Threat Roundup for July 1 to July 8


Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between July 1 and July 8. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Win.Trojan.Miner-9954173-0 (Trojan)
This malware installs and executes cryptocurrency mining software. You can read more about this kind of threat on our blog: https://blog.talosintelligence.com/2018/07/blocking-cryptomining.html.

Win.Trojan.Qakbot-9954811-1 (Trojan)
Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.

Win.Packed.Tofsee-9954338-0 (Packed)
Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages to infect additional systems and increase the size of the botnet under the operator’s control.

Win.Malware.TinyBanker-9954340-1 (Malware)
TinyBanker, also known as Zusy or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as “explorer.exe” and “winver.exe.” When the user accesses a banking website, it displays a form to trick the user into submitting personal information.

Win.Dropper.Kuluoz-9954356-0 (Dropper)
Kuluoz, sometimes known as “Asprox,” is a modular remote access trojan that is also known to download and execute follow-on malware, such as fake antivirus software. Kuluoz is often delivered via spam emails pretending to be shipment delivery notifications or flight booking confirmations.

Win.Ransomware.Cerber-9954874-0 (Ransomware)
Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension “.cerber,” although in more recent campaigns, other file extensions are used.

Win.Dropper.DarkComet-9954765-1 (Dropper)
DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user’s machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.

Win.Dropper.Remcos-9954770-0 (Dropper)
Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam and capture screenshots. This malware is commonly delivered through Microsoft Office documents with macros sent as attachments on malicious emails.

Win.Packed.Phorpiex-9954771-1 (Packed)
Phorpiex is a trojan and worm that infects machines to deliver follow-on malware. Phorpiex has been known to drop a wide range of payloads, including ransomware and cryptocurrency miners.

Threat Breakdown

Win.Trojan.Miner-9954173-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 15 samples

Mutexes | Occurrences
4pC39Ev2yuzFY8izw76DGDJR | 15

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
185[.]10[.]68[.]123 | 7
109[.]71[.]252[.]45 | 5
185[.]10[.]68[.]220 | 3

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
eu[.]minerpool[.]pw | 15

File Hashes


Coverage

Product | Protection
Secure Endpoint |
Cloudlock | N/A
CWS |
Email Security |
Network Security |
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics |
Umbrella |
WSA |

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Trojan.Qakbot-9954811-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 22 samples

Registry Keys


Mutexes | Occurrences
Global\{06253ADC-953E-436E-8695-87FADA31FDFB} | 22
{06253ADC-953E-436E-8695-87FADA31FDFB} | 22
{357206BB-1CE6-4313-A3FA-D21258CBCDE6} | 22
Global\{280C5EDE-5A47-4F1C-97D3-B8CFE4CF258D} | 22
{280C5EDE-5A47-4F1C-97D3-B8CFE4CF258D} | 22

Files and or directories created


File Hashes


Coverage

Product | Protection
Secure Endpoint |
Cloudlock | N/A
CWS |
Email Security |
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics |
Umbrella | N/A
WSA | N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Packed.Tofsee-9954338-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 16 samples

Registry Keys


IP Addresses contacted by malware. Does not indicate maliciousness


*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness


*See JSON for more IOCs

Files and or directories created | Occurrences
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> | 16
%TEMP%\<random, matching '[a-z]{8}'>.exe | 16
%SystemRoot%\SysWOW64\config\systemprofile | 8
%SystemRoot%\SysWOW64\config\systemprofile:.repos | 8

File Hashes


Coverage

Product | Protection
Secure Endpoint |
Cloudlock | N/A
CWS |
Email Security |
Network Security |
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics |
Umbrella |
WSA |

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Malware.TinyBanker-9954340-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 339 samples

Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: DA81EF4C) | 339

Mutexes | Occurrences
DA81EF4C | 339

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
www[.]google[.]com | 13
insamertojertoq[.]cc | 13

Files and or directories created | Occurrences
%HOMEPATH%\AppData\LocalLow\DA81EF4C | 339
%APPDATA%\DA81EF4C | 339
%APPDATA%\DA81EF4C\bin.exe | 339

File Hashes


*See JSON for more IOCs

Coverage

Product | Protection
Secure Endpoint |
Cloudlock | N/A
CWS |
Email Security |
Network Security |
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics |
Umbrella |
WSA |

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

Umbrella

MITRE ATT&CK

Win.Dropper.Kuluoz-9954356-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 109 samples

Registry Keys


Mutexes | Occurrences
2GVWNQJz1 | 109

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
173[.]192[.]72[.]226 | 84
196[.]211[.]170[.]187 | 73
113[.]53[.]247[.]147 | 70
76[.]74[.]184[.]127 | 66
81[.]177[.]22[.]90 | 66
91[.]142[.]223[.]136 | 65
198[.]0[.]216[.]35 | 64
151[.]3[.]8[.]106 | 63
91[.]121[.]177[.]88 | 63

Files and or directories created | Occurrences
%LOCALAPPDATA%\<random, matching '[a-z]{8}'>.exe | 109

File Hashes


*See JSON for more IOCs

Coverage

Product | Protection
Secure Endpoint |
Cloudlock | N/A
CWS |
Email Security |
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics |
Umbrella | N/A
WSA | N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Ransomware.Cerber-9954874-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 24 samples

Mutexes | Occurrences
debug.{8067AF37-05F3-E0A7-F91D-CF35012EB051} | 23

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
19[.]48[.]17[.]0/27 | 23
77[.]12[.]57[.]0/27 | 23
87[.]98[.]176[.]0/22 | 23
172[.]67[.]2[.]88 | 9
104[.]20[.]21[.]251 | 8
178[.]128[.]255[.]179 | 7
104[.]20[.]20[.]251 | 6

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
api[.]blockcypher[.]com | 23
qfjhpgbefuhenjp7[.]1bxzyr[.]top | 16
bitaps[.]com | 7
btc[.]blockr[.]io | 7

Files and or directories created | Occurrences
\pc\users\public\recorded tv\sample media\win7_scenic-demoshort_raw.wtv | 23
%TEMP%\d19ab989 | 23
%TEMP%\d19ab989\4710.tmp | 23
%TEMP%\d19ab989\a35f.tmp | 23
%LOCALAPPDATA%\Microsoft\Office\Groove1\System\CSMIPC.dat | 23
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp | 23
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.bmp | 23
<dir>\_R_E_A_D___T_H_I_S___<random, matching '[A-F0-9]{4,8}'>_.txt | 23
<dir>\_R_E_A_D___T_H_I_S___<random, matching '[A-F0-9]{4,8}'>_.hta | 23

File Hashes


Coverage

Product | Protection
Secure Endpoint |
Cloudlock | N/A
CWS |
Email Security |
Network Security |
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics |
Umbrella | N/A
WSA |

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.DarkComet-9954765-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 11 samples

Registry Keys


Mutexes


IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
23[.]65[.]245[.]250 | 3
104[.]104[.]80[.]110 | 2
13[.]107[.]21[.]200 | 1
184[.]85[.]70[.]179 | 1
88[.]232[.]223[.]176 | 1

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
docs[.]microsoft[.]com | 3
go[.]microsoft[.]com | 3
www[.]bing[.]com | 3
berkeinthe[.]duckdns[.]org | 2
sonucbir23[.]duckdns[.]org | 1
deeplool22[.]ddns[.]net | 1
wdwgberke[.]duckdns[.]org | 1

Files and or directories created | Occurrences
%ProgramData%\TEMP | 11
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\699c4b9cdebca7aaea5193cae8a50098_d19ab989-a35f-4710-83df-7b2db7efe7c5 | 10
%APPDATA%\dclogs | 5
%ProgramData%\TEMP:83CE2D1C | 5
%HOMEPATH%\Documents\MSDCSC | 4
%HOMEPATH%\Documents\MSDCSC\msdcsc.exe | 4
%SystemRoot%\SysWOW64\MSDCSC | 1
%SystemRoot%\SysWOW64\MSDCSC\chrome.exe | 1

File Hashes


Coverage

Product | Protection
Secure Endpoint |
Cloudlock | N/A
CWS |
Email Security |
Network Security |
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics |
Umbrella | N/A
WSA | N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Remcos-9954770-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 16 samples

Registry Keys (Occurrences)
  6  <HKCU>\Software\Remcos-<random, matching '[A-Z0-9]{6}'>
  6  <HKCU>\Software\Remcos-<random, matching '[A-Z0-9]{6}'>
         Value Name: exepath
  6  <HKCU>\Software\Remcos-<random, matching '[A-Z0-9]{6}'>
         Value Name: licence
  2  <HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\INTELLIFORMS\STORAGE2
  2  <HKLM>\SOFTWARE\WOW6432NODE\MOZILLA\MOZILLA FIREFOX
  2  <HKLM>\SOFTWARE\WOW6432NODE\MOZILLA\MOZILLA FIREFOX\20.0.1 (EN-US)\MAIN
  2  <HKLM>\SOFTWARE\WOW6432NODE\MOZILLA\MOZILLA THUNDERBIRD
  1  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
         Value Name: Sepudffdow
  1  <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
         Value Name: XZWT4RBPT
  1  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
         Value Name: Gnjxcchbvi
  1  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
         Value Name: Glwxtqqztb
  1  <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
         Value Name: VFIHZLNHGZY8
  1  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
         Value Name: Flccjqinyw
  1  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
         Value Name: Gnbaqnyaxe
  1  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
         Value Name: Tavpfjrjwd
  1  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
         Value Name: Bjfxzjcask

Mutexes (Occurrences)
  6  Remcos_Mutex_Inj
  6  Remcos-<random, matching [A-Z0-9]{6}>
  1  O33049D-3XBEG18I
  1  092440R786BXBxG4
  1  004P450-G9CIB008
  1  J6RABDT9B2C6Y6JH

IP Addresses contacted by malware. Does not indicate maliciousness (Occurrences)
  5  13[.]107[.]42[.]12/31
  3  172[.]64[.]149[.]82
  3  37[.]0[.]14[.]195
  2  162[.]159[.]129[.]233
  2  162[.]159[.]135[.]233
  2  3[.]64[.]163[.]50
  2  104[.]18[.]38[.]174
  2  199[.]192[.]23[.]166
  2  103[.]114[.]104[.]219
  1  209[.]99[.]40[.]222
  1  192[.]0[.]78[.]24
  1  198[.]54[.]117[.]215
  1  198[.]54[.]117[.]211
  1  93[.]89[.]226[.]17
  1  52[.]72[.]49[.]79
  1  194[.]58[.]112[.]174
  1  198[.]251[.]81[.]30
  1  162[.]159[.]133[.]233
  1  162[.]159[.]130[.]233
  1  198[.]54[.]117[.]244
  1  3[.]13[.]31[.]214
  1  79[.]134[.]225[.]9
  1  34[.]102[.]136[.]180
  1  23[.]227[.]38[.]74
  1  142[.]250[.]80[.]83

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness (Occurrences)
  6  cdn[.]discordapp[.]com
  5  onedrive[.]live[.]com
  5  cacerts[.]digicert[.]com
  1  www[.]elanagro[.]online
  1  www[.]gasurvivalgear[.]com
  1  www[.]100shortvideos[.]com
  1  r4tk6w[.]am[.]files[.]1drv[.]com
  1  www[.]iden3s[.]com
  1  www[.]augustamobilenotary[.]net
  1  www[.]sinibelanja[.]website
  1  www[.]vineabank[.]com
  1  www[.]disintar[.]xyz
  1  www[.]hayatcevredanismanlik[.]com
  1  www[.]ezhuilike[.]com
  1  keywea[.]db[.]files[.]1drv[.]com
  1  www[.]timinis23[.]com
  1  www[.]unitedoceanlogistics[.]com
  1  www[.]hubinvoice[.]com
  1  www[.]icarus-soft[.]com
  1  www[.]tematemazo[.]com
  1  www[.]assasa[.]net
  1  www[.]duckholland[.]com
  1  www[.]takeka[.]com
  1  www[.]waydiscount3[.]xyz
  1  www[.]letbeautifyus[.]com

*See JSON for more IOCs

Files and or directories created (Occurrences)
  1  %ProgramFiles%\Microsoft DN1
  1  %ProgramFiles(x86)%\T2dt
  1  %TEMP%\T2dt
  1  %ProgramFiles(x86)%\Og0h
  1  %TEMP%\Og0h
  1  %PUBLIC%\Libraries\Cdex.bat
  1  %PUBLIC%\Libraries\Null
  1  %ProgramFiles(x86)%\Og0h\updateqlr0.exe
  1  %PUBLIC%\Libraries\Sepudffdow.exe
  1  %PUBLIC%\Libraries\SepudffdowO.bat
  1  %PUBLIC%\Libraries\Sepudffdowt.bat
  1  %PUBLIC%\Libraries\wodffdupeS.url
  1  %TEMP%\Og0h\updateqlr0.exe
  1  %PUBLIC%\Libraries\Gnjxcchbvi.exe
  1  %PUBLIC%\Libraries\ivbhccxjnG.url
  1  %ProgramFiles(x86)%\T2dt\colorcplrdi8n6.exe
  1  %PUBLIC%\Libraries\Glwxtqqztb.exe
  1  %PUBLIC%\Libraries\btzqqtxwlG.url
  1  %TEMP%\T2dt\colorcplrdi8n6.exe
  1  %PUBLIC%\Libraries\Flccjqinyw.exe
  1  %PUBLIC%\Libraries\wyniqjcclF.url
  1  %PUBLIC%\Libraries\Gnbaqnyaxe.exe
  1  %PUBLIC%\Libraries\exaynqabnG.url
  1  %PUBLIC%\Libraries\Tavpfjrjwd.exe
  1  %PUBLIC%\Libraries\dwjrjfpvaT.url

*See JSON for more IOCs

File Hashes

    02c6faaf7dacbc44b08e16ccc94a37b1d91b330fe9c1d1c8c4190307d81b9f51

    24cc101a911dab4d60d216074891c71dfc3bc988c7a1cba584b80f6897d7b6db

    3b2011d7c0d7cff6661fd758752004db6c4431c337a40f5e7312675e15d17350

    3fcbe7a0e267613273776e6065ca9ea590672a8fcc98c72668d4feb3d94ded53

    4f45c0298ae00be039e62c02e8ae363b1403620f00c421dd32fd814475831d84

    581a7ac2c4bd76fff10c7e222319f7df696a1b33dc95a55dd62dd73b947cb305

    6de796281a2fa4f9661b9e980d98fe5ce7fdd7a80a09ca93ba2e7c69e6f95af5

    715b1f826c3de9d3b38097292155815a7a224855c966a4ecbfef311397a375a6

    b03d98d7167c602853bcb43aaab9e926d00fc0babeaa51405efe6c5364a1102f

    bf4dbf3c3658eafedb37aa070761a8877166b5401341594cd052e8b75f83bce0

    cb197482888713f270c003760e0ce64a252bab8697b36231aa87e41ee33466e7

    d25d2c22b3843c1e8aaecec11b29d4ebb6fbe5b67a6f5a345abf0709516920d3

    d313893673c0d4f03315f7346d2df1fcc0ba7624234360b2e2aae9af359adc1a

    e7d9370ccf6b4e33c6c28d7e1a2cdcddceac1f5545ebc064a4130cf3d4be0d47

    f587d7f192093dfaa3afd3169abd75cc1f5476e617e486df3dd507613eafeffb

    f5fcd1c154f0ad8e635cef464f0f28ba6fbabf07f9379aa2a1cfec9ea59a173d

Coverage

Product                     Protection
Secure Endpoint
Cloudlock                   N/A
CWS
Email Security
Network Security
Stealthwatch                N/A
Stealthwatch Cloud          N/A
Secure Malware Analytics
Umbrella
WSA

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Packed.Phorpiex-9954771-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 15 samples

Registry Keys (Occurrences)
 11  <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
         Value Name: AntiVirusOverride
 11  <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
         Value Name: AntiVirusDisableNotify
 11  <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
         Value Name: FirewallDisableNotify
 11  <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
         Value Name: FirewallOverride
 11  <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
         Value Name: UpdatesDisableNotify
 11  <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
         Value Name: UpdatesOverride
 11  <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
         Value Name: AutoUpdateDisableNotify
 11  <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
         Value Name: Microsoft Windows Driver
 11  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
         Value Name: Microsoft Windows Driver

Mutexes (Occurrences)
 11  59304
  1  enote/Administrator
  1  ACz8pRIPSWo1ZpimjrSzfSASZMyYdusS
  1  Global\73cc6b21-fbd1-11ec-b5f8-00501e3ae7b6
  1  Global{B4DA2783-5567-F63E-A7E4-4C2053E64169}

IP Addresses contacted by malware. Does not indicate maliciousness (Occurrences)
 11  92[.]63[.]197[.]190
 10  146[.]112[.]61[.]105
  1  163[.]66[.]216[.]177
  1  102[.]228[.]233[.]31
  1  164[.]112[.]134[.]199
  1  58[.]74[.]224[.]218
  1  119[.]89[.]97[.]243
  1  100[.]72[.]177[.]40
  1  128[.]178[.]176[.]234
  1  81[.]21[.]140[.]143
  1  168[.]205[.]174[.]125
  1  103[.]98[.]79[.]11
  1  60[.]162[.]101[.]123
  1  170[.]100[.]37[.]250
  1  80[.]216[.]89[.]38
  1  124[.]206[.]131[.]143
  1  20[.]206[.]235[.]31
  1  35[.]45[.]98[.]140
  1  159[.]164[.]206[.]29
  1  194[.]201[.]144[.]47
  1  194[.]6[.]12[.]158
  1  57[.]197[.]27[.]187
  1  120[.]207[.]149[.]8
  1  123[.]82[.]190[.]187
  1  78[.]148[.]145[.]239

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness (Occurrences)
 11  tldrbox[.]top
  1  drive[.]google[.]com
  1  www[.]tldrbox[.]top

Files and or directories created (Occurrences)
 11  \autorun.inf
 11  .lnk
 11  __\DriveMgr.exe
 11  E:\autorun.inf
 11  E:__\DriveMgr.exe
 11  E:.lnk
 11  E:__
 11  E:__$RECYCLE.BIN
 11  E:__$RECYCLE.BIN\S-1-5-21-2580483871-590521980-3826313501-500
 11  E:__\System Volume Information
 11  %APPDATA%\winsvcs.txt
  1  %TEMP%\1235929499.exe
  1  %TEMP%\1568320431.exe
  1  %TEMP%\2121133818.exe
  1  %TEMP%\2204625615.exe
  1  %TEMP%\2635321236.exe
  1  %TEMP%\2572339688.exe
  1  %TEMP%\3149511422.exe
  1  %TEMP%\1231911167.exe
  1  %TEMP%\1276121491.exe
  1  %TEMP%\1428828012.exe
  1  %TEMP%\2697522266.exe
  1  %TEMP%\3586714917.exe
  1  %TEMP%\1732128979.exe
  1  %TEMP%\1017410538.exe

*See JSON for more IOCs

File Hashes

    017d9b3ad3d3fc1de31e4d121c499721882b0eb8a1abf38c71929fdd44f1e45f

    03d85fea6867024b35caa3246247dd80c285eff9a2386b3bef30b72f475e7b13

    40a6fb569e0abd218106b96ea9f7f6e74e094937c63ed4fcd44bdd754542228a

    556af1554c00ca438d3a6db46125c296e34704f4811231b6e719969b7d622dd8

    6f177fb753eadcd5ae20054b2db2e04a3661d8967f53f44118fc1074c5f4a0aa

    75f7a0659a2ae87e013d5160dd84948a9e6b73794d7d7fdb68b44ef49e17fe00

    78c8de63886867675d4c22ef0dcb904bed8b580a1c3421c0d339888d8c172cd9

    7c16255833c42f715f7229b5c1c79074404a9f18fe592462f00a458d558c3f77

    829bd1b0536915c3dbf00d2e376cdfba58246db2583d628bbaedd22205f0df4d

    86d2ab9fdc91814a2ef5e8c97da80caaa81e47a3e7f650234166d82bd46ebd56

    886f906ff2e8c2ae89543a138542b59395e6bd771ba161411363809f6272317f

    96126ca08928a42b573dd72065f88182b9b0aef970d0b71eb70cb918edef38a0

    c8c3acea8fcb0656671ba22414cd12f6425fd55ad4116558be1b4eb644ffc751

    ee0dd59a307ed3d10d870c40bf3bb2c8d9ae6ed0015d7806eb500da505597db2

    ef199978d755dae99fa2d70d2634eb0113a28e42a0bea7e2f12a1dc0b2a1188e

Coverage

Product                     Protection
Secure Endpoint
Cloudlock                   N/A
CWS
Email Security
Network Security
Stealthwatch                N/A
Stealthwatch Cloud          N/A
Secure Malware Analytics
Umbrella
WSA

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK
