Threat Roundup for October 14 to October 21
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Oct. 14 and Oct. 21. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats. As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.
The most prevalent threats highlighted in this roundup are:
Threat Name | Type | Description
Win.Dropper.Shiz-9974680-0 | Dropper | Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information. It is commonly spread via droppers or when a user visits a malicious site.
Win.Dropper.DarkComet-9974770-1 | Dropper | DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities include downloading files from the user's machine, mechanisms for persistence and hiding, and sending usernames and passwords back from the infected system.
Win.Virus.Xpiro-9975154-1 | Virus | Expiro is a known file infector and information stealer that hinders analysis with anti-debugging and anti-analysis tricks.
Win.Packed.Fareit-9974907-0 | Packed | The Fareit trojan is primarily an information stealer with functionality to download and install other malware.
Win.Dropper.Kovter-9975143-1 | Dropper | Kovter is known for its fileless persistence mechanism: it stores its malicious code in several registry entries and can reinfect a system even after the file system has been cleaned. Kovter has been used in the past to spread ransomware and click-fraud malware.
Win.Dropper.Razy-9975201-0 | Dropper | Razy is often a generic detection name for a Windows trojan. It collects sensitive information from the infected host, which may include screenshots, encrypts the data and sends it to a command and control (C2) server. The samples gain persistence by creating an auto-execute value in the registry.
Win.Dropper.Zegost-9975205-0 | Dropper | Zegost is a remote access trojan designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam and uploading/executing follow-on malware. It appears to be derived from Gh0stRAT, a well-known remote access trojan whose source code was leaked, significantly lowering the barrier to entry for actors looking to modify and reuse the code in new attacks.
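The introduction above makes two points a hunter has to keep together: the indicators are published defanged (`[.]` in place of `.`), and a single match does not by itself indicate maliciousness. The following Python is an added example, not code from the Talos post or its JSON file. It refangs a handful of indicators copied from the lists in this roundup, runs them over constructed DNS and proxy log lines, groups the hits per client, and treats indicators that clean hosts also contact as supporting context rather than as a detection. The CONTEXT_ONLY set, the log format and the sample hosts are assumptions made for the example (13.107.21.200 is listed under both Shiz and DarkComet on this page, which is why the index maps one indicator to several families).

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Set

# Indicators copied from the lists in this roundup, in the defanged form used on the page
# ([.] in place of .). The selection is illustrative; the complete lists are in the JSON file.
ROUNDUP_IOCS: Dict[str, List[str]] = {
    "Win.Dropper.Shiz-9974680-0": [
        "fotaqizymig[.]eu", "cidufitojex[.]eu", "13[.]107[.]21[.]200", "45[.]33[.]2[.]79",
    ],
    "Win.Dropper.DarkComet-9974770-1": [
        "sadeghdng[.]no-ip[.]org", "microupdate[.]sytes[.]net", "www[.]bing[.]com",
        "52[.]8[.]126[.]80", "13[.]107[.]21[.]200",
    ],
    "Win.Dropper.Kovter-9975143-1": ["microsoft[.]com", "104[.]72[.]157[.]175"],
    "Win.Dropper.Zegost-9975205-0": ["sephardi[.]f3322[.]org", "59[.]53[.]63[.]103"],
}

# Assumption for this example: indicators the roundup lists as contacted but that clean hosts
# also talk to all day (Microsoft/Bing infrastructure). A hit on these alone is context, not a
# detection. In practice, derive this set from your own passive DNS and enrichment data.
CONTEXT_ONLY: Set[str] = {"13.107.21.200", "www.bing.com", "microsoft.com"}

# Constructed DNS and proxy log lines for the example (not from a real environment).
SAMPLE_LOGS = """\
2022-10-18T09:14:02Z dns client=10.0.4.17 query=fotaqizymig.eu type=A
2022-10-18T09:14:02Z dns client=10.0.4.17 query=cidufitojex.eu type=A
2022-10-18T09:14:03Z proxy client=10.0.4.17 dst=45.33.2.79:80 host=fotaqizymig.eu
2022-10-18T09:20:11Z dns client=10.0.4.22 query=www.bing.com type=A
2022-10-18T09:20:11Z proxy client=10.0.4.22 dst=13.107.21.200:443 host=www.bing.com
2022-10-18T10:02:45Z dns client=10.0.4.31 query=sephardi.f3322.org type=A
2022-10-18T10:03:00Z dns client=10.0.4.31 query=update.example.org type=A
"""

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
# Pull every IPv4 address and hostname-shaped token out of a line, whatever the log format.
TOKEN_RE = re.compile(rf"\b{IPV4}\b|\b[a-z0-9][a-z0-9.-]*\.[a-z]{{2,}}\b", re.I)
CLIENT_RE = re.compile(r"\bclient=(\S+)")


def refang(ioc: str) -> str:
    """Undo the page's defanging so indicators compare equal to what logs contain."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


def build_index(iocs: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Map each refanged indicator to the threat names it appears under; the same IP or
    domain can be listed for more than one family."""
    index: Dict[str, Set[str]] = {}
    for threat, values in iocs.items():
        for value in values:
            index.setdefault(refang(value), set()).add(threat)
    return index


def triage(lines: Iterable[str], index: Dict[str, Set[str]],
           context_only: Set[str]) -> Dict[str, dict]:
    """Group matches per client. A client is escalated (needs_review) only if at least one
    matched indicator is outside the context-only set; the rest is kept as supporting detail."""
    per_client: Dict[str, dict] = {}
    for line in lines:
        m = CLIENT_RE.search(line)
        if not m:
            continue
        client = m.group(1)
        for token in TOKEN_RE.findall(line):
            token = token.lower()
            if token not in index:
                continue
            entry = per_client.setdefault(
                client, {"indicators": Counter(), "threats": set(), "needs_review": False})
            entry["indicators"][token] += 1
            if token not in context_only:
                entry["threats"] |= index[token]
                entry["needs_review"] = True
    return per_client


if __name__ == "__main__":
    results = triage(SAMPLE_LOGS.splitlines(), build_index(ROUNDUP_IOCS), CONTEXT_ONLY)
    for client, entry in sorted(results.items()):
        flag = "REVIEW " if entry["needs_review"] else "context"
        print(f"{flag} {client}: {dict(entry['indicators'])} {sorted(entry['threats'])}")
```

Run as a script, the host that resolved two of the Shiz domains and connected to one of the Shiz IPs is escalated, the host that only touched Bing infrastructure is reported as context, and the Zegost dynamic-DNS lookup is escalated on its own. Feeding the full JSON list in place of ROUNDUP_IOCS needs no other change.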
Threat Breakdown
Win.Dropper.Shiz-9974680-0
Indicators of Compromise
IOCs collected from dynamic analysis of 66 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\MICROSOFT
Value Name: 67497551a 63
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: 98b68e3c 63
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: userinit 63
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: System 63
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: load 63
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: run 63
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: userinit 63
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList 1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @explorer.exe,-7001 1
Mutexes Occurrences
Global\674972E3a 63
Global\MicrosoftSysenterGate7 63
internal_wutex_0x000004b4 63
internal_wutex_0x<random, matching [0-9a-f]{8}> 63
internal_wutex_0x0000043c 63
internal_wutex_0x000004dc 63
Global\4552e841-4aec-11ed-9660-0015175fc6e6 1
IP Addresses contacted by malware (does not indicate maliciousness) Occurrences
13[.]107[.]21[.]200 31
72[.]14[.]185[.]43 15
45[.]33[.]2[.]79 14
45[.]33[.]23[.]183 11
45[.]56[.]79[.]23 11
45[.]33[.]20[.]235 11
45[.]33[.]30[.]197 11
96[.]126[.]123[.]244 10
72[.]14[.]178[.]174 10
45[.]79[.]19[.]196 9
198[.]58[.]118[.]167 8
45[.]33[.]18[.]44 5
173[.]255[.]194[.]134 5
85[.]94[.]194[.]169 4
Domain Names contacted by malware (does not indicate maliciousness) Occurrences
fotaqizymig[.]eu 63
cidufitojex[.]eu 63
xukuxaxidub[.]eu 63
digofasexal[.]eu 63
gatuvesisak[.]eu 63
lyvywyduroq[.]eu 63
puvacigakog[.]eu 63
xuboninogyt[.]eu 63
cicezomaxyz[.]eu 63
dixyjohevon[.]eu 63
fokisohurif[.]eu 63
volugomymet[.]eu 63
maganomojer[.]eu 63
jefecajazif[.]eu 63
qedylaqecel[.]eu 63
nojotomipel[.]eu 63
gahoqohofib[.]eu 63
rytifaquwer[.]eu 63
kepujajynib[.]eu 63
lyrosajupid[.]eu 63
tuwaraqidek[.]eu 63
xuqeqejohiv[.]eu 63
pumebeqalew[.]eu 63
cinycekecid[.]eu 63
divulewybek[.]eu 63
*See JSON for more IOCs
Files and/or directories created Occurrences
%TEMP%\<random, matching [A-F0-9]{1,4}>.tmp 63
File Hashes
0fd54a3752516ae74445ba9ba0415ca66b5a97e259c65a288e9f535036a3f6c2 1305af84cd40461bdf053a9e3e9e130dd40cb082587d32b4f2dabc1aa9f55ab5 1700243813648c3620961cc1ebc8fe1bee29db2dd683a9256fbdaffb2c2d3402 1bf4f0d47af94c3e428f3c50510ca420161a6cc36cd044c85db915586da580f0 208b2d3afe6ac66a93f79172ea2e11418b54b5d183e056920129db58e1d7cada 259992be0fa7c7a6471eea5323da77c73dce5f6c4d09339d67cdf54101eb49bf 299cc54b9efd0ba263f4b709d2f65ffad4b3bec567fdaadf79df531a0ef548b6 2caf161a22e4a9e5ee81b07349ef63ab9b01c058ec1bc6c3e7423c5d2621c475 2f5cb0db00e4070a56755a2a79ed5bbd9366dd440f04d269e02d4e0d745195dd 2fbf9be9d28838774f7ff984d54b14b2edbdaaf0133642ad62b58f650d9c838c 360c2da9a5e7b93c1c33b6fb355fbf9b39fce16c80b8260793c15cda636f06d8 3779c8df35e040a8663bd887106c7e68bc2c74abf4d731cb23a1c2c37fe92108 3a01e6f5f0252c5f029faa6ba1a978571a9321d2c1e170e6738846b3c1da153b 3c62093f5be8563dfd2acacbe3dfea0aff14f2bbe7aff863083709921675f5ba 3e042ac3114ead5db3666c001c5a136cb3abc8afa2d9608d86d76232ad47533b 4202970a30e26081bf5151e3ebb1609ec50c9db9dcac1516629656e74ab72292 492ebd011baccdc01e3b6caa42722949a623aa40dd07351681a8a30851504097 4b12cc54948f1a66af4e5c1d6fdc7a3151748fda937b5c7e3a4ce0da32f282b9 4cdaef88227d8e39e9fd8011901ca0de0d9f39f9288160ca8029262e3cb85576 4cf8fb57162c78d93382a75651dd0f4dd32d15e624bd7f205cec46bbec6af6c4 56945e7aea4d8d7eb9629bc72d4e192c720357e5b4d1e11337081ef1e41c37d5 57213b49222d15abc6c759544c50c96bc8e368568701223552725e1fcbb5fbad 5e46885a1e5c8aaf32992bae85afd6513117d6c38df122af9925185914793b7f 5ecdfbbe0acf003531b7329afeedef24939beb3cf97bf7aacef8b9cca39af7f4 626300915d8c7dec6be5f5a7e5959b6f4b0b72fbfed068a86e4c405d05908417
*See JSON for more IOCs
Coverage
Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella
WSA
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.DarkComet-9974770-1
Indicators of Compromise
IOCs collected from dynamic analysis of 41 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\THE SILICON REALMS TOOLWORKS 41
<HKLM>\SOFTWARE\WOW6432NODE\THE SILICON REALMS TOOLWORKS\ARMADILLO 41
<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649} 41
<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\VERSION 41
<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\VERSION 41
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 12
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 12
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'> 11
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList 10
<HKCU>\SOFTWARE\DC3_FEXEC 9
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: HKCU 8
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: Policies 7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: Policies 7
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: HKLM 7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA 3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{Y604YT5M-IS04-2A48-225F-2HB7V6B7W50M} 3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: ctfmon.exe 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: ctfmon.exe 3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{Y604YT5M-IS04-2A48-225F-2HB7V6B7W50M}
Value Name: StubPath 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: MicroUpdate 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VSS\DIAG\VSSAPIPUBLISHER 2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{13R07N2B-6QLO-B5WO-1EX2-8BTL6INCM2WY} 2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{13R07N2B-6QLO-B5WO-1EX2-8BTL6INCM2WY}
Value Name: StubPath 2
<HKCU>\SOFTWARE\MICROSOFT
Value Name: PIDprocess 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: MicroUpdateashiyan 1
Mutexes Occurrences
RN7159F566 41
_x_X_BLOCKMOUSE_X_x_ 15
_x_X_PASSWORDLIST_X_x_ 15
_x_X_UPDATE_X_x_ 15
4A8::DAAEACF2A8 10
***MUTEX*** 8
***MUTEX***_SAIR 7
7B4:DAF 7
7B4::DAAEACF2A8 7
DC_MUTEX-<random, matching [A-Z0-9]{7}> 7
7C0:DAF 6
7C0::DAAEACF2A8 6
334:DAF 5
7BC:DAF 5
7A0::DAAEACF2A8 5
6B4::DAAEACF2A8 5
334::DAAEACF2A8 5
7BC::DAAEACF2A8 5
730::DAAEACF2A8 5
<random, matching '[A-Z0-9]{14}'> 4
34C:DAF 4
730:DAF 4
4A4::DAAEACF2A8 4
34C::DAAEACF2A8 4
238::DAAEACF2A8 4
*See JSON for more IOCs
IP Addresses contacted by malware (does not indicate maliciousness) Occurrences
52[.]8[.]126[.]80 2
51[.]89[.]107[.]116 2
13[.]107[.]21[.]200 1
153[.]92[.]0[.]100 1
3[.]64[.]163[.]50 1
78[.]175[.]232[.]186 1
Domain Names contacted by malware (does not indicate maliciousness) Occurrences
sadeghdng[.]no-ip[.]org 4
dagevleri18[.]zapto[.]org 3
www[.]server[.]com 2
microupdate[.]sytes[.]net 2
joyless[.]persiangig[.]com 2
jetfadil[.]zapto[.]org 2
www[.]bing[.]com 1
bykacak470101[.]zapto[.]org 1
slasherist[.]zapto[.]org 1
images1[.]net46[.]net 1
metalcix5[.]dyndns[.]org 1
dinamik[.]no-ip[.]org 1
mehmetsam1997[.]zapto[.]org 1
www[.]dllindir[.]com 1
managed[.]redirectme[.]net 1
darkhacker33[.]no-ip[.]org 1
baransiker[.]no-ip[.]org 1
Files and/or directories created Occurrences
%TEMP%\F827973E.TMP 41
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\699c4b9cdebca7aaea5193cae8a50098_d19ab989-a35f-4710-83df-7b2db7efe7c5 40
%TEMP%\XX--XX--XX.txt 12
%TEMP%\UuU.uUu 12
%TEMP%\XxX.xXx 12
%APPDATA%\logs.dat 12
%TEMP%\x.html 8
%APPDATA%\dclogs 5
%SystemRoot%\SysWOW64\driver 4
%SystemRoot%\SysWOW64\driver\ctfmon.exe 3
%HOMEPATH%\Documents\MSDCSC\msdcsc.exe 2
\TEMP\cmsetac.dll 2
\TEMP\ntdtcstp.dll 2
%TEMP%\DOR.EXE 2
%TEMP%\SMSLOG.EXE 2
\Downloaded.exe 2
%SystemRoot%\SysWOW64\smss\smss.exe 2
%APPDATA%\Microsoft\Windows\((Mutex)).cfg 1
\TEMP\m2k Mod\nocooltime.tga 1
\TEMP\m2k Mod\nofog.tga 1
\TEMP\m2k Mod\noskill.tga 1
\TEMP\m2k Mod\off_0.tga 1
\TEMP\m2k Mod\off_1.tga 1
\TEMP\m2k Mod\off_2.tga 1
\TEMP\m2k Mod\on_0.tga 1
*See JSON for more IOCs
File Hashes
004d9f0b4964ca5529695c3bcfed64c8a5f5004c69cc51940d788f25e842c89f 025db75dd8d43e99090aca0b8b891d1f748e34a8dd164f895e1ddac88cfbea65 04fd3f937baa6b110b8f83577f3eed5470d5ad3f76b77bbed0ed93fe0392936e 0684b108700092d84817509a685b666c0654cdb6abe3240811cc1b4692ede70a 07d5cec6b790243a1af8994c7889b26fb55ea779a31d9911c75f138057298d05 0b95b31db9ebf66c5aafdc5801a4e3f651ad3425f7a42156132da900b582392c 0ee01faf9ed1259b48150317ed4b39199135a917154ac2b161bbc345b03a42f3 1950125c79a4db59cf391297ed0f00a2106d4dab2442ac7cbff5b2257d9e0e2b 1a2e40328a13c1497cd166518ff51e1d7fed74490563d47e29fe45f26e97a05d 1db26d83143a5b1625405f48282b83170fbd2644bacbcca7f51afc10a3e9b035 1e6e592a95806c637aea7b54a9d5cb5236b81af341be18a1a9346b6bbe6571a7 224f4711335c4c0c792d3af80cf5cff14ee6a0a1c3fc6a1eab76eaf1176734d7 2fe3b395c368f1346b1f38e55dadbda2a2c3fb8bfafec9130d99694b13f63fb4 34b775e900f7ebd00b0e8b4f7372cfc55c01ea9e3b424dcba1c9aaa89e1535aa 3536ce470cd6fd310c99c8768cd09cce4eb362e0446dba39ea0faea3ac9837fe 40881ef73d0b9085f256d945aeaeb222d69dca69d584517fa13291811b89925d 473a323f38f889c092e45f1f5c99af8aec175fbd00cb1ea0c00f2db0ea9aef84 47bee0c1952eea7077e47b2c843e7506782727d3f0d8d7d11fb787a73db888e5 548a2e8f5b58857585ad98161fcc86970e2f3f0b70e2610a536df3640de82cd4 58d942e35c3148c20e2dfb6877602a96a39a18b75315bc22972b6ff884bbb33e 5a5f99829e620fe4c98ad9fceb44c4b81087a8b1dac50db37cf2356c018f0493 5d7c90c03d6582b8b067ee14328b93bb08680d12f32d503a308ec0ff410f3dfb 5fe931cef0f656a43daaad1e913d928b6b71c1994b0ab0720c02e786fb79f415 6596911e29d5c531a5454c15da0c39afe35a6adb7b773d1806a99cff6f39c374 696f0c7650dd7b4cdf7bb9884c6a501cb3174f7202de349ef81ed3000262557c
*See JSON for more IOCs
Coverage
Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella N/A
WSA N/A
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Virus.Xpiro-9975154-1
Indicators of Compromise
IOCs collected from dynamic analysis of 52 samples
Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32
Value Name: Type 52
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64
Value Name: Type 52
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32
Value Name: Type 52
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32
Value Name: Start 52
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_64
Value Name: Type 52
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_64
Value Name: Start 52
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\COMSYSAPP
Value Name: Type 52
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\COMSYSAPP
Value Name: Start 52
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IDSVC
Value Name: Type 52
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IDSVC
Value Name: Start 52
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IEETWCOLLECTORSERVICE
Value Name: Type 52
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IEETWCOLLECTORSERVICE
Value Name: Start 52
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32
Value Name: Start 52
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ALG
Value Name: Start 52
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EHRECVR
Value Name: Start 52
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EHSCHED
Value Name: Start 52
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FAX
Value Name: Start 52
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MICROSOFT SHAREPOINT WORKSPACE AUDIT SERVICE
Value Name: Start 52
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELL FOLDERS
Value Name: Startup 52
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\USER SHELL FOLDERS
Value Name: Startup 52
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64
Value Name: Start 52
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FAX
Value Name: ObjectName 52
<HKLM>\SOFTWARE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\STATE
Value Name: AccumulatedWaitIdleTime 52
<HKLM>\SOFTWARE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\LISTENEDSTATE
Value Name: RootstoreDirty 52
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\STATE
Value Name: AccumulatedWaitIdleTime 52
Mutexes Occurrences
Global\mlbjlegc 52
Dmrc_mtx_409a9db1-a045-4296-8d2c-9d71016c846b 1
Files and/or directories created Occurrences
%ProgramFiles(x86)%\Microsoft Office\Office14\GROOVE.EXE 52
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe 52
%SystemRoot%\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe 52
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe 52
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe 52
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 52
%System32%\FXSSVC.exe 52
%System32%\alg.exe 52
%System32%\dllhost.exe 52
%System32%\ieetwcollector.exe 52
%System32%\msdtc.exe 52
%SystemRoot%\ehome\ehrecvr.exe 52
%SystemRoot%\ehome\ehsched.exe 52
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.log 52
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log 52
%SystemRoot%\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{33EC2C09-9668-4DE7-BCC0-EFC69D7355D7}.crmlog 52
%SystemRoot%\SysWOW64\dllhost.exe 52
%SystemRoot%\SysWOW64\svchost.exe 52
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log 52
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat 52
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat 52
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock 52
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat 52
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock 52
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat 52
*See JSON for more IOCs
File Hashes
0fa71a514b5e2312d782e683c7b8b82ebd67b0065a152b76441ff91b83e6da23 145c2d4b353f28be9b78e5513214b14852fc8a99d7cced2f37bacce230daaffd 14f042ac5b66e562ea9c6ea184c617e34d799f60595e4659f6864e3338a07742 15d8be67493a89397947a1ea5cfef908d1d9961045247ecb62641a5431f6325a 170f4d50e891b04ecff879fd70c80f453617f1df099b2f194e5e68a0abaa95f3 19eab5f0d7753da5d593e00ae183789da3ae9da813f5b0152d81929cc15c18cf 1f84a81265207ed407a4722a74e26272b2e262975c8ca2db70cba557d00a2dee 20f04f98cc2ffabe3a76828ebdc3490209a7e4cf04c628b7786044614f5f923f 274c3133ff51e57baeab008511de7c1f04a312629bf78c6807786da85f4850bc 2758752656221d5eefb68a5067efe930606daa7fa3de0a8f9230dc2609c7e435 292cef0a846fa9c856fb1238cff8aa076c68468c79b65c67b9a444d141592664 2cc9ee1f70633239916fd0c2e6a777ba55f32df18f91e6f08fb3086906953ce9 2ea82cd8c864e59d33a7b4b546b1c3ab2d53e60cce0d5303acb2f282afea22f8 39c29cab4461c3380306315b54ac430d2464458dfb8f3d06a201096667ead6e1 3af8c6cc8d2f40eac1ebd681dcbf72e56f196e364d91be09b7354f65ecd2747c 3d5f8a7db9144123fec5d12cf74d734a440a4aa8a9802f3730dbfd97b69ff4e0 3d6e0c0c4b91715fbc87f73cf02cbfed998b4c2a474222024b47ac3083ddf8e0 41793c107f735657decaf15e1e11fb65261a1a7d6c17d3e1875ab8c0d89860fb 41e80a7842e4686929cd67b7759e6cd3ca51d40ee8be38df7bbc3be42fbd5b47 4b2d6dffa968075b0b61d379680a47d460139fe9bb98195cccbd76671106741c 4e757bb7ef118852b2a9e656d274e857ba009c7e70900ae6415d3d517343ef39 509247e400344991745409d7e21e135979d7b1d2d2b23337788e9df4999b81a1 57bf93718385db7f8cd92a97e1fb35cd48e6a19fb824042d74e21d1272acaccb 6216ec0710801a257aa0d7ca22f513d788f6b0c3cac3aaeac91daa18ab11662c 663bb05df8963e00a346b97dab00a9bee82ddff3a3219450f6fe4e63382e9cfa
*See JSON for more IOCs
Coverage
Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella N/A
WSA N/A
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Packed.Fareit-9974907-0
Indicators of Compromise
IOCs collected from dynamic analysis of 28 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\WINRAR 28
<HKCU>\SOFTWARE\WINRAR
Value Name: HWID 28
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003E9
Value Name: F 28
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000001F5
Value Name: F 28
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003EC
Value Name: F 28
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList 2
IP Addresses contacted by malware (does not indicate maliciousness) Occurrences
115[.]47[.]49[.]181 28
Files and/or directories created Occurrences
%TEMP%\1587335618.bat 1
%TEMP%\1863428481.bat 1
%TEMP%\-257830400.bat 1
%TEMP%\59942841.bat 1
%TEMP%\59944853.bat 1
%TEMP%\59917069.bat 1
%TEMP%\59931858.bat 1
%TEMP%\60017815.bat 1
%TEMP%\59939612.bat 1
%TEMP%\59939799.bat 1
%TEMP%\59924292.bat 1
%TEMP%\59916258.bat 1
%TEMP%\59914464.bat 1
%TEMP%\60012370.bat 1
%TEMP%\60036395.bat 1
%TEMP%\60038766.bat 1
%TEMP%\60042915.bat 1
%TEMP%\60048469.bat 1
%TEMP%\60018813.bat 1
%TEMP%\60025615.bat 1
%TEMP%\60031590.bat 1
%TEMP%\60109122.bat 1
%TEMP%\60023525.bat 1
%TEMP%\60033399.bat 1
%TEMP%\60111369.bat 1
*See JSON for more IOCs
File Hashes
011a710edb4c7031e145557964c984a8a76d9a58c7f098535e02ba64d2337793 017ff3be15c68dc8bac00f394c06f043e59806208d4f30f94369aab69c11ea0b 0199c2c9eeee554e41e105cf27bd1443f2be823ae5c3896dff6f4b43ffe3d05d 01ce3324eb5cfcb42a793adda8287ccf804af615adac9b2566456da8a31eb4c0 028b27a48376a3809ea1cbbc1a692f3a900dd744f1e7fd48e3c32221e464f330 0336e429ace80150e2fab8032461539701d47d600e57bfb628f65f14a86fec69 03765100f9a8a5e1326d6605ad3ae160a9de07187bb3d3d4317b27e197b56202 0453139aa9789369f9f5737e7d0fe71dd2f7ec46cf7bf20004be3ad3b74bfd74 050caffa4c1cbef758c3768d3ed431ef37e24936da4fad602c2277ba16e3f985 06fe5d203b5b06267ec79e4f790e490018b7a193c9eb367d5a87f263e12b0f2c 0710a90c59b4a0c8c6df827825917d3338603085d4671a2e5b3e3d7f2a4579e1 071d7639419488989c7ba8954e62b1cb8a90b34546deaff192a815f651bf8f12 07910236de058c15cb69df25a5b41061608929c6dacfd6af2f220291b7afa405 095c8d34ff1f7c58db4a5049f9996a071f3e5cc3d3f1e5afefeae644fd6dda89 0a12252ba956422114ffa0ebad1928fe3b5304a1dd55b7ee682635f90e4401be 0acb97162fee61e564807eef753b64705031bf7a256cdd039ad0c685015a7f79 0b7f9d704ffa2a3ad2cf4e5cbc645124f315ffe7580217f02e0df0bf154c4a2a 0c5dcaac2d8cfc42e6a1ab310c5e3dc8333b58addb40cd70d13928bf4641f9e8 0c8cffe638c88dd917111b00b1f1fae6187a953e968f20d7090b64d0050ca5e8 0d645a9bca980d5a1300c104b5e2381439cfcc57d2e3b0d49cc2566883cccc50 0dfba8f0960b4018d8f8b933f3eb9b15f68311cb84ab1d0c18724feb9c1bf2b1 0e8b3e1bd1bffc0691a663bb3c836d44e515c3442af621e1bd2516b5e249342c 0ebe31bf70d96da6be6851cacea1576bfb73b2c202a2e6f228f2726d5f9dd99b 0f0abc8495fdaddfeb6d7ec55fa92718c00b2d842f6f656f64000561c4d7b5c1 0f3a7226d1b0db73f44a6eeec9abcca4f97832f72fe7d257d653bbd66c9dc545
*See JSON for more IOCs
Coverage
Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella N/A
WSA N/A
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.Kovter-9975143-1
Indicators of Compromise
IOCs collected from dynamic analysis of 69 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION
Value Name: explorer.exe 69
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION
Value Name: iexplore.exe 69
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION
Value Name: explorer.exe 69
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION
Value Name: iexplore.exe 69
<HKLM>\SOFTWARE\WOW6432NODE\07771B47
Value Name: 18f8f764 69
<HKCU>\SOFTWARE\07771B47
Value Name: 18f8f764 69
<HKLM>\SOFTWARE\WOW6432NODE\07771B47
Value Name: 8de2c2e8 69
<HKCU>\SOFTWARE\07771B47
Value Name: 8de2c2e8 69
<HKLM>\SOFTWARE\WOW6432NODE\07771B47 69
<HKCU>\SOFTWARE\07771B47 69
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION
Value Name: dllhost.exe 69
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION
Value Name: dllhost.exe 69
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 69
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList 69
<HKLM>\SOFTWARE\WOW6432NODE\07771B47
Value Name: 013c41ca 21
<HKCU>\SOFTWARE\07771B47
Value Name: 013c41ca 21
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\system32\DeviceCenter.dll,-2000 7
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @explorer.exe,-7001 2
<HKLM>\SOFTWARE\WOW6432NODE
Value Name: 23FD5485F667201E 1
<HKLM>\SOFTWARE\WOW6432NODE
Value Name: 13AC3218A55801940237 1
<HKLM>\SOFTWARE\WOW6432NODE
Value Name: BFBE24101FC216F38AD 1
<HKLM>\SOFTWARE\WOW6432NODE
Value Name: 7350F47C4881E3522AA 1
<HKLM>\SOFTWARE\WOW6432NODE
Value Name: 75A5B2D6C31DFACECF3 1
<HKLM>\SOFTWARE\WOW6432NODE
Value Name: 1E49AA067DDD6606D6C 1
<HKLM>\SOFTWARE\WOW6432NODE
Value Name: B93BF1A5F52C340B 1
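The registry entries listed for Shiz (Winlogon userinit and System, the Windows load and run values), DarkComet (Policies\Explorer\Run, Active Setup StubPath under component names that are not well-formed GUIDs) and Kovter above (FEATURE_BROWSER_EMULATION entries for explorer.exe and dllhost.exe, an opaque 8-hex-character key directly under SOFTWARE holding its values) can all be checked offline from a `reg export` of a suspect host. The Python below is an added example, not Talos code: it parses a constructed .reg dump and applies one rule per location. The sample dump, the NON_BROWSER_HOSTS set and the reason strings are assumptions for the example; the clean default for Userinit being exactly `<system32>\userinit.exe,` and Winlogon\System being empty are standard Windows behaviour.

```python
import re
from typing import Dict, List, Tuple

# Constructed `reg export` text. Key paths mirror locations listed in this roundup's Shiz,
# DarkComet and Kovter sections; the file paths and data are invented for the example.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\bob\\AppData\\Roaming\\98b68e3c.exe"
"System"="C:\\Users\\bob\\AppData\\Roaming\\98b68e3c.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"="C:\\Users\\bob\\AppData\\Local\\Temp\\1A3F.tmp"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Policies"="C:\\Windows\\SysWOW64\\driver\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y604YT5M-IS04-2A48-225F-2HB7V6B7W50M}]
"StubPath"="C:\\Windows\\SysWOW64\\driver\\ctfmon.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"explorer.exe"=dword:00002af8
"dllhost.exe"=dword:00002af8
[HKEY_CURRENT_USER\Software\07771B47]
"18f8f764"="<opaque blob, constructed for the example>"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
OPAQUE_KEY_RE = re.compile(r"^hkey_(?:current_user|local_machine)\\software\\(?:wow6432node\\)?[0-9a-f]{8}$")
# Assumption: these hosts embed no web browser control, so an emulation entry for them is odd.
NON_BROWSER_HOSTS = {"explorer.exe", "dllhost.exe"}
Finding = Tuple[str, str, str, str]  # (key path, value name, data, reason)


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)  # .reg escapes backslash and double quote


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .reg text into {key_path: {value_name: data}}. REG_SZ is unescaped, REG_DWORD is
    decoded to a decimal string, other types (hex:..., possibly continued over lines ending in
    a backslash) are kept as raw text. The default value is stored under the name ''."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            elif data.lower().startswith("dword:"):
                data = str(int(data[6:], 16))
            keys[current][name] = data
    return keys


def _get(values: Dict[str, str], name: str) -> str:
    """Value names are case-insensitive (the lists above show both 'userinit' and 'Userinit')."""
    return next((v for k, v in values.items() if k.lower() == name.lower()), "")


def audit_persistence(keys: Dict[str, Dict[str, str]]) -> List[Finding]:
    findings: List[Finding] = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith("\\windows nt\\currentversion\\winlogon"):
            userinit = _get(values, "Userinit")  # clean default: "<system32>\userinit.exe,"
            programs = [p for p in userinit.split(",") if p.strip()]
            if programs and (len(programs) > 1 or not programs[0].lower().endswith("\\userinit.exe")):
                findings.append((key, "Userinit", userinit, "extra program chained after userinit.exe"))
            if _get(values, "System"):
                findings.append((key, "System", _get(values, "System"), "Winlogon\\System is empty on a clean host"))
        elif k.endswith("\\windows nt\\currentversion\\windows"):
            for name in ("load", "run"):  # win.ini-era autoruns, still honoured, rarely legitimate
                if _get(values, name):
                    findings.append((key, name, _get(values, name), "legacy win.ini autorun value set"))
        elif k.endswith("\\policies\\explorer\\run"):
            for name, data in values.items():
                findings.append((key, name, data, "Policies\\Explorer\\Run autorun, uncommon outside malware"))
        elif "\\active setup\\installed components\\" in k and _get(values, "StubPath"):
            if not GUID_RE.match(key.rsplit("\\", 1)[-1]):
                findings.append((key, "StubPath", _get(values, "StubPath"), "component name is not a well-formed GUID"))
        elif k.endswith("\\feature_browser_emulation"):
            for name, data in values.items():
                if name.lower() in NON_BROWSER_HOSTS:
                    findings.append((key, name, data, "browser emulation set for a non-browser host process"))
        elif OPAQUE_KEY_RE.match(k):
            for name, data in values.items():
                findings.append((key, name, data, "value under an opaque 8-hex-character key directly beneath SOFTWARE"))
    return findings


if __name__ == "__main__":
    for key, name, data, reason in audit_persistence(parse_reg(SAMPLE_REG)):
        print(f"{reason}: {key}\\{name} = {data!r}")
```

On a clean export none of the rules fire: the standard Userinit value has exactly one program, Winlogon\System and the load/run values are empty, Active Setup components carry real GUIDs, and FEATURE_BROWSER_EMULATION names only applications that actually host a browser control. The Active Setup rule is deliberately narrow; legitimate installers do use StubPath, so the tell used here is the malformed component name seen in the DarkComet list, not the presence of the value.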
Mutexes Occurrences
C77D0F25 69
Global\07771b47 69
244F2418 69
906A2669 69
IP Addresses contacted by malware (does not indicate maliciousness) Occurrences
104[.]72[.]157[.]175 69
23[.]32[.]144[.]26 21
20[.]112[.]52[.]29 17
23[.]197[.]176[.]20 17
20[.]84[.]181[.]62 16
20[.]81[.]111[.]85 15
20[.]103[.]85[.]33 12
104[.]102[.]115[.]212 10
20[.]53[.]203[.]50 9
184[.]28[.]60[.]167 9
23[.]78[.]211[.]217 6
173[.]223[.]180[.]106 4
23[.]192[.]26[.]212 2
38[.]222[.]8[.]117 1
216[.]144[.]169[.]140 1
190[.]151[.]91[.]220 1
195[.]77[.]218[.]54 1
90[.]253[.]157[.]248 1
54[.]118[.]131[.]121 1
63[.]7[.]42[.]244 1
134[.]31[.]30[.]191 1
212[.]168[.]17[.]243 1
96[.]7[.]239[.]29 1
12[.]117[.]214[.]13 1
191[.]218[.]35[.]96 1
*See JSON for more IOCs
Domain Names contacted by malware (does not indicate maliciousness) Occurrences
microsoft[.]com 69
nitrado[.]net 1
server[.]nitrado[.]net 1
Files and/or directories created Occurrences
%TEMP%\install_flash_player_18_active_x.exe 69
File Hashes
0402d9277848f056fd1be4f2aa46ff0638210fd7c365b72068ada36d3e868a8b 0602ff1b8146d5726873600ca0b98dee171f9d3daad20bcc5f79b12248a8d71b 08a52aebf083e7937a90e49e0325287548cb1d8d239ba2de485a53b08e007925 0987c0072b99845d53ae11a875ed8ada3de619652a56e7f91400cc9539059111 115d0a7d170d5d515817118f6ec73a311d3978b04a36a7cf9bba49635d65fb47 11eef232e25b5adfe66de44f535bc9eca11ad53b721aa28d4d447bad26ad71f3 1a96139e6e4d78793c8ca8704f40c3b81dcd43daa875dc9a26f04aa548df8c12 1c5813bbf48871f0ad8320cb6c506840fdd806373de4eda38b03d100e0eff8a7 28d74e5d38dffa594421147811283d9575b17494292bdc2d0a181a9707735116 2919cf8ca913e1f1f8d0f9446dfc6b695e0ea16cd030e422b043819e43815b99 2c8bf08a5cf49fff65b5c0d2592ddb53d846b2f3e158c43117e608e3c34ee994 2e40814652f29db096196953ed3da0c4d998a5133ca2079a5a99b34f9c70904f 33a5c0dd485389660211aab696fe6c943bdf949cdcaf26669adcd9427d1b3a11 3de2a2cfbbcb35bada5669ed5e45368a7b8f1b3792135ce70a74dc1f7ee193eb 4419deafa48e210f15075383ee8a1519f47e707440677fce6bd92ee98eb63072 452599d355d0a3fd5c4fd649762b506b07cf4d98abde9dee9e6ac251b7c541f9 482ff7364de8ad4008c9b7103ce84db4770e0577d3b55248f99cd6c454408e34 4a9aa3bf94487a6b2ba50e8c1275e2007a2a2675c3323d06985739914158d781 4d013e135cfc338203c02b8336c7f6df965d9da91a18b3c964fbf7657b8970f2 4dc044c541903a6407b32535d7d2b2efd45c42f43899c26a22ce5dea254f89e1 52f19b82c010b2b1af726318b13d2e05af13b4a4bd741735643fb8a4c78c6667 53ed26da481ee96d7013ff82885e9a11cfe8e763387e580bc362a614a9273962 56e25f94fc8bec2e7e47b6938496ae2c3754c744238b30cdaa78766148d8bc76 62f929b0aa291c6fd8ffdf994a901c7e3046c5bd1d88f00208e187c02e0efd66 69eef0fb8b6dd17d4c5e5e1b1018b0537eb3135c3e30c7b18e7aff95f5a20613
*See JSON for more IOCs
Coverage
Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella N/A
WSA
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.Razy-9975201-0
Indicators of Compromise
IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\EVENTSUBSYSTEM 17
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList 17
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\mlang.dll,-4386 17
IP Addresses contacted by malware (does not indicate maliciousness) Occurrences
207[.]36[.]232[.]49 17
Files and/or directories created Occurrences
%TEMP%\~36011.tmp 17
%TEMP%\bm87F8.tmp 1
%TEMP%\bm8F1A.tmp 1
%TEMP%\bm8D84.tmp 1
%TEMP%\bm8FD5.tmp 1
%TEMP%\bm9004.tmp 1
%TEMP%\bm8EBC.tmp 1
%TEMP%\bm8B24.tmp 1
%TEMP%\bm86FF.tmp 1
File Hashes
00c25a55c907f4da64d6e80fdd43f670a30bc5fd37ca5112286671adc7277c26 077013b955f429dcee49d7572bc61de3bcc09fea450f8d0ae2cf44a0e160c573 0d2e9fa8818793b6ce7cb85c736f1a5e350b3d9c6d9d86871a5d9f935c4bb6d4 20a91d99298ebb3c71130170cb1efc77ee89f3245695ae71c68c7d5175b5db28 267490d54389d4e6357ac76d4d7beb906f17d5be6d065c2effbff7520dd08f3b 2cbd4e9ba35fc75a6a59af3ecf741573d030a4176916844aa0df7ba5ad23e282 33d5252173b0a5d5530df15fec6a996aacd9368ac1548a7a9a2161880493d6fb 3c895d4f706c5b25ff8e1ba2bac5fbbf5f117551c0981b6d44897cc69521bd97 4c00a38a25a43169c9dac7bd06fa210669f376214e798eb004cffabfaba205ea 4fbc12d1135c2b8bc1697652cf8b32988cd53e6625788b3af5ac08eb0b66e78e 504c71380d5ccac1437dbde8bfa5ed3951e27f60376df761f480b5d24c1160c5 57a70425ff4b8332746ff0b4c67990787735995b7cd6a0e030537affe4275d31 6076ad86cc68fd7fad06f0974bafa6742054f7122b9053a5e8604ff836f1e2b7 6ec9c6bb85241d7a23857f0920fb3092d6a9495e7137ce1ebe73484cc6fa699c 721532d828ee4255e5ba70800e17c1f9bb8e1672b149e6a5b6cc6dd43247da68 76c542ae9f6344a40c6b2ef3cffecaa4dd16f64742a7b766b632aea435a29b19 7734f8c023a134fe40b1d7172ae214966cf24f7b6d58192a8cfbd33ae8808e2b 7ace8603560bfdff49bb444ae08243cedd2dc76b63225be62591cfe37126a78a 7b23d913179f18bb5ed0a3780f0e81525c87dedb45cd752a4d225f9032590528 7c2fae30bee39b849f46a3fa8a3cef0d02b4c2904d814828e8203f47f9d1a4c2 7f78d993bdf895d93903df7ef9b0d463564d09eb1c1553406ca39c7823df3f8a 89441930859acffed2ff63fa63dacb2d2faf9922ef541930e16ec0b4d8025779 923aa17644c5247b9a30137239d64b145cc6875a8aaa46590d1198fed13c194e 96ca0e3695c55a242e1afe22960d784bc04a38bb41bafba4f79a72b2a18dca11 99631681dac2dd1a8ab30f8c581ec68d15c098aee84526b5ea954ff5efff7b69
*See JSON for more IOCs
Coverage
Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella N/A
WSA N/A
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.Zegost-9975205-0
Indicators of Compromise
IOCs collected from dynamic analysis of 14 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\STARTPAGE
Value Name: StartMenu_Balloon_Time 1
Mutexes Occurrences
sephardi.f3322.org127.0.0.1127.0.0.1 6
127.0.0.1127.0.0.1127.0.0.1 3
1061683991.3322.org127.0.0.1127.0.0.1 3
Global\46b90721-4e87-11ed-9660-001517ce65a8 1
113.0.208.111127.0.0.1127.0.0.1 1
IP Addresses contacted by malware (does not indicate maliciousness) Occurrences
59[.]53[.]63[.]103 6
113[.]244[.]66[.]10 3
113[.]0[.]208[.]111 1
Domain Names contacted by malware (does not indicate maliciousness) Occurrences
sephardi[.]f3322[.]org 6
1061683991[.]3322[.]org 3
File Hashes
07a56c13165e20e7a6a8b3c854e01da46ebd88f62e4f21c2078bbab5a4625607 250e8013cd21bffebeeaa7b0cfdcab804e19cac6f87b29fe619308cf4094c33f 3d2ff86702776be8b3febe91c0fdf2364a8d1e115f3341d69d9ec62891da58f4 4d023d552abf14a8c09f0e10f23ab9237cce09668a5ecce28b46ef9a725f4bee 56478049b4d28ec287831b1cbd0dc9d61a9da417649296cf3ed8ed80e41bd1cd 7c6a4350f302a10856246b9fcb1e6c1ceccede4e226e0be9c7a7d61cb576b5e0 7c8f76f149d6b2d9b629ac7875a6595aab0088f7befe13426f1de74eb2dd67be 85753277c9dcc1b39cf228005242113bf6c60554ee93e567f3e84f5d8312e5c5 8ad2aa565365bf7e5b2bc4563c726231be2b10929e6e4f132e5a70479efa81c0 922bb3e1ee1e0952b6dfc692d5b1abdb0476387cefb2d76c033885ba15a5f13c a1794b1ef65b2d507e0b789a5e061d72a7f79360d2e622c26f29be812f8813eb b7b16d0c057f20753cb9918ccf0cb7118d9c6e2458a694f4a2392ee088d8a98f d19a82bdf1b5fb3681ee7b8012aaaaf537faad13efa9c30e9590731f29aa0d71 eb2bb807bb0de7631e7c66655915a8a6b26aa07292842ea9d95544c6f1397278
Coverage
Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella N/A
WSA N/A
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Oct. 14 and Oct. 21. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.
The most prevalent threats highlighted in this roundup are:
Threat Name
Type
Description
Win.Dropper.Shiz-9974680-0
Dropper
Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information. It is commonly spread via droppers or if a user visits a malicious site.
Win.Dropper.DarkComet-9974770-1
Dropper
DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user’s machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.
Win.Virus.Xpiro-9975154-1
Virus
Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.
Win.Packed.Fareit-9974907-0
Packed
The Fareit trojan is primarily an information stealer with functionality to download and install other malware.
Win.Dropper.Kovter-9975143-1
Dropper
Kovter is known for its fileless persistence mechanism. This family of malware creates several malicious registry entries which store its malicious code. Kovter can reinfect a system, even if the file system has been cleaned of the infection. Kovter has been used in the past to spread ransomware and click-fraud malware.
Win.Dropper.Razy-9975201-0
Dropper
Razy is often a generic detection name for a Windows trojan. It collects sensitive information from the infected host and encrypts the data, eventually sending it to a command and control (C2) server. Information collected may include screenshots. The samples modify auto-execute functionality by setting and creating a value in the registry for persistence.
Win.Dropper.Zegost-9975205-0
Dropper
Zegost is a remote access trojan designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam and uploading/executing follow-on malware. It appears to be derived from Gh0stRAT, which is a well-known remote access trojan that had its source code leaked, significantly lowering the barrier to entry for actors looking to modify and reuse the code in new attacks.
Threat Breakdown
Win.Dropper.Shiz-9974680-0
Indicators of Compromise
- IOCs collected from dynamic analysis of 66 samples
Registry Keys
Occurrences
<HKLM>\SOFTWARE\MICROSOFT
Value Name: 67497551a
63
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: 98b68e3c
63
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: userinit
63
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: System
63
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: load
63
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: run
63
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: userinit
63
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList
1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @explorer.exe,-7001
1
Mutexes
Occurrences
Global\674972E3a
63
Global\MicrosoftSysenterGate7
63
internal_wutex_0x000004b4
63
internal_wutex_0x<random, matching [0-9a-f]{8}>
63
internal_wutex_0x0000043c
63
internal_wutex_0x000004dc
63
Global\4552e841-4aec-11ed-9660-0015175fc6e6
1
IP Addresses contacted by malware. Does not indicate maliciousness
Domain Names contacted by malware. Does not indicate maliciousness
*See JSON for more IOCs
Files and or directories created
Occurrences
%TEMP%\<random, matching [A-F0-9]{1,4}>.tmp
63
File Hashes
*See JSON for more IOCs
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
WSA
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.DarkComet-9974770-1
Indicators of Compromise
- IOCs collected from dynamic analysis of 41 samples
Registry Keys
Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\THE SILICON REALMS TOOLWORKS
41
<HKLM>\SOFTWARE\WOW6432NODE\THE SILICON REALMS TOOLWORKS\ARMADILLO
41
<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}
41
<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\VERSION
41
<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{C771E660-2111-13D1-B2E4-0060975B8649}\VERSION
41
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
12
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
12
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'>
11
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList
10
<HKCU>\SOFTWARE\DC3_FEXEC
9
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: HKCU
8
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: Policies
7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: Policies
7
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: HKLM
7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{Y604YT5M-IS04-2A48-225F-2HB7V6B7W50M}
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: ctfmon.exe
3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: ctfmon.exe
3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{Y604YT5M-IS04-2A48-225F-2HB7V6B7W50M}
Value Name: StubPath
3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: MicroUpdate
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VSS\DIAG\VSSAPIPUBLISHER
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{13R07N2B-6QLO-B5WO-1EX2-8BTL6INCM2WY}
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{13R07N2B-6QLO-B5WO-1EX2-8BTL6INCM2WY}
Value Name: StubPath
2
<HKCU>\SOFTWARE\MICROSOFT
Value Name: PIDprocess
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: MicroUpdateashiyan
1
Mutexes
Occurrences
RN7159F566
41
x_X_BLOCKMOUSE_X_x
15
x_X_PASSWORDLIST_X_x
15
x_X_UPDATE_X_x
15
4A8::DAAEACF2A8
10
MUTEX
8
MUTEX_SAIR
7
7B4:DAF
7
7B4::DAAEACF2A8
7
DC_MUTEX-<random, matching [A-Z0-9]{7}>
7
7C0:DAF
6
7C0::DAAEACF2A8
6
334:DAF
5
7BC:DAF
5
7A0::DAAEACF2A8
5
6B4::DAAEACF2A8
5
334::DAAEACF2A8
5
7BC::DAAEACF2A8
5
730::DAAEACF2A8
5
<random, matching '[A-Z0-9]{14}'>
4
34C:DAF
4
730:DAF
4
4A4::DAAEACF2A8
4
34C::DAAEACF2A8
4
238::DAAEACF2A8
4
*See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
52[.]8[.]126[.]80
2
51[.]89[.]107[.]116
2
13[.]107[.]21[.]200
1
153[.]92[.]0[.]100
1
3[.]64[.]163[.]50
1
78[.]175[.]232[.]186
1
Domain Names contacted by malware. Does not indicate maliciousness
Files and or directories created
Occurrences
%TEMP%\F827973E.TMP
41
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\699c4b9cdebca7aaea5193cae8a50098_d19ab989-a35f-4710-83df-7b2db7efe7c5
40
%TEMP%\XX--XX--XX.txt
12
%TEMP%\UuU.uUu
12
%TEMP%\XxX.xXx
12
%APPDATA%\logs.dat
12
%TEMP%\x.html
8
%APPDATA%\dclogs
5
%SystemRoot%\SysWOW64\driver
4
%SystemRoot%\SysWOW64\driver\ctfmon.exe
3
%HOMEPATH%\Documents\MSDCSC\msdcsc.exe
2
\TEMP\cmsetac.dll
2
\TEMP\ntdtcstp.dll
2
%TEMP%\DOR.EXE
2
%TEMP%\SMSLOG.EXE
2
\Downloaded.exe
2
%SystemRoot%\SysWOW64\smss\smss.exe
2
%APPDATA%\Microsoft\Windows\((Mutex)).cfg
1
\TEMP\m2k Mod\nocooltime.tga
1
\TEMP\m2k Mod\nofog.tga
1
\TEMP\m2k Mod\noskill.tga
1
\TEMP\m2k Mod\off_0.tga
1
\TEMP\m2k Mod\off_1.tga
1
\TEMP\m2k Mod\off_2.tga
1
\TEMP\m2k Mod\on_0.tga
1
*See JSON for more IOCs
File Hashes
*See JSON for more IOCs
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
N/A
WSA
N/A
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Virus.Xpiro-9975154-1
Indicators of Compromise
- IOCs collected from dynamic analysis of 52 samples
Registry Keys
Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32
Value Name: Type
52
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64
Value Name: Type
52
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32
Value Name: Type
52
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32
Value Name: Start
52
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_64
Value Name: Type
52
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_64
Value Name: Start
52
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\COMSYSAPP
Value Name: Type
52
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\COMSYSAPP
Value Name: Start
52
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IDSVC
Value Name: Type
52
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IDSVC
Value Name: Start
52
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IEETWCOLLECTORSERVICE
Value Name: Type
52
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IEETWCOLLECTORSERVICE
Value Name: Start
52
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32
Value Name: Start
52
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ALG
Value Name: Start
52
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EHRECVR
Value Name: Start
52
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EHSCHED
Value Name: Start
52
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FAX
Value Name: Start
52
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MICROSOFT SHAREPOINT WORKSPACE AUDIT SERVICE
Value Name: Start
52
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELL FOLDERS
Value Name: Startup
52
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\USER SHELL FOLDERS
Value Name: Startup
52
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64
Value Name: Start
52
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FAX
Value Name: ObjectName
52
<HKLM>\SOFTWARE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\STATE
Value Name: AccumulatedWaitIdleTime
52
<HKLM>\SOFTWARE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\LISTENEDSTATE
Value Name: RootstoreDirty
52
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\STATE
Value Name: AccumulatedWaitIdleTime
52
Mutexes
Occurrences
Global\mlbjlegc
52
Dmrc_mtx_409a9db1-a045-4296-8d2c-9d71016c846b
1
Files and or directories created
Occurrences
%ProgramFiles(x86)%\Microsoft Office\Office14\GROOVE.EXE
52
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
52
%SystemRoot%\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe
52
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
52
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
52
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
52
%System32%\FXSSVC.exe
52
%System32%\alg.exe
52
%System32%\dllhost.exe
52
%System32%\ieetwcollector.exe
52
%System32%\msdtc.exe
52
%SystemRoot%\ehome\ehrecvr.exe
52
%SystemRoot%\ehome\ehsched.exe
52
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
52
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
52
%SystemRoot%\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{33EC2C09-9668-4DE7-BCC0-EFC69D7355D7}.crmlog
52
%SystemRoot%\SysWOW64\dllhost.exe
52
%SystemRoot%\SysWOW64\svchost.exe
52
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log
52
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat
52
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat
52
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock
52
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat
52
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock
52
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat
52
*See JSON for more IOCs
File Hashes
*See JSON for more IOCs
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
N/A
WSA
N/A
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Packed.Fareit-9974907-0
Indicators of Compromise
- IOCs collected from dynamic analysis of 28 samples
Registry Keys
Occurrences
<HKCU>\SOFTWARE\WINRAR
28
<HKCU>\SOFTWARE\WINRAR
Value Name: HWID
28
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003E9
Value Name: F
28
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000001F5
Value Name: F
28
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003EC
Value Name: F
28
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList
2
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
115[.]47[.]49[.]181
28
Files and or directories created
Occurrences
%TEMP%\1587335618.bat
1
%TEMP%\1863428481.bat
1
%TEMP%\-257830400.bat
1
%TEMP%\59942841.bat
1
%TEMP%\59944853.bat
1
%TEMP%\59917069.bat
1
%TEMP%\59931858.bat
1
%TEMP%\60017815.bat
1
%TEMP%\59939612.bat
1
%TEMP%\59939799.bat
1
%TEMP%\59924292.bat
1
%TEMP%\59916258.bat
1
%TEMP%\59914464.bat
1
%TEMP%\60012370.bat
1
%TEMP%\60036395.bat
1
%TEMP%\60038766.bat
1
%TEMP%\60042915.bat
1
%TEMP%\60048469.bat
1
%TEMP%\60018813.bat
1
%TEMP%\60025615.bat
1
%TEMP%\60031590.bat
1
%TEMP%\60109122.bat
1
%TEMP%\60023525.bat
1
%TEMP%\60033399.bat
1
%TEMP%\60111369.bat
1
*See JSON for more IOCs
File Hashes
*See JSON for more IOCs
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
N/A
WSA
N/A
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.Kovter-9975143-1
Indicators of Compromise
- IOCs collected from dynamic analysis of 69 samples
Registry Keys
Occurrences
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION
Value Name: explorer.exe
69
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION
Value Name: iexplore.exe
69
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION
Value Name: explorer.exe
69
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION
Value Name: iexplore.exe
69
<HKLM>\SOFTWARE\WOW6432NODE\07771B47
Value Name: 18f8f764
69
<HKCU>\SOFTWARE\07771B47
Value Name: 18f8f764
69
<HKLM>\SOFTWARE\WOW6432NODE\07771B47
Value Name: 8de2c2e8
69
<HKCU>\SOFTWARE\07771B47
Value Name: 8de2c2e8
69
<HKLM>\SOFTWARE\WOW6432NODE\07771B47
69
<HKCU>\SOFTWARE\07771B47
69
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION
Value Name: dllhost.exe
69
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION
Value Name: dllhost.exe
69
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
69
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList
69
<HKLM>\SOFTWARE\WOW6432NODE\07771B47
Value Name: 013c41ca
21
<HKCU>\SOFTWARE\07771B47
Value Name: 013c41ca
21
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\system32\DeviceCenter.dll,-2000
7
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @explorer.exe,-7001
2
<HKLM>\SOFTWARE\WOW6432NODE
Value Name: 23FD5485F667201E
1
<HKLM>\SOFTWARE\WOW6432NODE
Value Name: 13AC3218A55801940237
1
<HKLM>\SOFTWARE\WOW6432NODE
Value Name: BFBE24101FC216F38AD
1
<HKLM>\SOFTWARE\WOW6432NODE
Value Name: 7350F47C4881E3522AA
1
<HKLM>\SOFTWARE\WOW6432NODE
Value Name: 75A5B2D6C31DFACECF3
1
<HKLM>\SOFTWARE\WOW6432NODE
Value Name: 1E49AA067DDD6606D6C
1
<HKLM>\SOFTWARE\WOW6432NODE
Value Name: B93BF1A5F52C340B
1
Mutexes
Occurrences
C77D0F25
69
Global\07771b47
69
244F2418
69
906A2669
69
IP Addresses contacted by malware. Does not indicate maliciousness
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
microsoft[.]com
69
nitrado[.]net
1
server[.]nitrado[.]net
1
Files and or directories created
Occurrences
%TEMP%\install_flash_player_18_active_x.exe
69
File Hashes
*See JSON for more IOCs
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
N/A
WSA
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.Razy-9975201-0
Indicators of Compromise
- IOCs collected from dynamic analysis of 25 samples
Registry Keys
Occurrences
<HKCU>\SOFTWARE\MICROSOFT\EVENTSUBSYSTEM
17
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList
17
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @%SystemRoot%\system32\mlang.dll,-4386
17
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
207[.]36[.]232[.]49
17
Files and or directories created
Occurrences
%TEMP%\~36011.tmp
17
%TEMP%\bm87F8.tmp
1
%TEMP%\bm8F1A.tmp
1
%TEMP%\bm8D84.tmp
1
%TEMP%\bm8FD5.tmp
1
%TEMP%\bm9004.tmp
1
%TEMP%\bm8EBC.tmp
1
%TEMP%\bm8B24.tmp
1
%TEMP%\bm86FF.tmp
1
File Hashes
*See JSON for more IOCs
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
N/A
WSA
N/A
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.Zegost-9975205-0
Indicators of Compromise
- IOCs collected from dynamic analysis of 14 samples
Registry Keys
Occurrences
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\STARTPAGE
Value Name: StartMenu_Balloon_Time
1
Mutexes
Occurrences
sephardi.f3322.org127.0.0.1127.0.0.1
6
127.0.0.1127.0.0.1127.0.0.1
3
1061683991.3322.org127.0.0.1127.0.0.1
3
Global\46b90721-4e87-11ed-9660-001517ce65a8
1
113.0.208.111127.0.0.1127.0.0.1
1
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
59[.]53[.]63[.]103
6
113[.]244[.]66[.]10
3
113[.]0[.]208[.]111
1
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
sephardi[.]f3322[.]org
6
1061683991[.]3322[.]org
3
File Hashes
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
N/A
WSA
N/A
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK