Threat Roundup for September 9 to September 16

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Sept. 9 and Sept. 16. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats. As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files. The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
Win.Dropper.LokiBot-9969312-0 | Dropper | Lokibot is an information-stealing malware designed to siphon sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from several popular applications. It is commonly pushed via malicious documents delivered via spam emails.
Win.Dropper.Zeus-9969310-0 | Dropper | Zeus is a trojan that steals information such as banking credentials using methods such as key-logging and form-grabbing.
Win.Dropper.Nanocore-9969309-0 | Dropper | Nanocore is a .NET remote access trojan. Its source code has been leaked several times, making it widely available. Like other RATs, it allows full control of the system, including recording video and audio, stealing passwords, downloading files and recording keystrokes.
Win.Ransomware.Cerber-9969274-0 | Ransomware | Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension “.cerber.” In more recent campaigns, other file extensions are used.
Win.Dropper.DarkKomet-9969269-0 | Dropper | DarkKomet is a freeware remote access trojan released by an independent software developer. It provides the same functionality expected from a trojan, such as keylogging, webcam access, microphone access, remote desktop, URL download and program execution.
Win.Dropper.Ramnit-9969260-0 | Dropper | Ramnit is a banking trojan that monitors web browser activity on an infected machine and collects login information from financial websites. It can also steal browser cookies and hide from popular antivirus software.
Win.Dropper.Kuluoz-9969050-0 | Dropper | Kuluoz, sometimes known as “Asprox,” is a modular remote access trojan known to download and execute follow-on malware, such as fake antivirus software. Kuluoz is often delivered via spam emails pretending to be shipment delivery notifications or flight booking confirmations.
Win.Dropper.Remcos-9969014-0 | Dropper | Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam and capture screenshots. It is commonly delivered through Microsoft Office documents with macros sent as attachments on malicious emails.

Threat Breakdown

Win.Dropper.LokiBot-9969312-0

Indicators of Compromise

IOCs collected from dynamic analysis of 15 samples

Registry Keys | Occurrences
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E; Value Name: LanguageList | 3
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\INTELLIFORMS\STORAGE2 | 2
<HKLM>\SOFTWARE\WOW6432NODE\MOZILLA\MOZILLA FIREFOX | 2
<HKLM>\SOFTWARE\WOW6432NODE\MOZILLA\MOZILLA FIREFOX\20.0.1 (EN-US)\MAIN | 2
<HKLM>\SOFTWARE\WOW6432NODE\MOZILLA\MOZILLA THUNDERBIRD | 2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E; Value Name: @C:\Windows\system32\DeviceCenter.dll,-2000 | 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\DISCARDABLE\POSTSETUP\COMPONENT CATEGORIES\{56FFCC30-D398-11D0-B2AE-00A0C908FA49} | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\DISCARDABLE\POSTSETUP\COMPONENT CATEGORIES\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\ENUM | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\OWUZ370WDG | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\DISCARDABLE\POSTSETUP\COMPONENT CATEGORIES\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\ENUM; Value Name: Implementing | 1

Mutexes | Occurrences
3749282D282E1E80C56CAE5A | 1
-1L3OO7B8T5U3Hz8 | 1
86R24Q1820DI8G-5 | 1
0-RAP0BC8AFXV5YK | 1
O926B232S79XBxBC | 1

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
                                 

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
                                 

*See JSON for more IOCs

Files and/or directories created | Occurrences
%ProgramFiles%\Microsoft DN1 | 1
%LOCALAPPDATA%\Microsoft Vision | 1
%APPDATA%\D282E1 | 1
%APPDATA%\D282E1\1E80C5.lck | 1
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5 | 1
%APPDATA%\ndwgxitf.y2z | 1
%APPDATA%\Microsoft\Windows\TEMPLA~1\fgfhgf.exe | 1
%APPDATA%\ndwgxitf.y2z\Firefox | 1
%APPDATA%\ndwgxitf.y2z\Firefox\Profiles | 1
%APPDATA%\ndwgxitf.y2z\Firefox\Profiles\1lcuq8ab.default | 1
%APPDATA%\ndwgxitf.y2z\Firefox\Profiles\1lcuq8ab.default\cookies.sqlite | 1
%APPDATA%\A1EB383543D3F00657D7 | 1
%APPDATA%\Microsoft\Windows\Templates\BCRHYN5A.zip | 1
\TEMP\f400n12e.0.cs | 1
\TEMP\f400n12e.cmdline | 1
\TEMP\f400n12e.err | 1
\TEMP\f400n12e.out | 1
\TEMP\f400n12e.tmp | 1
\x5c\x55\x73\x65\x72\x73\x5c\x41\x64\x6d\x69\x6e\x69\x73\x74\x72\x61\x74\x6f\x72\x5c\x41\x70\x70\x44\x61\x74\x61\x5c\x52\x6f\x61\x6d\x69\x6e\x67\x5c\x4d\x69\x63\x72\x6f\x73\x6f\x66\x74\x5c\x57\x69\x6e\x64\x6f\x77\x73\x5c\x54\x65\x6d\x70\x6c\x61\x74\x65\x73\x5c\xac0e\xac27\xac09\xac17\xac18\xac18\xac10\xac0f\xac20\xac15\x2e\xac02\xac12\xac27\xac14\xac16\xac0d\xac05\xac1e\xac26\xac05 | 1
%APPDATA%\rxbyry3j.lyu | 1
%APPDATA%\rxbyry3j.lyu\Firefox | 1
%APPDATA%\rxbyry3j.lyu\Firefox\Profiles | 1
%APPDATA%\rxbyry3j.lyu\Firefox\Profiles\1lcuq8ab.default | 1
%APPDATA%\rxbyry3j.lyu\Firefox\Profiles\1lcuq8ab.default\cookies.sqlite | 1
%APPDATA%\gmzjfop1.kr5 | 1

*See JSON for more IOCs

File Hashes


Coverage

Product | Protection
Secure Endpoint
Cloudlock | N/A
CWS
Email Security
Network Security
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics
Umbrella
WSA

Screenshots of Detection: Secure Endpoint, Secure Malware Analytics, MITRE ATT&CK (images not reproduced)

Win.Dropper.Zeus-9969310-0

Indicators of Compromise

IOCs collected from dynamic analysis of 25 samples

Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\PRIVACY; Value Name: CleanCookies | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100; Value Name: CheckSetting | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102; Value Name: CheckSetting | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104; Value Name: CheckSetting | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101; Value Name: CheckSetting | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103; Value Name: CheckSetting | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN; Value Name: {45E760AF-9D6C-3717-3BC0-7CBFD652F80C} | 1
<HKCU>\SOFTWARE\MICROSOFT\HOESWE | 1
<HKCU>\SOFTWARE\MICROSOFT\HOESWE; Value Name: Riiky | 1

Mutexes | Occurrences
Local\{825579BC-847F-F0A5-3BC0-7CBFD652F80C} | 1
Local\{A3F31C8C-E14F-D103-3BC0-7CBFD652F80C} | 1
Local\{A3F31C8D-E14E-D103-3BC0-7CBFD652F80C} | 1
GLOBAL\{<random GUID>} | 1

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
193[.]143[.]97[.]30 | 1

Files and/or directories created | Occurrences
%TEMP%\tmp100f6b7d.bat | 1
%APPDATA%\Epxesy | 1
%APPDATA%\Epxesy\veof.okx | 1
%APPDATA%\Tioxp | 1
%APPDATA%\Tioxp\quem.exe | 1

File Hashes


*See JSON for more IOCs

Coverage

Product | Protection
Secure Endpoint
Cloudlock | N/A
CWS
Email Security
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics
Umbrella | N/A
WSA | N/A

Screenshots of Detection: Secure Endpoint, Secure Malware Analytics, MITRE ATT&CK (images not reproduced)

Win.Dropper.Nanocore-9969309-0

Indicators of Compromise

IOCs collected from dynamic analysis of 15 samples

Registry Keys | Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN; Value Name: AGP Manager | 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E; Value Name: LanguageList | 3
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E; Value Name: @explorer.exe,-7001 | 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN; Value Name: UqRhmjYGcw | 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER; Value Name: NoControlPanel | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN; Value Name: FmjwSAKZ\ | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN; Value Name: pdb | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN; Value Name: wMxdYNJI\ | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN; Value Name: kai | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN; Value Name: ZeNNLCQY\ | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN; Value Name: TpuuyrDY\ | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN; Value Name: pbr | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN; Value Name: zSCGySDZ\ | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN; Value Name: CoZNunCT\ | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN; Value Name: zrVxOFxs\ | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN; Value Name: PntmHtOf\ | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN; Value Name: UzTQIQBw\ | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN; Value Name: HpnSIvIw\ | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN; Value Name: FPZeexxA\ | 1

Mutexes | Occurrences
GLOBAL\{<random GUID>} | 9
54b220f4544a7115f31b | 2
2AC1A572DB6944B0A65C38C4140AF2F46386E886134 | 1
Global\534b56e0-35b0-11ed-9660-00151795f450 | 1

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
                                 
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
checkip[.]dyndns[.]org | 3
monerohash[.]com | 2

Files and/or directories created | Occurrences
\<random, matching [a-z]{7,15}> | 11
\<random, matching [a-z]{7,15}\[a-z]{7,25}>.exe | 11
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5 | 9
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs | 9
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs\Administrator | 9
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\run.dat | 9
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\task.dat | 9
%System32%\Tasks\AGP Manager | 9
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp | 9
%ProgramFiles(x86)%\AGP Manager | 3
%ProgramFiles(x86)%\AGP Manager\agpmgr.exe | 3
%System32%\Tasks\AGP Manager Task | 3
%TEMP%\test.vbs | 2
%LOCALAPPDATA%\AIMDKitteh | 2
%LOCALAPPDATA%\AIMDKitteh\mymonero.exe | 2
%APPDATA%\pdb | 1
%APPDATA%\pdb\pdb.exe | 1
%TEMP%\Fp7.exe | 1
%APPDATA%\Microsoft\Windows\Templates\4HIM1_BUR_CHOCK_RUBBER_SPACER.pdf | 1
%APPDATA%\kai | 1
%APPDATA%\kai\kai.exe | 1
%APPDATA%\pbr | 1
%APPDATA%\pbr\pbr.exe | 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\zGMpWbpk.exe.lnk | 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\SyYwhHOl.exe.lnk | 1
*See JSON for more IOCs

File Hashes


Coverage

Product | Protection
Secure Endpoint
Cloudlock | N/A
CWS
Email Security
Network Security
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics
Umbrella | N/A
WSA

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Ransomware.Cerber-9969274-0

Indicators of Compromise

IOCs collected from dynamic analysis of 26 samples

Mutexes    Occurrences
shell.{381828AA-8B28-3374-1B67-35680555C5EF}    26

IP Addresses contacted by malware. Does not indicate maliciousness    Occurrences
31[.]184[.]234[.]0/23    26

Files and/or directories created    Occurrences
%TEMP%\d19ab989    26
%TEMP%\d19ab989\4710.tmp    26
%TEMP%\d19ab989\a35f.tmp    26

File Hashes

001887448cac3a58f89bb4f1a8cc8ec45f628706da4e15ebe65429660b2cf825
0033255bc7041027253dc517866af84413f255c5552bcc47fd7e8e660838feed
039fc087b3471228b0be1f67091597e17f33e4cd04b0d2b4be5428657e314631
04097126ab04eef29679935eeaf4c411f04b7a9dfdf3f10bdb5ef7453e6b8692
056ad6d6e3bbd58774ed1ca65fd9b983504185993112a13c5aa54c65be2ca375
05dfa32796c95f0c0ea13074db213d53fab488fdde9afab36ed98c430bc1a930
06e837716cb81498c37c0b621c87acbd2e00d11cf60e27f628ce966702f1a11e
08ce2dac33264f90d5ad8d89bbe56ad0346fc32854a184ed23b15c1cfac81a63
09204adcfbb5041640705d9f80148a1b08ee206ba78d98e071dcdcea77aaf2ad
099ed53d97ba687736ae6e6bcf14c5cc39f65ee933115205c3237cfe19c81015
0b64ca7807d2836760e06c5b4f543d0ae52fa3029552a6e373656770f8eb53f7
109f7711ff16346888c05dbad80214832525d2f962456626e51b90675f4b5e4c
163ecfa1ca0dd985d0487bb496948eb43e2a37ff44a1f833ae1c92b38e269548
19fd3a451086711c12e345a717f0361db12cc8f4a88a3efa66bfa22c96c0e6d7
1a6f8c9f5ab69bfe50d01ab3c321468c6f7ae73091245efe5ec55a4e03f40002
1c09cbf3f181b08879c3cff05c31d0708a9331fddf0eba03e3bbe07ae220a8f8
1cf1dd029fff1b33bd7951e45b7304038c31547e082cabefa656b42e7349ae82
1f27597b0c1b7887511b302efc5fb94b8a241e9736295aeabf84f199f6ccee31
249d96a706928e747acaee7f2bbfa5650f58c957819c262b2cd25e6821f8ece0
270c413b723228cd91400050fbcd8c2eb549f17456f36ff8ad41b63deeb2870c
29598e11fac3a66758910e03c38bb17da6771141a968a1aaf99ae4520bf6c60c
2dde0afe1cf38036b2436a9ca80be179dce9371115ed882bbeb9278563f8d14a
301ca6accba0406fa35115716889892002e30ed8b9d84920b9c5cc2766b0c7f5
30d19efc5ed887ec148f4c280fe5daf01dd6b0098a81d99a864dce3bc8a5f8e4
3b4e4e8fc9b2bf6f7750cd8ed310f8bb4cd7d56ed9989e0fdd929aa5ee27debf

*See JSON for more IOCs

Coverage

Product                     Protection
Secure Endpoint             ✓
Cloudlock                   N/A
CWS                         ✓
Email Security              ✓
Network Security            N/A
Stealthwatch                N/A
Stealthwatch Cloud          N/A
Secure Malware Analytics    ✓
Umbrella                    N/A
WSA                         N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.DarkKomet-9969269-0

Indicators of Compromise

IOCs collected from dynamic analysis of 25 samples

Registry Keys    Occurrences
<HKU>\<User SID>    23
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
    Value Name: LanguageList    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101
    Value Name: CheckSetting    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103
    Value Name: CheckSetting    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100
    Value Name: CheckSetting    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102
    Value Name: CheckSetting    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104
    Value Name: CheckSetting    1
<HKCU>\SOFTWARE\MICROSOFT\UNBUR    1
<HKCU>\SOFTWARE\MICROSOFT\UNBUR
    Value Name: Ryuplucyc    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: hyybo.exe    1
<HKCU>\SOFTWARE\MICROSOFT\UNBUR
    Value Name: Yqtayfxe    1

Mutexes    Occurrences
Global\{08995C04-83FA-2613-1053-58F3B048D958}    23
Global\8bf66b81-fa0d-11ec-b5f8-00501e3ae7b6    1
GLOBAL\{<random GUID>}    1
Local\{<random GUID>}    1

Domain Names contacted by malware. Does not indicate maliciousness    Occurrences
alchemistrywork[.]com    1

Files and/or directories created    Occurrences
%TEMP%\tmp25673c86.bat    1
%APPDATA%\Otufux    1
%APPDATA%\Otufux\hyybo.exe    1
%APPDATA%\Vooqwo    1
%APPDATA%\Vooqwo\bayk.qua    1

File Hashes

01a66cc3487f0d7e2f27d5a8e69f0c234bdf3304b9ca06fd147fb004a50929f3
03f815c5390528e96c9abf400ce167582eadb1649589b00d39d29b433b03c7b0
2059a4cffd04bc3e04955e20fdd5df1d5d9908d6b9214f8e4c80e10321be77eb
2279feff7534923353197e71c57e3945b8a1efd80d66dcd8e146bcbf1f554a70
3948d73d942c6164c716b5d69041e0ecf9df653e6ece61555e507a745006a3fd
44b484fb9343f45c670e63f286313b09ae005edf5ca0168fb94229dcbd9388aa
4b7e1f682cb8d5dba918cc565714e04d2147663b18ecb9f90deae9ab28bf8f1b
52ccf7455c103e6db02356727227e4bb45d718e0205f28f89349c671997c6c09
62fb8f5173958bb58b2f84a854d08899f14706a6e20e57e3b906965ebd7db6f4
63d42b3e5da3c55a03d2f9b04456632a2f675547b853f142b8245c91bf15100d
68ffff6405e7baecff7f87af41afbbde02844a917a52660a87f36cff3635ccd2
6a0d55b4ed40a705c9e8af25cac6133b4fbb043909e509b1fce274238def0b07
7432dbc42a6785ad8f0cdfbecabcaa38c291e51b3aac8863b3bdfdb1cc1163fd
8350295d5dc2ae0d23d8a4831b461e4103abde3928b9d0f380eb83679fcbf26d
91dc25a40e00e8cc9f5d1074ff80a66ed5c927036e062ce0311a92e5e4b94480
a49071fdf4d34aaf88300a3703227c1fdcd532f9054f848dfbc5c1f15b6fef45
b76165ed0f3f9e8ac42394cf8700e8d8e8c7f4ee89b11c01e81d29b0b4006220
c0bc17998bde718499954f3cf7319b1633405452873b606671204889051cf1a0
c159a657fef9189a28461ac6725bd0a9d6cb1cf4311a3a7d6d95e06130eb629a
c42edcd2dbcc690da04afb0d2bb771f2d4aef1e188aa3b8a096c051340b52ab4
c6f4e464c49730bfa10f56fb52a892793cd17f52dbbfc3e60a97a6bc270db136
c88d6a155c90a01b76884456c34f9f9d2670deb255b67e5111a8898ecee06d3c
cb03a653a5d69f18b89a24e80b9294c86a08ba48a8bb6fb12223dc2f2b8b45a7
e71370e84a0973f799a58b0ef1e06b4c6343df99343cb778efd26e8257792c0c
f574238919b3f09297232f706ab3a0f633aa7259657a0965d2a46a181a3ba266

Coverage

Product                     Protection
Secure Endpoint             ✓
Cloudlock                   N/A
CWS                         ✓
Email Security              ✓
Network Security            N/A
Stealthwatch                N/A
Stealthwatch Cloud          N/A
Secure Malware Analytics    ✓
Umbrella                    N/A
WSA                         N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Ramnit-9969260-0

Indicators of Compromise

IOCs collected from dynamic analysis of 25 samples

Registry Keys    Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
    Value Name: EnableFirewall    7
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
    Value Name: LanguageList    7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN    6
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
    Value Name: @explorer.exe,-7001    5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
    Value Name: AntiVirusOverride    4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
    Value Name: AntiVirusDisableNotify    4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
    Value Name: FirewallDisableNotify    4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
    Value Name: FirewallOverride    4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
    Value Name: UpdatesDisableNotify    4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
    Value Name: UacDisableNotify    4
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
    Value Name: EnableLUA    4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
    Value Name: DoNotAllowExceptions    4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
    Value Name: DisableNotifications    4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
    Value Name: Start    4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
    Value Name: Start    4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
    Value Name: Start    4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION
    Value Name: jfghdug_ooetvtgk    4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: JudCsgdy    4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV
    Value Name: Start    4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: Windows Defender    4
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
    Value Name: Userinit    4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
    Value Name: Userinit    4
<HKCU>\SOFTWARE\APPDATALOW\GOOGLE UPDATER
    Value Name: LastUpdate    3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\PUBLICPROFILE
    Value Name: EnableFirewall    3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SSDPSRV
    Value Name: Start    3

Mutexes    Occurrences
{7930D12C-1D38-EB63-89CF-4C8161B79ED4}    4
60F16AAB662B6A5DA3F649835F6E212598B68E3C    4
777OurStarterProcessMutex777    2
888OurMainProcessMutex888    2
999OurBrother1ProcessMutex999    2
000OurBrother2ProcessMutex000    2
A9MTX7ERFAMKLQ    1
A9ZLO3DAFRVH1WAE    1
B81XZCHO7OLPA    1
BSKLZ1RVAUON    1
GJLAAZGJI156R    1
I106865886KMTX    1
IGBIASAARMOAIZ    1
J8OSEXAZLIYSQ8J    1
LXCV0IMGIXS0RTA1    1
MKS8IUMZ13NOZ    1
NLYOPPSTY    1
OPLXSDF19WRQ    1
PLAX7FASCI8AMNA    1
RGT70AXCNUUD3    1
TEKL1AFHJ3    1
TXA19EQZP13A6JTR    1
VSHBZL6SWAG0C    1
flowblink90x33    1
22887842DFA648B38E6C28C844FF2BE798B68E3C    1

*See JSON for more IOCs

IP Addresses contacted by malware. Does not indicate maliciousness    Occurrences
13[.]107[.]21[.]200    5
195[.]201[.]179[.]207    4
142[.]250[.]65[.]206    3
185[.]121[.]177[.]177    2
130[.]255[.]78[.]223    2
185[.]121[.]177[.]53    2
144[.]76[.]133[.]38    2
45[.]63[.]25[.]55    2
27[.]100[.]36[.]191    2
89[.]18[.]27[.]34    2
178[.]63[.]145[.]230    2
104[.]168[.]144[.]17    2
62[.]113[.]203[.]55    2
46[.]165[.]221[.]154    2
85[.]13[.]157[.]3    2
193[.]23[.]244[.]244    1
194[.]109[.]206[.]212    1
154[.]35[.]32[.]5    1
171[.]25[.]193[.]9    1
172[.]217[.]165[.]142    1
65[.]21[.]85[.]98    1
64[.]225[.]91[.]73    1
23[.]47[.]64[.]115    1
104[.]108[.]124[.]205    1
104[.]72[.]157[.]175    1

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness    Occurrences
www[.]bing[.]com    6
google[.]com    4
bunikabatedoba13[.]top    4
bvnotike[.]667[.]top    4
jokimutinke[.]net    4
opiutunuza11[.]net    4
ujnuyteeej[.]top    4
nerdasss33[.]top    4
drdrfdd[.]cat    3
eaxsess[.]cat    3
gagaxx[.]cat    3
huhujoo[.]cat    3
nknkd[.]cat    3
nknkdd[.]cat    3
nknkddx[.]cat    3
nknkddx2[.]cat    3
sdsdfg[.]cat    3
trtr44[.]cat    3
erwwbasmhtm[.]com    2
fbnurqhsbun[.]com    2
h37eyrba720ui[.]com    2
jdnpwbnnya[.]com    2
jhaiujfprlsbpyov[.]com    2
mngawiyhlyo[.]com    2
oxxvnflhtpomjmwst[.]com    2

*See JSON for more IOCs
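The network indicators in this roundup are published defanged ("[.]" in place of "."), one Cerber entry, 31[.]184[.]234[.]0/23, is a CIDR range rather than a single address, and the Ramnit domain list carries ordinary infrastructure such as www[.]bing[.]com and google[.]com that the table header itself says does not indicate maliciousness. The Python below is an added example, not Talos code: it refangs a handful of entries copied from the Cerber and Ramnit tables, matches them against constructed DNS and flow log lines, and reports hits on the page's own benign entries at informational severity so they serve as context rather than alerts. The log line format, the sample lines and the BENIGN_CONTEXT set are this example's assumptions, not anything published in the roundup.

```python
"""Refang and match the roundup's network IOCs (added example, not Talos code)."""
import ipaddress
import re

# Entries copied from the Cerber and Ramnit tables, exactly as published (defanged).
ROUNDUP_IOCS = [
    "31[.]184[.]234[.]0/23",   # Cerber: contacted by all 26 samples
    "195[.]201[.]179[.]207",   # Ramnit
    "bunikabatedoba13[.]top",  # Ramnit
    "bvnotike[.]667[.]top",    # Ramnit
    "www[.]bing[.]com",        # Ramnit table, but ordinary infrastructure
    "google[.]com",            # Ramnit table, but ordinary infrastructure
]

# Assumption of this example: listed entries that are ordinary infrastructure.
# A hit is context for the analyst, not an alert on its own.
BENIGN_CONTEXT = {"www.bing.com", "google.com"}

# Constructed log format (assumption): "<timestamp> <dns|flow> <source host> <queried name or destination IP>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>dns|flow)\s+(?P<src>\S+)\s+(?P<target>\S+)$")

# Constructed sample lines: the first four imitate the published behaviour, the last two are noise.
SAMPLE_LOG = """\
2022-09-12T10:01:02Z flow 10.0.0.5 31.184.234.77
2022-09-12T10:01:03Z dns  10.0.0.5 bunikabatedoba13.top
2022-09-12T10:01:04Z dns  10.0.0.5 cdn.bvnotike.667.top
2022-09-12T10:01:05Z dns  10.0.0.5 www.bing.com
2022-09-12T10:01:06Z flow 10.0.0.5 31.184.236.1
2022-09-12T10:01:07Z dns  10.0.0.5 example.com
"""


def refang(ioc: str) -> str:
    """Reverse the publication defanging: '[.]' -> '.', 'hxxp' -> 'http'."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


class IocSet:
    """Refanged IOCs split into IP networks (a bare IP becomes a /32) and domains."""

    def __init__(self, defanged):
        self.networks = []
        self.domains = set()
        for raw in defanged:
            ioc = refang(raw)
            try:
                self.networks.append(ipaddress.ip_network(ioc, strict=False))
            except ValueError:  # neither an IP nor a CIDR, so treat it as a domain
                self.domains.add(ioc.lower().rstrip("."))

    def match_ip(self, ip):
        """Return the listed network that contains ip (covers the /23 case), or None."""
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return None
        for net in self.networks:
            if addr in net:
                return str(net)
        return None

    def match_domain(self, name):
        """Return the listed domain that name equals or is a subdomain of, or None."""
        labels = name.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate
        return None


def scan(log_text, iocs):
    """Return one dict per matching log line, with the IOC that matched and a severity."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        target = m["target"]
        matched = iocs.match_ip(target) if m["kind"] == "flow" else iocs.match_domain(target)
        if matched is None:
            continue
        severity = "info" if matched in BENIGN_CONTEXT else "high"
        hits.append({"ts": m["ts"], "src": m["src"], "target": target,
                     "ioc": matched, "severity": severity})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG, IocSet(ROUNDUP_IOCS)):
        print(hit)
```

Subdomain matching is deliberate: the log line for cdn.bvnotike.667.top is attributed to the listed parent bvnotike[.]667[.]top, while 31.184.236.1 falls outside the /23 and is ignored.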

Files and/or directories created    Occurrences
%LOCALAPPDATA%\bolpidti    4
%LOCALAPPDATA%\bolpidti\judcsgdy.exe    4
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\judcsgdy.exe    4
%APPDATA%\Microsoft\gawbgrrs    4
%APPDATA%\Microsoft\gawbgrrs\jisgivdt.exe    4
%ProgramData%\Device Driver Setup    3
\$Recycle.Bin\S-1-5-~2\!WhatHappenedWithMyFiles!.rtf    2
%HOMEPATH%\Documents and Settings\!WhatHappenedWithMyFiles!.rtf    2
\$Recycle.Bin\<User SID>\!WhatHappenedWithMyFiles!.rtf    2
%APPDATA%\!WhatHappenedWithMyFiles!.rtf    2
%HOMEPATH%\Documents\!WhatHappenedWithMyFiles!.rtf    2
\Users\All Users\Microsoft\RAC\PublishedData\!WhatHappenedWithMyFiles!.rtf    2
\Users\All Users\Microsoft\RAC\StateData\!WhatHappenedWithMyFiles!.rtf    2
%ProgramData%\Microsoft\RAC\PublishedData\!WhatHappenedWithMyFiles!.rtf    2
%ProgramData%\Microsoft\RAC\StateData\!WhatHappenedWithMyFiles!.rtf    2
%ProgramData%\Microsoft\RAC\PUBLIS~1\!WhatHappenedWithMyFiles!.rtf    2
\Users\ALLUSE~1\Microsoft\RAC\PUBLIS~1\!WhatHappenedWithMyFiles!.rtf    2
%ProgramData%\Microsoft\RAC\STATED~1\!WhatHappenedWithMyFiles!.rtf    2
\Users\ALLUSE~1\Microsoft\RAC\STATED~1\!WhatHappenedWithMyFiles!.rtf    2
%TEMP%\<random, matching '[0-9a-z]{8}'>.exe    2
%APPDATA%\SjyNBvm6RTID\9x56BxjU.cmd    1
%APPDATA%\Microsoft\cciihiec\jisgivdt.exe    1
%APPDATA%\SjyNBvm6RTID\XvNigAX3.cmd    1
%APPDATA%\SJYNBV~1\165TprqR.exe    1
%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup\165TprqR.lnk    1

*See JSON for more IOCs

File Hashes

0b2ad4aa2b64aae559973ec324330f137fd4c9546aeb2c2f9c35b5617b180c05
102092d52e39ed386a890d2687b4e80da6a0372f89ee2b83a8c29b3a13d22788
147569cb85cffa13769376d5da1c8ec7487443b710faf19afab24a021a58913b
25727f1d115764349d0cbd828598d52140640be6eade12e62ff3438525004630
5280855d2a67a6ba91900af80c235b1bafb51151cba3f7bff7566efda8d0ee09
5462ceb3fbab158b53c3c247d939183c89eb96229c8f78fdc61e44f1a939bfa4
60a52492d31994057a2d0566ccf469393fad834cabe943a89bbdb9d07852626a
7234d6a648ff98721f0045dcda255767f0f6d19a1cccea8c8e7db97f594da4bd
72d6c6b95eeaae1b2777d70ac14b122ca72874f1d98680d52dc9b27b2b66ded0
72f5a9c942d7d5efd18390cb99539d7f411983bb9c41f8137f0a2c5a7bb66152
73ed34beba387409f4bdfd3413079d3a50e49380a1ad39c5f8d67b1ea4d04aaf
7cb1a756133840264574c4683e437accbe24b254e853a17588a5c67e7858369a
868dc997d2fa2123e8035eb565d940542b9d7b363c54e177cc85dcd89529ab94
8cbebde91c55c93149db657c63fc480e5639f85f6f072a538b0155d3a5bec4bd
93cd72fbca2dbb3d75f972cfac420aaf1d007824b073f6bef7944108543c5c5b
9e67e77db32641775ebdcce463fe21b195539417d20168fac7209908825578d7
a2d53ce7f45959e6ca5786f0d0704a5f9056789b4d7afaf7bf93bc74ddf3e5dc
a67bc1d4129d487029cbd0836241425213ed5b57806a089d427703d69b87a80a
b48b525ec88d26ca83b1a80e16fc90bfe163e09e183df73009c8f6de39c24f99
bc703ff3117b8088ce29ba90a2a25708a845503b6a76946082f86787f53f6d93
bca38bba430425ae06eeff67707b04730cabdab8c28c5d7edb73a704d9a12ab0
c3a619f1b3493485405947c2eb13ade0def13b84ea9350def3a936c916dc9755
c71a94e585e6a8f225e97df8e8c5ee8d8224fdd265731205e9179f979e6d5787
c9702ab60a3acdb6319b30c7723ba448e544f72c9658e7169753d2ba6033f74b
d677ac549428b51974e92573bd1aeb3869d58b2a23d3cc0e116473213678f237

*See JSON for more IOCs

Coverage

Product                     Protection
Secure Endpoint             ✓
Cloudlock                   N/A
CWS                         ✓
Email Security              ✓
Network Security            ✓
Stealthwatch                N/A
Stealthwatch Cloud          N/A
Secure Malware Analytics    ✓
Umbrella                    ✓
WSA                         ✓

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Kuluoz-9969050-0

Indicators of Compromise

IOCs collected from dynamic analysis of 15 samples

Registry Keys    Occurrences
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'>    15
<HKCU>\SOFTWARE\SQFRVCDX
    Value Name: qbdiucws    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: vecqtanl    1
<HKCU>\SOFTWARE\QMBDQAJI
    Value Name: mrwduoeq    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: cegwtkiq    1
<HKCU>\SOFTWARE\XSCWKWTB
    Value Name: uaclqbul    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: ucbqtutu    1
<HKCU>\SOFTWARE\JBDLTTQA
    Value Name: mrwedtqx    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: vqutjntj    1
<HKCU>\SOFTWARE\JFXJSONS
    Value Name: fecipfcv    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: arwphoht    1
<HKCU>\SOFTWARE\PCJDWGMU
    Value Name: cjpxnmpf    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: nhloowrs    1
<HKCU>\SOFTWARE\USMUVJEA
    Value Name: hbijvefk    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: conoxmsr    1
<HKCU>\SOFTWARE\UBVPEQTD
    Value Name: bvqcqshx    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: ukvchxne    1
<HKCU>\SOFTWARE\HBTTNUTT
    Value Name: aeulprit    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: frrvhaca    1
<HKCU>\SOFTWARE\VUSJFBBT
    Value Name: mpxwxiew    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: uejoeofv    1
<HKCU>\SOFTWARE\FMOPLQAL
    Value Name: iqmwiqfj    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: wjrmnejf    1
<HKCU>\SOFTWARE\RKDPGLPX
    Value Name: qmjertge    1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Value Name: mbmgmhmo    1

Mutexes    Occurrences
aaAdministrator    15
                     
                         
            
        IP Addresses contacted by malware. Does not indicate maliciousness            Occurrences        
                                 
        141[.]105[.]121[.]139            13            
                 
        74[.]221[.]221[.]58            10            
                 
        91[.]109[.]2[.]132            9            
                 
        101[.]255[.]36[.]171            8            
                 
        58[.]83[.]159[.]94            8            
                 
        93[.]189[.]95[.]148            7            
                 
        94[.]199[.]242[.]85            6            
                 
        82[.]165[.]152[.]226            4            
                     
                                 
            
        Files and or directories created            Occurrences        
                                 
        %LOCALAPPDATA%\<random, matching '[a-z]{8}'>.exe            15            

File Hashes

    09650f5a6dbe38fc54c1d17e05955612e37e9268d3d821726fad65e5d13a127e
    17b2f61b057168ed4414a71ec6c4f9cbaa78c96cfec6bd6330e7f8c298c715d5
    235be690210e2d9c368f9028e47572dcc120b7f597877573af43ecaeb70e615f
    2e61d7e17915a3359a01fd959b4383fdd2441b8544d457bb185fa2509e699d41
    36f8895998b854c4276c0b2318baa41c947ea64f5bcc6666f634111ea62b6505
    4bbaeba54a1b65e90b4d24714a45dbe37ec407364097a8c889f9f61d679e2fcd
    51324e089d7b1ee9cf85837c719d993cea5dd928cc1e932aa2f17d3e758509e6
    535a4f9cef7aef421ad38986f14de66251e72aba2dea5dd6ca666ab38f10f7db
    55d37fae592c2d00bef0ff48e15dbe52f68edcd098c679233fd61d319d32c64b
    5f050eaf9f0f3b9c2cddc84bbcf53115932932da4151f719169e5d2c8e672764
    6cc11bd407b5882290b839eedae377cd63ec3a4d3cbc87f8686dd63e233922da
    72b3b8bf3ce9c0bb3831e453fcfdcdf37e44e183eb1cdba383d5196e90829935
    7cb0202a99a14882e1108c5c7deb738289873b99dec43172bbe6ee39136bd9fe
    9ef1750fce26d1ef5908b3d7f7304a54edee5207282ffedcf525a8c714bb5ac8
    d699fe8f3c9f2925101e85dfacaca00550fe2a7cf4ef22aff827bc88900f5a18

Coverage

        Product                         Protection
        Secure Endpoint                 Yes
        Cloudlock                       N/A
        CWS                             Yes
        Email Security                  Yes
        Network Security                N/A
        Stealthwatch                    N/A
        Stealthwatch Cloud              N/A
        Secure Malware Analytics        Yes
        Umbrella                        N/A
        WSA                             N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Remcos-9969014-0

Indicators of Compromise

IOCs collected from dynamic analysis of 13 samples

        Registry Keys                                               Occurrences
    <HKCU>\SOFTWARE\ZANGARMARSH-228I7H                              13
    <HKCU>\SOFTWARE\ZANGARMARSH-228I7H
        Value Name: EXEpath                                         13

        Mutexes                                                     Occurrences
        Remcos_Mutex_Inj                                            13
        Zangarmarsh-228I7H                                          13

        Domain Names contacted by malware. Does not indicate maliciousness    Occurrences
        ezpz1[.]xyz                                                 13

        Files and or directories created                            Occurrences
        %SystemRoot%\win.ini                                        13
        %APPDATA%\csrss.exe                                         13
        %System32%\Tasks\csrss                                      13
        %APPDATA%\javacache                                         13
        %APPDATA%\javacache\logs.dat                                13

File Hashes

    02d30b6a94180708d4d525914a917cd9370190926e549fada8d93b4fd033e906
    0c335742c2a239dddbe7467946c481609d1840dca5b67a80ea071d4a593b4ad0
    216c429a096cbc58d595d015dd82f9c2be8a89af1d295e511a9ae8431c889710
    4a01a7d09fe699b3d699463a6f76b445e0a07dc0d8360ba4fca4ddcda7a2af66
    4a86b0a93ce30688176f4f745c52cec56cd023a924c58f8a27d36570871ab580
    5af743dffb813faf071cf185f39c3d258864556a154cfa12ac1b8a56607bd2ce
    608bd3bada966b94ecff736b0811278b7db6cef97c0133e296a5d8bad2ac725d
    7ac6edfc10a8361d20fee7f561d4fce8b3ea0e963cfc44c0421ca0fd8501c851
    b4c77021bc5641683caa3280fe115fea383141b5722f215e6dcb4ad2913cc02f
    b4e9902d2d44051e6620b458c43514e552df4c8f5a6aebdfd5363b3ac9e344a0
    ceec2d534fe22ef53ae86302717458922993cccb16a5cfbabfb40d1956ee2415
    f4a212b3bdc04c7be624a5955e43acf7f836dc9a14852d2fddda48095c017e6b
    ff804004e7082fcf4802beb7d8b4d4b03867de1b746af1021a703767c2728c4b

Coverage

        Product                         Protection
        Secure Endpoint                 Yes
        Cloudlock                       N/A
        CWS                             Yes
        Email Security                  Yes
        Network Security                N/A
        Stealthwatch                    N/A
        Stealthwatch Cloud              N/A
        Secure Malware Analytics        Yes
        Umbrella                        N/A
        WSA                             N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK
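
The Kuluoz and Remcos indicator lists above mix exact values (mutexes, defanged IPs and domains) with placeholder notation such as <random, matching '[a-z]{8}'> and environment variables such as %APPDATA%, and the roundup warns that a single IOC hit is not evidence of compromise. The Python below is an added example, not code from the Talos post or a Cisco product: it refangs the network indicators, turns the placeholder notation into anchored regular expressions, and scores constructed Sysmon-style events per host, flagging a host only when indicators from two or more categories match. The mapping from placeholders to on-disk paths and HKU SIDs, the event format, and the hostnames and events themselves are assumptions made for the example; the indicator strings are copied from the two lists above.

```python
"""Refang Talos-style IOCs, compile their placeholders, and score hosts.

Added example for this roundup, not code from the Talos post. The IOC strings
are copied from the Kuluoz and Remcos lists above; the telemetry is constructed.
"""
import re
from collections import defaultdict

# Assumed mapping from the roundup's placeholders to what Sysmon-style telemetry
# records (drive letter, profile path, HKU SID); the post does not define this.
PLACEHOLDERS = {
    "%LOCALAPPDATA%": r"[A-Z]:\\Users\\[^\\]+\\AppData\\Local",
    "%APPDATA%": r"[A-Z]:\\Users\\[^\\]+\\AppData\\Roaming",
    "%System32%": r"[A-Z]:\\Windows\\System32",
    "%SystemRoot%": r"[A-Z]:\\Windows",
    "<HKCU>": r"(?:HKCU|HKEY_CURRENT_USER|HKU\\S-1-5-21-[0-9-]+)",
}
RANDOM = re.compile(r"<random, matching '?(.+?)'?>")

# Indicators as printed on this page (still defanged). The bare
# HKCU\...\CurrentVersion\Run key is left out: every autostart entry writes it.
IOCS = {
    "registry": [
        r"<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'>",  # Kuluoz
        r"<HKCU>\SOFTWARE\ZANGARMARSH-228I7H",                      # Remcos
    ],
    "mutex": ["aaAdministrator", "Remcos_Mutex_Inj", "Zangarmarsh-228I7H"],
    "file": [
        r"%LOCALAPPDATA%\<random, matching '[a-z]{8}'>.exe",        # Kuluoz
        r"%APPDATA%\csrss.exe",                                      # Remcos
        r"%System32%\Tasks\csrss",
        r"%APPDATA%\javacache\logs.dat",
    ],
    "network": ["141[.]105[.]121[.]139", "74[.]221[.]221[.]58", "ezpz1[.]xyz"],
}

# Constructed Sysmon-like events; hostnames, SIDs and user paths are made up.
EVENTS = [
    {"host": "ws01", "type": "registry", "value": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\QMBDQAJI"},
    {"host": "ws01", "type": "mutex", "value": "aaAdministrator"},
    {"host": "ws01", "type": "file", "value": r"C:\Users\alice\AppData\Local\kqzpwmxa.exe"},
    {"host": "ws01", "type": "network", "value": "141.105.121.139"},
    {"host": "ws02", "type": "network", "value": "141.105.121.139"},  # shared IP, nothing else
    {"host": "ws03", "type": "file", "value": r"C:\Users\bob\AppData\Roaming\csrss.exe"},
    {"host": "ws03", "type": "mutex", "value": "Remcos_Mutex_Inj"},
    {"host": "ws03", "type": "network", "value": "ezpz1.xyz"},
    {"host": "ws04", "type": "file", "value": r"C:\Windows\System32\csrss.exe"},  # the real csrss
    {"host": "ws05", "type": "registry", "value": r"HKCU\SOFTWARE\Mozilla"},  # benign 5-9 char key
]


def refang(indicator):
    """Undo the '[.]' defanging used in the post so values compare with logs."""
    return indicator.replace("[.]", ".")


def _literal(text):
    """Escape literal text, then substitute regex for the environment placeholders."""
    out = re.escape(text)
    for token, pattern in PLACEHOLDERS.items():
        out = out.replace(re.escape(token), pattern)
    return out


def ioc_to_regex(ioc):
    """Anchored, case-insensitive regex: literal text outside '<random, matching ...>',
    the embedded pattern used verbatim as the roundup prints it."""
    parts, pos = [], 0
    for m in RANDOM.finditer(ioc):
        parts.append(_literal(ioc[pos:m.start()]))
        parts.append(m.group(1))
        pos = m.end()
    parts.append(_literal(ioc[pos:]))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def compile_iocs(iocs=IOCS):
    """Compile every indicator; network values are exact matches after refanging."""
    compiled = defaultdict(list)
    for category, values in iocs.items():
        for value in values:
            if category == "network":
                rx = re.compile("^" + re.escape(refang(value)) + "$", re.IGNORECASE)
            else:
                rx = ioc_to_regex(value)
            compiled[category].append((value, rx))
    return compiled


def score_hosts(events, iocs=IOCS, min_categories=2):
    """Return {host: {"hits": [(category, ioc, value)], "flagged": bool}}.
    A host is flagged only when at least `min_categories` distinct categories hit."""
    compiled = compile_iocs(iocs)
    result = defaultdict(lambda: {"hits": [], "flagged": False})
    for ev in events:
        for ioc, rx in compiled.get(ev["type"], []):
            if rx.search(ev["value"]):
                result[ev["host"]]["hits"].append((ev["type"], ioc, ev["value"]))
    for entry in result.values():
        entry["flagged"] = len({cat for cat, _, _ in entry["hits"]}) >= min_categories
    return dict(result)


if __name__ == "__main__":
    for host, entry in sorted(score_hosts(EVENTS).items()):
        print(host, "FLAGGED" if entry["flagged"] else "single category", entry["hits"])
```

Two of the constructed events show why the per-host threshold matters: the Kuluoz registry pattern <HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'> also matches a benign vendor key such as ...\SOFTWARE\Mozilla, and the Remcos csrss.exe indicator is only suspicious under %APPDATA%, so the genuine C:\Windows\System32\csrss.exe produces no hit at all. Lower min_categories to 1 to see every single-indicator host surface, which is the noise level the roundup's caveat is warning about.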

TALOS
Win.Dropper.DarkKomet-9969269-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples

Registry Keys | Value Name | Occurrences
<HKU>\<User SID> | | 23
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | LanguageList | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101 | CheckSetting | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103 | CheckSetting | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100 | CheckSetting | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102 | CheckSetting | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104 | CheckSetting | 1
<HKCU>\SOFTWARE\MICROSOFT\UNBUR | | 1
<HKCU>\SOFTWARE\MICROSOFT\UNBUR | Ryuplucyc | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | hyybo.exe | 1
<HKCU>\SOFTWARE\MICROSOFT\UNBUR | Yqtayfxe | 1

Mutexes | Occurrences
Global\{08995C04-83FA-2613-1053-58F3B048D958} | 23
Global\8bf66b81-fa0d-11ec-b5f8-00501e3ae7b6 | 1
GLOBAL\{<random GUID>} | 1
Local\{<random GUID>} | 1

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
alchemistrywork[.]com | 1

Files and or directories created | Occurrences
%TEMP%\tmp25673c86.bat | 1
%APPDATA%\Otufux | 1
%APPDATA%\Otufux\hyybo.exe | 1
%APPDATA%\Vooqwo | 1
%APPDATA%\Vooqwo\bayk.qua | 1

File Hashes

    01a66cc3487f0d7e2f27d5a8e69f0c234bdf3304b9ca06fd147fb004a50929f3

    03f815c5390528e96c9abf400ce167582eadb1649589b00d39d29b433b03c7b0

    2059a4cffd04bc3e04955e20fdd5df1d5d9908d6b9214f8e4c80e10321be77eb

    2279feff7534923353197e71c57e3945b8a1efd80d66dcd8e146bcbf1f554a70

    3948d73d942c6164c716b5d69041e0ecf9df653e6ece61555e507a745006a3fd

    44b484fb9343f45c670e63f286313b09ae005edf5ca0168fb94229dcbd9388aa

    4b7e1f682cb8d5dba918cc565714e04d2147663b18ecb9f90deae9ab28bf8f1b

    52ccf7455c103e6db02356727227e4bb45d718e0205f28f89349c671997c6c09

    62fb8f5173958bb58b2f84a854d08899f14706a6e20e57e3b906965ebd7db6f4

    63d42b3e5da3c55a03d2f9b04456632a2f675547b853f142b8245c91bf15100d

    68ffff6405e7baecff7f87af41afbbde02844a917a52660a87f36cff3635ccd2

    6a0d55b4ed40a705c9e8af25cac6133b4fbb043909e509b1fce274238def0b07

    7432dbc42a6785ad8f0cdfbecabcaa38c291e51b3aac8863b3bdfdb1cc1163fd

    8350295d5dc2ae0d23d8a4831b461e4103abde3928b9d0f380eb83679fcbf26d

    91dc25a40e00e8cc9f5d1074ff80a66ed5c927036e062ce0311a92e5e4b94480

    a49071fdf4d34aaf88300a3703227c1fdcd532f9054f848dfbc5c1f15b6fef45

    b76165ed0f3f9e8ac42394cf8700e8d8e8c7f4ee89b11c01e81d29b0b4006220

    c0bc17998bde718499954f3cf7319b1633405452873b606671204889051cf1a0

    c159a657fef9189a28461ac6725bd0a9d6cb1cf4311a3a7d6d95e06130eb629a

    c42edcd2dbcc690da04afb0d2bb771f2d4aef1e188aa3b8a096c051340b52ab4

    c6f4e464c49730bfa10f56fb52a892793cd17f52dbbfc3e60a97a6bc270db136

    c88d6a155c90a01b76884456c34f9f9d2670deb255b67e5111a8898ecee06d3c

    cb03a653a5d69f18b89a24e80b9294c86a08ba48a8bb6fb12223dc2f2b8b45a7

    e71370e84a0973f799a58b0ef1e06b4c6343df99343cb778efd26e8257792c0c

    f574238919b3f09297232f706ab3a0f633aa7259657a0965d2a46a181a3ba266

Coverage

Product | Protection
Secure Endpoint |
Cloudlock | N/A
CWS |
Email Security |
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics |
Umbrella | N/A
WSA | N/A

Screenshots of Detection: Secure Endpoint, Secure Malware Analytics (images)

MITRE ATT&CK technique map (image)

Win.Dropper.Ramnit-9969260-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples

Registry Keys | Value Name | Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE | EnableFirewall | 7
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | LanguageList | 7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN | | 6
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @explorer.exe,-7001 | 5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER | AntiVirusOverride | 4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER | AntiVirusDisableNotify | 4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER | FirewallDisableNotify | 4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER | FirewallOverride | 4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER | UpdatesDisableNotify | 4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER | UacDisableNotify | 4
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM | EnableLUA | 4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE | DoNotAllowExceptions | 4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE | DisableNotifications | 4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC | Start | 4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND | Start | 4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC | Start | 4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION | jfghdug_ooetvtgk | 4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | JudCsgdy | 4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV | Start | 4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | Windows Defender | 4
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON | Userinit | 4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON | Userinit | 4
<HKCU>\SOFTWARE\APPDATALOW\GOOGLE UPDATER | LastUpdate | 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\PUBLICPROFILE | EnableFirewall | 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SSDPSRV | Start | 3
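
The Ramnit registry keys above are the fingerprint of security-control tampering: the Security Center override and notification values, EnableLUA, the firewall profile policy, the Start value of the wscsvc, WinDefend, MpsSvc and wuauserv services, and the Winlogon Userinit value, alongside Run-key persistence. The roundup lists the keys but not the data written. The following added example (not Talos tooling, and not code from this page) runs that pattern as detection logic over a constructed Sysmon-style registry-set log. The log format, the trusted-writer allow-list, the data values treated as "weakening" a control, and the three-category cluster threshold are assumptions; any write to these keys by an unexpected process is reported even when the data is not the weakening value, and DoNotAllowExceptions is logged but not scored because the page does not say which way it is flipped.

```python
"""Security-control tampering hunt over Sysmon-style registry-set events.
Added example keyed to the Ramnit registry IOCs above; not Talos tooling.
Log format, allow-list, weakening values and thresholds are assumptions."""
import re
from collections import defaultdict

# Constructed sample log (not captured data). One RegistryValueSet event per
# line, tab-separated: time, writing process, key, value name, new data.
SAMPLE_LOG = """\
12:00:01\tC:\\Users\\u\\AppData\\Local\\bolpidti\\judcsgdy.exe\tHKLM\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER\tAntiVirusOverride\t1
12:00:01\tC:\\Users\\u\\AppData\\Local\\bolpidti\\judcsgdy.exe\tHKLM\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER\tFirewallDisableNotify\t1
12:00:02\tC:\\Users\\u\\AppData\\Local\\bolpidti\\judcsgdy.exe\tHKLM\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\SYSTEM\tEnableLUA\t0
12:00:02\tC:\\Users\\u\\AppData\\Local\\bolpidti\\judcsgdy.exe\tHKLM\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS\\PARAMETERS\\FIREWALLPOLICY\\STANDARDPROFILE\tEnableFirewall\t0
12:00:03\tC:\\Users\\u\\AppData\\Local\\bolpidti\\judcsgdy.exe\tHKLM\\SYSTEM\\CONTROLSET001\\SERVICES\\WINDEFEND\tStart\t4
12:00:03\tC:\\Users\\u\\AppData\\Local\\bolpidti\\judcsgdy.exe\tHKLM\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON\tUserinit\tC:\\Windows\\system32\\userinit.exe,C:\\Users\\u\\AppData\\Roaming\\Microsoft\\gawbgrrs\\jisgivdt.exe,
12:00:04\tC:\\Users\\u\\AppData\\Local\\bolpidti\\judcsgdy.exe\tHKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN\tJudCsgdy\tC:\\Users\\u\\AppData\\Local\\bolpidti\\judcsgdy.exe
12:05:00\tC:\\Windows\\System32\\svchost.exe\tHKLM\\SYSTEM\\CONTROLSET001\\SERVICES\\WUAUSERV\tStart\t3
12:06:00\tC:\\Program Files\\Google\\Update\\GoogleUpdate.exe\tHKCU\\SOFTWARE\\APPDATALOW\\GOOGLE UPDATER\tLastUpdate\t1663000000
"""

# Monitored keys: (category, key-suffix regex, {value name: data that weakens
# the control, or None when the write is logged but not scored}). The key list
# is taken from the roundup; the data values are assumptions.
MONITORED = [
    ("security-center", r"\\MICROSOFT\\SECURITY CENTER$",
     {v: "1" for v in ("AntiVirusOverride", "AntiVirusDisableNotify",
                       "FirewallOverride", "FirewallDisableNotify",
                       "UpdatesDisableNotify", "UacDisableNotify")}),
    ("uac", r"\\POLICIES\\SYSTEM$", {"EnableLUA": "0"}),
    ("firewall-policy", r"\\FIREWALLPOLICY\\(STANDARD|PUBLIC|DOMAIN)PROFILE$",
     {"EnableFirewall": "0", "DisableNotifications": "1", "DoNotAllowExceptions": None}),
    ("service-disable", r"\\SERVICES\\(WSCSVC|WINDEFEND|MPSSVC|WUAUSERV)$", {"Start": "4"}),
    ("winlogon-userinit", r"\\WINLOGON$", {"Userinit": None}),
    ("run-key", r"\\CURRENTVERSION\\(RUN|POLICIES\\EXPLORER\\RUN)$", None),
]
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Temp\\", re.I)
TRUSTED_WRITER = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\[^\\]+\.exe$", re.I)


def classify(key, name, data):
    """Return (category, weakened) for a write to a monitored key, else None."""
    for category, pattern, values in MONITORED:
        if not re.search(pattern, key.upper()):
            continue
        if category == "run-key":   # any value name; suspicious when it launches from a user-writable path
            return category, bool(USER_WRITABLE.search(data))
        lookup = {v.lower(): d for v, d in values.items()}
        if name.lower() not in lookup:
            return None
        if category == "winlogon-userinit":   # the default is exactly one entry, userinit.exe
            entries = [e.strip() for e in data.split(",") if e.strip()]
            return category, len(entries) != 1 or not entries[0].lower().endswith("userinit.exe")
        expected = lookup[name.lower()]
        return category, expected is not None and data == expected
    return None


def parse(log):
    """Yield (time, image, key, name, data) from the tab-separated log."""
    for line in log.splitlines():
        if line.strip():
            yield tuple(line.split("\t", 4))


def hunt(log, min_categories=3):
    """Group monitored writes per writing process. 'cluster' is set when one
    process weakened controls in at least min_categories distinct categories,
    which is the Ramnit shape above: AV/firewall notifications, UAC, firewall
    policy, service Start values and Userinit all changed by the same dropper."""
    per_image = defaultdict(lambda: {"hits": [], "weakened": set()})
    for ts, image, key, name, data in parse(log):
        hit = classify(key, name, data)
        if hit is None:
            continue
        category, weakened = hit
        if TRUSTED_WRITER.match(image) and not weakened:
            continue   # OS components touch these keys routinely; keep only weakening writes from them
        per_image[image]["hits"].append((ts, category, name, data, weakened))
        if weakened:
            per_image[image]["weakened"].add(category)
    return {img: {"hits": rec["hits"], "weakened": sorted(rec["weakened"]),
                  "cluster": len(rec["weakened"]) >= min_categories}
            for img, rec in per_image.items()}


if __name__ == "__main__":
    for image, rec in hunt(SAMPLE_LOG).items():
        print(f"{image}: cluster={rec['cluster']} weakened={rec['weakened']}")
        for ts, category, name, data, weakened in rec["hits"]:
            print(f"  {ts} [{category}] {name} = {data!r} weakened={weakened}")
```

On the constructed log the dropper is reported with a cluster across all six categories, while the svchost.exe write to the wuauserv Start value and the updater's LastUpdate write are dropped as routine. In production the same logic would be fed from Sysmon event ID 13 (RegistryEvent, value set) or the equivalent EDR telemetry, and the allow-list would be tuned to the environment.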

Mutexes | Occurrences
{7930D12C-1D38-EB63-89CF-4C8161B79ED4} | 4
60F16AAB662B6A5DA3F649835F6E212598B68E3C | 4
777OurStarterProcessMutex777 | 2
888OurMainProcessMutex888 | 2
999OurBrother1ProcessMutex999 | 2
000OurBrother2ProcessMutex000 | 2
A9MTX7ERFAMKLQ | 1
A9ZLO3DAFRVH1WAE | 1
B81XZCHO7OLPA | 1
BSKLZ1RVAUON | 1
GJLAAZGJI156R | 1
I106865886KMTX | 1
IGBIASAARMOAIZ | 1
J8OSEXAZLIYSQ8J | 1
LXCV0IMGIXS0RTA1 | 1
MKS8IUMZ13NOZ | 1
NLYOPPSTY | 1
OPLXSDF19WRQ | 1
PLAX7FASCI8AMNA | 1
RGT70AXCNUUD3 | 1
TEKL1AFHJ3 | 1
TXA19EQZP13A6JTR | 1
VSHBZL6SWAG0C | 1
flowblink90x33 | 1
22887842DFA648B38E6C28C844FF2BE798B68E3C | 1

*See JSON for more IOCs

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
13[.]107[.]21[.]200 | 5
195[.]201[.]179[.]207 | 4
142[.]250[.]65[.]206 | 3
185[.]121[.]177[.]177 | 2
130[.]255[.]78[.]223 | 2
185[.]121[.]177[.]53 | 2
144[.]76[.]133[.]38 | 2
45[.]63[.]25[.]55 | 2
27[.]100[.]36[.]191 | 2
89[.]18[.]27[.]34 | 2
178[.]63[.]145[.]230 | 2
104[.]168[.]144[.]17 | 2
62[.]113[.]203[.]55 | 2
46[.]165[.]221[.]154 | 2
85[.]13[.]157[.]3 | 2
193[.]23[.]244[.]244 | 1
194[.]109[.]206[.]212 | 1
154[.]35[.]32[.]5 | 1
171[.]25[.]193[.]9 | 1
172[.]217[.]165[.]142 | 1
65[.]21[.]85[.]98 | 1
64[.]225[.]91[.]73 | 1
23[.]47[.]64[.]115 | 1
104[.]108[.]124[.]205 | 1
104[.]72[.]157[.]175 | 1

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
www[.]bing[.]com | 6
google[.]com | 4
bunikabatedoba13[.]top | 4
bvnotike[.]667[.]top | 4
jokimutinke[.]net | 4
opiutunuza11[.]net | 4
ujnuyteeej[.]top | 4
nerdasss33[.]top | 4
drdrfdd[.]cat | 3
eaxsess[.]cat | 3
gagaxx[.]cat | 3
huhujoo[.]cat | 3
nknkd[.]cat | 3
nknkdd[.]cat | 3
nknkddx[.]cat | 3
nknkddx2[.]cat | 3
sdsdfg[.]cat | 3
trtr44[.]cat | 3
erwwbasmhtm[.]com | 2
fbnurqhsbun[.]com | 2
h37eyrba720ui[.]com | 2
jdnpwbnnya[.]com | 2
jhaiujfprlsbpyov[.]com | 2
mngawiyhlyo[.]com | 2
oxxvnflhtpomjmwst[.]com | 2

*See JSON for more IOCs

Files and or directories created | Occurrences
%LOCALAPPDATA%\bolpidti | 4
%LOCALAPPDATA%\bolpidti\judcsgdy.exe | 4
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\judcsgdy.exe | 4
%APPDATA%\Microsoft\gawbgrrs | 4
%APPDATA%\Microsoft\gawbgrrs\jisgivdt.exe | 4
%ProgramData%\Device Driver Setup | 3
$Recycle.Bin\S-1-5-~2\!WhatHappenedWithMyFiles!.rtf | 2
%HOMEPATH%\Documents and Settings\!WhatHappenedWithMyFiles!.rtf | 2
$Recycle.Bin\<User SID>\!WhatHappenedWithMyFiles!.rtf | 2
%APPDATA%\!WhatHappenedWithMyFiles!.rtf | 2
%HOMEPATH%\Documents\!WhatHappenedWithMyFiles!.rtf | 2
\Users\All Users\Microsoft\RAC\PublishedData\!WhatHappenedWithMyFiles!.rtf | 2
\Users\All Users\Microsoft\RAC\StateData\!WhatHappenedWithMyFiles!.rtf | 2
%ProgramData%\Microsoft\RAC\PublishedData\!WhatHappenedWithMyFiles!.rtf | 2
%ProgramData%\Microsoft\RAC\StateData\!WhatHappenedWithMyFiles!.rtf | 2
%ProgramData%\Microsoft\RAC\PUBLIS~1\!WhatHappenedWithMyFiles!.rtf | 2
\Users\ALLUSE~1\Microsoft\RAC\PUBLIS~1\!WhatHappenedWithMyFiles!.rtf | 2
%ProgramData%\Microsoft\RAC\STATED~1\!WhatHappenedWithMyFiles!.rtf | 2
\Users\ALLUSE~1\Microsoft\RAC\STATED~1\!WhatHappenedWithMyFiles!.rtf | 2
%TEMP%\<random, matching '[0-9a-z]{8}'>.exe | 2
%APPDATA%\SjyNBvm6RTID\9x56BxjU.cmd | 1
%APPDATA%\Microsoft\cciihiec\jisgivdt.exe | 1
%APPDATA%\SjyNBvm6RTID\XvNigAX3.cmd | 1
%APPDATA%\SJYNBV~1\165TprqR.exe | 1
%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup\165TprqR.lnk | 1

*See JSON for more IOCs

File Hashes

    0b2ad4aa2b64aae559973ec324330f137fd4c9546aeb2c2f9c35b5617b180c05

    102092d52e39ed386a890d2687b4e80da6a0372f89ee2b83a8c29b3a13d22788

    147569cb85cffa13769376d5da1c8ec7487443b710faf19afab24a021a58913b

    25727f1d115764349d0cbd828598d52140640be6eade12e62ff3438525004630

    5280855d2a67a6ba91900af80c235b1bafb51151cba3f7bff7566efda8d0ee09

    5462ceb3fbab158b53c3c247d939183c89eb96229c8f78fdc61e44f1a939bfa4

    60a52492d31994057a2d0566ccf469393fad834cabe943a89bbdb9d07852626a

    7234d6a648ff98721f0045dcda255767f0f6d19a1cccea8c8e7db97f594da4bd

    72d6c6b95eeaae1b2777d70ac14b122ca72874f1d98680d52dc9b27b2b66ded0

    72f5a9c942d7d5efd18390cb99539d7f411983bb9c41f8137f0a2c5a7bb66152

    73ed34beba387409f4bdfd3413079d3a50e49380a1ad39c5f8d67b1ea4d04aaf

    7cb1a756133840264574c4683e437accbe24b254e853a17588a5c67e7858369a

    868dc997d2fa2123e8035eb565d940542b9d7b363c54e177cc85dcd89529ab94

    8cbebde91c55c93149db657c63fc480e5639f85f6f072a538b0155d3a5bec4bd

    93cd72fbca2dbb3d75f972cfac420aaf1d007824b073f6bef7944108543c5c5b

    9e67e77db32641775ebdcce463fe21b195539417d20168fac7209908825578d7

    a2d53ce7f45959e6ca5786f0d0704a5f9056789b4d7afaf7bf93bc74ddf3e5dc

    a67bc1d4129d487029cbd0836241425213ed5b57806a089d427703d69b87a80a

    b48b525ec88d26ca83b1a80e16fc90bfe163e09e183df73009c8f6de39c24f99

    bc703ff3117b8088ce29ba90a2a25708a845503b6a76946082f86787f53f6d93

    bca38bba430425ae06eeff67707b04730cabdab8c28c5d7edb73a704d9a12ab0

    c3a619f1b3493485405947c2eb13ade0def13b84ea9350def3a936c916dc9755

    c71a94e585e6a8f225e97df8e8c5ee8d8224fdd265731205e9179f979e6d5787

    c9702ab60a3acdb6319b30c7723ba448e544f72c9658e7169753d2ba6033f74b

    d677ac549428b51974e92573bd1aeb3869d58b2a23d3cc0e116473213678f237

*See JSON for more IOCs

Coverage

Product | Protection
Secure Endpoint |
Cloudlock | N/A
CWS |
Email Security |
Network Security |
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics |
Umbrella |
WSA |

Screenshots of Detection: Secure Endpoint, Secure Malware Analytics (images)

MITRE ATT&CK technique map (image)

Win.Dropper.Kuluoz-9969050-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 15 samples

Registry Keys | Value Name | Occurrences
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'> | | 15
<HKCU>\SOFTWARE\SQFRVCDX | qbdiucws | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | vecqtanl | 1
<HKCU>\SOFTWARE\QMBDQAJI | mrwduoeq | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | cegwtkiq | 1
<HKCU>\SOFTWARE\XSCWKWTB | uaclqbul | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | ucbqtutu | 1
<HKCU>\SOFTWARE\JBDLTTQA | mrwedtqx | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | vqutjntj | 1
<HKCU>\SOFTWARE\JFXJSONS | fecipfcv | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | arwphoht | 1
<HKCU>\SOFTWARE\PCJDWGMU | cjpxnmpf | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | nhloowrs | 1
<HKCU>\SOFTWARE\USMUVJEA | hbijvefk | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | conoxmsr | 1
<HKCU>\SOFTWARE\UBVPEQTD | bvqcqshx | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | ukvchxne | 1
<HKCU>\SOFTWARE\HBTTNUTT | aeulprit | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | frrvhaca | 1
<HKCU>\SOFTWARE\VUSJFBBT | mpxwxiew | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | uejoeofv | 1
<HKCU>\SOFTWARE\FMOPLQAL | iqmwiqfj | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | wjrmnejf | 1
<HKCU>\SOFTWARE\RKDPGLPX | qmjertge | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | mbmgmhmo | 1

Mutexes | Occurrences
aaAdministrator | 15

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
141[.]105[.]121[.]139 | 13
74[.]221[.]221[.]58 | 10
91[.]109[.]2[.]132 | 9
101[.]255[.]36[.]171 | 8
58[.]83[.]159[.]94 | 8
93[.]189[.]95[.]148 | 7
94[.]199[.]242[.]85 | 6
82[.]165[.]152[.]226 | 4

Files and or directories created | Occurrences
%LOCALAPPDATA%\<random, matching '[a-z]{8}'>.exe | 15

File Hashes

    09650f5a6dbe38fc54c1d17e05955612e37e9268d3d821726fad65e5d13a127e

    17b2f61b057168ed4414a71ec6c4f9cbaa78c96cfec6bd6330e7f8c298c715d5

    235be690210e2d9c368f9028e47572dcc120b7f597877573af43ecaeb70e615f

    2e61d7e17915a3359a01fd959b4383fdd2441b8544d457bb185fa2509e699d41

    36f8895998b854c4276c0b2318baa41c947ea64f5bcc6666f634111ea62b6505

    4bbaeba54a1b65e90b4d24714a45dbe37ec407364097a8c889f9f61d679e2fcd

    51324e089d7b1ee9cf85837c719d993cea5dd928cc1e932aa2f17d3e758509e6

    535a4f9cef7aef421ad38986f14de66251e72aba2dea5dd6ca666ab38f10f7db

    55d37fae592c2d00bef0ff48e15dbe52f68edcd098c679233fd61d319d32c64b

    5f050eaf9f0f3b9c2cddc84bbcf53115932932da4151f719169e5d2c8e672764

    6cc11bd407b5882290b839eedae377cd63ec3a4d3cbc87f8686dd63e233922da

    72b3b8bf3ce9c0bb3831e453fcfdcdf37e44e183eb1cdba383d5196e90829935

    7cb0202a99a14882e1108c5c7deb738289873b99dec43172bbe6ee39136bd9fe

    9ef1750fce26d1ef5908b3d7f7304a54edee5207282ffedcf525a8c714bb5ac8

    d699fe8f3c9f2925101e85dfacaca00550fe2a7cf4ef22aff827bc88900f5a18

Coverage

Product | Protection
Secure Endpoint |
Cloudlock | N/A
CWS |
Email Security |
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics |
Umbrella | N/A
WSA | N/A

Screenshots of Detection: Secure Endpoint, Secure Malware Analytics (images)

MITRE ATT&CK technique map (image)

Win.Dropper.Remcos-9969014-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 13 samples

Registry Keys | Value Name | Occurrences
<HKCU>\SOFTWARE\ZANGARMARSH-228I7H | | 13
<HKCU>\SOFTWARE\ZANGARMARSH-228I7H | EXEpath | 13

Mutexes | Occurrences
Remcos_Mutex_Inj | 13
Zangarmarsh-228I7H | 13

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
ezpz1[.]xyz | 13

Files and or directories created | Occurrences
%SystemRoot%\win.ini | 13
%APPDATA%\csrss.exe | 13
%System32%\Tasks\csrss | 13
%APPDATA%\javacache | 13
%APPDATA%\javacache\logs.dat | 13
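
DarkKomet, Ramnit, Kuluoz and Remcos in this roundup all persist through an executable dropped under the user's profile: a random-looking lowercase name directly in %APPDATA% or %LOCALAPPDATA% or one folder below it (hyybo.exe, judcsgdy.exe, the '[a-z]{8}.exe' pattern), a copy placed in the Startup folder, or, for Remcos, a file named csrss.exe in %APPDATA% backed by a task file under %System32%\Tasks. The added example below (not Talos tooling, and not code from this page) scores constructed file-creation events for those artifacts. The event format, the dropper names, the pronounceability heuristic for generated names and the list of system process names are assumptions. Kuluoz's launcher is a Run key rather than a file, so a file-only hunt reports its drop without a launcher; that is why payload and launcher are scored separately.

```python
"""Persistence-artifact hunt over file-creation events. Added example keyed to
the DarkKomet, Ramnit, Kuluoz and Remcos file IOCs above; not Talos tooling.
Event format, dropper names, name heuristic and system-name list are assumptions."""
import ntpath
import re

# Process names that only legitimately live directly in C:\Windows, System32 or SysWOW64.
SYSTEM_NAMES = {"csrss.exe", "lsass.exe", "svchost.exe", "winlogon.exe",
                "services.exe", "smss.exe", "wininit.exe", "explorer.exe"}
SYSTEM_EXE = re.compile(r"^c:\\windows\\(system32\\|syswow64\\)?[^\\]+\.exe$", re.I)
# An .exe directly in %APPDATA%/%LOCALAPPDATA% or one folder below it (the
# roundup's drop locations), a Startup-folder entry, and a task file.
PROFILE_EXE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\(roaming|local)\\(?:[^\\]+\\)?[^\\]+\.exe$", re.I)
LOWER_NAME = re.compile(r"^[a-z]{4,9}\.exe$")
STARTUP_DIR = re.compile(r"\\microsoft\\windows\\start menu\\programs\\startup\\", re.I)
TASK_DIR = re.compile(r"^c:\\windows\\system32\\tasks\\", re.I)

# Constructed sample events (not captured data): writing process <TAB> created path.
SAMPLE_EVENTS = """\
C:\\Users\\u\\Downloads\\invoice.exe\tC:\\Users\\u\\AppData\\Roaming\\csrss.exe
C:\\Users\\u\\Downloads\\invoice.exe\tC:\\Windows\\System32\\Tasks\\csrss
C:\\Users\\u\\Downloads\\invoice.exe\tC:\\Users\\u\\AppData\\Roaming\\javacache\\logs.dat
C:\\Users\\u\\Downloads\\shipment.exe\tC:\\Users\\u\\AppData\\Local\\qbdiucws.exe
C:\\Users\\u\\Downloads\\report.exe\tC:\\Users\\u\\AppData\\Local\\bolpidti\\judcsgdy.exe
C:\\Users\\u\\Downloads\\report.exe\tC:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\judcsgdy.exe
C:\\Windows\\System32\\msiexec.exe\tC:\\Users\\u\\AppData\\Local\\Temp\\setup.exe
C:\\Program Files\\Mozilla Firefox\\firefox.exe\tC:\\Users\\u\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\x.default\\cache2\\entries\\A1B2
"""


def looks_random(stem):
    """Heuristic for generated names such as judcsgdy or qbdiucws: few vowels
    or a long consonant run. Real words (setup, update, chrome) pass as normal."""
    vowels = sum(ch in "aeiou" for ch in stem)
    longest_run = max(len(run) for run in re.findall(r"[^aeiou]+", stem) or [""])
    return vowels / len(stem) <= 0.25 or longest_run >= 4


def tag_path(path):
    """Return the persistence tags for one created path (empty list if benign)."""
    name = ntpath.basename(path).lower()
    tags = []
    if name in SYSTEM_NAMES and not SYSTEM_EXE.match(path):
        tags.append("masquerade")                 # Remcos: %APPDATA%\csrss.exe
    elif PROFILE_EXE.match(path) and LOWER_NAME.match(name) and looks_random(name[:-4]):
        tags.append("random-named-profile-exe")   # Kuluoz / Ramnit / DarkKomet drops
    if STARTUP_DIR.search(path):
        tags.append("startup-folder")             # Ramnit: Startup\judcsgdy.exe
    if TASK_DIR.match(path):
        tags.append("scheduled-task")             # Remcos: %System32%\Tasks\csrss
    return tags


def hunt(events):
    """Group tagged artifacts by the process that wrote them. A persistence
    chain needs both a payload (random-named drop or masquerade) and a launcher
    (Startup-folder entry or task file). Run-key launchers are registry events
    and out of scope here, so a Kuluoz-style drop reports without a chain."""
    per_image = {}
    for line in events.splitlines():
        if not line.strip():
            continue
        image, path = line.split("\t", 1)
        tags = tag_path(path)
        if tags:
            rec = per_image.setdefault(image, {"artifacts": [], "tags": set()})
            rec["artifacts"].append((path, tags))
            rec["tags"].update(tags)
    payload = {"random-named-profile-exe", "masquerade"}
    launcher = {"startup-folder", "scheduled-task"}
    return {img: {"artifacts": rec["artifacts"], "tags": sorted(rec["tags"]),
                  "persistence_chain": bool(rec["tags"] & payload) and bool(rec["tags"] & launcher)}
            for img, rec in per_image.items()}


if __name__ == "__main__":
    for image, rec in hunt(SAMPLE_EVENTS).items():
        print(f"{image}: chain={rec['persistence_chain']} tags={rec['tags']}")
        for path, tags in rec["artifacts"]:
            print(f"  {path} -> {tags}")
```

On the constructed events the Remcos-style writer (csrss.exe plus a task file) and the Ramnit-style writer (judcsgdy.exe plus a Startup copy) are reported as complete chains, the Kuluoz-style drop is reported as a payload only, and the installer writing setup.exe to %TEMP% is not tagged because the name is pronounceable. The name heuristic is deliberately loose; in production it is a triage signal to pair with the writer's reputation and the registry hunt, not a verdict on its own.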

File Hashes

    02d30b6a94180708d4d525914a917cd9370190926e549fada8d93b4fd033e906

    0c335742c2a239dddbe7467946c481609d1840dca5b67a80ea071d4a593b4ad0

    216c429a096cbc58d595d015dd82f9c2be8a89af1d295e511a9ae8431c889710

    4a01a7d09fe699b3d699463a6f76b445e0a07dc0d8360ba4fca4ddcda7a2af66

    4a86b0a93ce30688176f4f745c52cec56cd023a924c58f8a27d36570871ab580

    5af743dffb813faf071cf185f39c3d258864556a154cfa12ac1b8a56607bd2ce

    608bd3bada966b94ecff736b0811278b7db6cef97c0133e296a5d8bad2ac725d

    7ac6edfc10a8361d20fee7f561d4fce8b3ea0e963cfc44c0421ca0fd8501c851

    b4c77021bc5641683caa3280fe115fea383141b5722f215e6dcb4ad2913cc02f

    b4e9902d2d44051e6620b458c43514e552df4c8f5a6aebdfd5363b3ac9e344a0

    ceec2d534fe22ef53ae86302717458922993cccb16a5cfbabfb40d1956ee2415

    f4a212b3bdc04c7be624a5955e43acf7f836dc9a14852d2fddda48095c017e6b

    ff804004e7082fcf4802beb7d8b4d4b03867de1b746af1021a703767c2728c4b

Coverage

Product | Protection
Secure Endpoint |
Cloudlock | N/A
CWS |
Email Security |
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics |
Umbrella | N/A
WSA | N/A

Screenshots of Detection: Secure Endpoint, Secure Malware Analytics (images)

MITRE ATT&CK technique map (image)
