Friday, July 8, 2022

Threat Roundup for July 1 to July 8


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 1 and July 8. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name Type Description
Win.Trojan.Miner-9954173-0 Trojan This malware installs and executes cryptocurrency mining software. You can read more about this kind of threat on our blog https://blog.talosintelligence.com/2018/07/blocking-cryptomining.html.
Win.Trojan.Qakbot-9954811-1 Trojan Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.
Win.Packed.Tofsee-9954338-0 Packed Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages to infect additional systems and increase the size of the botnet under the operator's control.
Win.Malware.TinyBanker-9954340-1 Malware TinyBanker, also known as Zusy or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
Win.Dropper.Kuluoz-9954356-0 Dropper Kuluoz, sometimes known as "Asprox," is a modular remote access trojan that is also known to download and execute follow-on malware, such as fake antivirus software. Kuluoz is often delivered via spam emails pretending to be shipment delivery notifications or flight booking confirmations.
Win.Ransomware.Cerber-9954874-0 Ransomware Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension ".cerber," although in more recent campaigns, other file extensions are used.
Win.Dropper.DarkComet-9954765-1 Dropper DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.
Win.Dropper.Remcos-9954770-0 Dropper Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam and capture screenshots. This malware is commonly delivered through Microsoft Office documents with macros sent as attachments on malicious emails.
Win.Packed.Phorpiex-9954771-1 Packed Phorpiex is a trojan and worm that infects machines to deliver follow-on malware. Phorpiex has been known to drop a wide range of payloads, including ransomwar to ransomware and cryptocurrency miners.

Threat Breakdown

Win.Trojan.Miner-9954173-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 15 samples
Mutexes Occurrences
4pC39Ev2yuzFY8izw76DGDJR 15
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
185[.]10[.]68[.]123 7
109[.]71[.]252[.]45 5
185[.]10[.]68[.]220 3
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
eu[.]minerpool[.]pw 15

File Hashes

22c5f484c0ca54377b53db45a2356ea10ae6b7542e8ca41a57bc95409850e3b4 3316abe9a785cd3d249d454133034643a52c263872cea118e8cfe77b5631c65f 3c37f061b8ca7856947695208a3caa689f0c2baf3150d099b21c03da3a392338 4ad373e04374bf5c238af3eec178216a4ba3b7eb01f4af0e7dcb32fd84280837 699b6990ef08b12cf0be3c2031dee69f22c44ba99cd96b37f6bf2c7fe753281d 6c6346ab8f6745af5251b5836328979eb18e21f92e9fbf6779a3709f829412ac 77efce26a18fd5cff7b6166a14f6ecdee0882d832235bd0a71bb05cdf02b7002 783af063a11a09e61ed53bca2326d3df6dea2ea70525b9f16ecc20230ba12709 7c62dbcb7afae510afd9917b954754abd5bd14fef14b77b9a2be6ae683ba378f a7fffe45935cec3d3e9d0a002b1cb93bd19d32e8d7220ec1a5cafb5fe644a5e6 c6c668d616d42a63e86492eac5f0804501b408d8ed5850fc68ea7b6c08f3c1ea ca970c9576c222ca9a80849fe51c088091f5274f1ebde51ffd41408d36d3776a cc17eb63de7984359668d1efa58d8004864522b9bba92763ec4385beebe39241 ed8631c2234b9034018796218dac327b7474135427d9247682f458ab5a7ca0c2 ede98b6626ad617ab6e4bfbe02d2a1b87dee8084c6c7ea6591818bc47875ffa4

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Trojan.Qakbot-9954811-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 22 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK 22
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK
Value Name: bd63ad6b
22
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK
Value Name: bf228d17
22
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK
Value Name: f7b512d3
22
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO 22
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO
Value Name: ff0b3567
22
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO
Value Name: fd4a151b
22
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\ProgramData\Microsoft\Ecrirfryzd
22
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Users\Administrator\AppData\Roaming\Microsoft\Xtuou
22
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO
Value Name: b5dd8adf
22
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK
Value Name: 79eea72
22
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK
Value Name: 7a96a5f8
22
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO
Value Name: 45f6727e
22
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO
Value Name: 38fe3df4
22
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK
Value Name: c22ac29d
22
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK
Value Name: 5dfca0e
22
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK
Value Name: 88fc7d25
22
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO
Value Name: 80425a91
22
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO
Value Name: 47b75202
22
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO
Value Name: ca94e529
22
Mutexes Occurrences
Global\{06253ADC-953E-436E-8695-87FADA31FDFB} 22
{06253ADC-953E-436E-8695-87FADA31FDFB} 22
{357206BB-1CE6-4313-A3FA-D21258CBCDE6} 22
Global\{280C5EDE-5A47-4F1C-97D3-B8CFE4CF258D} 22
{280C5EDE-5A47-4F1C-97D3-B8CFE4CF258D} 22
Files and or directories created Occurrences
%APPDATA%\Microsoft\Xtuou 22
%ProgramData%\Microsoft\Ecrirfryzd 22
%System32%\Tasks\rrwdbpxgz 2
\TEMP\314ad4819a3e020885ed7fc1e952135e.dll 1
%System32%\Tasks\whzonuyzye 1
%System32%\Tasks\ksjwhajlq 1
%System32%\Tasks\jyqpwyc 1
%System32%\Tasks\ujfnhbf 1
%System32%\Tasks\bhafmhi 1
%System32%\Tasks\xhpbgymjwx 1
%System32%\Tasks\jubfqwgt 1
%System32%\Tasks\gptecaa 1
%System32%\Tasks\ejildfvgb 1
%System32%\Tasks\qjthztfzr 1
%System32%\Tasks\ieodxvl 1
%System32%\Tasks\ctsbuzalje 1
%System32%\Tasks\dmptvbes 1
%System32%\Tasks\phkhoifgs 1
%System32%\Tasks\axgdpda 1
%System32%\Tasks\utaigbhdrp 1
%System32%\Tasks\xoxwuzijwh 1
%System32%\Tasks\dystgbh 1
%System32%\Tasks\ocsgwzoyy 1
%System32%\Tasks\mhsgfbj 1

File Hashes

06189f067e73cf345a9a648552dc8043256a3cf27843002944c8e9c37747f56c 13fa83c2bda9fe9d15d49e985328091baa07c7e45f3b05a605a7313aed2035e8 192035e53ade26cfc8178f6ae6b623bdd66227353d61878a24034429c3c3d0c8 2e897bda81c18be469f2a321bbe91a6f8c6bd6d21672bce80db2fa2110067071 357c49437126845a41004121fa25dbbbad5b6c1c601baad3ec26764dd954605e 3d20f9b85e5ff0c27fe70cc03754190622837aaf35f7b66761a19d57864e2dea 4b890be585b6ce3ef66e04026503861ea4d00085517281b4e44968a8ceb7835d 4e3f8a89957996a57bc7d5e0ca90f7e1caf057c9030cada96338a65cb5de7ac1 4edb644a2ddb6e1cf87086dfe164f23287506502b74c8532fd361b4001cadee0 52d415a09858a5497fdc294ad059d57cb66ed0a10206b6b29a5b0590b61f4209 538f15667cb104d39d62d2b12812d6ea5dff49fe19a9e8cbcb6e6026de469f6d 54adb9a03c513c70ddd84880125d5db548342541971d0bcd22a726d710a5f214 5d8e71daf5e0e335b141da1c77a09f3f6b58e99ed2620e1b2d1e70aff3c13980 7545962b3804663b5037e4f779c116197980f3ed8afd548438f08472ff54ce8e 862836ae9a7f49b7587bf8b287fa28831f3bb1063d2841c152523a68e77620f9 a3520cb61c5d36770e63a146e1239c661d809d4201756fdbf6e12c12405c25c0 b31ef58067047f8c4cef4e3bd2d8ab1b298cc456f59d09da5eb357c519fa45fe c646951c696c25ccbf62170bf2df69a4964448ee24de9a6df70f2d74b0ac42bf e144275a75426e2f93bae0373c2a22695b4ce31d7955fe76d4154d1d4655544e e6d8af42a5e72f1986cc0a653a525b90320dc73763318c4ecdac22f45cf428fe ec3423a1ab95edda57631d7a382ce87d4d92ff61bbfe53468000aa2569129496 f70fba2b5df0f88e0112890f99256d8dc6e9b1b702c2f989d3dfeb5402ddfeb0

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Packed.Tofsee-9954338-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 16 samples
Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName
16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description
16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath
12
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config4
8
<HKU>\.DEFAULT\CONTROL PANEL\BUSES 8
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config0
8
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config1
8
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config2
8
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config3
8
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\mwytphgc
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\tdfawonj
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\xhjeasrn
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\lvxsogfb
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\nxzuqihd
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\yikfbtso
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\jtvqmedz
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\gqsnjbaw
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\kuwrnfea
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\rbdyumlh
1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
31[.]41[.]244[.]82 8
31[.]41[.]244[.]85 8
89[.]223[.]120[.]217 8
80[.]66[.]75[.]254 8
80[.]66[.]75[.]4 8
31[.]41[.]244[.]128 8
31[.]41[.]244[.]126/31 8
74[.]208[.]5[.]20 7
192[.]0[.]47[.]59 7
144[.]160[.]235[.]143 7
31[.]13[.]65[.]174 7
117[.]53[.]116[.]15 7
51[.]81[.]61[.]70 7
64[.]136[.]44[.]37 6
194[.]25[.]134[.]8 6
202[.]137[.]234[.]30 6
212[.]54[.]56[.]11 6
212[.]77[.]101[.]4 6
67[.]231[.]149[.]140 6
67[.]231[.]152[.]94 6
212[.]227[.]15[.]40/31 6
142[.]250[.]80[.]36 6
197[.]234[.]175[.]114 6
121[.]53[.]85[.]11 6
146[.]112[.]61[.]105 6
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
microsoft-com[.]mail[.]protection[.]outlook[.]com 16
microsoft[.]com 16
svartalfheim[.]top 16
249[.]5[.]55[.]69[.]bl[.]spamcop[.]net 8
249[.]5[.]55[.]69[.]cbl[.]abuseat[.]org 8
249[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net 8
249[.]5[.]55[.]69[.]in-addr[.]arpa 8
249[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org 8
249[.]5[.]55[.]69[.]zen[.]spamhaus[.]org 8
www[.]google[.]com 8
jotunheim[.]name 8
www[.]instagram[.]com 7
whois[.]arin[.]net 7
whois[.]iana[.]org 7
aspmx[.]l[.]google[.]com 7
mta5[.]am0[.]yahoodns[.]net 7
mx-aol[.]mail[.]gm0[.]yahoodns[.]net 7
earthlink[.]net 7
verizon[.]net 7
mail[.]com 7
mx01[.]oxsus-vadesecure[.]net 7
ameritrade[.]com 7
mxa-000cb501[.]gslb[.]pphosted[.]com 7
nate[.]com 7
mx1[.]nate[.]com 7
*See JSON for more IOCs
Files and or directories created Occurrences
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> 16
%TEMP%\<random, matching '[a-z]{8}'>.exe 16
%SystemRoot%\SysWOW64\config\systemprofile 8
%SystemRoot%\SysWOW64\config\systemprofile:.repos 8

File Hashes

0370c3e6ca311c5938d4c2b42ac911389078246d8d28820db03489869c627952 06d8e104d37d9d0d417f3bc3e39ea1c23da058657dbdf9dc3c0ee2ee9f4dd6b1 073e064f0d51351f78f280215a905f2e6b8ab1fe92f1e15e5d066e065e744fcb 0b9c9b284ea2c7f4f1d2fcece1850e6073808c37e81f0325627e7c82e6887746 1909314fc39c4af7a83beaf815cf48be782f35570174ba59542529df5c8504a3 343385423be7f0f77cbbc56cca7a078c8f0c152e8cba3e9d73025c971969cfbe 3cdb65fad9847f108615c8710510baea74b1de245bc806222438c7f0b4501a2b 4bd96c267d22dd38a0e99409c88afe8f19362015a2b26c6b56d858037283dd33 7c11fc1112da725e144b717938170a2767dc36ac7a12407799b2e035d1a455bf 7dca4276c1af8f6620dd3772d8375d6d0428f871fcecbab460fae99cd0f07f57 81f48cf29d01ee96748b42179adcea0d68a3900e4f0d49cc9726f6f409d4eb79 ab9261b2c258a63dd4563f0ab2150927ee0b18a3fbb26bc7031b938f26245b89 c65201021ea6f0d0e6ff91a98788d62dbd80e789a6e2468d8bf06ac06d3a10ba d94eb5f31f67f2b361c50dd7d88f13b94fea03233e327777486e1263bcab4626 e589ca07439b86d88a5820b00535a1fac141bd022c904fff4b80c914d5d67862 e89f3fba9d27b3804df4472b9d8a5d77cea098e0714d2d514a3329c0db5f4121

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Malware.TinyBanker-9954340-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 339 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: DA81EF4C
339
Mutexes Occurrences
DA81EF4C 339
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
www[.]google[.]com 13
insamertojertoq[.]cc 13
Files and or directories created Occurrences
%HOMEPATH%\AppData\LocalLow\DA81EF4C 339
%APPDATA%\DA81EF4C 339
%APPDATA%\DA81EF4C\bin.exe 339

File Hashes

0009b8d023a72b5d50473cf4596ba8f8f84e987d2e0d9b28e822361e59977351 00a5388c61811a760e86eb28bc3cc2b76c5c9010668186226435f5978dfdd35a 018aa683eb001071159e48ed00c28de1a5693ddbd2d72a9cd5d382965cd6b7a2 01d5de917963186957ca3bbcfb596897e8877f3956d88d3ff08308550f084548 02150c6f1f8df4d8363fcbb7e8a411bedee1175ec85b330856de2e694cc396f2 0264e06fdc681bef2e32d8ecfec426ac3cda80132b42cef2e1cade5beb6c9257 02c457445a98193228680bb9ef465d10f7b5fe36ff9426d6e55a2d27d0d407dc 0309af9f10598fb0efa863d89c3ebafd7c828868ce3c7cfc4cd8ba401575c18f 038a7a8602eadb8f7662ae8ce49787bf46d546f5e860c22323c586c3cfdbf479 039e9feb31370347e563f81dbbdc90009f9bff708641fe410a3a15f332d97904 0449640b54babd0fc80e93115277588e9b153c95b37562df8ef9cbf940c5923e 049325f04dbd42764f439185d12b5ec45aae18096cd8b2d85ef917e54386e0de 04e84f8d588d4d82276a4c1f243379ffdcc2aae07e325733976e3bae047685a8 05a558635de9e89a23d3277f14b0c8e07b158a5501615a3852f2b46a1fdfca88 0608cc8b120093bf2bf4b6af8f5b8497dc92db814a28b808605c7ebc40d0b3b2 0640709e8b7d9dbce59f2ae2bfc2903d5be95160c01e99a48719a8c166f597e1 0678fe42384e0abea7f348e1a4f22af729de51795d7e84e99e97b5fa8e21ee94 0737aeaa1ddd4df4376ed82560bdf533bbdb31e4eb04f0ecb6fafbd0b7224f73 0808fdbb771b74fe9e0ea7c1dfd33d1d87ff3689cd0a96cbc3e04b9b1c35410e 0828f87ebfe0c7a4dd7abbc79310477ce355d597d952a8283a57200fffeeae67 084376f113e40bc11645818e591af6bef28b4b37a102992aa8a5355a80f87cf1 0893c79987b29bc28e603470cb207ad93dcfcf824a33061ca2aa40ba61210327 08edb8d0a5bfd645447606ca0b3c17c8c6fb8d294c93672e230a9045fe4fbf6f 09ad6c30f487590d6461f24ef682635ac0fa311919c4c80e07bf617b803736fa 0a80024f1a3a2ea97035b95381091b38384754d3f5151417641312dd528c734b
*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



Umbrella



MITRE ATT&CK





Win.Dropper.Kuluoz-9954356-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 109 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'> 109
<HKCU>\SOFTWARE\MDMCUKPX
Value Name: uqducguu
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: paneesca
1
<HKCU>\SOFTWARE\DWFIFUWS
Value Name: bafvewrr
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: eitorrpk
1
<HKCU>\SOFTWARE\UKERJJEJ
Value Name: vtbnghrg
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: sholjmhe
1
<HKCU>\SOFTWARE\VSQLQAON
Value Name: bgqeshvc
1
<HKCU>\SOFTWARE\FDMOXXFS
Value Name: cbgefnqa
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: lohbehwk
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: lnibtlam
1
<HKCU>\SOFTWARE\HAFWCQSW
Value Name: nfrutvji
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: glgncfng
1
<HKCU>\SOFTWARE\NXNIVOQA
Value Name: ctxfkkqk
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: qhuomnlb
1
<HKCU>\SOFTWARE\RRWNRLAN
Value Name: ujtkjncg
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: bpvxshbl
1
<HKCU>\SOFTWARE\RJAPWLXO
Value Name: xumksvqw
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: vjhaddrx
1
<HKCU>\SOFTWARE\DCOFPBLK
Value Name: dvurcpmi
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ihdgdplg
1
<HKCU>\SOFTWARE\WIMUAMID
Value Name: mtkehigx
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ufnjusnb
1
<HKCU>\SOFTWARE\EHUFRLXG
Value Name: vpskebau
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: oidjmcex
1
Mutexes Occurrences
2GVWNQJz1 109
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
173[.]192[.]72[.]226 84
196[.]211[.]170[.]187 73
113[.]53[.]247[.]147 70
76[.]74[.]184[.]127 66
81[.]177[.]22[.]90 66
91[.]142[.]223[.]136 65
198[.]0[.]216[.]35 64
151[.]3[.]8[.]106 63
91[.]121[.]177[.]88 63
Files and or directories created Occurrences
%LOCALAPPDATA%\<random, matching '[a-z]{8}'>.exe 109

File Hashes

0009c4f78503252df2b9cfcd30289822d10eeb06a450786bd88b976d2c3fbfa5 02554836f2ac11e2d47b06ad1930ae763e739b6a115b2703088a2c757be97e6e 0a9d9fd522eb5c3e23bdabcbd08a60b7cdb6fe677c975b804d74c59729dba731 0b0032a05dbe18f6990c85b16ee2fc0f6d31b947b19041e63cf8080728cb5886 0c2e8a800b55f433feb14eac47cd2679c014ede8c2036921e0830d6df19c7cc8 0c932f3db91da0a7a57776e706a63272cfd8080d5806537bb5e6542344f9cd95 0e7e9ea70bde379db6c0aab287b044360cda95d00d97bbc7a588c9691fbbfb3b 0ec369b719e46d50a3dfa6f338148cecbf05f772b74eb218fb53436981386eda 0f7184c6a98b066d8c3e8dd2d9abf6e6ac506e038df9a288e215e3857dbd9753 1072829998e5a3655bc9efe6f469bd4175ebea6eaf7538f52a34898e56950b67 11c7776cbadd8c8b35c2b36f7aaeff44dbe7db84ac10b05538b176be00583098 140da0cdbd8bb1f8eaec5dc13de595ddf67e3b75ea2bd20c75eb3f9095781009 15995ef76df1c95149c5fa7307d060eb238847d3a70b94512ace4d11e6f9ce28 161bfb6d8dc760537041bf75438303a103a091cf1d24b6c55546ddf9643b3197 189ef2087222c0506f681d4a0bc4b083b456979da0128c85cb5e506577dde97f 1a2f5ef5c3e8918443be5f354a398bb8785b4493a172d32c73f7618b864965e5 1dd65f1065bddb23f4d3aa4a883bcc116ee2d2ff71e8f9f117f54fb7fd85fcb7 1ef6527a9a2257fec4ceda8b6beb340515e6359fc0ae482c42acd4f5a8650a75 21456f7b331c3f9e3acae1d077d8c397199b0c245f0abfcc5e06a14d2c78da28 24859d27ac3387ee5f815dd572f092e6ab1c9d13c464cb7dec968059f3d0e468 299f217a4f2a423087bb2f4b601ac8f64e9b93eb09de16250c775f709c8ed288 2e2b6751ae19e64349515267de372435332954611db86f422b46978de1783c78 2fd5ed44eeacb2407a6aad7a8f1c17f38c4b2c3f92e4e4e7a0a09f0a025521df 2fe7960dd79a50fa40e5215609ec2672474056781952aa873af8bd9113f6e3e0 3358af4b18ecbf4e2e1e2bcb069babe6864f91a94b774a8adce4ed85a428017d
*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Ransomware.Cerber-9954874-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 24 samples
Mutexes Occurrences
debug.{8067AF37-05F3-E0A7-F91D-CF35012EB051} 23
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
19[.]48[.]17[.]0/27 23
77[.]12[.]57[.]0/27 23
87[.]98[.]176[.]0/22 23
172[.]67[.]2[.]88 9
104[.]20[.]21[.]251 8
178[.]128[.]255[.]179 7
104[.]20[.]20[.]251 6
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
api[.]blockcypher[.]com 23
qfjhpgbefuhenjp7[.]1bxzyr[.]top 16
bitaps[.]com 7
btc[.]blockr[.]io 7
Files and or directories created Occurrences
\pc\users\public\recorded tv\sample media\win7_scenic-demoshort_raw.wtv 23
%TEMP%\d19ab989 23
%TEMP%\d19ab989\4710.tmp 23
%TEMP%\d19ab989\a35f.tmp 23
%LOCALAPPDATA%\Microsoft\Office\Groove1\System\CSMIPC.dat 23
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp 23
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.bmp 23
<dir>\_R_E_A_D___T_H_I_S___<random, matching '[A-F0-9]{4,8}'>_.txt 23
<dir>\_R_E_A_D___T_H_I_S___<random, matching '[A-F0-9]{4,8}'>_.hta 23

File Hashes

036e575927b733037cd781d5628c4726ba2d0326270199d071c383462041a02a 0edd6b6665c86628191d08bd5dd11e97140b959cc3fec017e3953c6cb4234edc 1524a7b857fded713e633b3ffdc06e2de4d26d7db085461d247db4a8ba0866b5 1e926712055dbbcc7b56f85db31580e1910ca1f82bf409657e69613c7b768a89 1f6e379bd103ef8069d2dfab13565a25c92bd6ce1715936c934fceb6b565ae82 2892281799a56b87e9bd13dbe0942e14ccdbc51a75e8267a2572be136b582051 2f26e32b17d6bad5791f12f8e746bef4de6f442cc87b7416f53ad43fc858aaf4 3752da71a1cec465d059ae8f768e6e3e875584647772244fc7172a4d91eb50dc 447bef04ef76a10bb955b0063574232b53e45c77b5c166b85a3c493ed879969a 59047aee37e18ea4fb27153d1e2f08ca93032482c6641ec69f8703ba2be005b4 6d1b633d807cca17d7bef63e28fdc158a98cd5cc9db24f38febcdaf887a448de 6ea1c10264608f9cbd3ab5f0d688703ac080c1a54df0c9cb16c38a7eb2180915 7544d2bc1b097fdd141b59efdff27ebe050e9f004ef81d9d378c717f57caf983 7d5160549ba6cf88fdb3b577d75f70558799ca8b320c9c9771dafb4e13f6298a 82c5dde62779f84f36844175a9e1b1fd83c8a3c6e379823cf46c09c933d1b964 88d234e22ec6b460c7d13aab86c81160848e5387f9f5194c12aa5c0cb48803bc 900b50a3a7e3ed0bfe63ba0c141a10037dae3fd42045d47f7f9247d3453ab3cf 985682ecdf5ba3aa46f28a391ba72d89d09fae801718d025c422478b7cffd1f6 a7015c52575a754fd32a3c1a7f5ac4e763862f97b0f24bab53496e878fa2be46 bcb1efddc68b520621aebab86a69981f0f45d30abac832a56132cc5e8906bd0c d026608f54bb7a0e503dd2ae6687e6f7134e7b74a9ee8b5b30041c964b3edab2 d2efdbb24000478d1c547b0333fdfcadb93609f733657f3c5491d7742b24ed94 eb2d15be3bada92a6ac785309ef5ab842be64b46482a6bb4446bf200d6922598 f49905e5ec2f3829230579e29020a7b92cff6792ea1c94af53e65d5068b01780

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Dropper.DarkComet-9954765-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 11 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\RFC1156AGENT\CURRENTVERSION\PARAMETERS
Value Name: TrapPollTimeMilliSecs
11
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\RFC1156AGENT 11
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\RFC1156AGENT\CURRENTVERSION 11
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\RFC1156AGENT\CURRENTVERSION\PARAMETERS 11
<HKLM>\SOFTWARE\WOW6432NODE\LICENSES 11
<HKLM>\SOFTWARE\WOW6432NODE\LICENSES
Value Name: {K7C0DB872A3F777C0}
11
<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{08DC0A16-DAEE-5740-EE63-C96A9095083C} 11
<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{08DC0A16-DAEE-5740-EE63-C96A9095083C}
Value Name: 0
11
<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{08DC0A16-DAEE-5740-EE63-C96A9095083C}\INPROCSERVER32 10
<HKCU>\SOFTWARE\DC3_FEXEC 5
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: UserInit
5
<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{08DC0A16-DAEE-5740-EE63-C96A9095083C}\PROGID 5
<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{08DC0A16-DAEE-5740-EE63-C96A9095083C}\AZSOCBAU 5
<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{08DC0A16-DAEE-5740-EE63-C96A9095083C}\DKTJA 5
<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{08DC0A16-DAEE-5740-EE63-C96A9095083C}\FJUZWK 5
<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{08DC0A16-DAEE-5740-EE63-C96A9095083C}\YFLVCGLB 5
<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{08DC0A16-DAEE-5740-EE63-C96A9095083C}\KMWRUOCEZXRVY 5
<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{08DC0A16-DAEE-5740-EE63-C96A9095083C}\MXCH 5
<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{08DC0A16-DAEE-5740-EE63-C96A9095083C}\HCUF 5
<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{08DC0A16-DAEE-5740-EE63-C96A9095083C}\HBEGY 5
<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{08DC0A16-DAEE-5740-EE63-C96A9095083C}
Value Name: iJtYQjajh
5
<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{08DC0A16-DAEE-5740-EE63-C96A9095083C}\AZSOCBAU 5
<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{08DC0A16-DAEE-5740-EE63-C96A9095083C}\DKTJA 5
<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{08DC0A16-DAEE-5740-EE63-C96A9095083C}\FJUZWK 5
<HKLM>\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{08DC0A16-DAEE-5740-EE63-C96A9095083C}\MXCH 5
Mutexes Occurrences
35561FD7::WK 11
RAL35561FD7 11
35561FD7:SIMULATEEXPIRED 11
DC_MUTEX-<random, matching [A-Z0-9]{7}> 5
6A0::DA5D0984AC 4
640::DA5D0984AC 3
63C::DA5D0984AC 2
_x_X_BLOCKMOUSE_X_x_ 1
_x_X_PASSWORDLIST_X_x_ 1
_x_X_UPDATE_X_x_ 1
6BC::DA5D0984AC 1
784::DA5D0984AC 1
3E4::DA5D0984AC 1
758::DA5D0984AC 1
6F4::DA5D0984AC 1
310::DA5D0984AC 1
330::DA5D0984AC 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
23[.]65[.]245[.]250 3
104[.]104[.]80[.]110 2
13[.]107[.]21[.]200 1
184[.]85[.]70[.]179 1
88[.]232[.]223[.]176 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
docs[.]microsoft[.]com 3
go[.]microsoft[.]com 3
www[.]bing[.]com 3
berkeinthe[.]duckdns[.]org 2
sonucbir23[.]duckdns[.]org 1
deeplool22[.]ddns[.]net 1
wdwgberke[.]duckdns[.]org 1
Files and or directories created Occurrences
%ProgramData%\TEMP 11
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\699c4b9cdebca7aaea5193cae8a50098_d19ab989-a35f-4710-83df-7b2db7efe7c5 10
%APPDATA%\dclogs 5
%ProgramData%\TEMP:83CE2D1C 5
%HOMEPATH%\Documents\MSDCSC 4
%HOMEPATH%\Documents\MSDCSC\msdcsc.exe 4
%SystemRoot%\SysWOW64\MSDCSC 1
%SystemRoot%\SysWOW64\MSDCSC\chrome.exe 1

File Hashes

0fbb6edb74acbd0e022fa384ff7c0b52dadaf048dba8e51f63764e0350d4ae89 2466757393e898aabb39fb928697b6f4bd28cfdd4772197b1de6a43edcea2da5 37c987cd047d9a4ebfce5f8819defc4970b7cd04c8e8d6408bc9cdd98da895c8 420cb6e3d6aae656659d7548616319e2d00ad04eeb1f98dd54d5cfc8e8c8fe01 5847e0b50f7279000e7335af0b0925b413718810cf5591d8ea253ae55893a197 58fcde0ffab58fe13b2132b985ec3fbadd885f8a2fbe12a817fa1335fac68992 9218f3fae5155c9c1dbfb8533dfb1b67fbffa2c37e112ac7ade5026674bedade 92b72fdf536eaf825a93ba89a24c1f28b3d533cbf592c462022b914f7236e643 b4ac6f1ba035fa7fb9428186acfef3426d7cd29725b4d74dcf949a6ba5883e99 bc9f628dea0f4bdbcfa6b6dc44ea8913eefb31c9cede1fd2e87956875152a7aa cf7a2e6b31cf809ff7a32aa7be72db5d0f00449fdd57be16bfeeae74dfbd5a52

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Dropper.Remcos-9954770-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 16 samples
Registry Keys Occurrences
<HKCU>\Software\Remcos-<random, matching '[A-Z0-9]{6}'> 6
<HKCU>\Software\Remcos-<random, matching '[A-Z0-9]{6}'>
Value Name: exepath
6
<HKCU>\Software\Remcos-<random, matching '[A-Z0-9]{6}'>
Value Name: licence
6
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\INTELLIFORMS\STORAGE2 2
<HKLM>\SOFTWARE\WOW6432NODE\MOZILLA\MOZILLA FIREFOX 2
<HKLM>\SOFTWARE\WOW6432NODE\MOZILLA\MOZILLA FIREFOX\20.0.1 (EN-US)\MAIN 2
<HKLM>\SOFTWARE\WOW6432NODE\MOZILLA\MOZILLA THUNDERBIRD 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Sepudffdow
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: XZWT4RBPT
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Gnjxcchbvi
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Glwxtqqztb
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: VFIHZLNHGZY8
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Flccjqinyw
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Gnbaqnyaxe
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Tavpfjrjwd
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Bjfxzjcask
1
Mutexes Occurrences
Remcos_Mutex_Inj 6
Remcos-<random, matching [A-Z0-9]{6}> 6
O33049D-3XBEG18I 1
092440R786BXBxG4 1
004P450-G9CIB008 1
J6RABDT9B2C6Y6JH 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
13[.]107[.]42[.]12/31 5
172[.]64[.]149[.]82 3
37[.]0[.]14[.]195 3
162[.]159[.]129[.]233 2
162[.]159[.]135[.]233 2
3[.]64[.]163[.]50 2
104[.]18[.]38[.]174 2
199[.]192[.]23[.]166 2
103[.]114[.]104[.]219 2
209[.]99[.]40[.]222 1
192[.]0[.]78[.]24 1
198[.]54[.]117[.]215 1
198[.]54[.]117[.]211 1
93[.]89[.]226[.]17 1
52[.]72[.]49[.]79 1
194[.]58[.]112[.]174 1
198[.]251[.]81[.]30 1
162[.]159[.]133[.]233 1
162[.]159[.]130[.]233 1
198[.]54[.]117[.]244 1
3[.]13[.]31[.]214 1
79[.]134[.]225[.]9 1
34[.]102[.]136[.]180 1
23[.]227[.]38[.]74 1
142[.]250[.]80[.]83 1
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
cdn[.]discordapp[.]com 6
onedrive[.]live[.]com 5
cacerts[.]digicert[.]com 5
www[.]elanagro[.]online 1
www[.]gasurvivalgear[.]com 1
www[.]100shortvideos[.]com 1
r4tk6w[.]am[.]files[.]1drv[.]com 1
www[.]iden3s[.]com 1
www[.]augustamobilenotary[.]net 1
www[.]sinibelanja[.]website 1
www[.]vineabank[.]com 1
www[.]disintar[.]xyz 1
www[.]hayatcevredanismanlik[.]com 1
www[.]ezhuilike[.]com 1
keywea[.]db[.]files[.]1drv[.]com 1
www[.]timinis23[.]com 1
www[.]unitedoceanlogistics[.]com 1
www[.]hubinvoice[.]com 1
www[.]icarus-soft[.]com 1
www[.]tematemazo[.]com 1
www[.]assasa[.]net 1
www[.]duckholland[.]com 1
www[.]takeka[.]com 1
www[.]waydiscount3[.]xyz 1
www[.]letbeautifyus[.]com 1
*See JSON for more IOCs
Files and or directories created Occurrences
%ProgramFiles%\Microsoft DN1 1
%ProgramFiles(x86)%\T2dt 1
%TEMP%\T2dt 1
%ProgramFiles(x86)%\Og0h 1
%TEMP%\Og0h 1
%PUBLIC%\Libraries\Cdex.bat 1
%PUBLIC%\Libraries\Null 1
%ProgramFiles(x86)%\Og0h\updateqlr0.exe 1
%PUBLIC%\Libraries\Sepudffdow.exe 1
%PUBLIC%\Libraries\SepudffdowO.bat 1
%PUBLIC%\Libraries\Sepudffdowt.bat 1
%PUBLIC%\Libraries\wodffdupeS.url 1
%TEMP%\Og0h\updateqlr0.exe 1
%PUBLIC%\Libraries\Gnjxcchbvi.exe 1
%PUBLIC%\Libraries\ivbhccxjnG.url 1
%ProgramFiles(x86)%\T2dt\colorcplrdi8n6.exe 1
%PUBLIC%\Libraries\Glwxtqqztb.exe 1
%PUBLIC%\Libraries\btzqqtxwlG.url 1
%TEMP%\T2dt\colorcplrdi8n6.exe 1
%PUBLIC%\Libraries\Flccjqinyw.exe 1
%PUBLIC%\Libraries\wyniqjcclF.url 1
%PUBLIC%\Libraries\Gnbaqnyaxe.exe 1
%PUBLIC%\Libraries\exaynqabnG.url 1
%PUBLIC%\Libraries\Tavpfjrjwd.exe 1
%PUBLIC%\Libraries\dwjrjfpvaT.url 1
*See JSON for more IOCs

File Hashes

02c6faaf7dacbc44b08e16ccc94a37b1d91b330fe9c1d1c8c4190307d81b9f51 24cc101a911dab4d60d216074891c71dfc3bc988c7a1cba584b80f6897d7b6db 3b2011d7c0d7cff6661fd758752004db6c4431c337a40f5e7312675e15d17350 3fcbe7a0e267613273776e6065ca9ea590672a8fcc98c72668d4feb3d94ded53 4f45c0298ae00be039e62c02e8ae363b1403620f00c421dd32fd814475831d84 581a7ac2c4bd76fff10c7e222319f7df696a1b33dc95a55dd62dd73b947cb305 6de796281a2fa4f9661b9e980d98fe5ce7fdd7a80a09ca93ba2e7c69e6f95af5 715b1f826c3de9d3b38097292155815a7a224855c966a4ecbfef311397a375a6 b03d98d7167c602853bcb43aaab9e926d00fc0babeaa51405efe6c5364a1102f bf4dbf3c3658eafedb37aa070761a8877166b5401341594cd052e8b75f83bce0 cb197482888713f270c003760e0ce64a252bab8697b36231aa87e41ee33466e7 d25d2c22b3843c1e8aaecec11b29d4ebb6fbe5b67a6f5a345abf0709516920d3 d313893673c0d4f03315f7346d2df1fcc0ba7624234360b2e2aae9af359adc1a e7d9370ccf6b4e33c6c28d7e1a2cdcddceac1f5545ebc064a4130cf3d4be0d47 f587d7f192093dfaa3afd3169abd75cc1f5476e617e486df3dd507613eafeffb f5fcd1c154f0ad8e635cef464f0f28ba6fbabf07f9379aa2a1cfec9ea59a173d

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Packed.Phorpiex-9954771-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 15 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusOverride
11
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusDisableNotify
11
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallDisableNotify
11
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallOverride
11
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesDisableNotify
11
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesOverride
11
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AutoUpdateDisableNotify
11
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Microsoft Windows Driver
11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Microsoft Windows Driver
11
Mutexes Occurrences
59304 11
enote/Administrator 1
ACz8pRIPSWo1ZpimjrSzfSASZMyYdusS 1
Global\73cc6b21-fbd1-11ec-b5f8-00501e3ae7b6 1
Global\{B4DA2783-5567-F63E-A7E4-4C2053E64169} 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
92[.]63[.]197[.]190 11
146[.]112[.]61[.]105 10
163[.]66[.]216[.]177 1
102[.]228[.]233[.]31 1
164[.]112[.]134[.]199 1
58[.]74[.]224[.]218 1
119[.]89[.]97[.]243 1
100[.]72[.]177[.]40 1
128[.]178[.]176[.]234 1
81[.]21[.]140[.]143 1
168[.]205[.]174[.]125 1
103[.]98[.]79[.]11 1
60[.]162[.]101[.]123 1
170[.]100[.]37[.]250 1
80[.]216[.]89[.]38 1
124[.]206[.]131[.]143 1
20[.]206[.]235[.]31 1
35[.]45[.]98[.]140 1
159[.]164[.]206[.]29 1
194[.]201[.]144[.]47 1
194[.]6[.]12[.]158 1
57[.]197[.]27[.]187 1
120[.]207[.]149[.]8 1
123[.]82[.]190[.]187 1
78[.]148[.]145[.]239 1
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
tldrbox[.]top 11
drive[.]google[.]com 1
www[.]tldrbox[.]top 1
Files and or directories created Occurrences
\autorun.inf 11
\.lnk 11
\__\DriveMgr.exe 11
E:\autorun.inf 11
E:\__\DriveMgr.exe 11
E:\.lnk 11
E:\__ 11
E:\__\$RECYCLE.BIN 11
E:\__\$RECYCLE.BIN\S-1-5-21-2580483871-590521980-3826313501-500 11
E:\__\System Volume Information 11
%APPDATA%\winsvcs.txt 11
%TEMP%\1235929499.exe 1
%TEMP%\1568320431.exe 1
%TEMP%\2121133818.exe 1
%TEMP%\2204625615.exe 1
%TEMP%\2635321236.exe 1
%TEMP%\2572339688.exe 1
%TEMP%\3149511422.exe 1
%TEMP%\1231911167.exe 1
%TEMP%\1276121491.exe 1
%TEMP%\1428828012.exe 1
%TEMP%\2697522266.exe 1
%TEMP%\3586714917.exe 1
%TEMP%\1732128979.exe 1
%TEMP%\1017410538.exe 1
*See JSON for more IOCs

File Hashes

017d9b3ad3d3fc1de31e4d121c499721882b0eb8a1abf38c71929fdd44f1e45f 03d85fea6867024b35caa3246247dd80c285eff9a2386b3bef30b72f475e7b13 40a6fb569e0abd218106b96ea9f7f6e74e094937c63ed4fcd44bdd754542228a 556af1554c00ca438d3a6db46125c296e34704f4811231b6e719969b7d622dd8 6f177fb753eadcd5ae20054b2db2e04a3661d8967f53f44118fc1074c5f4a0aa 75f7a0659a2ae87e013d5160dd84948a9e6b73794d7d7fdb68b44ef49e17fe00 78c8de63886867675d4c22ef0dcb904bed8b580a1c3421c0d339888d8c172cd9 7c16255833c42f715f7229b5c1c79074404a9f18fe592462f00a458d558c3f77 829bd1b0536915c3dbf00d2e376cdfba58246db2583d628bbaedd22205f0df4d 86d2ab9fdc91814a2ef5e8c97da80caaa81e47a3e7f650234166d82bd46ebd56 886f906ff2e8c2ae89543a138542b59395e6bd771ba161411363809f6272317f 96126ca08928a42b573dd72065f88182b9b0aef970d0b71eb70cb918edef38a0 c8c3acea8fcb0656671ba22414cd12f6425fd55ad4116558be1b4eb644ffc751 ee0dd59a307ed3d10d870c40bf3bb2c8d9ae6ed0015d7806eb500da505597db2 ef199978d755dae99fa2d70d2634eb0113a28e42a0bea7e2f12a1dc0b2a1188e

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





No comments:

Post a Comment

Note: Only a member of this blog may post a comment.