31dc8d07d64be5cb7e8bfa05d4bf14dcdb41784bff4951c05b07466
a91b79c69652b130894b2e51ec0654933e4fbff3cdb3f4199f061e421450309a
aaf39fe00d7ac4fa5e2f2db7112226cae4119348681dab09c3e3aebf4f93cb9b
b03a151d39ec64eb056d910c39da13b40399a4f3d38e59c3736550076b72e6a8
b09d7d116e7af15e20af41f6991b60ece18f87e5c58849d5b28c800e51ca1e35
ba33dd844c2f52cd3ee025c61da51766e75debd58c9b849e1358a5b673a2bdcf
bc0247ef0af6afa87f00dff77888d5ab0ee3b9a12eb5852a57bfed49f1450539
c7e8d59a821c63d10024c427c684bace71589e6abd52b6696a143f0896a9bdb4
cc43c386d58ee5c6b5a2a8693e9a6b86ac98c24049981cd33bfbdda1e0ce19f8
d3fa1b573205ea85881f6a32dce9a40483b9ace3b67ca833a79c619b153c96a5
dc6bd088fbb4d37ed3ec578dcbeb235b02083dc2e554b77a800f9af3f2af5331
eb8d4c979fd1630a9b1e0db629aeb89ba0af2fd42352e88f0c908571a5aefbd0
*See JSON for more IOCs
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
N/A
WSA
N/A
Screenshots of Detection****Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Trojan.Qakbot-9977748-1****Indicators of Compromise
- IOCs collected from dynamic analysis of 35 samples
Registry Keys
Occurrences
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK
35
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK
Value Name: bd63ad6b
35
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK
Value Name: bf228d17
35
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK
Value Name: f7b512d3
35
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK
Value Name: 79eea72
35
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK
Value Name: 7a96a5f8
35
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK
Value Name: c22ac29d
35
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK
Value Name: 5dfca0e
35
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK
Value Name: 88fc7d25
35
Mutexes
Occurrences
Global{06253ADC-953E-436E-8695-87FADA31FDFB}
35
{06253ADC-953E-436E-8695-87FADA31FDFB}
35
{357206BB-1CE6-4313-A3FA-D21258CBCDE6}
35
Files and or directories created
Occurrences
%APPDATA%\Microsoft\Xtuou
35
File Hashes
029b9c4ca487978b74ce2556e59e1215509c7bb09e9b61c2cab7e2c4d3e9ec71
02d0b6a9c0b162554969082d2bba2f49127a5f4a64536123ba34fa7d81dc429a
0b3616ac4a71aa74173b336da9153f523f6053677af12eeefb24d0a89a0a892f
0dee39d387e2cbec11c99ccdf99ae016ae6d816d1e3f45fa61d2e2ea04f92479
0fa08984cf7b5be4ce4f88d85f577df912e531bc178a498679be2d1c868cc9d3
1331e1c43ea3422e707d26afae65656c39fd99f7662b558124e737e444c9d759
13dbac70a80b241a61a21b2e502d75f1b11e7479d1d11d9f18b364883d71456a
1443961958783cf6d2d854a83bea4b6cba4c5ce0db63f3ffc13545adf3e2935b
1538ad1d6923c5428ba86b809109f45c5f6e1c3e829549bc5a478d12b25ad703
164404d2c09c326eb00d6aaf6e54516f17703610814bdcb280ddebd534682c1d
16602d90ee3a42ab680de52eb9e702b6bb86694361bf59654fbbb30b8565ee11
167d3327a1d3b48e991626a6985a5a8e29830d409419fa2ec9f8a742ae605afa
1aafbdd50cd79775d2f6a141a8f92e66ae3a4b6313f5bbd885caa378d4338c97
212add05616a4386bf4f3a67fd98aad30c56dcc75362f74ac86454bb96e55b03
217ed037185127b19651401953b69bd03fd0303004bbd6808313040a586a4344
221b5cb284b9b80756eda21cbc33cf5d9b5096bd21d3fb36669e7eb3bc9bda90
229a4e97b2761e39775890882b837be457df8f2835163f115d99e698d8d9a903
2b75842ccbea7eec737fccb72ea4475b586db66bbd057d47eb086a912c3294da
2b7bff2744783e8a824da19960cd2c66820dd980f712ad52654d4d5dabc862a5
2ef08045a1c4f1a43e78388cabb152f4ee20fe52954f9570735ebfe393334b8e
2f5504350fe8c88ef4b5ab92c3401b0c4d70e9894bc4684256058278cc8893bc
314958084e6fb7708fb06410236e0132d26cf54c26f6ee9aafa10f8c60e16d04
32123200969bbc95dfc0d16cfb6409e5d7d91351fd0340120bca5a2bb72caa84
360e29803c92d6271531e87d9025f59db7a1546786e4013a072280d29e01428b
3905804a6dba4a25bcc469bbd18dee15e6731cbf47c233997b1829f8dac36276
*See JSON for more IOCs
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
N/A
WSA
N/A
Screenshots of Detection****Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Malware.Zbot-9977753-0****Indicators of Compromise
- IOCs collected from dynamic analysis of 35 samples
Registry Keys
Occurrences
<HKCU>\SOFTWARE\MATRIX
31
<HKCU>\SOFTWARE\MATRIX\RECENT FILE LIST
31
<HKCU>\SOFTWARE\MATRIX\SETTINGS
31
<HKLM>\SOFTWARE\CLASSES\MATRIX.DOCUMENT
31
<HKLM>\SOFTWARE\CLASSES\MATRIX.DOCUMENT\DEFAULTICON
31
<HKLM>\SOFTWARE\CLASSES\MATRIX.DOCUMENT\SHELL
31
<HKLM>\SOFTWARE\CLASSES\MATRIX.DOCUMENT\SHELL\OPEN
31
<HKLM>\SOFTWARE\CLASSES\MATRIX.DOCUMENT\SHELL\OPEN\COMMAND
31
<HKLM>\SOFTWARE\CLASSES\MATRIX.DOCUMENT\SHELL\PRINT
31
<HKLM>\SOFTWARE\CLASSES\MATRIX.DOCUMENT\SHELL\PRINT\COMMAND
31
<HKLM>\SOFTWARE\CLASSES\MATRIX.DOCUMENT\SHELL\PRINTTO
31
<HKLM>\SOFTWARE\CLASSES\MATRIX.DOCUMENT\SHELL\PRINTTO\COMMAND
31
<HKLM>\SOFTWARE\CLASSES.MAX
31
<HKLM>\SOFTWARE\CLASSES.MAX\SHELLNEW
31
<HKLM>\SOFTWARE\CLASSES\MATRIX.DOCUMENT
31
<HKLM>\SOFTWARE\CLASSES.MAX
31
<HKLM>\SOFTWARE\CLASSES.MAX\SHELLNEW
Value Name: NullFile
31
<HKLM>\SOFTWARE\CLASSES\MATRIX.DOCUMENT\DEFAULTICON
31
<HKLM>\SOFTWARE\CLASSES\MATRIX.DOCUMENT\SHELL\OPEN\COMMAND
31
<HKLM>\SOFTWARE\CLASSES\MATRIX.DOCUMENT\SHELL\PRINT\COMMAND
31
<HKLM>\SOFTWARE\CLASSES\MATRIX.DOCUMENT\SHELL\PRINTTO\COMMAND
31
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS
Value Name: Start
3
Mutexes
Occurrences
Global<random guid>
9
1FF35F9D14B75F818C01D1BD93F28E2098B68E3C
3
GLOBAL{<random GUID>}
2
Local{<random GUID>}
2
ltcminerd_0.1.1
1
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
95[.]211[.]144[.]68
4
204[.]79[.]197[.]203
3
34[.]102[.]136[.]180
3
20[.]109[.]209[.]108
3
37[.]139[.]47[.]108
3
62[.]76[.]40[.]177
3
81[.]169[.]145[.]153
2
80[.]150[.]6[.]138
2
195[.]78[.]66[.]120
2
184[.]87[.]164[.]111
2
23[.]218[.]129[.]107
2
193[.]200[.]81[.]172
2
185[.]137[.]168[.]95
2
109[.]123[.]223[.]77
2
219[.]87[.]140[.]139
2
103[.]131[.]74[.]32
2
119[.]59[.]104[.]13
2
23[.]221[.]227[.]169
2
34[.]160[.]73[.]230
2
104[.]244[.]99[.]132/30
2
76[.]64[.]213[.]21
1
154[.]23[.]86[.]170
1
23[.]231[.]93[.]174
1
91[.]216[.]151[.]56
1
89[.]140[.]72[.]106
1
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
www[.]msn[.]com
3
x1[.]i[.]lencr[.]org
3
wiatraki1panele[.]com
3
williamsburgsoccertrainer[.]com
3
yangzhouwebs[.]com
3
whucprotections[.]com
3
yghqlyz[.]com
3
wirtualny1zamosc[.]com
3
gondalarmes[.]com
2
onedann[.]com
2
howardsgroveboosters[.]com
2
tenlightingsl[.]com
2
www[.]glamone[.]eu
2
imm1bkk[.]com
2
sweetmata[.]com
2
alt[.]hrgsm[.]com
2
esserv[.]com
2
52869881[.]de[.]strato-hosting[.]eu
2
www[.]aktion-fernsehturmspitze[.]de
2
slobstyle[.]com
2
www[.]dorakawycz[.]de
2
elmextrans[.]cba[.]pl
2
yannick-strototte[.]de
2
nach1900[.]homepage[.]t-online[.]de
2
restauracemalahrastice[.]cz
2
*See JSON for more IOCs
Files and or directories created
Occurrences
%APPDATA%{a2a8f052-eba1-4da4-14b7-5f81a2a8f052}
4
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup{a2a8f052-eba1-4da4-14b7-5f81a2a8f052}.exe
4
%TEMP%<random, matching '[a-z]{3}[A-F0-9]{3,4}’>.tmp
4
%APPDATA%\bwwdfwju
3
%APPDATA%\bwwdfwju\jisgivdt.exe
3
%APPDATA%\svchost.exe
1
%TEMP%\libcurl-4.dll
1
%TEMP%\pthreadGC2.dll
1
%APPDATA%\rundll32.exe
1
%SystemRoot%\SysWOW64\csrss.exe
1
%TEMP%\minerd.exe
1
%TEMP%\mssF951.exe
1
%TEMP%\mss405F.exe
1
%TEMP%\mss203.exe
1
%TEMP%\mss20F1.exe
1
%TEMP%\mssA3D6.exe
1
%TEMP%\mss408.exe
1
%TEMP%\mss7D67.exe
1
%TEMP%\mss43B9.exe
1
%TEMP%\mss9897.exe
1
%TEMP%\JLLA196.bat
1
%HOMEPATH%\AppData\LocalLow\rexe.ajr
1
%TEMP%\Hynyaq
1
%TEMP%\mssDCB.exe
1
%TEMP%\Hynyaq\yhopz.exe
1
*See JSON for more IOCs
File Hashes
007bbed783770609db3a14b6dfbae7dec15af21a433688dbebd70bf169092502
026471be0093c51f875831775547db043d4142ded28cc14c9584c4321082a135
048b669f3b888816c889da0b0b8f70af4bd520aa31e08088bb3acd0439732512
089fdfc6590b3f05862d34a5caf88139f8bbbbbdee17ac65efebe0fb0a269b88
0fd494d931d4f3253389d77d635037354493df1867bcbccac1d44fb10714fc70
144dea9d435a7cb3088be366ec3ea8e923aeff931664721779de980344e4acfc
1565e8085f833a11cd48e6fce7a98e5903bd8e91c72abde0c4df1c12e3fabff8
1713787353d3c3230842910efc916369ee732e18903777f5241f23e0ed587e22
183c509e3cb7250452e89f0ef166087e5e84a3a205b554bfa208cfdc52c8b04e
18b045aef6cc597fb3c13c1d15b8780f24372eddbb781ad86bd185d16f5aaf87
1bfdcd9b98d0127586e9daac5ab588d03f9d0f1430e9a8a54463e091f0c4b7d5
2501d1316553e09c71ba45f4f6b9d82659ce111b03aa1276d34084473545f1bb
26dfd88fc6bbb40f6ccc9379160a6a65931eab1ba70734ba1f06cb4056cb56e7
29ef3e12750fb6052c69a9a7a0320500c086fefb2906bd8f2bdf76202155e908
2a84c8a7ec388c99551f626d0d4b119fa3d60b028754bdabe7229869baa5c5a7
2f214a2e7ed3c0758d9b701dced0626ccdcdf2de540e3777bdf28a3e0f7cfade
349eaffc46c7d936a7fa38d23e04a195d5ab88cea61a943215b64d44ba90057a
3c6a863a4ad047c0e618f3eec1661a6879243c8e3f25cff1a6cd497a79c85733
3d56b2b9aadd13e523115e559e74c721a89d2184f2b3531487265f76cabb608b
465901d3fb9827b1fd5c1e41628a9004a8b6ed410d97750b0c65f74937e2a59d
46c0b59f0aa232643a1b4b6380e8a235e7e80605236cab2832b3029f2cae69f9
47409ab190e17b1f8daa3d1c74dc21df22a5722562020313f802aff0297f4232
48aa870faca9e24489633c7b3bcf3369d18cc81984f7954750e8d32f3615f399
4a452f56d965c14bb5f63ab9c5bf487c05216b22446bf845125f15fe297b638e
4bec69cf6bb6f7224d8178831bf5c6c433827fe3aec27045f24bc9e555880b9f
*See JSON for more IOCs
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
WSA
Screenshots of Detection****Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Packed.Razy-9977758-0****Indicators of Compromise
- IOCs collected from dynamic analysis of 25 samples
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
35[.]227[.]197[.]36
25
45[.]32[.]181[.]138
25
23[.]221[.]227[.]169
16
23[.]221[.]227[.]186
9
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
apps[.]identrust[.]com
25
infacom[.]co[.]uk
25
flowersinparadise[.]co[.]uk
25
Files and or directories created
Occurrences
%TEMP%\finc.exe
25
File Hashes
0175d9d196d36cb772c4cafef83b6215de0dd35cee939d1df133ce740b4ab3b5
045154cff7d3f9d97d9afd40d9dd635dd5ef07da0c3180f3eadfc03ecf785ee0
10616b845ffe5d716feff93cadcb7f7997511e53450d1ed385ce1810621e582c
1e2724326801060137e8d663843541aa1b39053c4e0ef5625bf82e128768e056
22ba433714e313ef103e8ad63d6e7e5b52c620c5ea75188790c87bb238b8fe51
26553309ce2fc1e233d4fc6500fdf444f63133b203c733d327c7237f97ccc735
27e8bfb480ac07b81d718a9d47cd21397a00cc7d86c5bc94c08e17b585e79bc2
2939525931f070688b77f285bbb6622512e1c59b6c8940cd88c9dd0d4fa810ce
3118f3ef507a09d79bace50ac5a65e66ffb0ae48dbfa186d0ca546047c6c50df
3288a59d52c01dedf6840e13a0f1da64917caff7cc7d57aa1202e83cdf13f6a1
32dc1b28c7801bdffce2cefcd0847a836a660c937fa174e5313cce5767cd4dc5
336a9ff27d4ba7d098dfc868aaaf1c3b89bb7f32bba93e78f1099cb053ddc958
35c04ab20b9dbb2c4cc1690dbd5bb03502b5c8ea78f89ec49449d9ed35cae15c
36c58990cac473b32a557f7c8a48626cd7461185b28c88ed7ba4cd4da67f9037
3fd634470f5ab28653df7602b79db0bff83d0f004305fffeccdb677c22519427
4e2f9c24419d95d08d901326bbd54670c389f010128b90b9e681543c19875acd
510119f03e583221fbe6fc4800910a22ec8dd8b135a00a15f761357ccedc848c
53e9fabd45528ca20a95314dc89f364edf8005354677d014d7f1714b8099565b
5a530b3e0d2c5332a182bb83eecf3d9efdfc5d55494a297138f911e7a0e0a57d
6227d4828c9148347ff4a08b7bd9f7232555b0b5a897b8c6f4322ac3db0e0fb1
62d20b635b51c75c17090a421ebb39510f1773274f5df3a795be7c10174b2c6b
6814013b6be0296d581cfcfde7290da67e865a6cc77d4d43ac41f389dc86a385
68fcc59af4ce75c0c41114240c29668ade49d3b806fad36106506fe4cd378ec3
6ed8b2cb2d8650c1e69706918b33a5499256128f5db94079c1b6ca4a96cdc3c7
7afdb254aa725081a88b97256ba756ffb7eb343d9010696fbe5f24c9542e0ea7
*See JSON for more IOCs
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
N/A
WSA
N/A
Screenshots of Detection****Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.Formbook-9977759-0****Indicators of Compromise
- IOCs collected from dynamic analysis of 26 samples
Registry Keys
Occurrences
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList
23
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\ICM
4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\ICM\PROFILEASSOCIATIONS
4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\ICM\PROFILEASSOCIATIONS\DISPLAY
4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\ICM\PROFILEASSOCIATIONS\DISPLAY{4D36E96E-E325-11CE-BFC1-08002BE10318}
4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\ICM\PROFILEASSOCIATIONS\DISPLAY{4D36E96E-E325-11CE-BFC1-08002BE10318}\0002
4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\ICM\PROFILEASSOCIATIONS\DISPLAY{4D36E96E-E325-11CE-BFC1-08002BE10318}\0002
Value Name: UsePerUserProfiles
4
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\INTELLIFORMS\STORAGE2
1
<HKLM>\SOFTWARE\WOW6432NODE\MOZILLA\MOZILLA FIREFOX
1
<HKLM>\SOFTWARE\WOW6432NODE\MOZILLA\MOZILLA FIREFOX\20.0.1 (EN-US)\MAIN
1
<HKLM>\SOFTWARE\WOW6432NODE\MOZILLA\MOZILLA THUNDERBIRD
1
<HKCU>\SOFTWARE\RMC-F7UBS5
1
<HKCU>\SOFTWARE\RMC-F7UBS5
Value Name: exepath
1
<HKCU>\SOFTWARE\RMC-F7UBS5
Value Name: licence
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Myqbdrvh
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Mwdwkwmv
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Dogyigqz
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Epngszrl
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Ozybvueo
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Yiziaslk
1
Mutexes
Occurrences
Local\Color CPL Startup Mutex
4
8-3503835SZBFHHZ
1
S-1-5-21-2580483-12441612417194
1
Rmc-F7UBS5
1
Global\bdd59e71-6121-11ed-9660-001517802c61
1
NP9N804-4HUZ1-6M
1
S-1-5-21-2580483-20004206527674
1
Global\9dd66881-6490-11ed-9660-0015177db5a4
1
Global\70925d71-6490-11ed-9660-00151791cf12
1
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
13[.]107[.]42[.]12/31
11
104[.]18[.]38[.]174
10
172[.]64[.]149[.]82
6
85[.]187[.]132[.]177
4
104[.]250[.]134[.]50
3
5[.]230[.]74[.]233
2
204[.]188[.]203[.]154
1
34[.]102[.]136[.]180
1
23[.]227[.]38[.]74
1
198[.]12[.]126[.]210
1
23[.]221[.]227[.]169
1
216[.]250[.]254[.]209
1
202[.]79[.]169[.]33
1
172[.]67[.]144[.]169
1
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
onedrive[.]live[.]com
16
cacerts[.]digicert[.]com
16
strassenburgpharma[.]biz
4
aljassimaluminium[.]com
3
apps[.]identrust[.]com
1
cncooksware[.]com
1
uyoman[.]duckdns[.]org
1
www[.]jsneibuquangf[.]com
1
www[.]niaxnhmy[.]top
1
bqkqug[.]db[.]files[.]1drv[.]com
1
www[.]comfortableleaves[.]top
1
oywkla[.]ph[.]files[.]1drv[.]com
1
clhulg[.]ph[.]files[.]1drv[.]com
1
54jjza[.]am[.]files[.]1drv[.]com
1
oyvg6a[.]ph[.]files[.]1drv[.]com
1
www[.]aibrey[.]com
1
www[.]cooperlawnservice[.]dev
1
www[.]tenoneintelligence[.]com
1
www[.]l37insights[.]com
1
www[.]cendla[.]xyz
1
Files and or directories created
Occurrences
%ProgramFiles%\Microsoft DN1
1
%SystemRoot%
1
%SystemRoot% \System32
1
%SystemRoot% \System32\KDECO.bat
1
%SystemRoot% \System32\easinvoker.exe
1
%SystemRoot% \System32\netutils.dll
1
%PUBLIC%\Libraries\Null
1
%APPDATA%\NP9N804-
1
%APPDATA%\NP9N804-\NP9log.ini
1
%PUBLIC%\Libraries\Myqbdrvh
1
%APPDATA%\NP9N804-\NP9logim.jpeg
1
%PUBLIC%\Libraries\Mwdwkwmv
1
%PUBLIC%\Libraries\Myqbdrvh.exe
1
%APPDATA%\NP9N804-\NP9logrc.ini
1
%PUBLIC%\Libraries\Mwdwkwmv.exe
1
%PUBLIC%\Libraries\hvrdbqyM.url
1
%APPDATA%\NP9N804-\NP9logri.ini
1
%PUBLIC%\Libraries\vmwkwdwM.url
1
%APPDATA%\NP9N804-\NP9logrv.ini
1
%PUBLIC%\Libraries\Dogyigqz
1
%PUBLIC%\Libraries\Dogyigqz.exe
1
%PUBLIC%\Libraries\zqgiygoD.url
1
%PUBLIC%\Libraries\Epngszrl
1
%PUBLIC%\Libraries\Epngszrl.exe
1
%PUBLIC%\Libraries\lrzsgnpE.url
1
*See JSON for more IOCs
File Hashes
0ee0f5bdc3de668920fb08715703eec62d967df44aeb8f87e7fbdfba1263d718
1d160af25e96ec1d33d50216a3eafdc16a1df90a6c62929e25f626dae138015b
1fcfeaf389a913d7f1a1aec60316b8b2b23c226d14764a6c2f2b5d393f0790c4
201bf83ddcbdf1880827e16099f5880cb500b84401e03513ec843c063ca473b0
2755f422c2fa4735f3eccbe0dc93aee31ec00d95c6692bb2fb41c2214c8bf24f
41597718a8b253d08ee21ceb7f6c529b7391a3b592bfa21c38fd4cdfe68d77f1
4b29834ae85fbe65a8d98050a0b9cd1a58a05fd00c6b3b4f21b3a31587a2c613
4c7b8c559d810145e6f98132d65c614ad8581d373dda1f4c717f571840182741
64d32e120cf032517e274b448258444f67eb71cafe3b613d7a80e85b7836e5eb
69c1794447fd793df47198ea31e77a87cee5a7d558803de5ce28001a17193179
6eefd52a0c37864ccfdebc013a387bcfc549875f3e0d18b15d11de6ecfd847cf
6ffcc5061fbafa5eeee756b0292d6ec83109623b786b8e2f5ca5ecbd92a816c0
7bdc0d9213924f353a5f7d63292cdf7d5cfbff6d732f8b8d2e087705ffe6e9c9
8baa18efb525b31848e655555712186dfc249e9e7bc288fc2b4c3672ffc26566
9507dfa379dc81b7c5c0bb780cd7282d1afbbfb35382cb50e647dcee1ded95fa
a721505426152ac7dc3b8db59c0c8b0958c9ba3d0801c0cba9dfdd2f707cdfeb
c2fddeddc5cc83dfdf29996689cb419697dab7588015ff0f14c579daa0799ab1
c71639f403e5e817ccde3cf251e94d59d6ffd3ab277249ab248bde8ae649e762
c7c58aec8e57886b1549faadb1cb7630698f9981a337aaad04a5d90e4a0373dc
cb5aae9535660a2fd396d43bea84e7ea5e8155ebb2cff8de91298345193e9432
d5827c128fceb9ce4e21534e7904ac75f26a8024fc1657bb8da3311e39130d07
e0db15a4f81c59402dfd7dab6fb7676e914c2496760d430c7fcaf1ad284744c0
e3e9372493eda8c15ef90b26f497b77d9b90498f73ca149fc3aca58cf45c841d
e4f882faf23f8a28c47b0cc1dd560161c73d9c2c71cc43925b9c166aec6bb05b
e9dce2c1d4f82eda9f6944903734e87a0871bbbde5c44f1fb8e49bb1f27b3875
*See JSON for more IOCs
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
WSA
Screenshots of Detection****Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.XtremeRAT-9977807-1****Indicators of Compromise
- IOCs collected from dynamic analysis of 10 samples
Registry Keys
Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: EnableBalloonTips
10
<HKCU>\ENVIRONMENT
Value Name: ProgramData
10
<HKCU>\SOFTWARE<random, matching '[a-zA-Z0-9]{5,9}’>
10
<HKCU>\SOFTWARE<random, matching '[a-zA-Z0-9]{5,9}’>
Value Name: InstalledServer
9
<HKCU>\SOFTWARE<random, matching '[a-zA-Z0-9]{5,9}’>
Value Name: ServerStarted
6
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS
Value Name: Path
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS
Value Name: Hash
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS
Value Name: Triggers
1
Mutexes
Occurrences
XTREMEUPDATE
10
<random, matching [a-zA-Z0-9]{5,9}>PERSIST
10
<random, matching [a-zA-Z0-9]{5,9}EXIT>
10
<random, matching [a-zA-Z0-9]{5,9}>
10
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
cooempresas10[.]ddns[.]net
4
soporteshp[.]ddns[.]net
2
amairadearmasmena[.]ddns[.]net
2
isagarlo[.]ddns[.]net
1
pocoyo[.]ddns[.]net
1
Files and or directories created
Occurrences
%APPDATA%\Microsoft\Windows<random, matching '[a-zA-Z0-9]{5,9}’>.dat
10
%APPDATA%\Microsoft\Windows<random, matching '[a-zA-Z0-9]{5,9}’>.cfg
10
%SystemRoot%\SysWOW64\Drivers\System.exe
6
%System32%\Tasks\tmp8976
2
%APPDATA%{DE5Y-YTKY-3SBJ-94CJ-4SR8-PB88}
1
%APPDATA%{DE5Y-YTKY-3SBJ-94CJ-4SR8-PB88}\tmp7439.exe
1
%APPDATA%{5T5R-RLLB-E42B-SL9R-TBRY-I3EJ}
1
%APPDATA%{5T5R-RLLB-E42B-SL9R-TBRY-I3EJ}\tmp3925.exe
1
%APPDATA%{Y8UF-BKXQ-FSSP-J5M7-9C9X-LPBF}
1
%System32%\Tasks\tmp7439
1
%APPDATA%{Y8UF-BKXQ-FSSP-J5M7-9C9X-LPBF}\tmp4295.exe
1
%System32%\Tasks\tmp3925
1
%System32%\Tasks\tmp4295
1
%APPDATA%{W2EY-JOO2-LFEQ-SPKJ-MG38-9WC8}
1
%APPDATA%{W2EY-JOO2-LFEQ-SPKJ-MG38-9WC8}\tmp5932.exe
1
%System32%\Tasks\tmp5932
1
%APPDATA%{MERT-928T-CSXK-J96E-DSL4-YGU4}
1
%APPDATA%{MERT-928T-CSXK-J96E-DSL4-YGU4}\tmp1586.exe
1
%System32%\Tasks\tmp1586
1
%APPDATA%{PPY7-CD87-E6XQ-RE6Q-M6L9-9L39}
1
%APPDATA%{PPY7-CD87-E6XQ-RE6Q-M6L9-9L39}\tmp8628.exe
1
%System32%\Tasks\tmp8628
1
%APPDATA%{LSE7-8BS8-B3JR-OIKQ-C829-XPGB}
1
%APPDATA%{LSE7-8BS8-B3JR-OIKQ-C829-XPGB}\tmp8976.exe
1
%APPDATA%{CPXJ-X6EK-2X4B-EDB4-85RR-TL2S}
1
*See JSON for more IOCs
File Hashes
1b1a7ef5d900e80a85f6e02a2f432d112a6f85787a53bb2a422ed3647310d604
1b6d4b2ea651082ef0295ce85770d10e7fa997fa56e96788f4d6173933a060ae
3bdb5349f4f238b621f85a5173ceb6d0db7fa02ac9cc6679d5507c0c4ab34899
4a9702f24c7f9efa64351c584520cf55f8bfaecd885e839cc47e3b5601325ca3
5ea2731f93008205c3c52a2e4c45ef0848bbe1071ae090cd3a9d7b9fd96fd306
7ce2b584bbac53f871b56f80ee9d17508712a0ecf64919045102d784adf8f7e9
7f836c438ac1da1cb625df75302eea31aaf136d51db79757060adb5cc0859dde
804891c67f42b39ecf4e388b925b172f4f3a9a25e03e07a87368cf6fcbedf017
b1667c3d39402772e4981081ed31115976e99a0b7d420c5faf47c5d66efb70e3
cb9f0d60960a2548b84aa50cc9828548f37fa91c395395ad394db0cfac45ad39
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
N/A
WSA
N/A
Screenshots of Detection****Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK