Friday, August 26, 2022

Threat Roundup for August 19 to August 26


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 19 and Aug. 26. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting: spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name (Type): Description

Win.Virus.Ramnit-9964077-0 (Virus): Ramnit is a banking trojan that monitors web browser activity on an infected machine and collects login information from financial websites. It also steals browser cookies and attempts to hide from popular antivirus software.

Win.Virus.Xpiro-9964080-1 (Virus): Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.

Win.Dropper.Cerber-9964300-0 (Dropper): Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension ".cerber," although in more recent campaigns, other file extensions are used.

Win.Worm.Kuluoz-9964104-0 (Worm): Kuluoz, sometimes known as "Asprox," is a modular remote access trojan that is also known to download and execute follow-on malware, such as fake antivirus software. Kuluoz is often delivered via spam emails pretending to be shipment delivery notifications or flight booking confirmations.

Win.Dropper.HawkEye-9964231-0 (Dropper): HawkEye is an information-stealing malware that specifically targets usernames and passwords stored by web browsers and mail clients on an infected machine. It is commonly spread via email and can propagate through removable media.

Win.Dropper.Formbook-9964246-0 (Dropper): Formbook is an information stealer that attempts to collect sensitive information from an infected machine by logging keystrokes, stealing saved web browser credentials, and monitoring information copied to the clipboard.

Win.Dropper.Remcos-9964868-1 (Dropper): Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam and capture screenshots. This malware is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.

Win.Dropper.XtremeRAT-9964479-0 (Dropper): XtremeRAT is a remote access trojan active since 2010 that allows the attacker to eavesdrop on users and modify the running system. The source code for XtremeRAT, written in Delphi, was leaked online and has since been used by similar RATs.

Win.Packed.Shiz-9964480-0 (Packed): Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information. It is commonly spread via droppers or by visiting a malicious site.

Threat Breakdown

Win.Virus.Ramnit-9964077-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 18 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusOverride
18
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusDisableNotify
18
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallDisableNotify
18
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallOverride
18
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesDisableNotify
18
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UacDisableNotify
18
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: EnableFirewall
18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DoNotAllowExceptions
18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DisableNotifications
18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start
18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start
18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: Start
18
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION
Value Name: jfghdug_ooetvtgk
18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV
Value Name: Start
18
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Defender
18
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: Userinit
18
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: Userinit
18
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: JudCsgdy
18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND 1
Mutexes Occurrences
{7930D12C-1D38-EB63-89CF-4C8161B79ED4} 18
{79345B6A-421F-2958-EA08-07396ADB9E27} 17
{7930D12D-1D38-EB63-89CF-4C8161B79ED4} 16
{7930CC18-1D38-EB63-89CF-4C8161B79ED4} 16
{7930DB19-1D38-EB63-89CF-4C8161B79ED4} 16
{<random GUID>} 16
IP Addresses contacted by malware (does not indicate maliciousness) Occurrences
46[.]165[.]254[.]201 18
72[.]26[.]218[.]70 18
195[.]201[.]179[.]207 18
208[.]100[.]26[.]245 18
206[.]191[.]152[.]58 18
142[.]250[.]72[.]110 18
64[.]225[.]91[.]73 18
Domain Names contacted by malware (does not indicate maliciousness) Occurrences
google[.]com 18
testetst[.]ru 18
iihsmkek[.]com 18
mtsoexdphaqliva[.]com 18
uulwwmawqjujuuprpp[.]com 18
twuybywnrlqcf[.]com 18
wcqqjiixqutt[.]com 18
ubgjsqkad[.]com 18
tlmmcvqvearpxq[.]com 18
flkheyxtcedehipox[.]com 18
edirhtuawurxlobk[.]com 18
tfjcwlxcjoviuvtr[.]com 18
Files and/or directories created Occurrences
%LOCALAPPDATA%\bolpidti 18
%LOCALAPPDATA%\bolpidti\judcsgdy.exe 18
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\judcsgdy.exe 18
%TEMP%\squhapjc.exe 16
%TEMP%\aacwxnxw.exe 16
%ProgramData%\qvqdlyny.log 16
%LOCALAPPDATA%\yjghhxdl.log 16
%LOCALAPPDATA%\aanqrsjf.log 14
\TEMP\tFXd2E8YU 1
%LOCALAPPDATA%\bolpidti\pxBC6E.tmp 1
\TEMP\5ETGN6snq 1
\TEMP\zYyccBVe 1
%LOCALAPPDATA%\bolpidti\pxBE23.tmp 1
%LOCALAPPDATA%\bolpidti\pxACA6.tmp 1
%LOCALAPPDATA%\bolpidti\pxB5DA.tmp 1
\TEMP\cjTnE8Jr 1
\TEMP\o2gKdKfQ 1
\TEMP\o192e68 1
\TEMP\QYnhH23 1
\TEMP\lgxG4A4 1
\TEMP\YWj2Vj1 1
\TEMP\5nPK0vwsR 1
%LOCALAPPDATA%\bolpidti\pxBDC6.tmp 1
%LOCALAPPDATA%\bolpidti\pxB676.tmp 1
%LOCALAPPDATA%\bolpidti\pxB53E.tmp 1
*See JSON for more IOCs

File Hashes

16b156359492fd1c04ca8024be9520ed9b2f2c1c3a9d2d72177b74e53c5f7237 1837b9072548d7fd6ccff6dff1c9f6261df6ab977c06aef95b328bcbcde8f24d 1a74c2f06d531a5947ea3fa980fb9e08dd4ef2938cd53215b1fb04403160632d 1b85483edb2968b8303b3a3edeb69776cc237bfb2e844862315aad399a1fbb60 3cf846acf89647d5eec22871e3b8d36fb2e6a1e24b609cc140fb4d32b3627a89 3ea014d13ab9de10c12705d951d36001fade2375373992d09f04a13991abdda6 650b142204d54fb6be3adc953325be09df8e8472f6e75bf89bd96fac0604df07 705e36bc25534e3496cf040179df7965df62f4f8d20d2296af65ed2c7765ad08 7d34aa04431ca6d29ae750551d62303521f50e7302e508b8c3a68c2501cedbc7 7dcf9ef1156ebc96cd7f33fa65da1aa3ee6c4e40d98f396ef4f997384324debd 9ad3fe646a2e70461cbd0c6b5baf6e6aa86780bfec67324dc37cc71abc16dc6d 9f42d128eadd1933ef6f05b58612799009a028830d9e62a384565616fca5d6a3 c963abb11b88bd5d2b451b6a73e2e853ce7777ff07a5a481d1c6d195f5d6bf34 d9799be6fc5a08a58f2da15d8ce3550fb462ccb97b6e932d1531ffdbc4af28c7 d9cbec3c2d30347d5781f4f656e0775eda33ae905092bc1673a8d68aeb9f643a ecc77e015461dc1d4f9760ae11faa17ed9a46916a15c958cd2fd888b9d18441a f1e64265f0a305cba4442afeb8014c726b93c5065b92cbe997ebe02ff38f4092 fd2ee83c36b70791828d0143ad3737d917edaaf909f72499f6709615391e3700

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection
Secure Endpoint (detection screenshot)
Secure Malware Analytics (detection screenshot)
MITRE ATT&CK (technique heat map image)

Win.Virus.Xpiro-9964080-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WISP\PEN\SYSEVENTPARAMETERS
Value Name: RightMaskEnable
25
<HKCU>\SOFTWARE\MICROSOFT\WISP\PEN\SYSEVENTPARAMETERS
Value Name: ShakeEnable
25
<HKCU>\SOFTWARE\MICROSOFT\WISP\PEN\PERSIST\0\1
Value Name: HidCursorName
25
<HKCU>\SOFTWARE\MICROSOFT\WISP\PEN\PERSIST\0
Value Name: type
25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\TABLET PC
Value Name: Ident
25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\TABLET PC\CACHE
Value Name: HPITP
25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\TABLET PC\CACHE
Value Name: HPETP
25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\TABLET PC
Value Name: IsTabletPC
25
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\TABLET PC
Value Name: IsTabletPC
25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\TABLET PC
Value Name: DeviceKind
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TABLETINPUTSERVICE
Value Name: Start
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TABLETINPUTSERVICE\TRIGGERINFO\0
Value Name: Type
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TABLETINPUTSERVICE\TRIGGERINFO\0
Value Name: Action
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TABLETINPUTSERVICE\TRIGGERINFO\0
Value Name: Guid
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TABLETINPUTSERVICE\TRIGGERINFO\0
Value Name: Data0
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TABLETINPUTSERVICE\TRIGGERINFO\0
Value Name: DataType0
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TABLETINPUTSERVICE\TRIGGERINFO\0
Value Name: Data1
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TABLETINPUTSERVICE\TRIGGERINFO\0
Value Name: DataType1
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TABLETINPUTSERVICE\TRIGGERINFO\0
Value Name: Data2
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TABLETINPUTSERVICE\TRIGGERINFO\0
Value Name: DataType2
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TABLETINPUTSERVICE\TRIGGERINFO\0
Value Name: Data3
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TABLETINPUTSERVICE\TRIGGERINFO\0
Value Name: DataType3
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start
25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: HideSCAHealth
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV
Value Name: Start
25
Mutexes Occurrences
kkq-vx_mtx63 25
kkq-vx_mtx64 25
kkq-vx_mtx65 25
kkq-vx_mtx66 25
kkq-vx_mtx67 25
kkq-vx_mtx68 25
kkq-vx_mtx69 25
kkq-vx_mtx70 25
kkq-vx_mtx71 25
kkq-vx_mtx72 25
kkq-vx_mtx73 25
kkq-vx_mtx74 25
kkq-vx_mtx75 25
kkq-vx_mtx76 25
kkq-vx_mtx77 25
kkq-vx_mtx78 25
kkq-vx_mtx79 25
kkq-vx_mtx80 25
kkq-vx_mtx81 25
kkq-vx_mtx82 25
kkq-vx_mtx83 25
kkq-vx_mtx84 25
kkq-vx_mtx85 25
kkq-vx_mtx86 25
kkq-vx_mtx87 25
*See JSON for more IOCs
Files and/or directories created Occurrences
%CommonProgramFiles%\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE 25
%CommonProgramFiles(x86)%\microsoft shared\Source Engine\OSE.EXE 25
%ProgramFiles(x86)%\Microsoft Office\Office14\GROOVE.EXE 25
%ProgramFiles(x86)%\Mozilla Maintenance Service\maintenanceservice.exe 25
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe 25
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe 25
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe 25
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 25
%System32%\alg.exe 25
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.log 25
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log 25
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log 25
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log 25
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat 25
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat 25
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat 25
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock 25
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat 25
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock 25
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat 25
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat 25
%SystemRoot%\Microsoft.NET\ngenservice_pri1_lock.dat 25
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat 25
%LOCALAPPDATA%\Microsoft\Journal 25
%LOCALAPPDATA%\Microsoft\Journal\Cache 25
*See JSON for more IOCs

File Hashes

0070146a1ddd5e7afa882029c836662a3fb7b83f2c838d1d89caf36ceaa73a47 00b9049e01ce60ee17e973f88fc730db18f2354b24a991cac09045cf697ffcf2 016023a53be6ce6624efe73b85c47c87d1e11ba8593009e261361addc6b5229e 048729edafbebec1b073db5db75450793fdd7e424dff0f851ad7500637b18bb3 087ef762c54b247a6fe8c1780073c934a4109a19dea80daefeec3bc98ca184ba 0b903e0f08dd1d929b6465e79971af4270fd7adb95e3271f442e4f6c2b6c01cf 0e40ef742a696da27514cf05055133991293a0e7d451ccc6d96ec93c0e864518 0e5e93e845310617138227cb8a453da259c23edcc9a8059fac49da8e947887a5 158627899237148353fefd8771d26c622b873d6177960e2efe00355179fb4926 1a4a30778ce717e13e02870993244eea6614a74a47bd0c5b01a8d839c670ef3c 1b56d9fe2ff011d5fad562c8e8da9dcb15a8f417619e5f506772acb6d53b3814 1b6494daf80b3f3afa22ffb43976d529383b9c3e0e2a337fa03234c784ce68a6 1e955e41ac1707547188639c3e0d8dcf46c0a05880041076eafb967a5cb2e6ca 1f48b7aaccb5c9c37c9a5322aecde23cec77a378e20db829c3ea8888c153bdc2 1f89fcbb17f91bee3821e3ae7ad9b8c2f2427ecb7e11b2af366713111c5f4a9f 21a7485afe868ce040664494eb3adbefd2f88eaed2fbf168feac2ec1eb2fa213 28e949123a4493bc7276085d3387c5f8aa761087087b9488782543b41c47cf7f 2bb191ac9f42eeb32f06ed94083221c5abb6b894f0bffe17355e125773a85f7f 2d5faf0c2fce5f825fa278dea2aef683d928326d30e976aa8d85bd3d1a3bf947 30408f887ac16f3a1b11b1ba075c5c6aa6a8fd34dc3059ecb611dcd80245b70a 341507c416c481481ced2ca2b4739e58a23882bcf8d3a48b193e4983743db45f 347b1f4517869f1574065c2867ed410a6a8c5bac063b8551133769890f16305e 3bbbe0a4c6cf2f6a1a57c7b31adc6abff0bd39e9b4ead44ec93558f03e5aa9dc 3bcdda17309cd36926504ad0300da1226ba126413c25aaabed729d889e293deb 3c35ed8b6f46dec8e7386f380ea3f0530fb592e50f0a66486a5c1d1390441f2c
*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection
Secure Endpoint (detection screenshot)
Secure Malware Analytics (detection screenshot)
MITRE ATT&CK (technique heat map image)

Win.Dropper.Cerber-9964300-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Mutexes Occurrences
shell.{381828AA-8B28-3374-1B67-35680555C5EF} 25
IP Addresses contacted by malware (does not indicate maliciousness) Occurrences
31[.]184[.]234[.]0/23 25
Files and/or directories created Occurrences
%APPDATA%\Microsoft\Access\AccessCache.accdb 1
%APPDATA%\Microsoft\Access\# HELP DECRYPT #.html 1
%APPDATA%\Microsoft\Access\# HELP DECRYPT #.txt 1
%APPDATA%\Microsoft\Access\# HELP DECRYPT #.url 1
%HOMEPATH%\Documents\Outlook Files\# HELP DECRYPT #.html 1
%HOMEPATH%\Documents\Outlook Files\# HELP DECRYPT #.txt 1
%HOMEPATH%\Documents\Outlook Files\# HELP DECRYPT #.url 1
%HOMEPATH%\Documents\OneNote Notebooks\Notes\# HELP DECRYPT #.html 1
%HOMEPATH%\Documents\OneNote Notebooks\Notes\# HELP DECRYPT #.txt 1
%HOMEPATH%\Documents\OneNote Notebooks\Notes\# HELP DECRYPT #.url 1
%HOMEPATH%\Documents\# HELP DECRYPT #.html 1
%HOMEPATH%\Documents\# HELP DECRYPT #.txt 1
%HOMEPATH%\Documents\# HELP DECRYPT #.url 1
%HOMEPATH%\Documents\OneNote Notebooks\Personal\# HELP DECRYPT #.html 1

File Hashes

1d742c8577645242811867311339af6291f2ec45f74bc8065a1cf167a140a5fd 241a8a73608aae3d0b55451290c7e3d46ff6b53d7cfad628ddc43892fb4ee89f 32cafa5a0a63f137fda8532c81a4825895a71b4bd5192ef77ee46b4f5f6f55c9 3f066735d5b3e9e1d145865b805dad9f17c7569e86a2fd0dadfd82fa3f2494b5 46df3cbdc0c960cc03467797f2a8f4000de6f3860ddd87a93f0db4bc04bf3dc9 5145e134c5c488fac15c3772747505246139842d64e995a20aa343e87d05805a 529c0ad1eba89641544fe5eb534b717fdb0a21e36db94874cdc7720b3e58170d 65fb6bf40643b54875192d5964ead478b867784c09708c9be583a06d820462e8 6a380578e8f27a835c45af896c8292c173ccf10819eadb160d8fd1ec9301ae61 6bd30bfa9ee3dcf045298887cb839ccf7ebd19950a4a1798bb15c9c2bcd89df6 715e19ce015fb13ad5b0bd5aa520b7a9fdb52c15a58b78da79db3c74cdccee83 74a423f877c5f0819116f6f93870658bac4ac7de6048e68d5f1cb98df9c77992 7781696924168577eb1045874ac6a259617184cd2bdf429fd032efd63254016d 7eecc13411c597f5e2fa68c77ae65943ae99c0eb6bb76e527a9711ffff73d505 832487a8c89c32e86036b1c94353117ab0ca7a4276a9f4c08b29c96c447247fa 89ec20a6130f663160015755f0c1b4f1698812e3f0e39d3e7094950c3644bca4 8ab03a0c900cc88a57e9474d3ced6b4f43be422750f5afc8a08ff6cdb801930b 936d99a0dc23922d4e5874f1548114fe8f2170016f29d9b91858796a1b2ab095 96671b8ca3f8cf75427a23de8ddde2513efd4f1eba5afa2b18610c66548d0b55 988a44db0411379ea08fece4af0577d3af7ed5114dcbd897a03ec46474fafa81 a162009fa564f3c20b801568ab82dd34b53655473c6e379272e3dfd766fe2c02 a3004d7f08a9357c5d0a9e063dafd5f4c627fce7b030a575b6959f0f5f7c9ff1 b2f4ef1398ae23fabaa137be5f8f7f5412b1b8f74f902d23de5e0a87ef5a3867 bcc77c2e25a5ceee5fd7023dd879baa53a16ce0f4b3187a90a5eb22cf46631af df5d03a2ca58bb71c44a8b23191c7d3e24327e806509dfcccad1cd63729dc445
*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection
Secure Endpoint (detection screenshot)
Secure Malware Analytics (detection screenshot)
MITRE ATT&CK (technique heat map image)

Win.Worm.Kuluoz-9964104-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'> 26
<HKCU>\SOFTWARE\TKQJXHIR
Value Name: nnagtvkf
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: iemwudbv
2
<HKCU>\SOFTWARE\PKBQSDOK
Value Name: wfiqbttr
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: deiobboq
2
<HKCU>\SOFTWARE\TEFAPJXX
Value Name: hjlkqasv
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: nmvftwdp
2
<HKCU>\SOFTWARE\ROHCSWFU
Value Name: ivxesusr
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: rskaarvw
1
<HKCU>\SOFTWARE\ONFHUPBQ
Value Name: qrlpghvv
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: dwxwetxw
1
<HKCU>\SOFTWARE\JUNLDJNI
Value Name: paxvvuef
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: buwqaweo
1
<HKCU>\SOFTWARE\QPANUOIR
Value Name: mmvjkbpj
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: lawgdaar
1
<HKCU>\SOFTWARE\IDIFICQU
Value Name: uqiuudaf
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: uaugufwr
1
<HKCU>\SOFTWARE\EPCSQSNO
Value Name: sdkgxoqv
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: nojriosh
1
<HKCU>\SOFTWARE\IIBPNATQ
Value Name: qbmgekoa
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: tabswxsd
1
<HKCU>\SOFTWARE\CHUFRWHS
Value Name: nhmwllub
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: kawalexr
1
<HKCU>\SOFTWARE\QDCTDCFM
Value Name: ietjtgir
1
<HKCU>\SOFTWARE\JUOBFMWV
Value Name: ucngtfoi
1
Mutexes Occurrences
2GVWNQJz1 26
IP Addresses contacted by malware (does not indicate maliciousness) Occurrences
91[.]196[.]126[.]16 21
88[.]198[.]25[.]17 20
173[.]203[.]113[.]44 19
178[.]33[.]162[.]8 18
176[.]31[.]106[.]226 18
74[.]50[.]60[.]116 18
198[.]24[.]142[.]66 17
Files and/or directories created Occurrences
%LOCALAPPDATA%\<random, matching '[a-z]{8}'>.exe 26

File Hashes

0828aee088e7c191c463dac5a2449474da1b106da5e12b6335f61d2dd3ae320e 0ddf461f926f814d19696d3851f3673c10d69a15fa2d7cfac9552c3af9460c66 12b274776143da76ceea8cfc1b8219535bca09dea1ea6059a48e74dd6a78e80d 160999be2e3f124a106ced958bce6b6f94fbc3645895aa0129e4dedb443011d7 21245351ac8d14c31552d46c0f8ceec6d576a1abae0ab3d5131e25e9e8fefe32 23fec3f833e9a7ee790ea9cad1b205ade2036466282654b2e53f23516553b775 24e1fb11b1c63caf42bc0a9d8df57cb1c84ccb11415f01c56de128d6ceb2ea4e 2bf5a6f99c57bcaddd28a0a8dad595686b9a660843cd4037575d4abb82af8f69 32a01832f4de0f17e438fed6be9f155d9fd30056133681c7474f0114a1731a9b 35a4fe74474b4f7e7f9c777d063097e36a16f509bc3afb9579779c0504b73af4 3a3fae86a4e14a7d50b6c5bc5d78dc12745fa53d240df641e1fc311449368c85 3da619fa973717201422faf7329016a266b27b89f8a39416cac203f75f32259a 405d7737a27f0798b16f85939c3eacfcbe9e5305b4c621dd20bcaffbe994d88f 413f4fcae50cdad66f08e0e3ae083e60e18e54f890492fcd0241deb9dfe81b81 44d0507ee9143aa548ae8a03171b27633f4226abbad172a0456194a2ef2eb507 44d1449c19d3f79a3fe21e2ab9d333a1bea4156565a3106fc2203ccefa869a9b 4979dce8592c0d16bdc6228b9741ef6c315e3bb1ff34de14271fb3499cd0f139 4b7891ed58a08b45b576282afd74fe835845cd4be8c5aab467ad09136e87ec8e 4bc8eb3d2e72a44384b3d824b33a971ace9eae20998dfe8bdd2ab9b9267b5b43 4c6528d000e07485c69f1c32a95967a454fd20864a4ad2c062160d99987822ef 50c108f9fc31557d55216dfe28b9eeac15fe5f1175a089ff196e1129d6ddf593 5730f9ce8c84e6f1c153c247146ac1590fd989a73cdc9dce9d67594b33caf354 5a45837812962153f5d480918eab77093394dd41c45c610ffd142461ab433668 5e37715cc8a5d1b6c5bed437eea25da495285bb1386cf2aef2b5484fd6c30e69 5ee4adead518246dc926545a0d28e1a488f04d530c49591cc788a8e2b360ad89
*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection
Secure Endpoint (detection screenshot)
Secure Malware Analytics (detection screenshot)
MITRE ATT&CK (technique heat map image)

Win.Dropper.HawkEye-9964231-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Audiodgi
11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: DisableRegistryTools
1
<HKCU>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SYSTEM
Value Name: DisableCMD
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM 1
<HKCU>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SYSTEM 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: wsntcffy
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: nvidia
1
Mutexes Occurrences
<random, matching [a-zA-Z0-9]{5,9}> 25
Global\2ef47fa0-2008-11ed-9660-001517841a07 1
Global\30820541-2008-11ed-9660-001517841a07 1
IP Addresses contacted by malware (does not indicate maliciousness) Occurrences
178[.]62[.]9[.]171 8
185[.]53[.]177[.]51 8
172[.]253[.]62[.]108/31 5
178[.]217[.]187[.]144/31 3
217[.]69[.]139[.]160 2
123[.]126[.]97[.]113 2
103[.]224[.]182[.]246 1
178[.]217[.]186[.]170 1
178[.]217[.]187[.]103 1
Domain Names contacted by malware (does not indicate maliciousness) Occurrences
myip[.]ru 8
resolveme[.]org 8
www[.]myip[.]ru 8
smtp[.]gmail[.]com 5
smtp[.]mail[.]ru 2
smtp[.]163[.]com 2
bobbyjoeconfirmed[.]biz 2
pradaengaged[.]serveftp[.]com 1
xtradaniels[.]no-ip[.]biz 1
funtalk[.]info 1
moneymakingmachines[.]in 1
Files and/or directories created Occurrences
%APPDATA%\_backups 25
%TEMP%\logff.txt 16
%TEMP%\logmail.txt 16
%APPDATA%\AudioSettings 12
%APPDATA%\AudioSettings\Audiodgi.exe 9
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Audiodgi.exe 8
%APPDATA%\Audiodgi.exe 2
%TEMP%\mRef.vbs 1
%APPDATA%\21bc764836db3d1ea78f465895072d4b.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\wsntcffy.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\nvidia.exe 1

File Hashes

03766a0f7239053205ddf362d05c9714374468c47b7978c5f180d4346ad8dd75 04d8e6413d217a3b8667284be0d3f1fc586a12ccb29f03f798b48e92c2ba2a6a 051c2a84fd29361d952dc213ebaa39da5dadfa41927b9424e8960e79556ff91d 08c9702801db0785656c59c1d180a3a026ece467bf674aeaf9329611ae442306 13c0b67b1985e5e8292200b4c340090d5cc9ef1885a1f891b00f6f08a33c45da 1506c249e7b6fc69f4c1ec396ccc692de2c8546685f6aed55e5bcf33849255ab 1bea6b0a9773065b3ef5ed3ce7c3ad5a2b495406a539b4dccb3c1e32073961e4 1cbf4d46e6d149b1f97de0013aea8bda5b2f4535a1b5fca4ca8739e88f95a4ba 22f80ae2cad2fd2aa7a7cb0565721804cd24c72e2eeaeb2783ef70f81b99e843 2a2b148519552d60b9c62b888f0d9ee578113f5ce58256d8471913dfb5a32578 2eed91ed6b2132227ac6b4889bbe8d355af50741cf8cef18cbed1e4395c8c42d 370ce2f768b84e42a2c56e597fe7a2d86799a7715e683e59fc4beb826a69ba6c 3d6425c514e23ca7982ab26f5b2f1ca29abada5b15e19826611be2610be094bc 4294385e9d05112594442aa9b7dcbc37a39a1324301c5e80e8d2549ba984b537 46324728750feb25ce7ce3f933aed27cb0daf27731205b0e05dbbba4923faf36 47122b45356ff2c4f0edfa9048cb93f11c277b05287ae178436083a255719d1f 4be4967316c1b328c834cc67659c4d441a94d5625be466a0010138f90d7a0279 4e382da874ae16b2ba6b98b3398db36bd3c6623d0708f4d10571dc15baac1c65 52d93afc8cb34ee03f9fbf9c38a519573f78bf3e05ab428ae33efc84aa48b419 5887043c8072209c8a0060620a6161446aae16c9b47f71ad6f26e77bdc448ecc 5f3dd03b1c9156a7adf1926b4aacc9e799aa18b3e28eefe9be5e2f19229a0544 606bc0f3eb81ef1f352adfad845122dac3d67294bc5218aead9c9d43ab771133 654ad2f7e51da105511c1963e47206a7cbd45d50d9637f1411c0a31a4639e342 67c0c1048e1a354c6bc71745f552d7c2e51311ae6983cddce72526c4e0da3022 6942e3afa79edc13dcfd9a3d7142b960bf4b13618b1918dab731ba7dadb0eaa4
*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection
Secure Endpoint (detection screenshot)
Secure Malware Analytics (detection screenshot)
MITRE ATT&CK (technique heat map image)

Win.Dropper.Formbook-9964246-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 18 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList
11
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\INTELLIFORMS\STORAGE2 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Ejetkygbp
1
Mutexes Occurrences
8-3503835SZBFHHZ 1
862Q-UTS0E2J0FF1 1
IP Addresses contacted by malware (does not indicate maliciousness) Occurrences
13[.]107[.]42[.]12/31 4
172[.]64[.]149[.]82 4
104[.]18[.]38[.]174 3
162[.]159[.]136[.]232 1
20[.]190[.]154[.]18 1
52[.]95[.]165[.]126 1
Domain Names contacted by malware (does not indicate maliciousness) Occurrences
onedrive[.]live[.]com 11
cacerts[.]digicert[.]com 7
login[.]live[.]com 1
discord[.]com 1
www[.]samtaxitours[.]com 1
dioefa[.]ph[.]files[.]1drv[.]com 1
patronkingoopsalmghandnaiojamexicoquadaras[.]s3[.]sa-east-1[.]amazonaws[.]com 1
vuladq[.]am[.]files[.]1drv[.]com 1
dimk5w[.]ph[.]files[.]1drv[.]com 1
njie9a[.]am[.]files[.]1drv[.]com 1
ibjoxq[.]dm[.]files[.]1drv[.]com 1
zlpuma[.]bn[.]files[.]1drv[.]com 1
rqy3zg[.]db[.]files[.]1drv[.]com 1
Files and/or directories created Occurrences
%APPDATA%\862Q-UTS 1
%APPDATA%\862Q-UTS\862log.ini 1
%APPDATA%\862Q-UTS\862logrc.ini 1
%APPDATA%\862Q-UTS\862logri.ini 1
%PUBLIC%\Libraries\Ejetkygbp.exe 1
%PUBLIC%\Libraries\pbgyktejE.url 1

File Hashes

0f972ec1fd4fb660cc86ed459c5a793a134451d479154b00a2d4a1a360d44e42 13e91b5a246dc5f98cc413508e78136fd38c9f2e9151c65a96f509b2d82ddf46 13f7ce642c44202a089400e9b33db0ed02f824b5291ed4b5da3d080ecc40589f 14ce5ef3e6e3d3354150ae58fd4e9938bcb747c5e4190bd5f793043355e009e4 5a377c52fb8f4bbce7272f13d3f6ac8c36ce7a6f51561ed0a79cca6b8facf23e 5fb5546859ff3e2a9d75d37a208f43449f254442f67a2da49b60cfd169abdc44 6555c0d7b9acbff665b84aec9164dd1cf01740a10e735791f25c28a5da830740 6c232920b9bb1f2c3bf71124f93f06f49fdf41c3bae35237f7b031bebba14cc5 b4175a0744b29d7aecf1245dfb253e6417f839d2eeb2ef90b8ed222e1387aa1e c2062d2d3ac3815d7a050a1bfb261c98581e7398f8b0c7ca670d7ddb328611d2 c6628dd39b388886cc7867d66b7a133f61b666421ad489bb0bddaf5c856ce841 cac68bb4b0df3a7078d4c66d810a0d8f8863afd22722cd3dd0788af291dd1853 cdcf2ed4c36ebd0856e7663921d67c31e51ad8a6cbb5c5cdd401d30812e25a62 d332fa69a36ac7e14d35c336a609a04f74e8da6c51b6ad6286f23ad5f2837cd8 dc31d2ad84fda1d9af2e623493e1e4f5dcfc8aa3abd55c6d58d1eae807cb56d8 e62a70218462e892bcf89e851549e6a4f75131d52d57734bc642332141169aa9 eda74534f0c37003022c0003d4b4c3262016d486d919298a323164eae4f0925a ee2ced66adeccfe45722c49efd8b99fd032d0426ff74cd10fc1e182521431404

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection
Secure Endpoint (detection screenshot)
Secure Malware Analytics (detection screenshot)
MITRE ATT&CK (technique heat map image)

Win.Dropper.Remcos-9964868-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 14 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\REMCOS_VOXCYIGINC 14
<HKCU>\SOFTWARE\REMCOS_VOXCYIGINC
Value Name: EXEpath
14
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList
12
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @explorer.exe,-7001
12
Mutexes Occurrences
Remcos_Mutex_Inj 14
remcos_voxcyiginc 14
Domain Names contacted by malware (does not indicate maliciousness) Occurrences
urchamadi[.]ddns[.]net 14
Files and/or directories created Occurrences
%APPDATA%\remcos 14
%APPDATA%\remcos\logs.dat 14
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\windows.vbe 14
%APPDATA%\windows.exe 14

File Hashes

027f1a3e4c10fcf167c4df0451862b388e934e0ec1ee0f799f5113d830566415 280e9283aa6b2a3f5237de7c01d2ae8abaa9ba4e54655e3f367e889407f259ec 47dc41e8614cfa6f3e7fcd6d718321db4c9306146a176632aa124b345d530611 56f3edac172934d7ceea861ecffc2a727241deb5e939d1b69c5220c7333bef8c 616b57cac5aa00dfb8030f79094d170bad2b6a082bb963594cfc29397cce8b5d 83ab1ddbc24e145b0e170e8af46f3fc5fd4f6e1f571abac0aed6992c5d136071 af24dd23d021d1e43844af9cb31ba7f552377c7a7e49d536abbf2a6ecf1b54a2 b203e1e8f2083c7edf540cb91c424915bed88565dcaac579ffba224d4d76c714 b2516e86182da64f80fbf82cf84a6bcfcd37547cea16d1ff07a75c866fd4d36f d1e35f8e65cd1da6f33177604901c8d6b1a77cf7ee0735aa0b072f492e3f2194 de62cfc82da844304fb94bef7151808d025b183c5df68c77dfad9a035dd41690 e30895e1d44a156b336bfc8a685d5d2176341cb24620f51b5732f60ab64167f5 f127a27a300ecd23bc6115577884521a30884d67251df39fcbdecb63aaba3523 ff307f7c3f5c00ba357b696914a2772ddd656fa29c501eda006b7bbb91440607

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection
Secure Endpoint (detection screenshot)
Secure Malware Analytics (detection screenshot)
MITRE ATT&CK (technique heat map image)

Win.Dropper.XtremeRAT-9964479-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 15 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED Value Name: EnableBalloonTips 15
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM Value Name: EnableLUA 12
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER Value Name: UACDisableNotify 12
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 10
<HKCU>\ENVIRONMENT Value Name: ProgramData 8
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: explorer 6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE Value Name: explorer 6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN Value Name: explorer 6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM Value Name: DisableTaskMgr 5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM Value Name: DisableRegistryTools 5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM 5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: services 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE Value Name: services 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN Value Name: services 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: spoolsv 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE Value Name: spoolsv 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: atiedxx 1
<HKCU>\SOFTWARE\MICROSOFT\FEEFA 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE Value Name: atiedxx 1
<HKCU>\SOFTWARE\MICROSOFT\OPKYIF 1
<HKCU>\SOFTWARE\MICROSOFT Value Name: zupi.exe 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN Value Name: atiedxx 1
<HKCU>\SOFTWARE\MICROSOFT Value Name: uwhuevat.exe 1
<HKCU>\SOFTWARE\MICROSOFT\FEEFA Value Name: Yrivxya 1
<HKCU>\SOFTWARE\MICROSOFT\OPKYIF Value Name: Otmabyek 1
Mutexes Occurrences
6nkxLO02qtXYL2vjf6Q3Ld1BXvM8Xk 4
Local\{E79956D8-8C6C-29D3-F3B6-46F6B67AA745} 3
Local\{E79956DA-8C6E-29D3-F3B6-46F6B67AA745} 3
Local\{E79956DB-8C6F-29D3-F3B6-46F6B67AA745} 3
GLOBAL\{<random GUID>} 3
qYLS3Rl0xK7U0fJaaFHI9gyEU4OQEO 2
JbdhwlrcWDpyZ78nPglBqnLY8exSoG 2
hbOblX81rgTLtJRBvLX2JB0nKVPZRh 1
BRMVTk3lQ1Jq0Oqd4zcgHKYq4NnaR9 1
f5SUSZmQlEOC00yG9p1Ivna3rOzI0e 1
akRIZKudnSn2WvMCpN5alLvywbcRXT 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
23[.]202[.]81[.]150 12
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
tulipbloom[.]in 6
iamthecause[.]top 3
www[.]tribosjovens[.]org[.]br 1
www[.]streetfighterx[.]top 1
www[.]cheapestconcerttickets[.]top 1
Files and or directories created Occurrences
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe 6
%APPDATA%\com6.{00C6D95F-329C-409a-81D7-C46C66EA7F33}\Off.c 6
%APPDATA%\com6.{00C6D95F-329C-409a-81D7-C46C66EA7F33} 6
%APPDATA%\com6.{00C6D95F-329C-409a-81D7-C46C66EA7F33}\explorer.exe 6
%System32%\Tasks\explorer.exe 6
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\services.exe 3
%System32%\Tasks\services.exe 3
%TEMP%\com6.{00C6D95F-329C-409a-81D7-C46C66EA7F33} 3
%TEMP%\com6.{00C6D95F-329C-409a-81D7-C46C66EA7F33}\services.exe 3
%TEMP%\com6.{00C6D95F-329C-409a-81D7-C46C66EA7F33}\Off.c 3
%ProgramData%\<random, matching '[a-z0-9]{3,7}'> 3
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\spoolsv.exe 2
%TEMP%\com8.{15eae92e-f17a-4431-9f28-805e482dafd4} 2
%TEMP%\com8.{15eae92e-f17a-4431-9f28-805e482dafd4}\spoolsv.exe 2
%TEMP%\com8.{15eae92e-f17a-4431-9f28-805e482dafd4}\Off.c 2
%TEMP%\D0B38F0F.cmd 1
%TEMP%\DA9F635A.cmd 1
%TEMP%\AA95177A.cmd 1
%TEMP%\4DA5383F.cmd 1
%TEMP%\D925C77F.cmd 1
%TEMP%\F0470C51.cmd 1
%APPDATA%\com3.{025A5937-A6BE-4686-A844-36FE4BEC8B6D} 1
%APPDATA%\com3.{025A5937-A6BE-4686-A844-36FE4BEC8B6D}\atiedxx.exe 1
%TEMP%\97BB41A5.cmd 1
%TEMP%\5DBB78C4.cmd 1
*See JSON for more IOCs

File Hashes

048b8ea9aef3287bae09d9327536faea0b662d48e9cb0d477e88805a7797bcc7
21cd479707dc5865122fa6f1cc638ab15953b09c43ee41abc8a197823a60b65b
34e610d6e74bc3332d7a8a25f61f6a979be8deab8dc1f8f6fdf487dd4ddd3070
5ea6b3668a008b77f6dff12788101e258e6c90d2b08de9e89d7d886834d98ad0
63cae1e75e5d8e54c8dfccebe7552e5a9aa2592cf259357a516d0115ebcf655e
75ee917f5022839d776082a470333a6c6c82069a7f443005f77cce1ff2ccaeb9
7817f2ee4c83e004d9b9602d8f68adc04076f949e1bc868a3bb28c47d98a4933
8159704f8517ba8d8a2f9ea6ec42f5fd4e18438c940806e48dcdd726b923ab66
856869554541785eaadb13c38bfb22392c38254968fc9a41d8d0f1c2b4d420be
8c99d803e23df187a0925aade258e7eeb1dea15607670a05f1fade726320cc05
8e770cc47212a54fee1deb9a642c6afb52238c176cc00bdd2fd3d473e3b601fc
a79939e710792b9d290f2ee2a9ae82529b4b78ba7a578341e52a7994aef5ef11
b9298520c6b390e4fb488f7fc7d99d1651c28482b06e6c008512e29049714a20
cc9d4f4daddee4e5e0c9839543c0c84360c8cc42758f894bc13bb814fbd572f1
da303496b9ba5a139b724e5cd1d35da3d04b89ccd82b281de14e8febb68f4eb6

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Packed.Shiz-9964480-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\MICROSOFT Value Name: 67497551a 26
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON Value Name: 98b68e3c 26
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON Value Name: userinit 26
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON Value Name: System 26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS Value Name: load 26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS Value Name: run 26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: userinit 26
Mutexes Occurrences
Global\674972E3a 26
Global\MicrosoftSysenterGate7 26
internal_wutex_0x000004b4 26
internal_wutex_0x0000043c 26
internal_wutex_0x000004dc 26
internal_wutex_0x<random, matching [0-9a-f]{8}> 26
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
13[.]107[.]21[.]200 13
45[.]33[.]18[.]44 7
45[.]79[.]19[.]196 5
45[.]33[.]2[.]79 5
173[.]255[.]194[.]134 5
45[.]33[.]20[.]235 5
198[.]58[.]118[.]167 4
72[.]14[.]185[.]43 4
96[.]126[.]123[.]244 3
45[.]56[.]79[.]23 3
45[.]33[.]30[.]197 3
72[.]14[.]178[.]174 3
45[.]33[.]23[.]183 1
85[.]94[.]194[.]169 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
gahoqohofib[.]eu 26
rytifaquwer[.]eu 26
kepujajynib[.]eu 26
lyrosajupid[.]eu 26
tuwaraqidek[.]eu 26
xuqeqejohiv[.]eu 26
pumebeqalew[.]eu 26
cinycekecid[.]eu 26
divulewybek[.]eu 26
cilakyfaloq[.]eu 26
vocijekyqiv[.]eu 26
foxofewuteq[.]eu 26
nozapekidis[.]eu 26
makymykakic[.]eu 26
galerywogej[.]eu 26
qeguxylevus[.]eu 26
rydohyluruc[.]eu 26
lysafurisam[.]eu 26
tupepulofup[.]eu 26
kefilyrymaj[.]eu 26
purumulazux[.]eu 26
xutyrurojah[.]eu 26
ciqivutevam[.]eu 26
dimoxuzynup[.]eu 26
citonocebyl[.]eu 26
*See JSON for more IOCs
Files and or directories created Occurrences
%TEMP%\<random, matching [A-F0-9]{1,4}>.tmp 26

File Hashes

0aa01d0e6ab4b0dab543cd0f7d226a1971c896c1b5668ef55d5d84fd8aac331f
232b980cba11ed3757cd13e6e4ec20993f819d07254999411e7a308561f10ac9
27eb369a639c17edfcc1eefc7f2d21d0680f62dd00a7bd2cf0a3d50030134dc9
2ebf268325f6e2840fa65e481e61cee94d0dc889f3f032abdf7492dd7772be07
31532a2178c74921a141b257175fd25aa587d611e480ae6399255000a875f86b
3634d7d5b0e31a068dbb17eec6dd39b927dc2e6ca7a7d1f50fe122fd9a348578
3ce214e14dc05772c4f6ed8bf5df0c2f6916c3cb78cad5ec7960e8a5aa3183dd
3db521931dd32b2d76a0b694eba198d54db0642289c4c04797d81abba1e8cc1c
44aaba781695fd9c5a859fe91a1b251f3700cfc65d20c70827108aade73a2d47
491e939589d3df18f8c2601acd0ecb2e730744625208a9ef10e1153c8fbd999d
4aef6f77172ffbe97608338d59b4e327f80ac6b1280234acfd1a35c519a8cc54
5153f49e288d120950522e3cedade50d389452cb5344344672b1dbbe4fd6b2c3
5950d60ccaf62ebbd4d8e6f67c8aae6ffa9d7c7f3950aa3aa6c97810f2e192b4
5bdcf125d1dd26dc4eea102736976a474e7c95ca4486ca8e13cf404ed6b54661
66703ea93baf17db72cce7c91b39df923574a9173768ebfda5f78580e1f1e05e
6728f5c294584f01a2e8a8f320cce6df9a85656b582f29e7dcd1b226d51d0b46
706de588bf28a2345331005686aeb0a65d92eea4195050f948577ce0623bc7b3
8818d782007a434aaf773fa601467cb8ea9514ffbdba74a4b2cf8ad0ee096110
914e601f65f04fb41f1ede09babc33d9d067fdf089a6f720eb7dcb5489da182c
a3b5359d0320885dc46a8e01583304adcc8f8697bd72d4a9fa1e02b0d210e061
b9d4f9b412b05af3a6f1b601041422117f3c4ccdfa02b140a1b06da1ba53193b
bcf08953ce18c297e8b3714bd66563fde1d031b9eec8c26cc5a880f6b57eea5c
bd984088a849d6b0593a970dec6a8792b82c8c04edecd4032cfd6a447d4f3c48
c7297544b35ded090c59b73c53c1c6a3f50b0b30206f237c1f84114b01adcdfd
ccaa68c04b2d4378b62753b540e5b25cb36e6334a48a10eb9975c2064fc393da
*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK
