Friday, June 24, 2022

Threat Roundup for June 17 to June 24


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 17 and June 24. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name (Type): Description
Win.Ransomware.Cerber-9952230-0 (Ransomware): Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension ".cerber," although in more recent campaigns other file extensions are used.
Win.Packed.Shiz-9953408-0 (Packed): Shiz is a remote access trojan that allows an attacker to access an infected machine in order to harvest sensitive information. It is commonly spread via droppers or by visiting a malicious site.
Win.Packed.Ursnif-9952366-0 (Packed): Ursnif is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits.
Win.Packed.Upatre-9952760-0 (Packed): Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.
Win.Malware.Gamarue-9952453-0 (Malware): Gamarue, also known as Andromeda, is a botnet used to spread malware, steal information and perform activities such as click fraud.
Win.Packed.Razy-9953445-0 (Packed): Razy is oftentimes a generic detection name for a Windows trojan. It collects sensitive information from the infected host, encrypts the data and sends it to a command and control (C2) server. Information collected might include screenshots. The samples modify auto-execute functionality by setting and creating a value in the registry for persistence.
Win.Dropper.TinyBanker-9952565-1 (Dropper): TinyBanker, also known as Zusy or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
Win.Dropper.Kuluoz-9952603-0 (Dropper): Kuluoz, sometimes known as "Asprox," is a modular remote access trojan that is also known to download and execute follow-on malware, such as fake antivirus software. Kuluoz is often delivered via spam emails pretending to be shipment delivery notifications or flight booking confirmations.
Win.Dropper.TrickBot-9952626-0 (Dropper): TrickBot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts.

Threat Breakdown

Win.Ransomware.Cerber-9952230-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 20 samples
Registry Keys (Occurrences)
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER (Value Name: Run) 20
<HKCU>\SOFTWARE\MICROSOFT\COMMAND PROCESSOR (Value Name: AutoRun) 20
<HKCU>\PRINTERS\DEFAULTS\{21A3D5EE-E123-244A-98A1-8E36C26EFF6D} 20
<HKCU>\PRINTERS\DEFAULTS 20
<HKCU>\PRINTERS\DEFAULTS\{21A3D5EE-E123-244A-98A1-8E36C26EFF6D} (Value Name: Component_01) 20
<HKCU>\PRINTERS\DEFAULTS\{21A3D5EE-E123-244A-98A1-8E36C26EFF6D} (Value Name: Component_00) 20
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: netbtugc) 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE (Value Name: netbtugc) 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: javaw) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE (Value Name: javaw) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: help) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE (Value Name: help) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: EhStorAuthn) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE (Value Name: EhStorAuthn) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: rdrleakdiag) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE (Value Name: rdrleakdiag) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: w32tm) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE (Value Name: w32tm) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: ntkrnlpa) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE (Value Name: ntkrnlpa) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: dialer) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE (Value Name: dialer) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: lodctr) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE (Value Name: lodctr) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: wuapp) 1
Mutexes (Occurrences)
shell.{381828AA-8B28-3374-1B67-35680555C5EF} 20
IP Addresses contacted by malware; does not indicate maliciousness (Occurrences)
*See JSON for more IOCs
Files and/or directories created (Occurrences)
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2} 20
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\netbtugc.lnk 2
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\netbtugc.exe 2
%System32%\Tasks\netbtugc 2
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\en-US\netbtugc.exe.mui 2
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\en\netbtugc.exe.mui 2
%System32%\Tasks\help 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\sdchange.lnk 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\sdchange.exe 1
%System32%\Tasks\sdchange 1
%System32%\Tasks\dialer 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\dialer.lnk 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\dialer.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\wuapp.lnk 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\wuapp.exe 1
%System32%\Tasks\bootcfg 1
%System32%\Tasks\ntkrnlpa 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\ntkrnlpa.lnk 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\ntkrnlpa.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\EhStorAuthn.lnk 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\EhStorAuthn.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\unlodctr.lnk 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\unlodctr.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\icacls.lnk 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\icacls.exe 1
*See JSON for more IOCs

File Hashes


Coverage

Product (Protection)
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Packed.Shiz-9953408-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 112 samples
Registry Keys (Occurrences)
<HKLM>\SOFTWARE\MICROSOFT (Value Name: 67497551a) 94
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON (Value Name: 98b68e3c) 94
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON (Value Name: userinit) 94
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON (Value Name: System) 94
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS (Value Name: load) 94
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS (Value Name: run) 94
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: userinit) 94
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\STARTPAGE (Value Name: StartMenu_Balloon_Time) 2
Mutexes (Occurrences)
Global\674972E3a 94
Global\MicrosoftSysenterGate7 94
internal_wutex_0x000000e0 94
internal_wutex_0x0000038c 94
internal_wutex_0x00000448 91
internal_wutex_0x000007d0 21
internal_wutex_0x000006a0 19
internal_wutex_0x<random, matching [0-9a-f]{8}> 16
internal_wutex_0x00000640 15
internal_wutex_0x0000072c 12
internal_wutex_0x00000310 11
IP Addresses contacted by malware; does not indicate maliciousness (Occurrences)
Domain Names contacted by malware; does not indicate maliciousness (Occurrences)
*See JSON for more IOCs
Files and/or directories created (Occurrences)
%TEMP%\<random, matching [A-F0-9]{1,4}>.tmp 94

File Hashes

*See JSON for more IOCs

Coverage

Product (Protection)
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Packed.Ursnif-9952366-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples
Registry Keys (Occurrences)
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A} (Value Name: FaviconPath) 26
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A} (Value Name: Deleted) 26
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES (Value Name: DefaultScope) 26
IP Addresses contacted by malware; does not indicate maliciousness (Occurrences)
Domain Names contacted by malware; does not indicate maliciousness (Occurrences)
www[.]bing[.]com 26
www[.]google[.]com 26
gmail[.]com 26
greatestcups[.]com 2

File Hashes

*See JSON for more IOCs

Coverage

Product (Protection)
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Packed.Upatre-9952760-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 36 samples
IP Addresses contacted by malware; does not indicate maliciousness (Occurrences)
52[.]56[.]229[.]15 36
162[.]144[.]254[.]155 36
162[.]241[.]6[.]138 36
23[.]46[.]150[.]72 21
23[.]46[.]150[.]48 14
23[.]1[.]236[.]16 1
Domain Names contacted by malware; does not indicate maliciousness (Occurrences)
apps[.]identrust[.]com 36
nimbacreations[.]com 36
www[.]nimbacreations[.]comvideo 36
eganchurchsupply[.]com 36
laurencechurchsupplies[.]com 36
Files and/or directories created (Occurrences)
%TEMP%\viewpdf_update.exe 36

File Hashes

*See JSON for more IOCs

Coverage

Product (Protection)
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Malware.Gamarue-9952453-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 30 samples
Registry Keys (Occurrences)
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: AhnUpadate) 30
Mutexes (Occurrences)
345rdxcvgt567yhjm 30
IP Addresses contacted by malware; does not indicate maliciousness (Occurrences)
175[.]126[.]111[.]143 30
211[.]43[.]203[.]28 30
Domain Names contacted by malware; does not indicate maliciousness (Occurrences)
www[.]hellobetta[.]com 30
www[.]aega[.]co[.]kr 30
Files and/or directories created (Occurrences)
%ProgramData%\AhnLab\AhnSvc.exe 30
%ProgramData%\AhnLab 30

File Hashes

*See JSON for more IOCs

Coverage

Product (Protection)
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Packed.Razy-9953445-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 16 samples
Mutexes (Occurrences)
<random, matching [A-Z0-9]{10}> 16
IP Addresses contacted by malware; does not indicate maliciousness (Occurrences)
142[.]250[.]72[.]110 9
172[.]67[.]34[.]170 8
104[.]20[.]68[.]143 6
142[.]250[.]176[.]206 6
104[.]20[.]67[.]143 2
142[.]250[.]80[.]110 1
Domain Names contacted by malware; does not indicate maliciousness (Occurrences)
Files and/or directories created (Occurrences)
%System32%\Tasks\Google_Trk_Updater 16

File Hashes


Coverage

Product (Protection)
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Dropper.TinyBanker-9952565-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys (Occurrences)
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: EEFEB657) 25
Mutexes (Occurrences)
EEFEB657 25
Files and/or directories created (Occurrences)
%HOMEPATH%\AppData\LocalLow\EEFEB657 25
%APPDATA%\EEFEB657 25
%APPDATA%\EEFEB657\bin.exe 25

File Hashes

*See JSON for more IOCs

Coverage

Product (Protection)
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Dropper.Kuluoz-9952603-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 27 samples
Registry Keys (Occurrences)
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'> 27
<HKCU>\SOFTWARE\AQRVIBWV (Value Name: avajnbgg) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: ihnluxxw) 1
<HKCU>\SOFTWARE\HQIHBRGD (Value Name: capvgwgc) 1
<HKCU>\SOFTWARE\TENSKJJJ (Value Name: efgtdthk) 1
<HKCU>\SOFTWARE\IGGULPUX (Value Name: knhspcfj) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: xntuedmm) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: gxfbptiw) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: vwctkmkr) 1
<HKCU>\SOFTWARE\CLTPMXNU (Value Name: arenjpah) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: dchjdqqf) 1
<HKCU>\SOFTWARE\KLATBKGR (Value Name: uavtpojk) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: pvujnklh) 1
<HKCU>\SOFTWARE\TQDECVLO (Value Name: bnhlsgoc) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: uhsmcver) 1
<HKCU>\SOFTWARE\NJQSNVQJ (Value Name: efgnkasb) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: bdmwgwso) 1
<HKCU>\SOFTWARE\OVRQHJHQ (Value Name: kxlohbjj) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: suronehb) 1
<HKCU>\SOFTWARE\HCCLNEXF (Value Name: lbcrmohg) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: viqtnwtw) 1
<HKCU>\SOFTWARE\MGUMQTHW (Value Name: bvqqkvuo) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: jvfsfovv) 1
<HKCU>\SOFTWARE\XWRSHPSW (Value Name: nijmlqgo) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: qglqiqfn) 1
Mutexes (Occurrences)
aaAdministrator 27
IP Addresses contacted by malware; does not indicate maliciousness (Occurrences)
37[.]35[.]107[.]208 21
195[.]154[.]225[.]137 18
222[.]236[.]47[.]53 16
37[.]59[.]212[.]214 16
198[.]74[.]56[.]121 16
202[.]75[.]53[.]48 15
91[.]121[.]13[.]78 14
Files and/or directories created (Occurrences)
%LOCALAPPDATA%\<random, matching '[a-z]{8}'>.exe 27

File Hashes

*See JSON for more IOCs

Coverage

Product (Protection)
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Dropper.TrickBot-9952626-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples
Mutexes (Occurrences)
316D1C7871E00 26
IP Addresses contacted by malware; does not indicate maliciousness (Occurrences)
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
checkip[.]amazonaws[.]com 7
wtfismyip[.]com 6
icanhazip[.]com 5
ip[.]anysrc[.]net 3
myexternalip[.]com 3
api[.]ipify[.]org 1
ipecho[.]net 1
Files and or directories created Occurrences
%APPDATA%\winapp\Modules 26
%System32%\Tasks\services update 26
%APPDATA%\winapp\client_id 26
%APPDATA%\winapp\group_tag 26
%APPDATA%\winapp 26
*See JSON for more IOCs

File Hashes

*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK
