Headline
Threat Roundup for September 9 to September 16
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Sept. 9 and Sept. 16. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats. As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found herethat includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files. The most prevalent threats highlighted in this roundup are:
Threat Name Type Description
Win.Dropper.LokiBot-9969312-0 Dropper Lokibot is an information-stealing malware designed to siphon sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from several popular applications. It is commonly pushed via malicious documents delivered via spam emails. Win.Dropper.Zeus-9969310-0 Dropper Zeus is a trojan that steals information such as banking credentials using methods such as key-logging and form-grabbing. Win.Dropper.Nanocore-9969309-0 Dropper Nanocore is a .NET remote access trojan. Its source code has been leaked several times, making it widely available. Like other RATs, it allows full control of the system, including recording video and audio, stealing passwords, downloading files and recording keystrokes. Win.Ransomware.Cerber-9969274-0 Ransomware Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension “.cerber.” In more recent campaigns, other file extensions are used. Win.Dropper.DarkKomet-9969269-0 Dropper DarkKomet is a freeware remote access trojan released by an independent software developer. It provides the same functionality expected from a trojan, such as keylogging, webcam access, microphone access, remote desktop, URL download and program execution. Win.Dropper.Ramnit-9969260-0 Dropper Ramnit is a banking trojan that monitors web browser activity on an infected machine and collects login information from financial websites. It can also steal browser cookies and hides from popular antivirus software. Win.Dropper.Kuluoz-9969050-0 Dropper Kuluoz, sometimes known as “Asprox,” is a modular remote access trojan known to download and execute follow-on malware, such as fake antivirus software. Kuluoz is often delivered via spam emails pretending to be shipment delivery notifications or flight booking confirmations. Win.Dropper.Remcos-9969014-0 Dropper Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam and capture screenshots. It is commonly delivered through Microsoft Office documents with macros sent as attachments on malicious emails.
Threat Breakdown
Win.Dropper.LokiBot-9969312-0
Indicators of Compromise
IOCs collected from dynamic analysis of 15 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList 3
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\INTELLIFORMS\STORAGE2 2
<HKLM>\SOFTWARE\WOW6432NODE\MOZILLA\MOZILLA FIREFOX 2
<HKLM>\SOFTWARE\WOW6432NODE\MOZILLA\MOZILLA FIREFOX\20.0.1 (EN-US)\MAIN 2
<HKLM>\SOFTWARE\WOW6432NODE\MOZILLA\MOZILLA THUNDERBIRD 2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\system32\DeviceCenter.dll,-2000 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\DISCARDABLE\POSTSETUP\COMPONENT CATEGORIES\{56FFCC30-D398-11D0-B2AE-00A0C908FA49} 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\DISCARDABLE\POSTSETUP\COMPONENT CATEGORIES\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\ENUM 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\OWUZ370WDG 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\DISCARDABLE\POSTSETUP\COMPONENT CATEGORIES\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\ENUM
Value Name: Implementing 1
Mutexes Occurrences
3749282D282E1E80C56CAE5A 1
-1L3OO7B8T5U3Hz8 1
86R24Q1820DI8G-5 1
0-RAP0BC8AFXV5YK 1
O926B232S79XBxBC 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
111[.]118[.]215[.]251 2
104[.]18[.]114[.]97 2
85[.]159[.]66[.]93 1
149[.]154[.]167[.]220 1
217[.]26[.]48[.]101 1
81[.]17[.]18[.]196 1
151[.]101[.]2[.]159 1
2[.]57[.]90[.]16 1
66[.]235[.]200[.]147 1
3[.]64[.]163[.]50 1
34[.]117[.]168[.]233 1
183[.]90[.]232[.]14 1
64[.]190[.]63[.]111 1
162[.]213[.]253[.]236 1
103[.]63[.]2[.]157 1
109[.]123[.]121[.]243 1
66[.]225[.]241[.]38 1
149[.]129[.]252[.]201 1
162[.]240[.]46[.]240 1
209[.]159[.]145[.]117 1
81[.]161[.]229[.]75 1
104[.]21[.]81[.]107 1
160[.]121[.]173[.]6 1
129[.]226[.]173[.]87 1
66[.]96[.]162[.]150 1
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
icanhazip[.]com 2
mail[.]mayhighfilms[.]com 2
www[.]awesomegih[.]net 1
www[.]european-resilience[.]org 1
www[.]eminefendipsikoloji[.]xyz 1
www[.]solutionsdr[.]website 1
www[.]jeuxjetx[.]fr 1
www[.]mjmedia[.]online 1
www[.]ct666666[.]com 1
www[.]aceyourexams[.]org 1
www[.]famallcameroon[.]com 1
www[.]kevinandboots[.]com 1
www[.]grupoprius[.]com 1
www[.]6298vip15[.]com 1
www[.]goinuffies[.]com 1
www[.]strcktunkea[.]xyz 1
www[.]wettenunseam[.]xyz 1
www[.]998899[.]lc 1
www[.]gurilab[.]com 1
www[.]825766[.]com 1
www[.]agenlexispkr[.]xyz 1
www[.]randrconstruction[.]site 1
mail[.]nu-meqa[.]com 1
www[.]tbwtaobao[.]org 1
www[.]nineodesign[.]com 1
*See JSON for more IOCs
Files and or directories created Occurrences
%ProgramFiles%\Microsoft DN1 1
%LOCALAPPDATA%\Microsoft Vision 1
%APPDATA%\D282E1 1
%APPDATA%\D282E1\1E80C5.lck 1
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5 1
%APPDATA%\ndwgxitf.y2z 1
%APPDATA%\Microsoft\Windows\TEMPLA~1\fgfhgf.exe 1
%APPDATA%\ndwgxitf.y2z\Firefox 1
%APPDATA%\ndwgxitf.y2z\Firefox\Profiles 1
%APPDATA%\ndwgxitf.y2z\Firefox\Profiles\1lcuq8ab.default 1
%APPDATA%\ndwgxitf.y2z\Firefox\Profiles\1lcuq8ab.default\cookies.sqlite 1
%APPDATA%\A1EB383543D3F00657D7 1
%APPDATA%\Microsoft\Windows\Templates\BCRHYN5A.zip 1
\TEMP\f400n12e.0.cs 1
\TEMP\f400n12e.cmdline 1
\TEMP\f400n12e.err 1
\TEMP\f400n12e.out 1
\TEMP\f400n12e.tmp 1
\x5c\x55\x73\x65\x72\x73\x5c\x41\x64\x6d\x69\x6e\x69\x73\x74\x72\x61\x74\x6f\x72\x5c\x41\x70\x70\x44\x61\x74\x61\x5c\x52\x6f\x61\x6d\x69\x6e\x67\x5c\x4d\x69\x63\x72\x6f\x73\x6f\x66\x74\x5c\x57\x69\x6e\x64\x6f\x77\x73\x5c\x54\x65\x6d\x70\x6c\x61\x74\x65\x73\x5c\xac0e\xac27\xac09\xac17\xac18\xac18\xac10\xac0f\xac20\xac15\x2e\xac02\xac12\xac27\xac14\xac16\xac0d\xac05\xac1e\xac26\xac05 1
%APPDATA%\rxbyry3j.lyu 1
%APPDATA%\rxbyry3j.lyu\Firefox 1
%APPDATA%\rxbyry3j.lyu\Firefox\Profiles 1
%APPDATA%\rxbyry3j.lyu\Firefox\Profiles\1lcuq8ab.default 1
%APPDATA%\rxbyry3j.lyu\Firefox\Profiles\1lcuq8ab.default\cookies.sqlite 1
%APPDATA%\gmzjfop1.kr5 1
*See JSON for more IOCs
File Hashes
00fdc4ec48b20f242022329109dc1e46b881a9f044f8d3d2c41c5071f13f284f 0a3b4186c412949b09fb35b24d0b7cfaab2726008c9dfd9ded81042678656a79 0bcfde1f70aeca56465e84252d3fed352a44686c52f1201e4474d5c126888842 17c40b93caacb07d7cb74d9bc9613780f3d346f5211323baa996e6516f830761 209ae4bb19c3fa5f5fd635e0bf9488ffc1b996edca12dcbd3771c5f6c560f9f9 2f64045ea223d08dd7556ac4d77b48153a96f881a0809e1c8ead0db9f6233884 36b098518b9abac620afde7568f084a592d1b43d50abdd8c70e030bca546b0e9 385203173d2547ac9df7af8711b18f9bff87c085e578e09a9a0999e2410a8744 41779f5ac5669c9d785d8348ee0cd0c03b31e0b260325995734cf67196eaa335 46ef92bfc91030701e6b5518deb8aba193a86e07ab8c63c0502a22e8acd9bc15 477038c22b79299bdd29784b5fa4d666735b962011b70f86fb6576fb690614b9 60214bf0cf8621867b6c69ffe98b203b8bec0c8f4a2144874b01f9f8c8a1cee6 a7157198068ee89caac77d8174b1e75bd71a42e0b3bb66ecbf9cbf05533f2153 bfdf0c6aa301a9305c58a7f3c4ef2a6b5ae2b3125600368acb8d0fb677e1b8a3 e602d598e6a30b8a9970e32469a499576fdc8bb987995add758221aa63142ed0
Coverage
Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella
WSA
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.Zeus-9969310-0
Indicators of Compromise
IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\PRIVACY
Value Name: CleanCookies 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100
Value Name: CheckSetting 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102
Value Name: CheckSetting 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104
Value Name: CheckSetting 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101
Value Name: CheckSetting 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103
Value Name: CheckSetting 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: {45E760AF-9D6C-3717-3BC0-7CBFD652F80C} 1
<HKCU>\SOFTWARE\MICROSOFT\HOESWE 1
<HKCU>\SOFTWARE\MICROSOFT\HOESWE
Value Name: Riiky 1
Mutexes Occurrences
Local\{825579BC-847F-F0A5-3BC0-7CBFD652F80C} 1
Local\{A3F31C8C-E14F-D103-3BC0-7CBFD652F80C} 1
Local\{A3F31C8D-E14E-D103-3BC0-7CBFD652F80C} 1
GLOBAL\{<random GUID>} 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
193[.]143[.]97[.]30 1
Files and or directories created Occurrences
%TEMP%\tmp100f6b7d.bat 1
%APPDATA%\Epxesy 1
%APPDATA%\Epxesy\veof.okx 1
%APPDATA%\Tioxp 1
%APPDATA%\Tioxp\quem.exe 1
File Hashes
06c09f8aaad2f106a4c64e96906b086bd033cebd96ca266d95bf729f8a68e3b8 0c45a6f787fcb67d8828be0a93b2e5cc9ff08d9a87e68bebc5d6d5d431e0b433 0edf80d5a575a23a2928a6ae7c4a97b2a11a1a9cb40c23521a6de75d8bcf39c8 1db78d1906bfc5ba8367a285c80fd8c67cea7acacd5eb116a7bbd18e77a59023 23905382d08a21e3611db1c290cc86cb22e0f1b493ea2a45f3ca44752a8303d7 2a1b0e3c895993130118782d79dd65b019c660e7b8a4c8af575cde7a5698ae00 2e985914ac0afb33fcbd4311383156af1a79bbe83f57e1225cb86583e6149966 38643489ca7412c15f8d7467d2e1fc622c00b3f6a93ef8ed574c70380de198a7 3e0092e6e6e825556a9e706fd8e3a083001bde9b8a08d8a1dd446ac9f0961cd8 5249e5dc425ceceb4ffd10e04be8fa78ffc8afc4d778fb2773c17f1aa695061c 59d35e5a1e59c4bf032381eeac422223979cbecbd8f668fd917d3bfcea3b7be2 5f897dd59f0621ccd91dfa1d2eb4f965da1b908d9553b4027cd774a18571d15f 65486a839b1c8ff2d4d008ccf33fab7e0404c6a4696fafc5c15961c3816862b8 6cab4306e33f527984b265383d0dea1d11a897b0924b015a2a62700af289edc0 712870bb11fc63cf3d4388668d0c0e707b47c4fc95ff7a0e9b737a50ea3b1c55 8507eafa7e63dc4095cf3424fba1d1a2674752fca8f1d452558d9cbfd0273500 8ac89088823963b316a78e2d5352c06126b1bf176d6a57ceed115cd91d45256b 8c32a4f95a5d1e3eaf9d0ce259f5eea51b4f4d5fb8d75b593e45bb7a776485ea 90c3de2ee8669c7b0cdb3fb57ad911dd40bc0825b32ca3df28687bf22c37098e 92e22ceaf491476477b5962eb64dd52bb7aff8a8e74ebb2dba253604df7525ad b2e2d4451bf745e602446d4d68e76aa1e2e05fde70bee1dcdd283e2f691fd420 b8b6845966466ac1f25c737e86025dc4f5e82fa03947637089ebae7e43c62617 d19a0a01af2ced3e486cf0497204a03fbf2894dca6ef44e680678eed0350b5e9 d515963a214ea51cb885d73263feb275efb94aea759ad92eb395f668f11e1b86 dc792ed152e13f16d0bb6da06dd41091d26d2ad6e724c188bee6c9895ab112ef
*See JSON for more IOCs
Coverage
Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella N/A
WSA N/A
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.Nanocore-9969309-0
Indicators of Compromise
IOCs collected from dynamic analysis of 15 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: AGP Manager 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @explorer.exe,-7001 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: UqRhmjYGcw 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: NoControlPanel 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: FmjwSAKZ\ 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: pdb 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: wMxdYNJI\ 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: kai 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ZeNNLCQY\ 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: TpuuyrDY\ 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: pbr 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: zSCGySDZ\ 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: CoZNunCT\ 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: zrVxOFxs\ 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: PntmHtOf\ 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: UzTQIQBw\ 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: HpnSIvIw\ 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: FPZeexxA\ 1
Mutexes Occurrences
GLOBAL\{<random GUID>} 9
54b220f4544a7115f31b 2
2AC1A572DB6944B0A65C38C4140AF2F46386E886134 1
Global\534b56e0-35b0-11ed-9660-00151795f450 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
107[.]191[.]99[.]95 2
107[.]191[.]99[.]221 2
192[.]198[.]87[.]78 2
132[.]226[.]247[.]73 2
216[.]38[.]7[.]236 2
95[.]140[.]125[.]73 1
185[.]101[.]34[.]84 1
158[.]101[.]44[.]242 1
95[.]140[.]125[.]64 1
95[.]140[.]125[.]105 1
162[.]248[.]244[.]15 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
checkip[.]dyndns[.]org 3
monerohash[.]com 2
Files and or directories created Occurrences
\<random, matching [a-z]{7,15}> 11
\<random, matching [a-z]{7,15}\[a-z]{7,25}>.exe 11
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5 9
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs 9
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs\Administrator 9
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\run.dat 9
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\task.dat 9
%System32%\Tasks\AGP Manager 9
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp 9
%ProgramFiles(x86)%\AGP Manager 3
%ProgramFiles(x86)%\AGP Manager\agpmgr.exe 3
%System32%\Tasks\AGP Manager Task 3
%TEMP%\test.vbs 2
%LOCALAPPDATA%\AIMDKitteh 2
%LOCALAPPDATA%\AIMDKitteh\mymonero.exe 2
%APPDATA%\pdb 1
%APPDATA%\pdb\pdb.exe 1
%TEMP%\Fp7.exe 1
%APPDATA%\Microsoft\Windows\Templates\4HIM1_BUR_CHOCK_RUBBER_SPACER.pdf 1
%APPDATA%\kai 1
%APPDATA%\kai\kai.exe 1
%APPDATA%\pbr 1
%APPDATA%\pbr\pbr.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\zGMpWbpk.exe.lnk 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\SyYwhHOl.exe.lnk 1
*See JSON for more IOCs
File Hashes
10da4db37896cf6b8caa342cf459b7d8f1c441395777bf91f08244d17781f303 1337715195d96f0e051b8da7c6bd4ceec714c780706d195cb44a7da8d8026bc3 24867d30ca0b7ff5aa56efad0007f2dd61f257d9c94f4f65104321756add8c5d 54a92443ad92b755492232393c79a650f38fbcc8e4c5e7edb4a740386be57685 54ef1dcdabc6abd29138ad60375b06c94e9adcf055668187ede39dd7af72d551 618fe651ef4c851931517d762d1d625d8a91dc8ec37c1b4cf1f810ee7107d4eb 652a8000a682aa0e6d66a81e88ebd2d16e67344a500223485e315b3d5b3725d5 8bc4a28c2ace03795a77a619fd9d1fe2b113852a65c5147fe76706549eecdd00 905518b072f0c8f6074a9ea3ef8b2571f949b2a2eec4be87d3d228575050db2e 9c7ddd3eb292885e83f583ee3a84d1a2750c85a62c5ef082f0e8adc45044ebe7 a31e5d93083043137148a1a50547f8f6812cf36e88211a1f371fab588238bd75 d225168def78f1460f3d9599b62267217eef5a36c5e816ee8e5cc0f9059fcf7b e43ed7e08d4b9724bc7653156794825f5a5c12952fdd864e4adcfa530c5f9528 f889ca5350f42fdffeeb49395d7fa2cacadb33e0a909d6a839d4148167ba6c7d f8d613ed7073e4c6aa721caa838af36e8a224eafe998b51dd065ec8745a9b289
Coverage
Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella N/A
WSA
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Ransomware.Cerber-9969274-0
Indicators of Compromise
IOCs collected from dynamic analysis of 26 samples
Mutexes Occurrences
shell.{381828AA-8B28-3374-1B67-35680555C5EF} 26
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
31[.]184[.]234[.]0/23 26
Files and or directories created Occurrences
%TEMP%\d19ab989 26
%TEMP%\d19ab989\4710.tmp 26
%TEMP%\d19ab989\a35f.tmp 26
File Hashes
001887448cac3a58f89bb4f1a8cc8ec45f628706da4e15ebe65429660b2cf825 0033255bc7041027253dc517866af84413f255c5552bcc47fd7e8e660838feed 039fc087b3471228b0be1f67091597e17f33e4cd04b0d2b4be5428657e314631 04097126ab04eef29679935eeaf4c411f04b7a9dfdf3f10bdb5ef7453e6b8692 056ad6d6e3bbd58774ed1ca65fd9b983504185993112a13c5aa54c65be2ca375 05dfa32796c95f0c0ea13074db213d53fab488fdde9afab36ed98c430bc1a930 06e837716cb81498c37c0b621c87acbd2e00d11cf60e27f628ce966702f1a11e 08ce2dac33264f90d5ad8d89bbe56ad0346fc32854a184ed23b15c1cfac81a63 09204adcfbb5041640705d9f80148a1b08ee206ba78d98e071dcdcea77aaf2ad 099ed53d97ba687736ae6e6bcf14c5cc39f65ee933115205c3237cfe19c81015 0b64ca7807d2836760e06c5b4f543d0ae52fa3029552a6e373656770f8eb53f7 109f7711ff16346888c05dbad80214832525d2f962456626e51b90675f4b5e4c 163ecfa1ca0dd985d0487bb496948eb43e2a37ff44a1f833ae1c92b38e269548 19fd3a451086711c12e345a717f0361db12cc8f4a88a3efa66bfa22c96c0e6d7 1a6f8c9f5ab69bfe50d01ab3c321468c6f7ae73091245efe5ec55a4e03f40002 1c09cbf3f181b08879c3cff05c31d0708a9331fddf0eba03e3bbe07ae220a8f8 1cf1dd029fff1b33bd7951e45b7304038c31547e082cabefa656b42e7349ae82 1f27597b0c1b7887511b302efc5fb94b8a241e9736295aeabf84f199f6ccee31 249d96a706928e747acaee7f2bbfa5650f58c957819c262b2cd25e6821f8ece0 270c413b723228cd91400050fbcd8c2eb549f17456f36ff8ad41b63deeb2870c 29598e11fac3a66758910e03c38bb17da6771141a968a1aaf99ae4520bf6c60c 2dde0afe1cf38036b2436a9ca80be179dce9371115ed882bbeb9278563f8d14a 301ca6accba0406fa35115716889892002e30ed8b9d84920b9c5cc2766b0c7f5 30d19efc5ed887ec148f4c280fe5daf01dd6b0098a81d99a864dce3bc8a5f8e4 3b4e4e8fc9b2bf6f7750cd8ed310f8bb4cd7d56ed9989e0fdd929aa5ee27debf
*See JSON for more IOCs
Coverage
Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella N/A
WSA N/A
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.DarkKomet-9969269-0
Indicators of Compromise
IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
<HKU>\<User SID> 23
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101
Value Name: CheckSetting 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103
Value Name: CheckSetting 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100
Value Name: CheckSetting 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102
Value Name: CheckSetting 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104
Value Name: CheckSetting 1
<HKCU>\SOFTWARE\MICROSOFT\UNBUR 1
<HKCU>\SOFTWARE\MICROSOFT\UNBUR
Value Name: Ryuplucyc 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: hyybo.exe 1
<HKCU>\SOFTWARE\MICROSOFT\UNBUR
Value Name: Yqtayfxe 1
Mutexes Occurrences
Global\{08995C04-83FA-2613-1053-58F3B048D958} 23
Global\8bf66b81-fa0d-11ec-b5f8-00501e3ae7b6 1
GLOBAL\{<random GUID>} 1
Local\{<random GUID>} 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
alchemistrywork[.]com 1
Files and or directories created Occurrences
%TEMP%\tmp25673c86.bat 1
%APPDATA%\Otufux 1
%APPDATA%\Otufux\hyybo.exe 1
%APPDATA%\Vooqwo 1
%APPDATA%\Vooqwo\bayk.qua 1
File Hashes
01a66cc3487f0d7e2f27d5a8e69f0c234bdf3304b9ca06fd147fb004a50929f3 03f815c5390528e96c9abf400ce167582eadb1649589b00d39d29b433b03c7b0 2059a4cffd04bc3e04955e20fdd5df1d5d9908d6b9214f8e4c80e10321be77eb 2279feff7534923353197e71c57e3945b8a1efd80d66dcd8e146bcbf1f554a70 3948d73d942c6164c716b5d69041e0ecf9df653e6ece61555e507a745006a3fd 44b484fb9343f45c670e63f286313b09ae005edf5ca0168fb94229dcbd9388aa 4b7e1f682cb8d5dba918cc565714e04d2147663b18ecb9f90deae9ab28bf8f1b 52ccf7455c103e6db02356727227e4bb45d718e0205f28f89349c671997c6c09 62fb8f5173958bb58b2f84a854d08899f14706a6e20e57e3b906965ebd7db6f4 63d42b3e5da3c55a03d2f9b04456632a2f675547b853f142b8245c91bf15100d 68ffff6405e7baecff7f87af41afbbde02844a917a52660a87f36cff3635ccd2 6a0d55b4ed40a705c9e8af25cac6133b4fbb043909e509b1fce274238def0b07 7432dbc42a6785ad8f0cdfbecabcaa38c291e51b3aac8863b3bdfdb1cc1163fd 8350295d5dc2ae0d23d8a4831b461e4103abde3928b9d0f380eb83679fcbf26d 91dc25a40e00e8cc9f5d1074ff80a66ed5c927036e062ce0311a92e5e4b94480 a49071fdf4d34aaf88300a3703227c1fdcd532f9054f848dfbc5c1f15b6fef45 b76165ed0f3f9e8ac42394cf8700e8d8e8c7f4ee89b11c01e81d29b0b4006220 c0bc17998bde718499954f3cf7319b1633405452873b606671204889051cf1a0 c159a657fef9189a28461ac6725bd0a9d6cb1cf4311a3a7d6d95e06130eb629a c42edcd2dbcc690da04afb0d2bb771f2d4aef1e188aa3b8a096c051340b52ab4 c6f4e464c49730bfa10f56fb52a892793cd17f52dbbfc3e60a97a6bc270db136 c88d6a155c90a01b76884456c34f9f9d2670deb255b67e5111a8898ecee06d3c cb03a653a5d69f18b89a24e80b9294c86a08ba48a8bb6fb12223dc2f2b8b45a7 e71370e84a0973f799a58b0ef1e06b4c6343df99343cb778efd26e8257792c0c f574238919b3f09297232f706ab3a0f633aa7259657a0965d2a46a181a3ba266
Coverage
Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella N/A
WSA N/A
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.Ramnit-9969260-0
Indicators of Compromise
IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: EnableFirewall 7
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList 7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 6
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @explorer.exe,-7001 5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusOverride 4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusDisableNotify 4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallDisableNotify 4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallOverride 4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesDisableNotify 4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UacDisableNotify 4
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA 4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DoNotAllowExceptions 4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DisableNotifications 4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start 4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start 4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: Start 4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION
Value Name: jfghdug_ooetvtgk 4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: JudCsgdy 4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV
Value Name: Start 4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Defender 4
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: Userinit 4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: Userinit 4
<HKCU>\SOFTWARE\APPDATALOW\GOOGLE UPDATER
Value Name: LastUpdate 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\PUBLICPROFILE
Value Name: EnableFirewall 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SSDPSRV
Value Name: Start 3
Mutexes Occurrences
{7930D12C-1D38-EB63-89CF-4C8161B79ED4} 4
60F16AAB662B6A5DA3F649835F6E212598B68E3C 4
777OurStarterProcessMutex777 2
888OurMainProcessMutex888 2
999OurBrother1ProcessMutex999 2
000OurBrother2ProcessMutex000 2
A9MTX7ERFAMKLQ 1
A9ZLO3DAFRVH1WAE 1
B81XZCHO7OLPA 1
BSKLZ1RVAUON 1
GJLAAZGJI156R 1
I106865886KMTX 1
IGBIASAARMOAIZ 1
J8OSEXAZLIYSQ8J 1
LXCV0IMGIXS0RTA1 1
MKS8IUMZ13NOZ 1
NLYOPPSTY 1
OPLXSDF19WRQ 1
PLAX7FASCI8AMNA 1
RGT70AXCNUUD3 1
TEKL1AFHJ3 1
TXA19EQZP13A6JTR 1
VSHBZL6SWAG0C 1
flowblink90x33 1
22887842DFA648B38E6C28C844FF2BE798B68E3C 1
*See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
13[.]107[.]21[.]200 5
195[.]201[.]179[.]207 4
142[.]250[.]65[.]206 3
185[.]121[.]177[.]177 2
130[.]255[.]78[.]223 2
185[.]121[.]177[.]53 2
144[.]76[.]133[.]38 2
45[.]63[.]25[.]55 2
27[.]100[.]36[.]191 2
89[.]18[.]27[.]34 2
178[.]63[.]145[.]230 2
104[.]168[.]144[.]17 2
62[.]113[.]203[.]55 2
46[.]165[.]221[.]154 2
85[.]13[.]157[.]3 2
193[.]23[.]244[.]244 1
194[.]109[.]206[.]212 1
154[.]35[.]32[.]5 1
171[.]25[.]193[.]9 1
172[.]217[.]165[.]142 1
65[.]21[.]85[.]98 1
64[.]225[.]91[.]73 1
23[.]47[.]64[.]115 1
104[.]108[.]124[.]205 1
104[.]72[.]157[.]175 1
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
www[.]bing[.]com 6
google[.]com 4
bunikabatedoba13[.]top 4
bvnotike[.]667[.]top 4
jokimutinke[.]net 4
opiutunuza11[.]net 4
ujnuyteeej[.]top 4
nerdasss33[.]top 4
drdrfdd[.]cat 3
eaxsess[.]cat 3
gagaxx[.]cat 3
huhujoo[.]cat 3
nknkd[.]cat 3
nknkdd[.]cat 3
nknkddx[.]cat 3
nknkddx2[.]cat 3
sdsdfg[.]cat 3
trtr44[.]cat 3
erwwbasmhtm[.]com 2
fbnurqhsbun[.]com 2
h37eyrba720ui[.]com 2
jdnpwbnnya[.]com 2
jhaiujfprlsbpyov[.]com 2
mngawiyhlyo[.]com 2
oxxvnflhtpomjmwst[.]com 2
*See JSON for more IOCs
Files and or directories created Occurrences
%LOCALAPPDATA%\bolpidti 4
%LOCALAPPDATA%\bolpidti\judcsgdy.exe 4
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\judcsgdy.exe 4
%APPDATA%\Microsoft\gawbgrrs 4
%APPDATA%\Microsoft\gawbgrrs\jisgivdt.exe 4
%ProgramData%\Device Driver Setup 3
\$Recycle.Bin\S-1-5-~2\!WhatHappenedWithMyFiles!.rtf 2
%HOMEPATH%\Documents and Settings\!WhatHappenedWithMyFiles!.rtf 2
\$Recycle.Bin\<User SID>\!WhatHappenedWithMyFiles!.rtf 2
%APPDATA%\!WhatHappenedWithMyFiles!.rtf 2
%HOMEPATH%\Documents\!WhatHappenedWithMyFiles!.rtf 2
\Users\All Users\Microsoft\RAC\PublishedData\!WhatHappenedWithMyFiles!.rtf 2
\Users\All Users\Microsoft\RAC\StateData\!WhatHappenedWithMyFiles!.rtf 2
%ProgramData%\Microsoft\RAC\PublishedData\!WhatHappenedWithMyFiles!.rtf 2
%ProgramData%\Microsoft\RAC\StateData\!WhatHappenedWithMyFiles!.rtf 2
%ProgramData%\Microsoft\RAC\PUBLIS~1\!WhatHappenedWithMyFiles!.rtf 2
\Users\ALLUSE~1\Microsoft\RAC\PUBLIS~1\!WhatHappenedWithMyFiles!.rtf 2
%ProgramData%\Microsoft\RAC\STATED~1\!WhatHappenedWithMyFiles!.rtf 2
\Users\ALLUSE~1\Microsoft\RAC\STATED~1\!WhatHappenedWithMyFiles!.rtf 2
%TEMP%\<random, matching '[0-9a-z]{8}'>.exe 2
%APPDATA%\SjyNBvm6RTID\9x56BxjU.cmd 1
%APPDATA%\Microsoft\cciihiec\jisgivdt.exe 1
%APPDATA%\SjyNBvm6RTID\XvNigAX3.cmd 1
%APPDATA%\SJYNBV~1\165TprqR.exe 1
%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup\165TprqR.lnk 1
*See JSON for more IOCs
File Hashes
0b2ad4aa2b64aae559973ec324330f137fd4c9546aeb2c2f9c35b5617b180c05 102092d52e39ed386a890d2687b4e80da6a0372f89ee2b83a8c29b3a13d22788 147569cb85cffa13769376d5da1c8ec7487443b710faf19afab24a021a58913b 25727f1d115764349d0cbd828598d52140640be6eade12e62ff3438525004630 5280855d2a67a6ba91900af80c235b1bafb51151cba3f7bff7566efda8d0ee09 5462ceb3fbab158b53c3c247d939183c89eb96229c8f78fdc61e44f1a939bfa4 60a52492d31994057a2d0566ccf469393fad834cabe943a89bbdb9d07852626a 7234d6a648ff98721f0045dcda255767f0f6d19a1cccea8c8e7db97f594da4bd 72d6c6b95eeaae1b2777d70ac14b122ca72874f1d98680d52dc9b27b2b66ded0 72f5a9c942d7d5efd18390cb99539d7f411983bb9c41f8137f0a2c5a7bb66152 73ed34beba387409f4bdfd3413079d3a50e49380a1ad39c5f8d67b1ea4d04aaf 7cb1a756133840264574c4683e437accbe24b254e853a17588a5c67e7858369a 868dc997d2fa2123e8035eb565d940542b9d7b363c54e177cc85dcd89529ab94 8cbebde91c55c93149db657c63fc480e5639f85f6f072a538b0155d3a5bec4bd 93cd72fbca2dbb3d75f972cfac420aaf1d007824b073f6bef7944108543c5c5b 9e67e77db32641775ebdcce463fe21b195539417d20168fac7209908825578d7 a2d53ce7f45959e6ca5786f0d0704a5f9056789b4d7afaf7bf93bc74ddf3e5dc a67bc1d4129d487029cbd0836241425213ed5b57806a089d427703d69b87a80a b48b525ec88d26ca83b1a80e16fc90bfe163e09e183df73009c8f6de39c24f99 bc703ff3117b8088ce29ba90a2a25708a845503b6a76946082f86787f53f6d93 bca38bba430425ae06eeff67707b04730cabdab8c28c5d7edb73a704d9a12ab0 c3a619f1b3493485405947c2eb13ade0def13b84ea9350def3a936c916dc9755 c71a94e585e6a8f225e97df8e8c5ee8d8224fdd265731205e9179f979e6d5787 c9702ab60a3acdb6319b30c7723ba448e544f72c9658e7169753d2ba6033f74b d677ac549428b51974e92573bd1aeb3869d58b2a23d3cc0e116473213678f237
*See JSON for more IOCs
Coverage
Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella
WSA
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.Kuluoz-9969050-0
Indicators of Compromise
IOCs collected from dynamic analysis of 15 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'> 15
<HKCU>\SOFTWARE\SQFRVCDX
Value Name: qbdiucws 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: vecqtanl 1
<HKCU>\SOFTWARE\QMBDQAJI
Value Name: mrwduoeq 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: cegwtkiq 1
<HKCU>\SOFTWARE\XSCWKWTB
Value Name: uaclqbul 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ucbqtutu 1
<HKCU>\SOFTWARE\JBDLTTQA
Value Name: mrwedtqx 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: vqutjntj 1
<HKCU>\SOFTWARE\JFXJSONS
Value Name: fecipfcv 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: arwphoht 1
<HKCU>\SOFTWARE\PCJDWGMU
Value Name: cjpxnmpf 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: nhloowrs 1
<HKCU>\SOFTWARE\USMUVJEA
Value Name: hbijvefk 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: conoxmsr 1
<HKCU>\SOFTWARE\UBVPEQTD
Value Name: bvqcqshx 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ukvchxne 1
<HKCU>\SOFTWARE\HBTTNUTT
Value Name: aeulprit 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: frrvhaca 1
<HKCU>\SOFTWARE\VUSJFBBT
Value Name: mpxwxiew 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: uejoeofv 1
<HKCU>\SOFTWARE\FMOPLQAL
Value Name: iqmwiqfj 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: wjrmnejf 1
<HKCU>\SOFTWARE\RKDPGLPX
Value Name: qmjertge 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: mbmgmhmo 1
Mutexes Occurrences
aaAdministrator 15
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
141[.]105[.]121[.]139 13
74[.]221[.]221[.]58 10
91[.]109[.]2[.]132 9
101[.]255[.]36[.]171 8
58[.]83[.]159[.]94 8
93[.]189[.]95[.]148 7
94[.]199[.]242[.]85 6
82[.]165[.]152[.]226 4
Files and or directories created Occurrences
%LOCALAPPDATA%\<random, matching '[a-z]{8}'>.exe 15
File Hashes
09650f5a6dbe38fc54c1d17e05955612e37e9268d3d821726fad65e5d13a127e 17b2f61b057168ed4414a71ec6c4f9cbaa78c96cfec6bd6330e7f8c298c715d5 235be690210e2d9c368f9028e47572dcc120b7f597877573af43ecaeb70e615f 2e61d7e17915a3359a01fd959b4383fdd2441b8544d457bb185fa2509e699d41 36f8895998b854c4276c0b2318baa41c947ea64f5bcc6666f634111ea62b6505 4bbaeba54a1b65e90b4d24714a45dbe37ec407364097a8c889f9f61d679e2fcd 51324e089d7b1ee9cf85837c719d993cea5dd928cc1e932aa2f17d3e758509e6 535a4f9cef7aef421ad38986f14de66251e72aba2dea5dd6ca666ab38f10f7db 55d37fae592c2d00bef0ff48e15dbe52f68edcd098c679233fd61d319d32c64b 5f050eaf9f0f3b9c2cddc84bbcf53115932932da4151f719169e5d2c8e672764 6cc11bd407b5882290b839eedae377cd63ec3a4d3cbc87f8686dd63e233922da 72b3b8bf3ce9c0bb3831e453fcfdcdf37e44e183eb1cdba383d5196e90829935 7cb0202a99a14882e1108c5c7deb738289873b99dec43172bbe6ee39136bd9fe 9ef1750fce26d1ef5908b3d7f7304a54edee5207282ffedcf525a8c714bb5ac8 d699fe8f3c9f2925101e85dfacaca00550fe2a7cf4ef22aff827bc88900f5a18
Coverage
Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella N/A
WSA N/A
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.Remcos-9969014-0
Indicators of Compromise
IOCs collected from dynamic analysis of 13 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\ZANGARMARSH-228I7H 13
<HKCU>\SOFTWARE\ZANGARMARSH-228I7H
Value Name: EXEpath 13
Mutexes Occurrences
Remcos_Mutex_Inj 13
Zangarmarsh-228I7H 13
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
ezpz1[.]xyz 13
Files and or directories created Occurrences
%SystemRoot%\win.ini 13
%APPDATA%\csrss.exe 13
%System32%\Tasks\csrss 13
%APPDATA%\javacache 13
%APPDATA%\javacache\logs.dat 13
File Hashes
02d30b6a94180708d4d525914a917cd9370190926e549fada8d93b4fd033e906 0c335742c2a239dddbe7467946c481609d1840dca5b67a80ea071d4a593b4ad0 216c429a096cbc58d595d015dd82f9c2be8a89af1d295e511a9ae8431c889710 4a01a7d09fe699b3d699463a6f76b445e0a07dc0d8360ba4fca4ddcda7a2af66 4a86b0a93ce30688176f4f745c52cec56cd023a924c58f8a27d36570871ab580 5af743dffb813faf071cf185f39c3d258864556a154cfa12ac1b8a56607bd2ce 608bd3bada966b94ecff736b0811278b7db6cef97c0133e296a5d8bad2ac725d 7ac6edfc10a8361d20fee7f561d4fce8b3ea0e963cfc44c0421ca0fd8501c851 b4c77021bc5641683caa3280fe115fea383141b5722f215e6dcb4ad2913cc02f b4e9902d2d44051e6620b458c43514e552df4c8f5a6aebdfd5363b3ac9e344a0 ceec2d534fe22ef53ae86302717458922993cccb16a5cfbabfb40d1956ee2415 f4a212b3bdc04c7be624a5955e43acf7f836dc9a14852d2fddda48095c017e6b ff804004e7082fcf4802beb7d8b4d4b03867de1b746af1021a703767c2728c4b
Coverage
Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella N/A
WSA N/A
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Sept. 9 and Sept. 16. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.
The most prevalent threats highlighted in this roundup are:
Threat Name
Type
Description
Win.Dropper.LokiBot-9969312-0
Dropper
Lokibot is an information-stealing malware designed to siphon sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from several popular applications. It is commonly pushed via malicious documents delivered via spam emails.
Win.Dropper.Zeus-9969310-0
Dropper
Zeus is a trojan that steals information such as banking credentials using methods such as key-logging and form-grabbing.
Win.Dropper.Nanocore-9969309-0
Dropper
Nanocore is a .NET remote access trojan. Its source code has been leaked several times, making it widely available. Like other RATs, it allows full control of the system, including recording video and audio, stealing passwords, downloading files and recording keystrokes.
Win.Ransomware.Cerber-9969274-0
Ransomware
Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension “.cerber.” In more recent campaigns, other file extensions are used.
Win.Dropper.DarkKomet-9969269-0
Dropper
DarkKomet is a freeware remote access trojan released by an independent software developer. It provides the same functionality expected from a trojan, such as keylogging, webcam access, microphone access, remote desktop, URL download and program execution.
Win.Dropper.Ramnit-9969260-0
Dropper
Ramnit is a banking trojan that monitors web browser activity on an infected machine and collects login information from financial websites. It can also steal browser cookies and hides from popular antivirus software.
Win.Dropper.Kuluoz-9969050-0
Dropper
Kuluoz, sometimes known as “Asprox,” is a modular remote access trojan known to download and execute follow-on malware, such as fake antivirus software. Kuluoz is often delivered via spam emails pretending to be shipment delivery notifications or flight booking confirmations.
Win.Dropper.Remcos-9969014-0
Dropper
Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam and capture screenshots. It is commonly delivered through Microsoft Office documents with macros sent as attachments on malicious emails.
Threat Breakdown****Win.Dropper.LokiBot-9969312-0****Indicators of Compromise
- IOCs collected from dynamic analysis of 15 samples
Registry Keys
Occurrences
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList
3
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\INTELLIFORMS\STORAGE2
2
<HKLM>\SOFTWARE\WOW6432NODE\MOZILLA\MOZILLA FIREFOX
2
<HKLM>\SOFTWARE\WOW6432NODE\MOZILLA\MOZILLA FIREFOX\20.0.1 (EN-US)\MAIN
2
<HKLM>\SOFTWARE\WOW6432NODE\MOZILLA\MOZILLA THUNDERBIRD
2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\system32\DeviceCenter.dll,-2000
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\DISCARDABLE\POSTSETUP\COMPONENT CATEGORIES{56FFCC30-D398-11D0-B2AE-00A0C908FA49}
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\DISCARDABLE\POSTSETUP\COMPONENT CATEGORIES{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\ENUM
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\OWUZ370WDG
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\DISCARDABLE\POSTSETUP\COMPONENT CATEGORIES{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\ENUM
Value Name: Implementing
1
Mutexes
Occurrences
3749282D282E1E80C56CAE5A
1
-1L3OO7B8T5U3Hz8
1
86R24Q1820DI8G-5
1
0-RAP0BC8AFXV5YK
1
O926B232S79XBxBC
1
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
111[.]118[.]215[.]251
2
104[.]18[.]114[.]97
2
85[.]159[.]66[.]93
1
149[.]154[.]167[.]220
1
217[.]26[.]48[.]101
1
81[.]17[.]18[.]196
1
151[.]101[.]2[.]159
1
2[.]57[.]90[.]16
1
66[.]235[.]200[.]147
1
3[.]64[.]163[.]50
1
34[.]117[.]168[.]233
1
183[.]90[.]232[.]14
1
64[.]190[.]63[.]111
1
162[.]213[.]253[.]236
1
103[.]63[.]2[.]157
1
109[.]123[.]121[.]243
1
66[.]225[.]241[.]38
1
149[.]129[.]252[.]201
1
162[.]240[.]46[.]240
1
209[.]159[.]145[.]117
1
81[.]161[.]229[.]75
1
104[.]21[.]81[.]107
1
160[.]121[.]173[.]6
1
129[.]226[.]173[.]87
1
66[.]96[.]162[.]150
1
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
icanhazip[.]com
2
mail[.]mayhighfilms[.]com
2
www[.]awesomegih[.]net
1
www[.]european-resilience[.]org
1
www[.]eminefendipsikoloji[.]xyz
1
www[.]solutionsdr[.]website
1
www[.]jeuxjetx[.]fr
1
www[.]mjmedia[.]online
1
www[.]ct666666[.]com
1
www[.]aceyourexams[.]org
1
www[.]famallcameroon[.]com
1
www[.]kevinandboots[.]com
1
www[.]grupoprius[.]com
1
www[.]6298vip15[.]com
1
www[.]goinuffies[.]com
1
www[.]strcktunkea[.]xyz
1
www[.]wettenunseam[.]xyz
1
www[.]998899[.]lc
1
www[.]gurilab[.]com
1
www[.]825766[.]com
1
www[.]agenlexispkr[.]xyz
1
www[.]randrconstruction[.]site
1
mail[.]nu-meqa[.]com
1
www[.]tbwtaobao[.]org
1
www[.]nineodesign[.]com
1
*See JSON for more IOCs
Files and or directories created
Occurrences
%ProgramFiles%\Microsoft DN1
1
%LOCALAPPDATA%\Microsoft Vision
1
%APPDATA%\D282E1
1
%APPDATA%\D282E1\1E80C5.lck
1
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5
1
%APPDATA%\ndwgxitf.y2z
1
%APPDATA%\Microsoft\Windows\TEMPLA~1\fgfhgf.exe
1
%APPDATA%\ndwgxitf.y2z\Firefox
1
%APPDATA%\ndwgxitf.y2z\Firefox\Profiles
1
%APPDATA%\ndwgxitf.y2z\Firefox\Profiles\1lcuq8ab.default
1
%APPDATA%\ndwgxitf.y2z\Firefox\Profiles\1lcuq8ab.default\cookies.sqlite
1
%APPDATA%\A1EB383543D3F00657D7
1
%APPDATA%\Microsoft\Windows\Templates\BCRHYN5A.zip
1
\TEMP\f400n12e.0.cs
1
\TEMP\f400n12e.cmdline
1
\TEMP\f400n12e.err
1
\TEMP\f400n12e.out
1
\TEMP\f400n12e.tmp
1
\x5c\x55\x73\x65\x72\x73\x5c\x41\x64\x6d\x69\x6e\x69\x73\x74\x72\x61\x74\x6f\x72\x5c\x41\x70\x70\x44\x61\x74\x61\x5c\x52\x6f\x61\x6d\x69\x6e\x67\x5c\x4d\x69\x63\x72\x6f\x73\x6f\x66\x74\x5c\x57\x69\x6e\x64\x6f\x77\x73\x5c\x54\x65\x6d\x70\x6c\x61\x74\x65\x73\x5c\xac0e\xac27\xac09\xac17\xac18\xac18\xac10\xac0f\xac20\xac15\x2e\xac02\xac12\xac27\xac14\xac16\xac0d\xac05\xac1e\xac26\xac05
1
%APPDATA%\rxbyry3j.lyu
1
%APPDATA%\rxbyry3j.lyu\Firefox
1
%APPDATA%\rxbyry3j.lyu\Firefox\Profiles
1
%APPDATA%\rxbyry3j.lyu\Firefox\Profiles\1lcuq8ab.default
1
%APPDATA%\rxbyry3j.lyu\Firefox\Profiles\1lcuq8ab.default\cookies.sqlite
1
%APPDATA%\gmzjfop1.kr5
1
*See JSON for more IOCs
File Hashes
00fdc4ec48b20f242022329109dc1e46b881a9f044f8d3d2c41c5071f13f284f
0a3b4186c412949b09fb35b24d0b7cfaab2726008c9dfd9ded81042678656a79
0bcfde1f70aeca56465e84252d3fed352a44686c52f1201e4474d5c126888842
17c40b93caacb07d7cb74d9bc9613780f3d346f5211323baa996e6516f830761
209ae4bb19c3fa5f5fd635e0bf9488ffc1b996edca12dcbd3771c5f6c560f9f9
2f64045ea223d08dd7556ac4d77b48153a96f881a0809e1c8ead0db9f6233884
36b098518b9abac620afde7568f084a592d1b43d50abdd8c70e030bca546b0e9
385203173d2547ac9df7af8711b18f9bff87c085e578e09a9a0999e2410a8744
41779f5ac5669c9d785d8348ee0cd0c03b31e0b260325995734cf67196eaa335
46ef92bfc91030701e6b5518deb8aba193a86e07ab8c63c0502a22e8acd9bc15
477038c22b79299bdd29784b5fa4d666735b962011b70f86fb6576fb690614b9
60214bf0cf8621867b6c69ffe98b203b8bec0c8f4a2144874b01f9f8c8a1cee6
a7157198068ee89caac77d8174b1e75bd71a42e0b3bb66ecbf9cbf05533f2153
bfdf0c6aa301a9305c58a7f3c4ef2a6b5ae2b3125600368acb8d0fb677e1b8a3
e602d598e6a30b8a9970e32469a499576fdc8bb987995add758221aa63142ed0
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
WSA
Screenshots of Detection****Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.Zeus-9969310-0****Indicators of Compromise
- IOCs collected from dynamic analysis of 25 samples
Registry Keys
Occurrences
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\PRIVACY
Value Name: CleanCookies
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100
Value Name: CheckSetting
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102
Value Name: CheckSetting
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104
Value Name: CheckSetting
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101
Value Name: CheckSetting
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103
Value Name: CheckSetting
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: {45E760AF-9D6C-3717-3BC0-7CBFD652F80C}
1
<HKCU>\SOFTWARE\MICROSOFT\HOESWE
1
<HKCU>\SOFTWARE\MICROSOFT\HOESWE
Value Name: Riiky
1
Mutexes
Occurrences
Local{825579BC-847F-F0A5-3BC0-7CBFD652F80C}
1
Local{A3F31C8C-E14F-D103-3BC0-7CBFD652F80C}
1
Local{A3F31C8D-E14E-D103-3BC0-7CBFD652F80C}
1
GLOBAL{<random GUID>}
1
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
193[.]143[.]97[.]30
1
Files and or directories created
Occurrences
%TEMP%\tmp100f6b7d.bat
1
%APPDATA%\Epxesy
1
%APPDATA%\Epxesy\veof.okx
1
%APPDATA%\Tioxp
1
%APPDATA%\Tioxp\quem.exe
1
File Hashes
06c09f8aaad2f106a4c64e96906b086bd033cebd96ca266d95bf729f8a68e3b8
0c45a6f787fcb67d8828be0a93b2e5cc9ff08d9a87e68bebc5d6d5d431e0b433
0edf80d5a575a23a2928a6ae7c4a97b2a11a1a9cb40c23521a6de75d8bcf39c8
1db78d1906bfc5ba8367a285c80fd8c67cea7acacd5eb116a7bbd18e77a59023
23905382d08a21e3611db1c290cc86cb22e0f1b493ea2a45f3ca44752a8303d7
2a1b0e3c895993130118782d79dd65b019c660e7b8a4c8af575cde7a5698ae00
2e985914ac0afb33fcbd4311383156af1a79bbe83f57e1225cb86583e6149966
38643489ca7412c15f8d7467d2e1fc622c00b3f6a93ef8ed574c70380de198a7
3e0092e6e6e825556a9e706fd8e3a083001bde9b8a08d8a1dd446ac9f0961cd8
5249e5dc425ceceb4ffd10e04be8fa78ffc8afc4d778fb2773c17f1aa695061c
59d35e5a1e59c4bf032381eeac422223979cbecbd8f668fd917d3bfcea3b7be2
5f897dd59f0621ccd91dfa1d2eb4f965da1b908d9553b4027cd774a18571d15f
65486a839b1c8ff2d4d008ccf33fab7e0404c6a4696fafc5c15961c3816862b8
6cab4306e33f527984b265383d0dea1d11a897b0924b015a2a62700af289edc0
712870bb11fc63cf3d4388668d0c0e707b47c4fc95ff7a0e9b737a50ea3b1c55
8507eafa7e63dc4095cf3424fba1d1a2674752fca8f1d452558d9cbfd0273500
8ac89088823963b316a78e2d5352c06126b1bf176d6a57ceed115cd91d45256b
8c32a4f95a5d1e3eaf9d0ce259f5eea51b4f4d5fb8d75b593e45bb7a776485ea
90c3de2ee8669c7b0cdb3fb57ad911dd40bc0825b32ca3df28687bf22c37098e
92e22ceaf491476477b5962eb64dd52bb7aff8a8e74ebb2dba253604df7525ad
b2e2d4451bf745e602446d4d68e76aa1e2e05fde70bee1dcdd283e2f691fd420
b8b6845966466ac1f25c737e86025dc4f5e82fa03947637089ebae7e43c62617
d19a0a01af2ced3e486cf0497204a03fbf2894dca6ef44e680678eed0350b5e9
d515963a214ea51cb885d73263feb275efb94aea759ad92eb395f668f11e1b86
dc792ed152e13f16d0bb6da06dd41091d26d2ad6e724c188bee6c9895ab112ef
*See JSON for more IOCs
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
N/A
WSA
N/A
Screenshots of Detection****Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.Nanocore-9969309-0****Indicators of Compromise
- IOCs collected from dynamic analysis of 15 samples
Registry Keys
Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: AGP Manager
3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList
3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @explorer.exe,-7001
3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: UqRhmjYGcw
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: NoControlPanel
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: FmjwSAKZ\
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: pdb
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: wMxdYNJI\
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: kai
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ZeNNLCQY\
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: TpuuyrDY\
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: pbr
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: zSCGySDZ\
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: CoZNunCT\
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: zrVxOFxs\
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: PntmHtOf\
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: UzTQIQBw\
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: HpnSIvIw\
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: FPZeexxA\
1
Mutexes
Occurrences
GLOBAL{<random GUID>}
9
54b220f4544a7115f31b
2
2AC1A572DB6944B0A65C38C4140AF2F46386E886134
1
Global\534b56e0-35b0-11ed-9660-00151795f450
1
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
107[.]191[.]99[.]95
2
107[.]191[.]99[.]221
2
192[.]198[.]87[.]78
2
132[.]226[.]247[.]73
2
216[.]38[.]7[.]236
2
95[.]140[.]125[.]73
1
185[.]101[.]34[.]84
1
158[.]101[.]44[.]242
1
95[.]140[.]125[.]64
1
95[.]140[.]125[.]105
1
162[.]248[.]244[.]15
1
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
checkip[.]dyndns[.]org
3
monerohash[.]com
2
Files and or directories created
Occurrences
<random, matching [a-z]{7,15}>
11
<random, matching [a-z]{7,15}[a-z]{7,25}>.exe
11
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5
9
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs
9
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs\Administrator
9
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\run.dat
9
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\task.dat
9
%System32%\Tasks\AGP Manager
9
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp
9
%ProgramFiles(x86)%\AGP Manager
3
%ProgramFiles(x86)%\AGP Manager\agpmgr.exe
3
%System32%\Tasks\AGP Manager Task
3
%TEMP%\test.vbs
2
%LOCALAPPDATA%\AIMDKitteh
2
%LOCALAPPDATA%\AIMDKitteh\mymonero.exe
2
%APPDATA%\pdb
1
%APPDATA%\pdb\pdb.exe
1
%TEMP%\Fp7.exe
1
%APPDATA%\Microsoft\Windows\Templates\4HIM1_BUR_CHOCK_RUBBER_SPACER.pdf
1
%APPDATA%\kai
1
%APPDATA%\kai\kai.exe
1
%APPDATA%\pbr
1
%APPDATA%\pbr\pbr.exe
1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\zGMpWbpk.exe.lnk
1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\SyYwhHOl.exe.lnk
1
*See JSON for more IOCs
File Hashes
10da4db37896cf6b8caa342cf459b7d8f1c441395777bf91f08244d17781f303
1337715195d96f0e051b8da7c6bd4ceec714c780706d195cb44a7da8d8026bc3
24867d30ca0b7ff5aa56efad0007f2dd61f257d9c94f4f65104321756add8c5d
54a92443ad92b755492232393c79a650f38fbcc8e4c5e7edb4a740386be57685
54ef1dcdabc6abd29138ad60375b06c94e9adcf055668187ede39dd7af72d551
618fe651ef4c851931517d762d1d625d8a91dc8ec37c1b4cf1f810ee7107d4eb
652a8000a682aa0e6d66a81e88ebd2d16e67344a500223485e315b3d5b3725d5
8bc4a28c2ace03795a77a619fd9d1fe2b113852a65c5147fe76706549eecdd00
905518b072f0c8f6074a9ea3ef8b2571f949b2a2eec4be87d3d228575050db2e
9c7ddd3eb292885e83f583ee3a84d1a2750c85a62c5ef082f0e8adc45044ebe7
a31e5d93083043137148a1a50547f8f6812cf36e88211a1f371fab588238bd75
d225168def78f1460f3d9599b62267217eef5a36c5e816ee8e5cc0f9059fcf7b
e43ed7e08d4b9724bc7653156794825f5a5c12952fdd864e4adcfa530c5f9528
f889ca5350f42fdffeeb49395d7fa2cacadb33e0a909d6a839d4148167ba6c7d
f8d613ed7073e4c6aa721caa838af36e8a224eafe998b51dd065ec8745a9b289
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
N/A
WSA
Screenshots of Detection****Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Ransomware.Cerber-9969274-0****Indicators of Compromise
- IOCs collected from dynamic analysis of 26 samples
Mutexes
Occurrences
shell.{381828AA-8B28-3374-1B67-35680555C5EF}
26
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
31[.]184[.]234[.]0/23
26
Files and or directories created
Occurrences
%TEMP%\d19ab989
26
%TEMP%\d19ab989\4710.tmp
26
%TEMP%\d19ab989\a35f.tmp
26
File Hashes
001887448cac3a58f89bb4f1a8cc8ec45f628706da4e15ebe65429660b2cf825
0033255bc7041027253dc517866af84413f255c5552bcc47fd7e8e660838feed
039fc087b3471228b0be1f67091597e17f33e4cd04b0d2b4be5428657e314631
04097126ab04eef29679935eeaf4c411f04b7a9dfdf3f10bdb5ef7453e6b8692
056ad6d6e3bbd58774ed1ca65fd9b983504185993112a13c5aa54c65be2ca375
05dfa32796c95f0c0ea13074db213d53fab488fdde9afab36ed98c430bc1a930
06e837716cb81498c37c0b621c87acbd2e00d11cf60e27f628ce966702f1a11e
08ce2dac33264f90d5ad8d89bbe56ad0346fc32854a184ed23b15c1cfac81a63
09204adcfbb5041640705d9f80148a1b08ee206ba78d98e071dcdcea77aaf2ad
099ed53d97ba687736ae6e6bcf14c5cc39f65ee933115205c3237cfe19c81015
0b64ca7807d2836760e06c5b4f543d0ae52fa3029552a6e373656770f8eb53f7
109f7711ff16346888c05dbad80214832525d2f962456626e51b90675f4b5e4c
163ecfa1ca0dd985d0487bb496948eb43e2a37ff44a1f833ae1c92b38e269548
19fd3a451086711c12e345a717f0361db12cc8f4a88a3efa66bfa22c96c0e6d7
1a6f8c9f5ab69bfe50d01ab3c321468c6f7ae73091245efe5ec55a4e03f40002
1c09cbf3f181b08879c3cff05c31d0708a9331fddf0eba03e3bbe07ae220a8f8
1cf1dd029fff1b33bd7951e45b7304038c31547e082cabefa656b42e7349ae82
1f27597b0c1b7887511b302efc5fb94b8a241e9736295aeabf84f199f6ccee31
249d96a706928e747acaee7f2bbfa5650f58c957819c262b2cd25e6821f8ece0
270c413b723228cd91400050fbcd8c2eb549f17456f36ff8ad41b63deeb2870c
29598e11fac3a66758910e03c38bb17da6771141a968a1aaf99ae4520bf6c60c
2dde0afe1cf38036b2436a9ca80be179dce9371115ed882bbeb9278563f8d14a
301ca6accba0406fa35115716889892002e30ed8b9d84920b9c5cc2766b0c7f5
30d19efc5ed887ec148f4c280fe5daf01dd6b0098a81d99a864dce3bc8a5f8e4
3b4e4e8fc9b2bf6f7750cd8ed310f8bb4cd7d56ed9989e0fdd929aa5ee27debf
*See JSON for more IOCs
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
N/A
WSA
N/A
Screenshots of Detection****Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.DarkKomet-9969269-0****Indicators of Compromise
- IOCs collected from dynamic analysis of 25 samples
Registry Keys
Occurrences
<HKU><User SID>
23
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101
Value Name: CheckSetting
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103
Value Name: CheckSetting
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100
Value Name: CheckSetting
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102
Value Name: CheckSetting
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104
Value Name: CheckSetting
1
<HKCU>\SOFTWARE\MICROSOFT\UNBUR
1
<HKCU>\SOFTWARE\MICROSOFT\UNBUR
Value Name: Ryuplucyc
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: hyybo.exe
1
<HKCU>\SOFTWARE\MICROSOFT\UNBUR
Value Name: Yqtayfxe
1
Mutexes
Occurrences
Global{08995C04-83FA-2613-1053-58F3B048D958}
23
Global\8bf66b81-fa0d-11ec-b5f8-00501e3ae7b6
1
GLOBAL{<random GUID>}
1
Local{<random GUID>}
1
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
alchemistrywork[.]com
1
Files and or directories created
Occurrences
%TEMP%\tmp25673c86.bat
1
%APPDATA%\Otufux
1
%APPDATA%\Otufux\hyybo.exe
1
%APPDATA%\Vooqwo
1
%APPDATA%\Vooqwo\bayk.qua
1
File Hashes
01a66cc3487f0d7e2f27d5a8e69f0c234bdf3304b9ca06fd147fb004a50929f3
03f815c5390528e96c9abf400ce167582eadb1649589b00d39d29b433b03c7b0
2059a4cffd04bc3e04955e20fdd5df1d5d9908d6b9214f8e4c80e10321be77eb
2279feff7534923353197e71c57e3945b8a1efd80d66dcd8e146bcbf1f554a70
3948d73d942c6164c716b5d69041e0ecf9df653e6ece61555e507a745006a3fd
44b484fb9343f45c670e63f286313b09ae005edf5ca0168fb94229dcbd9388aa
4b7e1f682cb8d5dba918cc565714e04d2147663b18ecb9f90deae9ab28bf8f1b
52ccf7455c103e6db02356727227e4bb45d718e0205f28f89349c671997c6c09
62fb8f5173958bb58b2f84a854d08899f14706a6e20e57e3b906965ebd7db6f4
63d42b3e5da3c55a03d2f9b04456632a2f675547b853f142b8245c91bf15100d
68ffff6405e7baecff7f87af41afbbde02844a917a52660a87f36cff3635ccd2
6a0d55b4ed40a705c9e8af25cac6133b4fbb043909e509b1fce274238def0b07
7432dbc42a6785ad8f0cdfbecabcaa38c291e51b3aac8863b3bdfdb1cc1163fd
8350295d5dc2ae0d23d8a4831b461e4103abde3928b9d0f380eb83679fcbf26d
91dc25a40e00e8cc9f5d1074ff80a66ed5c927036e062ce0311a92e5e4b94480
a49071fdf4d34aaf88300a3703227c1fdcd532f9054f848dfbc5c1f15b6fef45
b76165ed0f3f9e8ac42394cf8700e8d8e8c7f4ee89b11c01e81d29b0b4006220
c0bc17998bde718499954f3cf7319b1633405452873b606671204889051cf1a0
c159a657fef9189a28461ac6725bd0a9d6cb1cf4311a3a7d6d95e06130eb629a
c42edcd2dbcc690da04afb0d2bb771f2d4aef1e188aa3b8a096c051340b52ab4
c6f4e464c49730bfa10f56fb52a892793cd17f52dbbfc3e60a97a6bc270db136
c88d6a155c90a01b76884456c34f9f9d2670deb255b67e5111a8898ecee06d3c
cb03a653a5d69f18b89a24e80b9294c86a08ba48a8bb6fb12223dc2f2b8b45a7
e71370e84a0973f799a58b0ef1e06b4c6343df99343cb778efd26e8257792c0c
f574238919b3f09297232f706ab3a0f633aa7259657a0965d2a46a181a3ba266
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
N/A
WSA
N/A
Screenshots of Detection****Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.Ramnit-9969260-0****Indicators of Compromise
- IOCs collected from dynamic analysis of 25 samples
Registry Keys
Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: EnableFirewall
7
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList
7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
6
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @explorer.exe,-7001
5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusOverride
4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusDisableNotify
4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallDisableNotify
4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallOverride
4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesDisableNotify
4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UacDisableNotify
4
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DoNotAllowExceptions
4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DisableNotifications
4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start
4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start
4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: Start
4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION
Value Name: jfghdug_ooetvtgk
4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: JudCsgdy
4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV
Value Name: Start
4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Defender
4
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: Userinit
4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: Userinit
4
<HKCU>\SOFTWARE\APPDATALOW\GOOGLE UPDATER
Value Name: LastUpdate
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\PUBLICPROFILE
Value Name: EnableFirewall
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SSDPSRV
Value Name: Start
3
Mutexes
Occurrences
{7930D12C-1D38-EB63-89CF-4C8161B79ED4}
4
60F16AAB662B6A5DA3F649835F6E212598B68E3C
4
777OurStarterProcessMutex777
2
888OurMainProcessMutex888
2
999OurBrother1ProcessMutex999
2
000OurBrother2ProcessMutex000
2
A9MTX7ERFAMKLQ
1
A9ZLO3DAFRVH1WAE
1
B81XZCHO7OLPA
1
BSKLZ1RVAUON
1
GJLAAZGJI156R
1
I106865886KMTX
1
IGBIASAARMOAIZ
1
J8OSEXAZLIYSQ8J
1
LXCV0IMGIXS0RTA1
1
MKS8IUMZ13NOZ
1
NLYOPPSTY
1
OPLXSDF19WRQ
1
PLAX7FASCI8AMNA
1
RGT70AXCNUUD3
1
TEKL1AFHJ3
1
TXA19EQZP13A6JTR
1
VSHBZL6SWAG0C
1
flowblink90x33
1
22887842DFA648B38E6C28C844FF2BE798B68E3C
1
*See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
13[.]107[.]21[.]200
5
195[.]201[.]179[.]207
4
142[.]250[.]65[.]206
3
185[.]121[.]177[.]177
2
130[.]255[.]78[.]223
2
185[.]121[.]177[.]53
2
144[.]76[.]133[.]38
2
45[.]63[.]25[.]55
2
27[.]100[.]36[.]191
2
89[.]18[.]27[.]34
2
178[.]63[.]145[.]230
2
104[.]168[.]144[.]17
2
62[.]113[.]203[.]55
2
46[.]165[.]221[.]154
2
85[.]13[.]157[.]3
2
193[.]23[.]244[.]244
1
194[.]109[.]206[.]212
1
154[.]35[.]32[.]5
1
171[.]25[.]193[.]9
1
172[.]217[.]165[.]142
1
65[.]21[.]85[.]98
1
64[.]225[.]91[.]73
1
23[.]47[.]64[.]115
1
104[.]108[.]124[.]205
1
104[.]72[.]157[.]175
1
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
www[.]bing[.]com
6
google[.]com
4
bunikabatedoba13[.]top
4
bvnotike[.]667[.]top
4
jokimutinke[.]net
4
opiutunuza11[.]net
4
ujnuyteeej[.]top
4
nerdasss33[.]top
4
drdrfdd[.]cat
3
eaxsess[.]cat
3
gagaxx[.]cat
3
huhujoo[.]cat
3
nknkd[.]cat
3
nknkdd[.]cat
3
nknkddx[.]cat
3
nknkddx2[.]cat
3
sdsdfg[.]cat
3
trtr44[.]cat
3
erwwbasmhtm[.]com
2
fbnurqhsbun[.]com
2
h37eyrba720ui[.]com
2
jdnpwbnnya[.]com
2
jhaiujfprlsbpyov[.]com
2
mngawiyhlyo[.]com
2
oxxvnflhtpomjmwst[.]com
2
*See JSON for more IOCs
Files and or directories created
Occurrences
%LOCALAPPDATA%\bolpidti
4
%LOCALAPPDATA%\bolpidti\judcsgdy.exe
4
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\judcsgdy.exe
4
%APPDATA%\Microsoft\gawbgrrs
4
%APPDATA%\Microsoft\gawbgrrs\jisgivdt.exe
4
%ProgramData%\Device Driver Setup
3
$Recycle.Bin\S-1-5-~2!WhatHappenedWithMyFiles!.rtf
2
%HOMEPATH%\Documents and Settings!WhatHappenedWithMyFiles!.rtf
2
$Recycle.Bin<User SID>!WhatHappenedWithMyFiles!.rtf
2
%APPDATA%!WhatHappenedWithMyFiles!.rtf
2
%HOMEPATH%\Documents!WhatHappenedWithMyFiles!.rtf
2
\Users\All Users\Microsoft\RAC\PublishedData!WhatHappenedWithMyFiles!.rtf
2
\Users\All Users\Microsoft\RAC\StateData!WhatHappenedWithMyFiles!.rtf
2
%ProgramData%\Microsoft\RAC\PublishedData!WhatHappenedWithMyFiles!.rtf
2
%ProgramData%\Microsoft\RAC\StateData!WhatHappenedWithMyFiles!.rtf
2
%ProgramData%\Microsoft\RAC\PUBLIS~1!WhatHappenedWithMyFiles!.rtf
2
\Users\ALLUSE~1\Microsoft\RAC\PUBLIS~1!WhatHappenedWithMyFiles!.rtf
2
%ProgramData%\Microsoft\RAC\STATED~1!WhatHappenedWithMyFiles!.rtf
2
\Users\ALLUSE~1\Microsoft\RAC\STATED~1!WhatHappenedWithMyFiles!.rtf
2
%TEMP%<random, matching '[0-9a-z]{8}’>.exe
2
%APPDATA%\SjyNBvm6RTID\9x56BxjU.cmd
1
%APPDATA%\Microsoft\cciihiec\jisgivdt.exe
1
%APPDATA%\SjyNBvm6RTID\XvNigAX3.cmd
1
%APPDATA%\SJYNBV~1\165TprqR.exe
1
%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup\165TprqR.lnk
1
*See JSON for more IOCs
File Hashes
0b2ad4aa2b64aae559973ec324330f137fd4c9546aeb2c2f9c35b5617b180c05
102092d52e39ed386a890d2687b4e80da6a0372f89ee2b83a8c29b3a13d22788
147569cb85cffa13769376d5da1c8ec7487443b710faf19afab24a021a58913b
25727f1d115764349d0cbd828598d52140640be6eade12e62ff3438525004630
5280855d2a67a6ba91900af80c235b1bafb51151cba3f7bff7566efda8d0ee09
5462ceb3fbab158b53c3c247d939183c89eb96229c8f78fdc61e44f1a939bfa4
60a52492d31994057a2d0566ccf469393fad834cabe943a89bbdb9d07852626a
7234d6a648ff98721f0045dcda255767f0f6d19a1cccea8c8e7db97f594da4bd
72d6c6b95eeaae1b2777d70ac14b122ca72874f1d98680d52dc9b27b2b66ded0
72f5a9c942d7d5efd18390cb99539d7f411983bb9c41f8137f0a2c5a7bb66152
73ed34beba387409f4bdfd3413079d3a50e49380a1ad39c5f8d67b1ea4d04aaf
7cb1a756133840264574c4683e437accbe24b254e853a17588a5c67e7858369a
868dc997d2fa2123e8035eb565d940542b9d7b363c54e177cc85dcd89529ab94
8cbebde91c55c93149db657c63fc480e5639f85f6f072a538b0155d3a5bec4bd
93cd72fbca2dbb3d75f972cfac420aaf1d007824b073f6bef7944108543c5c5b
9e67e77db32641775ebdcce463fe21b195539417d20168fac7209908825578d7
a2d53ce7f45959e6ca5786f0d0704a5f9056789b4d7afaf7bf93bc74ddf3e5dc
a67bc1d4129d487029cbd0836241425213ed5b57806a089d427703d69b87a80a
b48b525ec88d26ca83b1a80e16fc90bfe163e09e183df73009c8f6de39c24f99
bc703ff3117b8088ce29ba90a2a25708a845503b6a76946082f86787f53f6d93
bca38bba430425ae06eeff67707b04730cabdab8c28c5d7edb73a704d9a12ab0
c3a619f1b3493485405947c2eb13ade0def13b84ea9350def3a936c916dc9755
c71a94e585e6a8f225e97df8e8c5ee8d8224fdd265731205e9179f979e6d5787
c9702ab60a3acdb6319b30c7723ba448e544f72c9658e7169753d2ba6033f74b
d677ac549428b51974e92573bd1aeb3869d58b2a23d3cc0e116473213678f237
*See JSON for more IOCs
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
WSA
Screenshots of Detection****Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.Kuluoz-9969050-0****Indicators of Compromise
- IOCs collected from dynamic analysis of 15 samples
Registry Keys
Occurrences
<HKCU>\SOFTWARE<random, matching '[a-zA-Z0-9]{5,9}’>
15
<HKCU>\SOFTWARE\SQFRVCDX
Value Name: qbdiucws
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: vecqtanl
1
<HKCU>\SOFTWARE\QMBDQAJI
Value Name: mrwduoeq
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: cegwtkiq
1
<HKCU>\SOFTWARE\XSCWKWTB
Value Name: uaclqbul
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ucbqtutu
1
<HKCU>\SOFTWARE\JBDLTTQA
Value Name: mrwedtqx
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: vqutjntj
1
<HKCU>\SOFTWARE\JFXJSONS
Value Name: fecipfcv
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: arwphoht
1
<HKCU>\SOFTWARE\PCJDWGMU
Value Name: cjpxnmpf
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: nhloowrs
1
<HKCU>\SOFTWARE\USMUVJEA
Value Name: hbijvefk
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: conoxmsr
1
<HKCU>\SOFTWARE\UBVPEQTD
Value Name: bvqcqshx
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ukvchxne
1
<HKCU>\SOFTWARE\HBTTNUTT
Value Name: aeulprit
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: frrvhaca
1
<HKCU>\SOFTWARE\VUSJFBBT
Value Name: mpxwxiew
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: uejoeofv
1
<HKCU>\SOFTWARE\FMOPLQAL
Value Name: iqmwiqfj
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: wjrmnejf
1
<HKCU>\SOFTWARE\RKDPGLPX
Value Name: qmjertge
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: mbmgmhmo
1
Mutexes
Occurrences
aaAdministrator
15
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
141[.]105[.]121[.]139
13
74[.]221[.]221[.]58
10
91[.]109[.]2[.]132
9
101[.]255[.]36[.]171
8
58[.]83[.]159[.]94
8
93[.]189[.]95[.]148
7
94[.]199[.]242[.]85
6
82[.]165[.]152[.]226
4
Files and or directories created
Occurrences
%LOCALAPPDATA%<random, matching '[a-z]{8}’>.exe
15
File Hashes
09650f5a6dbe38fc54c1d17e05955612e37e9268d3d821726fad65e5d13a127e
17b2f61b057168ed4414a71ec6c4f9cbaa78c96cfec6bd6330e7f8c298c715d5
235be690210e2d9c368f9028e47572dcc120b7f597877573af43ecaeb70e615f
2e61d7e17915a3359a01fd959b4383fdd2441b8544d457bb185fa2509e699d41
36f8895998b854c4276c0b2318baa41c947ea64f5bcc6666f634111ea62b6505
4bbaeba54a1b65e90b4d24714a45dbe37ec407364097a8c889f9f61d679e2fcd
51324e089d7b1ee9cf85837c719d993cea5dd928cc1e932aa2f17d3e758509e6
535a4f9cef7aef421ad38986f14de66251e72aba2dea5dd6ca666ab38f10f7db
55d37fae592c2d00bef0ff48e15dbe52f68edcd098c679233fd61d319d32c64b
5f050eaf9f0f3b9c2cddc84bbcf53115932932da4151f719169e5d2c8e672764
6cc11bd407b5882290b839eedae377cd63ec3a4d3cbc87f8686dd63e233922da
72b3b8bf3ce9c0bb3831e453fcfdcdf37e44e183eb1cdba383d5196e90829935
7cb0202a99a14882e1108c5c7deb738289873b99dec43172bbe6ee39136bd9fe
9ef1750fce26d1ef5908b3d7f7304a54edee5207282ffedcf525a8c714bb5ac8
d699fe8f3c9f2925101e85dfacaca00550fe2a7cf4ef22aff827bc88900f5a18
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
N/A
WSA
N/A
Screenshots of Detection****Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.Remcos-9969014-0****Indicators of Compromise
- IOCs collected from dynamic analysis of 13 samples
Registry Keys
Occurrences
<HKCU>\SOFTWARE\ZANGARMARSH-228I7H
13
<HKCU>\SOFTWARE\ZANGARMARSH-228I7H
Value Name: EXEpath
13
Mutexes
Occurrences
Remcos_Mutex_Inj
13
Zangarmarsh-228I7H
13
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
ezpz1[.]xyz
13
Files and or directories created
Occurrences
%SystemRoot%\win.ini
13
%APPDATA%\csrss.exe
13
%System32%\Tasks\csrss
13
%APPDATA%\javacache
13
%APPDATA%\javacache\logs.dat
13
File Hashes
02d30b6a94180708d4d525914a917cd9370190926e549fada8d93b4fd033e906
0c335742c2a239dddbe7467946c481609d1840dca5b67a80ea071d4a593b4ad0
216c429a096cbc58d595d015dd82f9c2be8a89af1d295e511a9ae8431c889710
4a01a7d09fe699b3d699463a6f76b445e0a07dc0d8360ba4fca4ddcda7a2af66
4a86b0a93ce30688176f4f745c52cec56cd023a924c58f8a27d36570871ab580
5af743dffb813faf071cf185f39c3d258864556a154cfa12ac1b8a56607bd2ce
608bd3bada966b94ecff736b0811278b7db6cef97c0133e296a5d8bad2ac725d
7ac6edfc10a8361d20fee7f561d4fce8b3ea0e963cfc44c0421ca0fd8501c851
b4c77021bc5641683caa3280fe115fea383141b5722f215e6dcb4ad2913cc02f
b4e9902d2d44051e6620b458c43514e552df4c8f5a6aebdfd5363b3ac9e344a0
ceec2d534fe22ef53ae86302717458922993cccb16a5cfbabfb40d1956ee2415
f4a212b3bdc04c7be624a5955e43acf7f836dc9a14852d2fddda48095c017e6b
ff804004e7082fcf4802beb7d8b4d4b03867de1b746af1021a703767c2728c4b
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
N/A
WSA
N/A
Screenshots of Detection****Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK