Talos is publishing a glimpse into the most
prevalent threats we've observed from July 22 - 29. As with previous roundups, this post isn't meant to
be an in-depth analysis. Instead, this post will summarize the threats
we've observed by highlighting key behavioral characteristics,
indicators of compromise and discussing how our customers are automatically
protected from these threats.
As a reminder, the information provided for the following threats
in this post is non-exhaustive and current as of the date of
publication. Additionally, please keep in mind that IOC searching
is only one part of threat hunting. Spotting a single IOC does not
necessarily indicate maliciousness. Detection and coverage for the
following threats is subject to updates, pending additional threat
or vulnerability analysis. For the most current information, please
refer to your Firepower Management Center,
Snort.org, or
ClamAV.net.
For each threat described below, this blog post only lists 25 of the
associated file hashes and up to 25 IOCs for each category. An
accompanying JSON file can be found here
that includes the complete list of file hashes, as well as all other IOCs
from this post. A visual depiction of the MITRE ATT&CK techniques
associated with each threat is also shown. In these images, the brightness
of the technique indicates how prevalent it is across all threat files where
dynamic analysis was conducted. There are five distinct shades that are used,
with the darkest indicating that no files exhibited technique behavior and the
brightest indicating that technique behavior was observed from 75 percent or
more of the files.
The most prevalent threats highlighted in this roundup are:
| Threat Name |
Type |
Description |
|
Win.Dropper.Shiz-9957065-0
|
Dropper
|
Shiz is a remote access trojan that allows an attacker to access an infected machine in order to harvest sensitive information. It is commonly spread via droppers or by visiting a malicious site.
|
|
Win.Dropper.Tofsee-9957067-0
|
Dropper
|
Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages to infect additional systems and increase the size of the botnet under the operator's control.
|
|
Win.Ransomware.TeslaCrypt-9957356-0
|
Ransomware
|
TeslaCrypt is a well-known ransomware family that encrypts a user's files with strong encryption and demands Bitcoin in exchange for a file decryption service. A flaw in the encryption algorithm was discovered that allowed files to be decrypted without paying the ransomware, and eventually, the malware developers released the master key allowing all encrypted files to be recovered easily.
|
|
Win.Virus.Expiro-9957505-0
|
Virus
|
Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.
|
|
Win.Dropper.Kuluoz-9957187-0
|
Dropper
|
Kuluoz, sometimes known as "Asprox," is a modular remote access trojan that is also known to download and execute follow-on malware, such as fake antivirus software. Kuluoz is often delivered via spam emails pretending to be shipment delivery notifications or flight booking confirmations.
|
|
Win.Dropper.DarkComet-9957280-1
|
Dropper
|
DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. This malware can download files from a user's machine and contains mechanisms for persistence and hiding. It also sends back usernames and passwords from the infected system.
|
|
Win.Trojan.Sality-9957294-1
|
Trojan
|
Sality is a file infector that establishes a peer-to-peer botnet. Although it's been prevalent for over a decade, we continue to see new samples that require marginal attention to remain consistent with detection. Once perimeter security has been bypassed by a Sality client, the end goal is to execute a downloader component capable of executing additional malware.
|
Threat Breakdown
Win.Dropper.Shiz-9957065-0
Indicators of Compromise
- IOCs collected from dynamic analysis of 27 samples
| Registry Keys |
Occurrences |
<HKLM>\SOFTWARE\MICROSOFT
Value Name: 67497551a
|
27 |
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: 98b68e3c
|
27 |
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: userinit
|
27 |
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: System
|
27 |
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: load
|
27 |
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: run
|
27 |
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: userinit
|
27 |
| Mutexes |
Occurrences |
Global\674972E3a |
27 |
Global\MicrosoftSysenterGate7 |
27 |
internal_wutex_0x000000e0 |
27 |
internal_wutex_0x0000038c |
27 |
internal_wutex_0x00000448 |
27 |
internal_wutex_0x<random, matching [0-9a-f]{8}> |
15 |
internal_wutex_0x00000640 |
12 |
| IP Addresses contacted by malware. Does not indicate maliciousness |
Occurrences |
13[.]107[.]21[.]200 |
19 |
45[.]79[.]19[.]196 |
8 |
72[.]14[.]185[.]43 |
7 |
96[.]126[.]123[.]244 |
5 |
45[.]33[.]23[.]183 |
5 |
45[.]33[.]18[.]44 |
5 |
45[.]56[.]79[.]23 |
4 |
45[.]33[.]2[.]79 |
4 |
45[.]33[.]20[.]235 |
4 |
198[.]58[.]118[.]167 |
3 |
45[.]33[.]30[.]197 |
3 |
85[.]94[.]194[.]169 |
2 |
173[.]255[.]194[.]134 |
2 |
72[.]14[.]178[.]174 |
2 |
| Domain Names contacted by malware. Does not indicate maliciousness |
Occurrences |
vocijekyqiv[.]eu |
27 |
foxofewuteq[.]eu |
27 |
nozapekidis[.]eu |
27 |
makymykakic[.]eu |
27 |
galerywogej[.]eu |
27 |
qeguxylevus[.]eu |
27 |
rydohyluruc[.]eu |
27 |
lysafurisam[.]eu |
27 |
kefilyrymaj[.]eu |
27 |
purumulazux[.]eu |
27 |
ciqivutevam[.]eu |
27 |
vopycyfutoc[.]eu |
27 |
fotulybidyq[.]eu |
27 |
norijyfohop[.]eu |
27 |
mamasufexix[.]eu |
27 |
gaqofubakeh[.]eu |
27 |
jenerunybem[.]eu |
27 |
qebequgyqip[.]eu |
27 |
kevybunureh[.]eu |
27 |
rycucugisix[.]eu |
27 |
tulojigakit[.]eu |
27 |
lyxilunogem[.]eu |
27 |
xukafinezeg[.]eu |
27 |
pujepigeviz[.]eu |
27 |
cihyrimymen[.]eu |
27 |
*See JSON for more IOCs
| Files and or directories created |
Occurrences |
%TEMP%\<random, matching [A-F0-9]{1,4}>.tmp |
27 |
File Hashes
0067560aba08824dfeb770ca27e3d0e1ece982b8460187f8d9b5a141436577d8
00b97ecd94f57d5a56cdf81df2b5031886913dc017b0d089ea453db9fbf84a41
00e5836b518919f036f5757d5d7fb19b8deec74d1b9f4974e832e72d24158620
019e5844590d1519e9e75d605dac69e3216eab3395d64edae9682f522a02680e
054c5a47542510462512167f374d1bca1ad18d04c26cb7d94a2fce9d7646438a
072b0b3d68b21de76ceb5296f3dba4cb9741f59dacf8b1e7d7bc06976da86149
0772ed398daf5d48a638ad446bb989c5ce74319f9c364c933ab5917572123388
09825454a9f3e88b69f21307efa2e6093f2394d9e5a246ba87547e15a2d4ac86
09fce5411ee6353ddaa268c2e49a3557546dc2c83fcba0a6292a640498facf82
0a07532300d240f7346be75bc5e44d130f7dab376de86ea2ea385bc8cf86d425
0b2b2c70f849d8edbc124f00879fd5ed3ed6c86253bc3c4851885467974fd567
0c22d4fe5ddbecded7048875e9a7e0cdddd5198350aa8dfc7048b9cb24d49022
0d36aa152877523190d50d72eb7c383e27312286cda6eedc3feaaa9c7b407a8c
0d53b772610ba18ea4b296d94b33730e1f16f82e81719d887b303d5ffd0bb724
0d9e7df2c3f7ee39261b2b5af1e70d924ff931473bdc795b0cad29fbcf65d22b
0db7fb425f0e5fe4fe7cc0e9f155a1bb6fa36469487274418e0cf10350264248
0e54984099f81c595ff7ced76bef3bc8547731f8f0e12c298437f08774fffcb4
139be07d5ad7673637d6249789061171692738737023c86a35e9332000f8cac2
1517de689fc7d424de67c20031ee04cff3fc878e1ebe0e8545df14efb159a98b
15f23b0f7665d6092eaee9b28bcbc43086e652cb35633cfaa2f061d9d5b4b3b0
1905329fc88cff0c323d75d844050dddf71f085b1b031cd78eb286e3b49aa30a
198d9692d11bffc2a5c5dd4504f7fa13743a25d785e08d0cab9073142900c45e
19e233e3a11bcc6916977b99cb89df850230812a7087fb9b11b9b4ed0f33c2f3
1eed66a3938ff9a7dd07a443c0922b54d71877463ad0429123e902e97acc3523
213fe1fdb10d80b6abd770e2020913ad6a1872411224fccff3aa58d334414040
*See JSON for more IOCs
Coverage
| Product |
Protection |
| Secure Endpoint |
|
| Cloudlock |
N/A
|
| CWS |
|
| Email Security |
|
| Network Security |
|
| Stealthwatch |
N/A
|
| Stealthwatch Cloud |
N/A
|
| Secure Malware Analytics |
|
| Umbrella |
|
| WSA |
|
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.Tofsee-9957067-0
Indicators of Compromise
- IOCs collected from dynamic analysis of 17 samples
| Registry Keys |
Occurrences |
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config4
|
4 |
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
|
4 |
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config0
|
4 |
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config1
|
4 |
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config2
|
4 |
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config3
|
4 |
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD
|
1 |
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD
Value Name: Type
|
1 |
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD
Value Name: Start
|
1 |
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD
Value Name: ErrorControl
|
1 |
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD
Value Name: DisplayName
|
1 |
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD
Value Name: WOW64
|
1 |
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD
Value Name: ObjectName
|
1 |
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NXZUQIHD
Value Name: Description
|
1 |
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\nxzuqihd
|
1 |
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU
|
1 |
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU
Value Name: Type
|
1 |
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU
Value Name: Start
|
1 |
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU
Value Name: ErrorControl
|
1 |
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU
Value Name: DisplayName
|
1 |
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU
Value Name: WOW64
|
1 |
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU
Value Name: ObjectName
|
1 |
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EOQLHZYU
Value Name: Description
|
1 |
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\eoqlhzyu
|
1 |
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TDFAWONJ
|
1 |
| Mutexes |
Occurrences |
Global\07ada3c1-08f4-11ed-b5f8-00501e3ae7b6 |
1 |
Global\067cf3c1-08f4-11ed-b5f8-00501e3ae7b6 |
1 |
Global\08e8d341-08f4-11ed-b5f8-00501e3ae7b6 |
1 |
| IP Addresses contacted by malware. Does not indicate maliciousness |
Occurrences |
212[.]77[.]101[.]4 |
4 |
142[.]250[.]72[.]100 |
4 |
31[.]41[.]244[.]82 |
4 |
31[.]41[.]244[.]85 |
4 |
80[.]66[.]75[.]254 |
4 |
80[.]66[.]75[.]4 |
4 |
31[.]41[.]244[.]128 |
4 |
31[.]41[.]244[.]126/31 |
4 |
185[.]165[.]123[.]13 |
4 |
208[.]71[.]35[.]137 |
3 |
208[.]76[.]51[.]51 |
3 |
216[.]146[.]35[.]35 |
3 |
199[.]5[.]157[.]131 |
3 |
208[.]76[.]50[.]50 |
3 |
195[.]46[.]39[.]39 |
3 |
23[.]90[.]4[.]6 |
3 |
194[.]25[.]134[.]8 |
3 |
144[.]160[.]235[.]143 |
3 |
193[.]222[.]135[.]150 |
3 |
209[.]244[.]0[.]3 |
3 |
119[.]205[.]212[.]219 |
3 |
67[.]231[.]152[.]94 |
3 |
31[.]13[.]65[.]174 |
3 |
117[.]53[.]116[.]15 |
3 |
172[.]253[.]115[.]26/31 |
3 |
*See JSON for more IOCs
| Domain Names contacted by malware. Does not indicate maliciousness |
Occurrences |
249[.]5[.]55[.]69[.]bl[.]spamcop[.]net |
4 |
249[.]5[.]55[.]69[.]cbl[.]abuseat[.]org |
4 |
249[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net |
4 |
249[.]5[.]55[.]69[.]in-addr[.]arpa |
4 |
249[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org |
4 |
249[.]5[.]55[.]69[.]zen[.]spamhaus[.]org |
4 |
microsoft-com[.]mail[.]protection[.]outlook[.]com |
4 |
microsoft[.]com |
4 |
www[.]google[.]com |
4 |
whois[.]arin[.]net |
4 |
whois[.]iana[.]org |
4 |
aspmx[.]l[.]google[.]com |
4 |
wp[.]pl |
4 |
ameritrade[.]com |
4 |
mxa-000cb501[.]gslb[.]pphosted[.]com |
4 |
mx[.]wp[.]pl |
4 |
svartalfheim[.]top |
4 |
www[.]instagram[.]com |
3 |
mta5[.]am0[.]yahoodns[.]net |
3 |
hanmail[.]net |
3 |
freenet[.]de |
3 |
korea[.]com |
3 |
t-online[.]de |
3 |
o2[.]pl |
3 |
nate[.]com |
3 |
*See JSON for more IOCs
| Files and or directories created |
Occurrences |
%SystemRoot%\SysWOW64\config\systemprofile |
4 |
%SystemRoot%\SysWOW64\config\systemprofile:.repos |
4 |
%SystemRoot%\SysWOW64\nxzuqihd |
1 |
%SystemRoot%\SysWOW64\eoqlhzyu |
1 |
%SystemRoot%\SysWOW64\tdfawonj |
1 |
%SystemRoot%\SysWOW64\hrtokcbx |
1 |
%TEMP%\oacsevkh.exe |
1 |
%TEMP%\htrzurov.exe |
1 |
%TEMP%\rzwntxyj.exe |
1 |
%TEMP%\mcilsztg.exe |
1 |
File Hashes
1b64011f2f80b0ded096cbdb81c2bdac9786dc8a4ea7425b15547bdca34e043f
34c17bb102b2ed718471668da1ddc7daf397175979582942bf89d8e272cfa141
59bdcd1599938f1c5c2845d1fef198a0d97b03744432fc6705c9c67f13eedab4
64d6709c3cfbf8765e9434abfe6fc8bad67d87a3e4fe0622e68aa1d15aac8d6b
6857bce2c5f73e1d1bc4b14cb7b281beb33fed8cb580a43f236460c2af0e65e2
6eb7dd7f943a22822b0aaef6301d32b54eb43e432070c41b7d3c6a3d041ec8b3
6f3ef01ce9f2896b54c06fe4cd5e5769dda3a958868557a20469feb21c7e1273
79699aa58081b925c0b75140f0110f3ebf9a47e9bc8ba1699d53d7b14cb49591
7e2975f6cb11bb324bd49ec6fd4b77478e3488bf99fe623851a29f06e9b1fb37
89974e5d8be578da3cc6c0a33398659aabb160cdb03f7158066969f430dab796
9449f5dd9a6728664a3be973ccb91adbf64ffe980ff96de05a0419eb0a77bbd7
b77c2b3942f50e8fef2440481de894d506418f7a7c35fb29d40cfa8ce795ebf4
cbbc899843ca8f5908c27645960a33952fbecbf3d5cefc5054ab1dd023bb8582
d0596ec9d08cdd81f86e07d5ab70b518c6ca23a9ed4f557d041d3307b3ca7020
d518bbcb40208cfd7cbb6965e1647fabd5f65f2f1c1520e1217996957a1ada8d
e6411e18f8a1096f9b5d7528a24f6acdf1f97d120dd0dae4d76703c8eb5e4040
efced050e17235d050db86e0d763a07cfff375771d586736bbd17520725f1ebf
Coverage
| Product |
Protection |
| Secure Endpoint |
|
| Cloudlock |
N/A
|
| CWS |
|
| Email Security |
|
| Network Security |
|
| Stealthwatch |
N/A
|
| Stealthwatch Cloud |
N/A
|
| Secure Malware Analytics |
|
| Umbrella |
N/A
|
| WSA |
|
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Ransomware.TeslaCrypt-9957356-0
Indicators of Compromise
- IOCs collected from dynamic analysis of 25 samples
| Registry Keys |
Occurrences |
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLinkedConnections
|
25 |
<HKCU>\SOFTWARE\XXXSYS
|
25 |
<HKCU>\SOFTWARE\XXXSYS
Value Name: ID
|
25 |
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0
Value Name: CheckSetting
|
25 |
<HKCU>\Software\<random, matching '[A-Z0-9]{14,16}'>
|
24 |
<HKCU>\Software\<random, matching '[A-Z0-9]{14,16}'>
Value Name: data
|
24 |
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: hdtjbroygvvb
|
1 |
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: owvhajogulen
|
1 |
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: pyfepfifrjwi
|
1 |
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: xbmnkkfnowvh
|
1 |
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: gulenopvybnq
|
1 |
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: tbqdqvojagik
|
1 |
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: hajogulenopv
|
1 |
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: mgtbqdqvcoqj
|
1 |
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ulenopvybnqj
|
1 |
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: lpyfepfifrjw
|
1 |
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: epfifrjwiqou
|
1 |
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ifrjwiqouteu
|
1 |
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: teumgtbqdqvo
|
1 |
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: nrxbmnkkfnow
|
1 |
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: whmtlmoxvcsc
|
1 |
<HKCU>\SOFTWARE\159643D83772F
|
1 |
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: bmnkkfnowvha
|
1 |
<HKCU>\SOFTWARE\159643D83772F
Value Name: data
|
1 |
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: vcscusnnmyjx
|
1 |
| Mutexes |
Occurrences |
ityeofm9234-23423 |
25 |
| IP Addresses contacted by malware. Does not indicate maliciousness |
Occurrences |
107[.]6[.]161[.]162 |
25 |
| Domain Names contacted by malware. Does not indicate maliciousness |
Occurrences |
jessforkicks[.]com |
25 |
heizhuangym[.]com |
25 |
infotlogomas[.]malangkota[.]go[.]id |
25 |
csucanuevo[.]csuca[.]org |
25 |
snibi[.]se |
25 |
danecobain[.]com |
25 |
www[.]danecobain[.]com |
25 |
| Files and or directories created |
Occurrences |
%ProgramFiles%\7-Zip\Lang\ka.txt |
25 |
%ProgramFiles%\7-Zip\Lang\kaa.txt |
25 |
%ProgramFiles%\7-Zip\Lang\kab.txt |
25 |
%ProgramFiles%\7-Zip\Lang\kk.txt |
25 |
%ProgramFiles%\7-Zip\Lang\ko.txt |
25 |
%ProgramFiles%\7-Zip\Lang\ku-ckb.txt |
25 |
%ProgramFiles%\7-Zip\Lang\ku.txt |
25 |
%ProgramFiles%\7-Zip\Lang\ky.txt |
25 |
%ProgramFiles%\7-Zip\Lang\lij.txt |
25 |
%ProgramFiles%\7-Zip\Lang\lt.txt |
25 |
%ProgramFiles%\7-Zip\Lang\lv.txt |
25 |
%ProgramFiles%\7-Zip\Lang\mk.txt |
25 |
%ProgramFiles%\7-Zip\Lang\mn.txt |
25 |
%ProgramFiles%\7-Zip\Lang\mng.txt |
25 |
%ProgramFiles%\7-Zip\Lang\mng2.txt |
25 |
%ProgramFiles%\7-Zip\Lang\mr.txt |
25 |
%ProgramFiles%\7-Zip\Lang\ms.txt |
25 |
%ProgramFiles%\7-Zip\Lang\nb.txt |
25 |
%ProgramFiles%\7-Zip\Lang\ne.txt |
25 |
%ProgramFiles%\7-Zip\Lang\nl.txt |
25 |
%ProgramFiles%\7-Zip\Lang\nn.txt |
25 |
%ProgramFiles%\7-Zip\Lang\pa-in.txt |
25 |
%ProgramFiles%\7-Zip\Lang\pl.txt |
25 |
%ProgramFiles%\7-Zip\Lang\ps.txt |
25 |
%ProgramFiles%\7-Zip\Lang\pt-br.txt |
25 |
*See JSON for more IOCs
File Hashes
11bf02df58d00bf7dfc22e46b27db8a2cfcb9c8d03ad38b2e3baafa193bbbd89
1a4a1e76c6d2dc585ce77c9be7163163c0d614d5668a0c83601bb3d6f91376a0
1c2ddbf956ee1e2b40472b70603371ed21817fbf95d5825b2f75bbf6f9728089
1d4114c8ee19f343f3dcf80a542295af29df63d9745ad77cce43562c909551c5
2f1f927c219ccfcffeb997c9433733a04200ae35a2fc0c48fc07cb49062cddc7
3ef3021ce3ffdffcfba2bd590c4186c3a3ecdd3b6ce40d51d2500897fb55ffb0
41ab6446df889a5a24e4e859146c0225d13a2ba8553c83cb93e45017212884b2
4bae8a4e0124724e695c10202a94eec99cf5990507fbc94ec3f08e11de3ce2c2
4dc12416bf7c3be9d573c8fa07847050307bd05cb67480e3c3874696614b73e9
4fa8c1eaa4846a8a06fb2480a746d5526f743cee314f7101db0508577bdd3776
5207a70e0e818741279d7c25c0d9cb6be136a4fc8ca8fe6f48112c4d0572d64f
5aaad74cb36db78ad6da4d499a75c41d2ace8b97ff8f88c5bc7f738ad353d3d7
67e2caf00dd0293080cb5b45d2db11d4f567ce9a3d6fd5c9723358d18da80e71
6a9e6e5c50b3b90376530ee4e9e81cdf5cdc9b7c07cdb71207b3a1799f77ec7a
6ab8f9569a70beb0f96bf4e030381e70bcce7703b308a05542f4ccf1b6002af9
71f0f23220cb0f5d8b31fce30f08bc1687acd675b7c3a8ae7e0538bacb0d3eec
a3a6b4f405f2175af97128c64d9ad68700e05e22d66c43dad966add8436af79f
a760b60722cfa7c719e79b5c97cfe789720c6300a200421c846e13287cdb160a
d8be6b950a872b1b7c752cc83a5440b4cfe62870097df78794f10986fb7fcb63
dd6483183967845c18a3d5cc6154233aa8f3a48acb4e9cccd3606afe7d4d7eef
de5dc2aed0e06894e0bb1292fb68343fadc46b489e6c85e6cca56cf5bad70c09
e1a00e6beb02475b4bdd8d821ccac3e67bbafd182332cbf35a45c6766ad83b87
e8c460f171e964db6fff16eb38684b9ec82134c4fd1a1cdc64ba338941ef1199
f69edf352cdca309c7faa71f87a429daf2b46e4ae6ed85a25ff03aa34b4702c4
fbcec257455e5546a294ec1534f7e11f05d144c73ef583a0e891e14759e133eb
Coverage
| Product |
Protection |
| Secure Endpoint |
|
| Cloudlock |
N/A
|
| CWS |
|
| Email Security |
|
| Network Security |
N/A
|
| Stealthwatch |
N/A
|
| Stealthwatch Cloud |
N/A
|
| Secure Malware Analytics |
|
| Umbrella |
|
| WSA |
|
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Virus.Expiro-9957505-0
Indicators of Compromise
- IOCs collected from dynamic analysis of 97 samples
| Registry Keys |
Occurrences |
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32
Value Name: Start
|
97 |
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_64
Value Name: Start
|
97 |
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\COMSYSAPP
Value Name: Start
|
97 |
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IEETWCOLLECTORSERVICE
Value Name: Start
|
97 |
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MOZILLAMAINTENANCE
Value Name: Start
|
97 |
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MSISERVER
Value Name: Start
|
97 |
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32
Value Name: Start
|
97 |
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ALG
Value Name: Start
|
97 |
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EHRECVR
Value Name: Start
|
97 |
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EHSCHED
Value Name: Start
|
97 |
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FAX
Value Name: Start
|
97 |
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MICROSOFT SHAREPOINT WORKSPACE AUDIT SERVICE
Value Name: Start
|
97 |
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MSDTC
Value Name: Start
|
97 |
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64
Value Name: Start
|
97 |
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FAX
Value Name: ObjectName
|
97 |
<HKLM>\SOFTWARE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\STATE
Value Name: AccumulatedWaitIdleTime
|
97 |
<HKLM>\SOFTWARE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\LISTENEDSTATE
Value Name: RootstoreDirty
|
97 |
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\STATE
Value Name: AccumulatedWaitIdleTime
|
97 |
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\LISTENEDSTATE
Value Name: RootstoreDirty
|
97 |
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MEDIA CENTER\SERVICE\SCHEDULER
|
97 |
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MEDIA CENTER\SERVICE\SCHEDULER
Value Name: ServiceFailures
|
97 |
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MEDIA CENTER\SERVICE\SCHEDULER
Value Name: ServiceStarted
|
97 |
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MEDIA CENTER\SERVICE\SCHEDULER
Value Name: Heartbeat
|
97 |
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MEDIA CENTER\SERVICE\SCHEDULER
Value Name: WaitingForShutdown
|
97 |
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MEDIA CENTER\SERVICE\SCHEDULER
Value Name: HeartbeatIntervalMs
|
97 |
| Mutexes |
Occurrences |
http://www.microsoft.com/windowsxp/mediacenter/ehtray.exe/singleinstancemutex |
97 |
Global\MCStoreCreateTable_a1d78cdcc411921ce3b07770aa2a0e0745789b11 |
97 |
Global\MCStoreOpen_b4cae1f9a3aead62bebb934ca33cadb730c8d3ed |
97 |
Global\MCStoreSyncMem_02004a9f865399b5c2a02973d5e53544ed4ce2ea |
97 |
Global\MCStoreSyncMem_5ea381292eeb3ed3e61dc84a3dbd4d7f59767eca |
97 |
Global\MCStoreSyncMem_71bdfe29063ac557a4e7b3205ed180408457fcd4 |
97 |
Global\MCStoreSyncMem_7715dc857070a1523dea43f32f1fe67c1ce58e0b |
97 |
Global\__?_c:_programdata_microsoft_ehome_mcepg2-0.db |
97 |
Global\__?_c:_programdata_microsoft_ehome_mcepg2-0.db:x |
97 |
Global\eHome_DbMutex_1 |
97 |
Global\eHome_DbMutex_2 |
97 |
Global\eHome_DbRWMutex_1 |
97 |
Global\Multiarch.m0yv-98b68e3c311dcc78-inf |
97 |
Global\Multiarch.m0yv-98b68e3c311dcc78493cd690-b |
97 |
Global\Multiarch.m0yv-98b68e3c311dcc789ea72c54-b |
97 |
Global\MCStoreAddStoredType_a1d78cdcc411921ce3b07770aa2a0e0745789b11 |
94 |
Global\eHome_DbMutex_3 |
94 |
Global\OfficeSourceEngineMutex |
92 |
Global\Media Center Tuner Request |
70 |
Global\eHome_DbMutex_4 |
69 |
Global\eHome_DbMutex_5 |
69 |
Global\PVRLibraryLock_a1d78cdcc411921ce3b07770aa2a0e0745789b11 |
57 |
Global\eHome_DbRWMutex_2 |
54 |
Global\__?_c:_programdata_microsoft_ehome_mcepg2-0.db:splk:1036 |
8 |
Global\__?_c:_programdata_microsoft_ehome_mcepg2-0.db:splk:924 |
5 |
*See JSON for more IOCs
| IP Addresses contacted by malware. Does not indicate maliciousness |
Occurrences |
172[.]105[.]27[.]61 |
95 |
167[.]99[.]35[.]88 |
70 |
206[.]191[.]152[.]58 |
66 |
63[.]251[.]106[.]25 |
62 |
178[.]162[.]217[.]107 |
20 |
85[.]17[.]31[.]82 |
16 |
178[.]162[.]203[.]202 |
15 |
5[.]79[.]71[.]205 |
14 |
85[.]17[.]31[.]122 |
14 |
173[.]231[.]184[.]124 |
11 |
63[.]251[.]126[.]10 |
11 |
178[.]162[.]203[.]226 |
10 |
178[.]162[.]203[.]211 |
9 |
5[.]79[.]71[.]225 |
7 |
35[.]234[.]136[.]13 |
6 |
185[.]185[.]69[.]77 |
2 |
82[.]112[.]184[.]197 |
1 |
| Domain Names contacted by malware. Does not indicate maliciousness |
Occurrences |
pywolwnvd[.]biz |
97 |
ssbzmoy[.]biz |
97 |
cvgrf[.]biz |
78 |
npukfztj[.]biz |
75 |
przvgke[.]biz |
71 |
zlenh[.]biz |
68 |
knjghuig[.]biz |
8 |
uhxqin[.]biz |
8 |
anpmnmxo[.]biz |
1 |
lpuegx[.]biz |
1 |
| Files and or directories created |
Occurrences |
%ProgramFiles(x86)%\Microsoft Office\Office14\GROOVE.EXE |
97 |
%ProgramFiles(x86)%\Mozilla Maintenance Service\maintenanceservice.exe |
97 |
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe |
97 |
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe |
97 |
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe |
97 |
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe |
97 |
%System32%\FXSSVC.exe |
97 |
%System32%\alg.exe |
97 |
%System32%\dllhost.exe |
97 |
%System32%\ieetwcollector.exe |
97 |
%System32%\msdtc.exe |
97 |
%System32%\msiexec.exe |
97 |
%SystemRoot%\ehome\ehrecvr.exe |
97 |
%SystemRoot%\ehome\ehsched.exe |
97 |
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.log |
97 |
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log |
97 |
%SystemRoot%\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{33EC2C09-9668-4DE7-BCC0-EFC69D7355D7}.crmlog |
97 |
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log |
97 |
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log |
97 |
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat |
97 |
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat |
97 |
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat |
97 |
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock |
97 |
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat |
97 |
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock |
97 |
*See JSON for more IOCs
File Hashes
003197ab7aab0056ef0fbeb11dd4b6762216c3d27540ca4825f181fab330a832
01b59d7b8d9e128753e33b88705d6b0ee2be945fd4bd95c92c25fe160bcc2a28
01c2d4cecc87e39c6c08db505065e5ef9d4927fac599f0e1e752407e15c4e633
024c5d8975e9e34be65107327c05e119c8b595c954eadb25b07cbf55cbc898a9
032794dc64b0ac4b893561771732bd67ae0962f1f381c53bdef1be6a5155df3e
03d2208d010c08559d1625142d2efc90b48bd94cc19f33123b8b665e6e607b34
03d83413d2881f01a23c0794d66d0d29510ce12ccb66f1005ab64910cd4e7f07
03db00a2082925d5504e4d46eeab2dab8d9ef3a18c96eb9b8ab8717fd0ccbe8d
03f7b3af2bf5e87b1c975459f64756b7a79baa18d42d90f0e0cae4599d08fe90
043c30b9943b579599eb43e475c1d25ede670783c187700a3e7bbdb26bfeea63
04eb47a0bd5b0f3cc4eee02186545267cfed907b9eb9c496b771e95b48554060
058f0d75c3422806327c0a7d4834481e69b1e92b080aa260361c3702e5469e7b
0648fd62ac4c8b83f30aba65893b6b9598a7186a1ad55c39b4c7055d17702053
06bc99dec80527c04d4c623ab723f162d794c019b426a017d7ad41d83e055357
074729717198ab9a66bf4da155e5d4fdc5c430c60f344e64b7de97e57f344c4d
0763bb050181bab831d844067d18dc1492d0500a491664c3f9b90e19e6d2b781
08094e18e7913ca6c8eaf4cd94927fbd099c45c889cd65e4fd67ce2009c97725
095a0557fade67da6e340307af110014f915168df9b124a9fec1f197d52c4640
0a570f1ebd5fe52d306ce5a3b4bd19d399f2fcbe7002dff34a3d6bfff905e584
0b68ddbf260f48f30b24dd0f11e76572c5b10cf48abdb8f99de3d1d1c2e841de
0c37b22edd74cda6accb4f7a2325f149a78ccf5cb81af509714c202729815020
0c80ed840ae70061a0cc5ccd1f3c12832e3a51a5e937a5be3319c6fbbb47360e
0dbcd43911ae093ae0fb18adbe4488c7260e7dc8f4217241fd3ae5de7b795b9f
1022b2e11bd77dd96b27522ec5c889746c75c9a8eadf58e5396fa87da10e8331
10abdec91ee97c257bfe44b29232ea57a485d3d1cc72f8f706f3ed586910434b
*See JSON for more IOCs
Coverage
| Product |
Protection |
| Secure Endpoint |
|
| Cloudlock |
N/A
|
| CWS |
|
| Email Security |
|
| Network Security |
|
| Stealthwatch |
N/A
|
| Stealthwatch Cloud |
N/A
|
| Secure Malware Analytics |
|
| Umbrella |
N/A
|
| WSA |
|
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.Kuluoz-9957187-0
Indicators of Compromise
- IOCs collected from dynamic analysis of 15 samples
| Registry Keys |
Occurrences |
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'>
|
15 |
<HKCU>\SOFTWARE\FVXBJPWU
Value Name: vcariano
|
1 |
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: llqjxikf
|
1 |
<HKCU>\SOFTWARE\PWWTTVLV
Value Name: twekalil
|
1 |
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: xxdfmerx
|
1 |
<HKCU>\SOFTWARE\EWMGTFIM
Value Name: anxufehi
|
1 |
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: nqrwcsef
|
1 |
<HKCU>\SOFTWARE\WFPJGFQR
Value Name: vjiwxwuh
|
1 |
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: wddfjook
|
1 |
<HKCU>\SOFTWARE\DRBVCKTP
Value Name: lpeeclca
|
1 |
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: igudfpld
|
1 |
<HKCU>\SOFTWARE\TBTCBEWS
Value Name: qbdbpkdf
|
1 |
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ddgljbjp
|
1 |
<HKCU>\SOFTWARE\ATTOEKEN
Value Name: euvumrrn
|
1 |
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: kxadigun
|
1 |
<HKCU>\SOFTWARE\NWOLGMSD
Value Name: okhudfoo
|
1 |
<HKCU>\SOFTWARE\SXPMECNO
Value Name: vbuvphur
|
1 |
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: bshrfueu
|
1 |
<HKCU>\SOFTWARE\NAFNCVOV
Value Name: iatqgcgc
|
1 |
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: lnxhasuw
|
1 |
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: oxviaxao
|
1 |
<HKCU>\SOFTWARE\BPLLBGMG
Value Name: aqonboar
|
1 |
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: iurwprlq
|
1 |
<HKCU>\SOFTWARE\BEOHVVNC
Value Name: mujhuapl
|
1 |
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: qsmriksl
|
1 |
| Mutexes |
Occurrences |
aaAdministrator |
15 |
| IP Addresses contacted by malware. Does not indicate maliciousness |
Occurrences |
162[.]209[.]14[.]32 |
12 |
222[.]124[.]143[.]12 |
10 |
176[.]123[.]0[.]160 |
9 |
173[.]255[.]197[.]31 |
9 |
46[.]105[.]117[.]13 |
8 |
195[.]5[.]208[.]87 |
8 |
195[.]65[.]173[.]133 |
5 |
64[.]128[.]16[.]144 |
5 |
| Files and or directories created |
Occurrences |
%LOCALAPPDATA%\<random, matching '[a-z]{8}'>.exe |
15 |
File Hashes
060286b4d0f8a14abe1ef08c1b3298eedd6ca8d7136514cbd28a64a80e4e5dd3
0dd7adbeab2b75d5d1e9d00ac3f59ac9e67dd4a7e2ac763e2de683d368b9f7ef
150f82c49d0a42de8a82632bb18077078076e9ba378291e5654e6cf0b14fb351
2c00d6f49dcc5bafbd868cf5c3894ddb21aa2216c54bfe148a7b861723c47a65
34f0305175ea18e197c488b450535c0cd8db1eccebdd6ecb2a2996fc813f14e7
4f4ccbcab032d9c6b8c97b452027d976b6dca4dd3c4237b8a3532f3d11bebd64
6ac1fa955677a1012e17bb3f35acf922f50d1f8810e94939ba2074756948aeae
81ce4d06b1af27b542e809e4e9f8e188782d4d14edf2a2dc94d9c857fe0c0560
8ef2563081b7dfd5e6c7c5d502b06e0d4c9fdf405b0fddbd60aff47a688e3a68
933f42380d718778039317a56fea346fbca1b07353edf46a97692ca4a6e20ba6
c9d671789d74e64450c9f33c2bb45a3337ce40ba06eb5632471fe624e2872616
cbf0ec5ad28bc4c6d44057398b3232fd519229ead06b88260b7b2d50bd5d95ac
d178feddad4373a848f2fe9361b96ef7a907e1b1bd5127a5bb74926bb270d1a1
f22ba989587086403663558e7912a43b3a339f67ad42654b93c95e9120532de9
f3e21ed6c8cfc19a65076b58eddfe69683268b704649a47b513f5ef61368fe38
Coverage
| Product |
Protection |
| Secure Endpoint |
|
| Cloudlock |
N/A
|
| CWS |
|
| Email Security |
|
| Network Security |
N/A
|
| Stealthwatch |
N/A
|
| Stealthwatch Cloud |
N/A
|
| Secure Malware Analytics |
|
| Umbrella |
N/A
|
| WSA |
N/A |
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.DarkComet-9957280-1
Indicators of Compromise
- IOCs collected from dynamic analysis of 12 samples
| Registry Keys |
Occurrences |
<HKCU>\SOFTWARE\DC3_FEXEC
|
10 |
| Mutexes |
Occurrences |
DC_MUTEX-F75JL20 |
10 |
| Files and or directories created |
Occurrences |
%TEMP%\Crypted.exe |
12 |
File Hashes
0753d1475d7a3779684afe69f76ff81d7da01766fd34d85a23c1455008546108
0c7c5afce5165fd6be988f7aabe03abdbfdd8f0671dfe7f4b9fa73f243c9a9f1
238022cdf5b4fc75ecbb0db1654586b4686b43fcbabbcb17fec891879cdf3ba8
27bbe0f40ecf946a841f727101d707d57aadc31e4e5ca8699fe67aa61568c9b3
318eb4c14be4777bb921bbe44c1f7512d910c344fe4dbdfa373746cc7e767b1b
5631d5b53191510f47896a6fc0e9ba21e973cd35f25b21d26b984c1a46a7aca5
b45c2ab96c70d2beb2fda40032e1695324278c39918b0a8dfa3474a667c6312d
b8adaf25ff8faa4c00b08993080daad260a6ba124199c020deabc8e38e636a3f
c5469b740d9c2c7ffde2ea1e606fe044b87c4b21b4a502fdf63a7fd02aabc426
e36abaab1b6871ccb3ea2331168c7f04627f6861964b87b047241d79d56e664b
e5daaf2b2c3c03711c622d482e0274ff1d4dbe3909969992864f2ea73c77ea8a
ff107b513ffcf70490a9cef3e594bc15aba3c3f573e7b792d257f6e3188bf236
Coverage
| Product |
Protection |
| Secure Endpoint |
|
| Cloudlock |
N/A
|
| CWS |
|
| Email Security |
|
| Network Security |
N/A
|
| Stealthwatch |
N/A
|
| Stealthwatch Cloud |
N/A
|
| Secure Malware Analytics |
|
| Umbrella |
N/A
|
| WSA |
N/A
|
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Trojan.Sality-9957294-1
Indicators of Compromise
- IOCs collected from dynamic analysis of 23 samples
| Registry Keys |
Occurrences |
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: Hidden
|
23 |
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusOverride
|
23 |
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusDisableNotify
|
23 |
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallDisableNotify
|
23 |
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallOverride
|
23 |
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesDisableNotify
|
23 |
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UacDisableNotify
|
23 |
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\SVC
Value Name: AntiVirusOverride
|
23 |
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\SVC
Value Name: AntiVirusDisableNotify
|
23 |
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\SVC
Value Name: FirewallDisableNotify
|
23 |
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\SVC
Value Name: FirewallOverride
|
23 |
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\SVC
Value Name: UpdatesDisableNotify
|
23 |
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\SVC
Value Name: UacDisableNotify
|
23 |
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
|
23 |
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: EnableFirewall
|
23 |
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DoNotAllowExceptions
|
23 |
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DisableNotifications
|
23 |
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: C:\Windows\SysWOW64\msiexec.exe
|
23 |
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: C:\Windows\SysWOW64\svchost.exe
|
23 |
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
|
23 |
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
|
23 |
<HKCU>\SOFTWARE\AASPPAPMMXKVS\-993627007
Value Name: -757413758
|
21 |
<HKCU>\SOFTWARE\AASPPAPMMXKVS\-993627007
Value Name: 1011363011
|
21 |
<HKCU>\SOFTWARE\AASPPAPMMXKVS\-993627007
Value Name: -1514827516
|
21 |
<HKCU>\SOFTWARE\AASPPAPMMXKVS\-993627007
Value Name: 253949253
|
21 |
| Mutexes |
Occurrences |
uxJLpe1m |
23 |
smss.exeM_204_ |
15 |
<process name>.exeM_<pid>_ |
3 |
| IP Addresses contacted by malware. Does not indicate maliciousness |
Occurrences |
20[.]72[.]235[.]82 |
14 |
23[.]207[.]52[.]109 |
13 |
23[.]207[.]56[.]109 |
10 |
20[.]109[.]209[.]108 |
9 |
20[.]103[.]85[.]33 |
9 |
20[.]81[.]111[.]85 |
8 |
20[.]84[.]181[.]62 |
5 |
20[.]53[.]203[.]50 |
1 |
| Domain Names contacted by malware. Does not indicate maliciousness |
Occurrences |
support[.]microsoft[.]com |
23 |
updatewindows[.]net |
23 |
| Files and or directories created |
Occurrences |
\4091535952 |
23 |
%SystemRoot%\system.ini |
19 |
%ProgramData%\dxwaolen.exe |
1 |
%ProgramData%\dxfbqp.exe |
1 |
%ProgramData%\dxpxcwowo.exe |
1 |
%ProgramData%\dxdaph.exe |
1 |
%ProgramData%\dxiybfjm.exe |
1 |
%ProgramData%\dxuiyaear.exe |
1 |
%ProgramData%\dxrflamrh.exe |
1 |
%ProgramData%\dxiaolh.exe |
1 |
%ProgramData%\dxczvbx.exe |
1 |
%ProgramData%\dxezxtat.exe |
1 |
%ProgramData%\dxayaahen.exe |
1 |
%ProgramData%\dxvdovort.exe |
1 |
%ProgramData%\dxupnglb.exe |
1 |
%ProgramData%\dxzliuhie.exe |
1 |
%ProgramData%\dxvros.exe |
1 |
%ProgramData%\dxxakx.exe |
1 |
%ProgramData%\dxueoa.exe |
1 |
%ProgramData%\dxoupe.exe |
1 |
%ProgramData%\dxhbtsa.exe |
1 |
%ProgramData%\dxquorfdh.exe |
1 |
%ProgramData%\dxyjlzmr.exe |
1 |
%ProgramData%\dxwetlif.exe |
1 |
%ProgramData%\dxcmiazi.exe |
1 |
File Hashes
155b235838bb38a009d3959a22afeefe29990bf08b886d450d5523a1e8ef52e9
1ab9fcb9422511f11ce386dd89602256b4423cc13df20d8cae15cf74ac96899c
1ebee245aa20139a5c0d78869e42cb7700b2c746fe554000dc24fd6d79b2dc7a
37ef12da9294aa84a551a49705c9aaeffa3e440ac9183e670aaae18de6f0cee9
38690107fc5ab4fc661469ab6d179f6a8f98ffc6abeeae8e8fb879fa24c92818
3c73ee4a0a2a9d2f78dd95d11df24a3d27c3a14ff2e6f56e014f10d0832bb869
4888ce37000aa2d5029dcdf080efb7ccf3b4ba347ee24103df15a3cb9be4dc5b
4d9868767a8260a2c0f663eb424f491de8cc1706ade137c59ce84c9da5e15e50
541a54f29dbcd3412f244a16098acf87f466699a5832270e4d7d642b067c32a1
56ecf33836287e107f9bda8a3522fddf9cc699f6e291990ab66753d692ac92b2
605c9f1b05b0b47ed4e99a34a526adfed8eb56ce724815fd207708c94313883e
6e99fec151c58577d9360fd6f846a0e436907258ad24b0117be07ab438b89abb
79e56d2705ee36750de0b2b521777d73ea3fec9faca7ca78a39c06ac5e689b0a
7bd446737e62430c0ed764392c1573c8b3b81ac3c969a473a7cab9849302eff4
83f4e46b5dd1811bd62b184710cb206ab7ac5ae0a52a797745fe400cde4ed2f4
8a99d2f8e63dc8bdfe9c10be15e65a881e473afa45dc349ad8a9bf387cb90e91
8f618126cfbdd291e149f978420a885cbc31876de6771c78a32b60edf47225a6
9c447450d5f5767d268341ebd7fdf3e50b302bae87d7ea1ca7ffc45d81b271ac
aca2c69def78f145126fd8f2a9e88326ee74c80e59b704dd5a48a3de91effe94
c9216a18da434cd1d24b0e57e2f1236d3ebcd9d38d4b772153db4bb60a661b54
da3ee20e162f6ee44397e737ca1f7c3d371f41075414c959ddbdbb4d06dfbd94
e15c93bf9e1f8ad217103c0d9156cabc5a923ba3bf177b7cde178854a1efb243
f254301a5209750c391375336d9b93e19b45e557e0cd97a504df6b22d52facce
Coverage
| Product |
Protection |
| Secure Endpoint |
|
| Cloudlock |
N/A
|
| CWS |
|
| Email Security |
|
| Network Security |
|
| Stealthwatch |
N/A
|
| Stealthwatch Cloud |
N/A
|
| Secure Malware Analytics |
|
| Umbrella |
N/A
|
| WSA |
N/A
|
Screenshots of Detection
Posts
Subscribe via Email
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.