Friday, November 5, 2021

Threat Roundup for October 29 to November 5


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 29 and Nov. 5. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name Type Description
Win.Dropper.Tofsee-9905031-0 Dropper Tofsee is multi-purpose malware that features multiple modules to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages to infect additional systems and increase the size of the botnet under the operator's control.
Win.Virus.Xpiro-9905216-1 Virus Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.
Win.Dropper.Shiz-9905047-0 Dropper Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information. It is commonly spread via droppers or by visiting a malicious site.
Win.Dropper.Remcos-9905709-0 Dropper Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam and capture screenshots. This malware is commonly delivered through Microsoft Office documents with macros sent as attachments on malicious emails.
Win.Dropper.TrickBot-9905314-0 Dropper TrickBot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts.
Win.Dropper.Formbook-9905387-0 Dropper Formbook is an information stealer that attempts to collect sensitive information from an infected machine by logging keystrokes, stealing saved web browser credentials, and monitoring information copied to the clipboard.
Win.Packed.LokiBot-9905395-0 Packed Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from several popular applications. It is commonly pushed via malicious documents delivered via spam emails.
Win.Dropper.Cerber-9905750-0 Dropper Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension ".cerber," although in more recent campaigns, other file extensions are used.

Threat Breakdown

Win.Dropper.Tofsee-9905031-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 90 samples
Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
63
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
63
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
63
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
63
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
63
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName
63
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description
63
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 63
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 63
<HKU>\.DEFAULT\CONTROL PANEL\BUSES 61
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config0
61
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config1
61
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config4
58
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config2
58
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config3
58
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath
32
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\haoutbhw
6
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\jcqwvdjy
5
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\yrflksyn
5
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\rkyedlrg
5
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\athnmuap
4
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\kdrxwekz
4
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\vocihpvk
4
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\unbhgouj
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\lesyxfla
3
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
43[.]231[.]4[.]7 63
185[.]215[.]113[.]58 61
185[.]7[.]214[.]171 54
185[.]7[.]214[.]210 54
45[.]9[.]20[.]187 54
45[.]9[.]20[.]178/31 54
142[.]250[.]80[.]100 41
104[.]47[.]53[.]36 30
157[.]240[.]229[.]174 28
192[.]0[.]47[.]59 23
125[.]209[.]238[.]100 23
208[.]76[.]51[.]51 20
40[.]112[.]72[.]205 20
208[.]76[.]50[.]50 20
208[.]71[.]35[.]137 18
216[.]146[.]35[.]35 17
199[.]5[.]157[.]131 17
217[.]69[.]139[.]200 17
142[.]251[.]40[.]195 16
40[.]76[.]4[.]15 15
103[.]224[.]212[.]34 15
195[.]46[.]39[.]39 14
84[.]200[.]69[.]80 13
40[.]113[.]200[.]201 13
74[.]6[.]143[.]26 13
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
microsoft-com[.]mail[.]protection[.]outlook[.]com 63
microsoft[.]com 63
lazystax[.]ru 63
249[.]5[.]55[.]69[.]in-addr[.]arpa 61
249[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net 58
249[.]5[.]55[.]69[.]bl[.]spamcop[.]net 57
249[.]5[.]55[.]69[.]cbl[.]abuseat[.]org 56
249[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org 56
249[.]5[.]55[.]69[.]zen[.]spamhaus[.]org 56
www[.]instagram[.]com 28
mta6[.]am0[.]yahoodns[.]net 27
yahoo[.]com 25
whois[.]arin[.]net 23
whois[.]iana[.]org 23
mail[.]ru 23
mx1[.]naver[.]com 23
www[.]msftncsi[.]com 23
wpad[.]example[.]org 23
www[.]google[.]co[.]uk 19
park-mx[.]above[.]com 15
www[.]youtube[.]com 12
mx4[.]beavis99[.]com 12
al-ip4-mx-vip1[.]prodigy[.]net 12
mta7[.]am0[.]yahoodns[.]net 10
www[.]google[.]co[.]nz 10
*See JSON for more IOCs
Files and or directories created Occurrences
%TEMP%\<random, matching '[a-z]{8}'>.exe 74
%SystemRoot%\SysWOW64\config\systemprofile 61
%SystemRoot%\SysWOW64\config\systemprofile:.repos 61
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> 61
%System32%\<random, matching '[a-z]{7,8}'>\<random, matching '[a-z]{6,8}'>.exe (copy) 19
\Documents and Settings\LocalService:.repos 18
\Users\user\AppData\Local\Temp\zyokrns.exe 2
\Users\user\AppData\Local\Temp\ssrxiwdg.exe 2
%TEMP%\ondzgch.exe 1
%TEMP%\baqmtpu.exe 1
%TEMP%\mlbxeaf.exe 1
\Users\user\AppData\Local\Temp\lumlugkb.exe 1
\Users\user\AppData\Local\Temp\ejwwzyot.exe 1
\Users\user\AppData\Local\Temp\vlrkltjs.exe 1
\Users\user\AppData\Local\Temp\vukgnjo.exe 1
\Users\user\AppData\Local\Temp\feqmrbly.exe 1
\Users\user\AppData\Local\Temp\lhbhnphy.exe 1
\Users\user\AppData\Local\Temp\kagzaiyh.exe 1
\Users\user\AppData\Local\Temp\hcjgfcyz.exe 1
\Users\user\AppData\Local\Temp\tkdgnaml.exe 1
\Users\user\AppData\Local\Temp\micioqiz.exe 1
\Users\user\AppData\Local\Temp\lsffitlg.exe 1
\Users\user\AppData\Local\Temp\vewvequl.exe 1
\Users\user\AppData\Local\Temp\jiuqvfpc.exe 1
\Users\user\AppData\Local\Temp\lcvyfsed.exe 1
*See JSON for more IOCs

File Hashes

016f7f0db9174d5b1eee7c9d75ca4eca4144f2f8022788a09aa5cccc5d23cf3c 04a4232005cd3a8d1ff7d68e62e60e182ead7f447d01fce4dfc8ab38c137de86 062b45c5f3c3ca89b1ffb4ba1dbc1bf00fe65bd359252c9d9c908176e46abb5a 09798abd4f801a9705ea91c9fe3bc45698581182e15e45fc226a77c57385dccd 0a41e5c1a46e76a6c1502a6bd039fbcdece4e005e0a2e1dfe90d3f7d3e528fe1 0adad073bf947a35c072e9c20c507d1c23f44b304300f6eb9f9b58cdf518a10a 10e264ab095c3cfb9584e75dbe655f195eeeb719d9b2b1c81d70bf5500e12d83 1253539181bdeb698e2612a4bfdb9e152bef83dfb9411fcff578930a8f1222e6 125461a8f5acca9fd1b36bd24b15f5db641a44467520dc47a7159b8976e25c2d 125608d7d07f55cca855f2ebce7a3e519c33a4a64878db723cc16491fdce8cdb 1283dd2dceb3b131e5d2f2d0a86ea8994d60eb91796c5e3f70beb3c68de47721 12fa15bc01b40464733a40f470cee3e010a8b447b87e0a89aa1906ddef931041 13573f98478916fb97b844eccb4881209c86d2c3f593bbd5833365c8bbfb7c05 152b8c286512f28b0aed6c46367b1618f8bc300ee9a171855e82ee6b68393c5e 160b00953ef50a50f115a5e1e29faf08d9f34198280df55bda66fd8c154eb76b 175f4dbb1e0afa10f100ac6d961f249058559cb8d7605adff11393ada7cb645a 1798ef38a8a03ba6b3a408d4aa72f0b4df542f9b7d47cb0842a29a3aa0f1eac3 187c81e2db643c99c75b95a646f9635d5dece15eaedb671c7743caa802f2f103 1c1a3d9d84c62f336842f59036d4a60ac23e00748b48822ca0c23acdbdd9aa38 1ebbf519c65821916d1d6b0b19941d2b5bd8aa034baebb3f35e2b2fcbf9cfc6b 1ef2998bb08d46eec2661851d56797a2125f369d56116ceb4a6120c033b24130 1fecaee82ad520795ab81ffd67758e9c6cda85083ee3faba41881b9a153c0682 210202282c617ec43a285f39b42507ef0a23075c393d424e88b0cd9cede1790b 216d9c0080c435c8a2bb79b9f80f4582be20297e1a2e0df6f01d43a6c6732ca0 21c317f718a5a3afe1fc316d0a4d5e55575d7f7b8694f171942bf658254f7519
*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Virus.Xpiro-9905216-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 10 samples
Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\COMSYSAPP
Value Name: Type
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\COMSYSAPP
Value Name: Start
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MSISERVER
Value Name: Type
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MSISERVER
Value Name: Start
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AELOOKUPSVC
Value Name: Type
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AELOOKUPSVC
Value Name: Start
10
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 10
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101
Value Name: CheckSetting
10
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103
Value Name: CheckSetting
10
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100
Value Name: CheckSetting
10
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102
Value Name: CheckSetting
10
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104
Value Name: CheckSetting
10
Mutexes Occurrences
kkq-vx_mtx73 10
kkq-vx_mtx74 10
kkq-vx_mtx75 10
kkq-vx_mtx76 10
kkq-vx_mtx77 10
kkq-vx_mtx78 10
kkq-vx_mtx79 10
kkq-vx_mtx80 10
kkq-vx_mtx81 10
kkq-vx_mtx82 10
kkq-vx_mtx83 10
kkq-vx_mtx84 10
kkq-vx_mtx85 10
kkq-vx_mtx86 10
kkq-vx_mtx87 10
kkq-vx_mtx88 10
kkq-vx_mtx89 10
kkq-vx_mtx90 10
kkq-vx_mtx91 10
kkq-vx_mtx92 10
kkq-vx_mtx93 10
kkq-vx_mtx94 10
kkq-vx_mtx95 10
kkq-vx_mtx96 10
kkq-vx_mtx97 10
*See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
3[.]223[.]115[.]185 8
37[.]48[.]65[.]152 2
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
www[.]msftncsi[.]com 10
hdredirect-lb7-5a03e1c2772e1c9c[.]elb[.]us-east-1[.]amazonaws[.]com 8
www[.]avcheck[.]ru 8
www[.]virtest[.]com 8
wpad[.]example[.]org 7
cashing[.]cc 2
computer[.]example[.]org 1
Files and or directories created Occurrences
%SystemRoot%\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{33EC2C09-9668-4DE7-BCC0-EFC69D7355D7}.crmlog 10
%SystemRoot%\SysWOW64\dllhost.exe 10
%SystemRoot%\SysWOW64\msiexec.exe 10
%SystemRoot%\SysWOW64\svchost.exe 10
%SystemRoot%\SysWOW64\dllhost.vir 10
%SystemRoot%\SysWOW64\msiexec.vir 10
%SystemRoot%\SysWOW64\svchost.vir 10
%ProgramFiles%\7-Zip\Uninstall.exe 10
%ProgramFiles%\7-Zip\Uninstall.vir 10
%ProgramFiles%\7-Zip\7z.exe 10
%ProgramFiles%\7-Zip\7zFM.exe 10
%ProgramFiles%\7-Zip\7zG.exe 10
%ProgramFiles%\Windows Media Player\wmpnetwk.exe 10
%ProgramFiles%\Windows Media Player\wmpnetwk.vir 10
%System32%\FXSSVC.exe 10
%System32%\UI0Detect.exe 10
%System32%\WindowsPowerShell\v1.0\powershell.exe 10
%System32%\WindowsPowerShell\v1.0\powershell.vir 10
%System32%\fxssvc.vir 10
%System32%\ieetwcollector.exe 10
%System32%\ieetwcollector.vir 10
%System32%\msdtc.exe 10
%System32%\msdtc.vir 10
%System32%\snmptrap.exe 10
%System32%\snmptrap.vir 10
*See JSON for more IOCs

File Hashes

10fead5c5e63b2da718c7ad176ad4a1ca992ee19a8798c648e9eebe373f11729 17357a25014eb9981fd44462e8445b481b4d961b7ed1204b86572b3b12b7217d 423cdcd1d7d15c47c9171c55ec1eac9307ec21ca16432184fda784d4a34b7aec 65c88e70c8c39e359162e03b9a1891f7102b7a8f222692baf88cc2b7a93e4bbe 9a7fef02695a530298116ab323751fdfbcfa5d90604a3d57c07355cea6478df9 cb02d8cd06b60bdfa3c81212ddc7464d7f0267b3f670b9462b9ee2a6fa47f6a1 cf6c364b597f437f9eca4702ebbe9e8e649c79b7face2b04afaae4eb6a83943b d89398f1dd0e31d0b8931b9fd135cdbf91d82fcdf0ae925904cbfbc5e3687f2e df553fd479a2b4a17be627bcab912cdfba37e5b8b9b7a675ae8fd528160b0128 fbbb95ba11ceaedd432bdefbcc3f6e0a667b248f307d09daf7bb8597b4c81b92

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Dropper.Shiz-9905047-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 167 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 165
<HKLM>\SOFTWARE\MICROSOFT
Value Name: 67497551a
164
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: 98b68e3c
164
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: userinit
164
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: System
164
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: load
164
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: run
164
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: userinit
164
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\STARTPAGE
Value Name: StartMenu_Balloon_Time
2
Mutexes Occurrences
Global\674972E3a 164
Global\MicrosoftSysenterGate7 164
internal_wutex_0x000000e0 164
internal_wutex_0x0000038c 164
internal_wutex_0x00000448 163
internal_wutex_0x<random, matching [0-9a-f]{8}> 42
internal_wutex_0x0000063c 37
internal_wutex_0x000006bc 35
internal_wutex_0x000007e0 21
internal_wutex_0x00000750 14
internal_wutex_0x000007c4 14
internal_wutex_0x000006b8 11
internal_wutex_0x00000310 11
Global\C3D74C3Ba 1
Global\53dc6781-38ee-11ec-b5f8-00501e3ae7b6 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
147[.]75[.]61[.]38 82
147[.]75[.]63[.]87 82
13[.]107[.]21[.]200 74
45[.]33[.]23[.]183 32
173[.]255[.]194[.]134 32
45[.]33[.]2[.]79 30
72[.]14[.]178[.]174 30
45[.]56[.]79[.]23 26
45[.]33[.]30[.]197 26
72[.]14[.]185[.]43 25
96[.]126[.]123[.]244 24
45[.]33[.]18[.]44 24
45[.]79[.]19[.]196 23
198[.]58[.]118[.]167 22
45[.]33[.]20[.]235 21
13[.]107[.]22[.]200 8
23[.]56[.]9[.]181 7
131[.]253[.]33[.]200 7
104[.]239[.]157[.]210 1
23[.]253[.]126[.]58 1
35[.]231[.]151[.]7 1
45[.]77[.]226[.]209 1
208[.]100[.]26[.]245 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
qeguhapyrer[.]eu 164
puryxepenek[.]eu 164
lysowaxojib[.]eu 164
rydopapifel[.]eu 164
ciqukecywiv[.]eu 164
vonodecidid[.]eu 164
dimigesupew[.]eu 164
fobatesohek[.]eu 164
ryhadyvigis[.]eu 164
jeluzydyqej[.]eu 164
gacenysacew[.]eu 164
gatopuwenyq[.]eu 164
jewemurutyj[.]eu 164
qeqyvulidox[.]eu 164
kemuxurohym[.]eu 164
tucadilebix[.]eu 164
rynikulokop[.]eu 164
lyvoguraxeh[.]eu 164
xuxetiryqem[.]eu 164
puzewilurip[.]eu 164
cilynitiseg[.]eu 164
vojizitoken[.]eu 164
fogokozazit[.]eu 164
gadedozymiz[.]eu 164
masytoturen[.]eu 164
*See JSON for more IOCs
Files and or directories created Occurrences
%TEMP%\<random, matching [A-F0-9]{1,4}>.tmp 164
%SystemRoot%\AppPatch\<random, matching '[a-z]{6,8}'>.exe 36
%SystemRoot%\apppatch\evqtpoy.exe:Zone.Identifier 1
%SystemRoot%\apppatch\gnhibb.exe:Zone.Identifier 1
%SystemRoot%\apppatch\qruqmmi.exe:Zone.Identifier 1
%SystemRoot%\apppatch\halmhrg.exe:Zone.Identifier 1
%SystemRoot%\apppatch\xxltdck.exe:Zone.Identifier 1
%SystemRoot%\apppatch\pwevjtc.exe:Zone.Identifier 1
%SystemRoot%\apppatch\jdtdlb.exe:Zone.Identifier 1
%SystemRoot%\apppatch\iktkuxx.exe:Zone.Identifier 1
%SystemRoot%\apppatch\lvgqbo.exe:Zone.Identifier 1
%SystemRoot%\apppatch\rgwontf.exe:Zone.Identifier 1
%SystemRoot%\apppatch\xpqohb.exe:Zone.Identifier 1
%SystemRoot%\apppatch\ortqeql.exe:Zone.Identifier 1
%SystemRoot%\apppatch\rjntclt.exe:Zone.Identifier 1
%SystemRoot%\apppatch\wcvjrfc.exe:Zone.Identifier 1
%SystemRoot%\apppatch\gwuasq.exe:Zone.Identifier 1
%SystemRoot%\apppatch\xhaper.exe:Zone.Identifier 1
%SystemRoot%\apppatch\nrnjgq.exe:Zone.Identifier 1
%SystemRoot%\apppatch\xpmify.exe:Zone.Identifier 1
%SystemRoot%\apppatch\mrmuqlx.exe:Zone.Identifier 1
%SystemRoot%\apppatch\pqfude.exe:Zone.Identifier 1
%SystemRoot%\apppatch\mwqaix.exe:Zone.Identifier 1
%SystemRoot%\apppatch\fgwcmsb.exe:Zone.Identifier 1
%SystemRoot%\apppatch\iwibxep.exe:Zone.Identifier 1
*See JSON for more IOCs

File Hashes

04f91e8e431e9a1fa07d70393a7a927062bc2342c4aaab91fca7309fa747ea14 0662cdf8f2b283940388af235c6eec863a9531833bbb584036931c769807ea57 0933d6962abc588189455f5104bc9aa3185650fb1193ba5835c48fd041500b84 0b842217f0d63a6d0f1d3a95387925771a8643dbd4de736f1522389e026cae5f 0c6cda02f0e9fa4918cda8e5c2a37fea0b8e42b5cc3d14cf22cd7fc9bc09d89c 0f1c0bf8e36fb46cdb5294338bf70b3e6b02ff696fa8978f6ad9b67e466cdf80 0f3e8740d9a93b2edb1ae56aa28cdc4cd4f22e8f47eb6df0825ce96c9349513e 0f9e878a61fc55fe29307a20621a5aa9a808da08fa5943c121a8300513b2cab3 11f5506c22eef1b12411321de9244af7283a2f04b6797b7f6f5a75c38407c405 15c20587aa400eab84217f8eb3488305598da3a63c5cc3482dcbb17ee1b25bb7 1790f9cbe4ed673828770b1009712e6909b3194290469a1c334a002fd9aa3815 1e36c2085f60d512890107d51ea1ba549414026f72fef067be9c209d6b0ec793 1fbcd93405a9f95bd57cf41bf0694042f90051669bfb547192303f22b88bfcbd 25584513100af73fbe0603f1c28a5d884951416cb6424893483c26576b894677 25aefdb28717eb2a9d819f551863f71ce47d03aec38706af8c7b97b7a615a218 25d65ddd388d8054ae9bb720d77e450a7c3f73ca2e3c6f889756f0796c2b0956 26acfec03c1e62b822951bab77a14215a91a8b8037cf217e208f384d3a5babc3 26da34606d0d85b84546b147312b8e8edb7c9ae82626d7cfa0a8c24336895908 28833224084ac9b028cb83334ab7d8595c6b98d0486de0d7efc0ade9c3370d47 2927806517447a4d9a2ce7155db74b86e3a0c5a0662a8eba5c49f2ca76ef52cb 2a79298f607fb0bab9a707ab721cef13475425f798697d2c6983852eb721dd2e 2b4769bedbb68c7d16ce8a24d11a71501251c087381e74fb442b3d18608f0593 2f0cbda2d3909186b4bfad72bae2aa2b37132c7f077378efebe683d946db1504 32066c0958d4e12e233bf8f51a041edc20190ee63721eb371407c588f7ba1794 3388b024c98ac0c78499f3a0012473d9085ef05b10b9ccb9045af090a2596ea8
*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Dropper.Remcos-9905709-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 16 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: remcos
13
<HKCU>\SOFTWARE\REMCOS-UPOF3W
Value Name: exepath
13
<HKCU>\SOFTWARE\REMCOS-UPOF3W
Value Name: license
13
<HKCU>\SOFTWARE\REMCOS-UPOF3W 13
<HKCU>\SOFTWARE\REMCOS-UPOF3W
Value Name: Inj
11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: hpsupport
2
<HKCU>\SOFTWARE\HPSUPPORT-1H2OJB
Value Name: exepath
2
<HKCU>\SOFTWARE\HPSUPPORT-1H2OJB
Value Name: licence
2
<HKCU>\SOFTWARE\HPSUPPORT-1H2OJB 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\STARTPAGE
Value Name: StartMenu_Balloon_Time
1
Mutexes Occurrences
Remcos_Mutex_Inj 15
Remcos-UPOF3W 13
hpsupport-1H2OJB 2
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
triggerd[.]ddns[.]net 13
cemileorucs[.]ddns[.]net 2
Files and or directories created Occurrences
%SystemRoot%\win.ini 15
%TEMP%\install.vbs 15
%APPDATA%\remcos 13
%APPDATA%\remcos\logs.dat 13
%APPDATA%\remcos\remcos.exe 13
%APPDATA%\hpsupport 2
%APPDATA%\hpsupport\hpsupport.exe 2
%APPDATA%\hpsupport\logs.dat 2

File Hashes

0638d514c06090c3c344d59abbb458ca9ccde4e7e581faad880c58a15b2b10b4 0ba194872139ac85544213acbfd22b2cfb7642d1c486fd8ac66b5a3cea945744 15eb56af5d04ad3bad00b4193e5ee9e8b786b3d8d419291b33ca4fa8090a2f5b 1a8e73f191343894a2ff5c1f13a8cd0a29135bbd1b81f52212f28f6a50a8dc41 1ea753ece3d0ce52306ad167ddaabef9a739fd2c056a4d0b6be5104438ebf6ee 30115765f6834c4e1dae38aee7d469710d012350844890ce6da6a0e3a0a6a3c6 3690ed1fbc4eb8447a288a3bb28041e88fa1f8ff9c3ad020229edb3fb2f35cb1 4bce1b74cc45d0e5afe829b23fe3f684697006d4acb4262c57f0a20adecaed4a 4deb2cd7552e5f48d97d32aeb777b9a51b708a525832b1fa877b91cd78945df1 511bd9125a95cbf8f4a4aab0dfc9b1ee4118c4beb80811ce197c76a2dd16504d 64c068cd1fcfe8f86c6379b81428c890c350890437cddde3d8c5dd382b8d6021 7d3de42d191a1d5144d6ac2e63c8fb2be695d727ed1c6d42cc853e6566752b8a c30119aa801e8225a001a6e0a68960e77b278259c49b948440806f71ce1bdae5 dda12f2ca191f8bc096987db988f1a56b9808b4efcae83cda5966a4dbce92453 ebb5d5b111e05511c5098832a5a71b82bf2b2fdd7f4c49bf8a84f1cbfc7a499a f365cc666f3715d3b981f0cb97c8e3e60a0c7708d43d39915fd1868c7876ff82

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Dropper.TrickBot-9905314-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 25
Mutexes Occurrences
316D1C7871E00 25
785161C887200 3
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
116[.]203[.]16[.]95 6
34[.]117[.]59[.]81 6
92[.]53[.]66[.]81 4
92[.]53[.]78[.]189 4
212[.]14[.]51[.]43 4
80[.]87[.]199[.]45 3
95[.]213[.]252[.]113 3
194[.]87[.]237[.]175 3
195[.]133[.]196[.]72 3
62[.]109[.]16[.]17 3
149[.]154[.]68[.]34 3
69[.]120[.]56[.]211 3
194[.]87[.]235[.]41 3
185[.]236[.]130[.]84 3
146[.]255[.]36[.]1 2
194[.]87[.]235[.]76 2
82[.]202[.]246[.]171 2
92[.]53[.]66[.]78 2
160[.]72[.]43[.]233 2
82[.]202[.]246[.]76 2
82[.]146[.]56[.]193 2
95[.]213[.]191[.]147 2
104[.]18[.]114[.]97 2
109[.]234[.]36[.]168 2
94[.]103[.]82[.]230 2
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
ip[.]anysrc[.]net 6
checkip[.]amazonaws[.]com 4
icanhazip[.]com 3
api[.]ipify[.]org 3
wtfismyip[.]com 3
ipinfo[.]io 3
apps[.]identrust[.]com 3
ipecho[.]net 2
myexternalip[.]com 1
Files and or directories created Occurrences
%APPDATA%\localservice\client_id 26
%APPDATA%\localservice\group_tag 26
%System32%\Tasks\services update 25
%APPDATA%\localservice 25
%APPDATA%\localservice\Modules 25
%SystemRoot%\Tasks\services update.job 3
%APPDATA%\localservice\ruonf.exe 1
%APPDATA%\localservice\9a855fa82e5e23c538500f6a9ff3bf79.exe 1
%APPDATA%\localservice\395833884.exe 1
%APPDATA%\localservice\395833892.exe 1
%APPDATA%\localservice\604abf5g5567g9f0fg6f6bagcb2e4c07a64ab5cbc6ee7a6603fgb0bg62763fa9.exe 1
%APPDATA%\localservice\248ce8389ee357f0e65479ea5g82064gf056b256f09gbf35ca56b329gb8a44a6.exe 1
%APPDATA%\localservice\0g3ae5f39b547ee265ag4e6535f73607b866206g07e632ac6e2298366f6965c4.exe 1
%APPDATA%\localservice\03e206584ac424b366259fgaa3f3446f72gg8806924af7655g6gc20768e0f6ge.exe 1
%APPDATA%\localservice\56392aef9c6364g6f077562727c987b4ebbc5gg6084fb804776b0667be2be83b.exe 1
%APPDATA%\localservice\377g59c74e2beb502b885556ag8079ge978280347560b6b3fa7e0ga6gefaf64f.exe 1
%APPDATA%\localservice\6ecb6a88683950ge069fbee87e98ac65fb8935af08b78cffba2a087476867b36.exe 1
%APPDATA%\localservice\6e95f945af6c24g0b68caa5eg3beg8e9b3a44gae627ae32cg6f59660c37352be.exe 1
%APPDATA%\localservice\776c6442g79e9a48c78745489b786f026g4ceec02686498a64209b43942c740c.exe 1
%APPDATA%\localservice\5720005g53fa6b59gff56a66ab96fgc257e825b8349fg260a29f3b355967744a.exe 1
%APPDATA%\localservice\69e9caeb7e682ec45288ef53g94696c3938e465390b605cb72fe54egcff63g95.exe 1
%APPDATA%\localservice\24efa5bf00653b4c445c40ccbce2a7ee209eg265bf09679cf02g904bca6459gc.exe 1
%APPDATA%\localservice\34bb49887b28479203bgggcae27gbbge37f7fa2bef0270e7e2f5966eae2eg299.exe 1
%APPDATA%\localservice\834e5b9g6fg806f476b3ae4267474336cc98f479b564208676g67452bb29503c.exe 1
%APPDATA%\localservice\a3ec43f9baf7702965ebgg2e2a08e70b3fg790733e3c46e236ff9698f8080b9e.exe 1
*See JSON for more IOCs

File Hashes

02d105483ac313b266149efaa2e2335e71ff8806913ae7644f5fc10768d0e6fd 0554a16cf259d2cc672c5b008987219382e098f35b7bfb84c14c0d29930c8eb7 0f2ad4e29b437dd164af3d6424e72607b866105f07d621ac5d1198266e6954c3 138cd8289dd247e0d64379da4f81053fe045b145e09fbe24ca46b219fb8a33a5 13dea4be00642b3c334c30ccbcd1a7dd109df154be09679ce01f903bca5349fc 1966429bfc1e9134d6226bce7666d987da9c606d9828d92174bbdc02e40c9039 1e0de5782d379b8bd2b29194b0240d325fb9e9b969eb46441d8644bc54ddbcfa 23bb39887b18379102bfffcad17fbbfd27e7ea1bde0170d7d1e4955dad1df199 277f49c73d1bdb401b884446af8079fd978180237450b6b2ea7d0fa5fdeae53e 35c5cacc06512a970751ac9a23237d803051bbc1cb4e0132dbb456a94471de4e 42ff5709a31263f210f7ca563e5f97cbca01998983fd6f70054c1061271ed83a 46291ade9c6253f5e077451717c987b3dbbc4ff5083eb803775b0567bd1bd82b 4710004f42ea6b49fee46a55ab95efc147d814b8239ef160a19e2b244967733a 4e785f03946f770582bb6bee35036b4c81eae14bb5a6240e2af5d1577eac529e 503abe4f4457f9e0ef5e6bafcb1d3c07a53ab4cbc6dd7a5502efb0bf51752ea9 59d9cadb7d581dc34188de42f93596c2928d354290b504cb71ed43dfcee62f94 5d94e934ae5c13f0b58caa4df2bdf8d9b2a33fad617ad21cf5e49660c27241bd 6dcb6a88682940fd059ebdd87d98ac64eb8924ae08b78ceeba1a087375857b25 74772f49ffb1f3e3721d843ceaf749baf84afe5f353a909f4be2d4ff8bf2dad1 74b3f69c29894846d7ec06c91762a7b533be45f8a8f9194ecce2385d3f6a55b0 775c5331f79d9a38c78734389b786e015f3cddc01686398a63109b32931c730c 823d4b9f6ef806e376b2ad3167373226cc98e379b453108676f57341bb19402c 9bfba44070ba59790b4a053b9869eca016b500660d6b0849abf0acb2085e2c19 9d1fc6d9a736aabd552e46eeca17073382264a261b80b38a51e9244c7f9045be a2dc32e9bae7701954dbff1d1a08d70b2ef790722d2c36d125ee9598e8080b9d
*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Dropper.Formbook-9905387-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 16 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 7
<HKCU>\ENVIRONMENT
Value Name: windir
4
<HKCU>\SOFTWARE\ONEDRIVES-Y6FI41 4
<HKCU>\SOFTWARE\ONEDRIVES-Y6FI41
Value Name: exepath
4
<HKCU>\SOFTWARE\ONEDRIVES-Y6FI41
Value Name: licence
4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Vhjrhxr
4
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 2
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\INTELLIFORMS\STORAGE2 1
<HKLM>\SOFTWARE\WOW6432NODE\MOZILLA\MOZILLA FIREFOX 1
<HKLM>\SOFTWARE\WOW6432NODE\MOZILLA\MOZILLA FIREFOX\20.0.1 (EN-US)\MAIN 1
<HKLM>\SOFTWARE\WOW6432NODE\MOZILLA\MOZILLA THUNDERBIRD 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: H480CTW0_6U
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Agcwesm
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: ZTDDQPY80FE
1
Mutexes Occurrences
Remcos_Mutex_Inj 4
onedrives-Y6FI41 4
8-3503835SZBFHHZ 1
L953C4A1G8ABxyJ2 1
OPA4OUV-9U54W082 1
9N96O9-QRT6IW-5Y 1
NK8R75A625ZDGyH1 1
S-1-5-21-2580483-9081837792465 1
JN29T2UVFA0I4YZF 1
J67BN9PRTB63BXFE 1
9K8-5Q8QF4DFBKB2 1
14LR7R1W3-YZDx8G 1
5173BA9QWY68WAXz 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
162[.]159[.]129[.]233 10
162[.]159[.]134[.]233 8
162[.]159[.]135[.]233 5
162[.]159[.]133[.]233 4
185[.]244[.]30[.]18 4
51[.]161[.]61[.]88 4
162[.]159[.]130[.]233 3
34[.]98[.]99[.]30 2
23[.]227[.]38[.]74 2
142[.]250[.]72[.]115 2
198[.]185[.]159[.]144 1
192[.]0[.]78[.]24 1
204[.]11[.]56[.]48 1
185[.]199[.]109[.]153 1
52[.]58[.]78[.]16 1
184[.]168[.]131[.]241 1
198[.]71[.]232[.]3 1
88[.]214[.]207[.]96 1
85[.]233[.]160[.]22 1
81[.]17[.]18[.]197 1
34[.]102[.]136[.]180 1
44[.]227[.]65[.]245 1
13[.]248[.]216[.]40 1
172[.]67[.]147[.]219 1
52[.]20[.]84[.]62 1
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
cdn[.]discordapp[.]com 12
www[.]msftncsi[.]com 9
wpad[.]example[.]org 9
xchilogs[.]duckdns[.]org 4
xxxxza[.]dynamic-dns[.]net 4
www[.]glocp9[.]com 1
www[.]jqxfinance[.]com 1
www[.]mylife25[.]com 1
www[.]cataractmeds[.]com 1
www[.]anjanaonline[.]com 1
www[.]cabinetra[.]com 1
www[.]xn--v4q8fq9ps1clx5d774b[.]com 1
www[.]healthchu[.]com 1
www[.]whereistheherb[.]store 1
www[.]gun-stores[.]net 1
www[.]obersrock[.]com 1
www[.]blakedroberts[.]com 1
www[.]mbc-lucky[.]com 1
www[.]fsoinc[.]com 1
www[.]ue3uue[.]com 1
www[.]dongtaykethop[.]cloud 1
www[.]briankingfineart[.]com 1
www[.]listertarot[.]com 1
www[.]sexting-sites[.]com 1
www[.]studiodates[.]com 1
*See JSON for more IOCs
Files and or directories created Occurrences
%PUBLIC%\nest 4
%PUBLIC%\KDECO.bat 4
%PUBLIC%\Trast.bat 4
%PUBLIC%\UKO.bat 4
%PUBLIC%\nest.bat 4
%APPDATA%\onedriveslogs 4
%APPDATA%\onedriveslogs\logs.dat 4
%PUBLIC%\Libraries\Vhjrhxr 4
%PUBLIC%\Libraries\Vhjrhxr\Vhjrhxr.exe 4
%PUBLIC%\Libraries\rxhrjhV.url 4
\Users\user\AppData\Local\Temp\WER2A24.tmp.appcompat.txt 1
%PUBLIC%\Libraries\Pqjpzgz 1
%ProgramFiles(x86)%\Gk4g4n4 1
%ProgramFiles(x86)%\Gk4g4n4\Cookiesdpx8ftbp.exe 1
%TEMP%\Gk4g4n4 1
%TEMP%\Gk4g4n4\Cookiesdpx8ftbp.exe 1
%PUBLIC%\Libraries\Fpqxvkm 1
%PUBLIC%\Libraries\Ghqhvyl 1
%PUBLIC%\Libraries\Agcwesm 1
%PUBLIC%\Libraries\Agcwesm\Agcwesm.exe 1
%PUBLIC%\Libraries\msewcgA.url 1
%PUBLIC%\Libraries\Cdkdwye 1
%PUBLIC%\Libraries\Qrzjmzb 1
\Users\user\AppData\Local\CrashDumps\512233356.exe.2812.dmp 1
\Users\user\AppData\Local\Temp\WAX5162.tmp 1
*See JSON for more IOCs

File Hashes

1c8044345a2bea4eaaebf8e61b0fb378e940944c0c1fb712bac3a07ca95fc39e 4dc16dae8f47287845279752dc52bbd24a61573e5cfba83180dc6de2a0b5ab85 4f88fcf537adbb598d8335dd88dba85c97ed666930084bf718502938eb75bc42 672f4709ac1b3b7738d6233e7e4d56510139db30a915a055c32e85dab8ca5a55 6b93224c145b221ac786bf10b1471af61722e45bbd41a029789170ea7f1c0751 727db4fa156692175943bef3ef7dbaa0cee2773ba328a96bf738921fbd0140fb 794e8844531d9ea6f37755360d429ed93827c79e77c7b5bf76ad08b4108549dd 98e51501b084abbd93a92f14bb01eabdda161b54940bbeb5eb296e20e99c398f a118f0a92d575020353fefe21d2ed28ce02602a14b8aa04723846924d33c65e7 b04e08fbd45bee67a058b15628e924595f9510d84b8100902ebb39e4ac2768f5 b4f85b9bdb00281bad25634e199c2ab8d2fda045832b6b87aa677e4019f6e2bd b7bcbf864fdf20b862d293bf7dc91d05dafc8d22fbb195597fd675e6d2b5a46d c5209d3ef6131477df386baba66bba2f086d6d6625cb4164bb6e25af5c5b05f8 d3734658794b114956b89eed4855b01b3fb2ed70f5825c3d388847db02913da6 d4c4cf88609523920f8b06fd04a9422e7d1ea56001c698a78ab236fc67e98656 d9ba3ad58d7e437a966010e62cc58651a3ff2d0219013a40abd10d412763893e

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Packed.LokiBot-9905395-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: zfsGyb
1
Mutexes Occurrences
3749282D282E1E80C56CAE5A 5
gPYvrIIZrEFX 1
uasoIDFPIcgkJxeWqiKzZE 1
PWgzPeLjlLlkGmOIueRUPGm 1
nZQavufWatZROFyXY 1
VQyRAKHjueyTAfuZbQuKXs 1
YPEDHDtuqLPYPAraHmyOkEh 1
bnOFTsdjxRmsAFrn 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
63[.]141[.]228[.]141 3
208[.]91[.]197[.]27 1
131[.]186[.]113[.]70 1
192[.]185[.]0[.]218 1
34[.]102[.]136[.]180 1
172[.]67[.]188[.]154 1
52[.]60[.]87[.]163 1
104[.]21[.]19[.]200 1
212[.]227[.]15[.]142 1
158[.]101[.]44[.]242 1
212[.]227[.]15[.]158 1
127[.]0[.]0[.]1 1
15[.]197[.]142[.]173 1
185[.]114[.]22[.]216 1
213[.]165[.]67[.]102 1
213[.]165[.]67[.]118 1
91[.]238[.]163[.]174 1
31[.]220[.]52[.]219 1
182[.]163[.]126[.]72 1
185[.]8[.]153[.]27 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
www[.]msftncsi[.]com 17
wpad[.]example[.]org 17
manvim[.]co 2
checkip[.]dyndns[.]com 1
checkip[.]dyndns[.]org 1
freegeoip[.]app 1
smtp[.]1and1[.]es 1
computer[.]example[.]org 1
abslevha[.]com 1
www[.]israelemirates[.]travel 1
teachuswell[.]com 1
www[.]easx[.]systems 1
filmarabia[.]com 1
www[.]couragepennies[.]com 1
www[.]theshadedco[.]com 1
www[.]creativehuesdesigns[.]com 1
www[.]kellenkamm[.]com 1
www[.]abslevha[.]com 1
www[.]misteraircondition[.]com 1
www[.]filmarabia[.]com 1
www[.]dacyclinu[.]com 1
www[.]keminadentalcare[.]com 1
www[.]chinhhanghm46[.]site 1
www[.]wildslaskan[.]com 1
www[.]sex8e[.]com 1
*See JSON for more IOCs
Files and or directories created Occurrences
%LOCALAPPDATA%\Microsoft\CLR_v4.0_32\UsageLogs\runme.exe.log 7
%APPDATA%\D282E1 5
%APPDATA%\D282E1\1E80C5.lck 5
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5 5
%System32%\Tasks\Updates 5
\Users\user\AppData\Roaming\7C7955\5D4644.lck 5
\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1160359183-2529320614-3255788068-500\a18ca4003deb042bbee7a40f15e1970b_24e2b309-1719-4436-b195-573e7cb0f5b1 5
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp 5
%System32%\drivers\etc\hosts 2
%APPDATA%\zfsGyb\zfsGyb.exe 1
%APPDATA%\weCBraw.exe 1
%APPDATA%\HSrKJAlLhQ.exe 1
%APPDATA%\JsDdfNd.exe 1
%System32%\Tasks\Updates\weCBraw 1
%APPDATA%\JhPpTk.exe 1
%System32%\Tasks\Updates\JhPpTk 1
%System32%\Tasks\Updates\JsDdfNd 1
%System32%\Tasks\Updates\HSrKJAlLhQ 1
%APPDATA%\kTlGZihJ.exe 1
%System32%\Tasks\Updates\kTlGZihJ 1
\Users\user\AppData\Local\Temp\WAX59FC.tmp 1
\Users\user\AppData\Local\Temp\WER713E.tmp.appcompat.txt 1
\Users\user\AppData\Local\Temp\WER7297.tmp.WERInternalMetadata.xml 1
\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\512234814.exe.log 1
\Users\user\AppData\Local\Temp\WAXF3C4.tmp 1
*See JSON for more IOCs

File Hashes

03f403b32fc64427ca194b41d99460191d799bb0b78142eb649d673d6346bae0 173256731ccf58460e223bac2eafd0f62f81b3e562fc9ee37625b9c603e3fbfa 1d6cac17381e03728882db8d50bef577b65ba46cacd96f12ba3953cd3a50dbc9 31b5a22b7f24374158a0f0efa300d17630c7f88ffcd5fb8626b076cacdd964a8 324e4fa910d84930f2e838e55a0279ca6b299a737a9817f67e847affb79f295b 360a5bae39929248684c319d768bcbcd87a8a1907e9926336b7a7d0c22cd17bb 393c48d1152773df832af27f58231b1ed12bbbc57f47eb8b7ed321e0417c9eaf 5fabc722c8b7c25ddd274453f8510b03c72d639ec1ef6a9541cfb6c3e4de9b13 626a90f43277d782b8e4a0b18576cad6dc33e3f547caea386cabe8971ec6f7b6 71a0771f80052557006cdda3c4c223e88269368324e07b5e58de7736f37ad985 866e6a5726ac586d1e09e2e1fc2dd34e738f3fcc15f598135e861f1c6d18ff11 9473ad59481f78b51f11d1577ff892294dd38ba9aec8c7eb8be6bef21f0e0df9 96e88a52bedfff7b7270c805e1e3e3069a3d4111210a6f568d37e9a9e0ebc88d 9c40045e4cbcdbb4e471da75ebfb077b0d12408a88aa1e925c6ba19fac1c8165 a280dde5cc8e380d57fb6ec9cb725dbe7cc2280c7487daf131c1bc7899177c74 a43e700d308ec72f30fd4098b7d4113b83c244d3679f4b59f26f7f309ebefdcc ab8ce041e1aebd8028334fc076fe5dfb8c8ca7e057f75e856392f4cab449f8af aebbab96f77fcb10285ed70e083e224cb62cbffbe19c9bf5983bbe14935b619b b2637d91d5143b189c7e4a0ba6442ac794b959eaf9acb09a63b5217fda034726 b3ec5ff38b55a4301b8b4505aca5bee8f2409805eb4bee5594bf506bfe57b9b1 b975c7e1bd3e03de91c55dad66174c35f3e2d4416a9cd8f6ede8f7510eae296f bb1317ced122d23448353be57ded7530347445fc3f14994ec293169a9dc628b9 d0a474ecce534b8ebc89fd05112692af4c6b6e948a72ee0b3a28f45ccd3095cf d7cba0f9d81b66b68aae18b632473067fb4b20f540bbde54878f08ccac1dab61 d88c900359615b46fe1e2361268ba54d8f95696bade0644b35202bafc1ebc8c1
*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Dropper.Cerber-9905750-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 38 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 37
<HKLM>\SOFTWARE\CLASSES\LNKFILE
Value Name: IsShortcut
9
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER
Value Name: GlobalAssocChangedCounter
9
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}
Value Name: FaviconPath
4
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}
Value Name: Deleted
4
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES
Value Name: DefaultScope
4
Mutexes Occurrences
shell.{381828AA-8B28-3374-1B67-35680555C5EF} 17
m2562100796 9
{B4810E6F-AA5C-3E54-1818-CCDBE577D2BD} 7
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
149[.]202[.]122[.]0/27 17
149[.]202[.]64[.]0/27 13
149[.]202[.]248[.]0/22 13
172[.]67[.]2[.]88 7
104[.]20[.]20[.]251 6
104[.]20[.]21[.]251 4
87[.]98[.]175[.]85 3
23[.]94[.]5[.]133 3
45[.]56[.]117[.]118 3
5[.]9[.]49[.]12 3
144[.]76[.]133[.]38 3
89[.]18[.]27[.]34 2
108[.]61[.]164[.]218 2
45[.]63[.]99[.]180 2
141[.]138[.]157[.]53 2
45[.]32[.]28[.]232 2
45[.]63[.]25[.]55 2
213[.]161[.]5[.]12 2
13[.]107[.]21[.]200 1
185[.]133[.]72[.]100 1
96[.]90[.]175[.]167 1
5[.]135[.]183[.]146 1
193[.]183[.]98[.]154 1
84[.]201[.]32[.]108 1
104[.]238[.]186[.]189 1
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
www[.]msftncsi[.]com 23
wpad[.]example[.]org 23
api[.]blockcypher[.]com 17
hjhqmbxyinislkkt[.]1j9r76[.]top 17
www[.]bing[.]com 9
btc[.]blockr[.]io 8
bitaps[.]com 8
computer[.]example[.]org 4
zz[.]dfkecvowerfwd[.]pro 3
health[.]worldwidecons[.]ltd 3
chain[.]so 1
isatap[.]example[.]org 1
_ldap[.]_tcp[.]dc[.]_msdcs[.]example[.]org 1
Files and or directories created Occurrences
%TEMP%\d19ab989 17
%TEMP%\d19ab989\4710.tmp 17
%TEMP%\d19ab989\a35f.tmp 17
%LOCALAPPDATA%\Microsoft\Office\Groove1\System\CSMIPC.dat 17
\Users\user\AppData\Local\Microsoft\Office\15.0\OfficeFileCache\CentralTable.accdb 17
\Users\user\Documents\Documents\resume.docx 17
\Users\user\Documents\Documents\resume.pdf 17
\Users\user\Documents\Documents\resume.rtf 17
\Users\user\Documents\Documents\resume.x.odt 17
\Users\user\Documents\Presentations\Presentation 1.ppt 17
\Users\user\Documents\Presentations\Presentation 1.pptx 17
\Users\user\Documents\Sheets\budget.5.xls 17
\Users\user\Documents\Sheets\budget.xls 17
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp 17
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.bmp 17
<dir>\_READ_THI$_FILE_<random, matching [A-F0-9]{4,8}>_.hta 17
<dir>\_READ_THI$_FILE_<random, matching [A-F0-9]{4,8}>_.txt 17
<dir>\_READ_THI$_FILE_<random, matching [A-F0-9]{4,8}>_.jpeg 17
\Users\user\AppData\Local\Temp\24e2b309\1719.tmp 13
\Users\user\AppData\Local\Temp\24e2b309\4436.tmp 13
\Users\user\Documents\Documents\resume.docm 13
\Users\user\Documents\Documents\resume.dot 13
\Users\user\Documents\Documents\resume.dotm 13
\Users\user\Documents\Documents\resume.dotx 13
\Users\user\Documents\Documents\resume.x.xml 13
*See JSON for more IOCs

File Hashes

0085bd626daf5156f1a672802339e9ebbbe8f6a66c3bb13515cb1c49981ecec8 04e55f268a68c429344e533486adcd69d00863d415b40cd90f31f3753ede5fb9 0cbedf858fbd020acaffa48d12555bc1e994cce29dd331595f4e3203328de0fa 10835bc265400c7f33720d8ba9f7c6e6543c0ed871fd254436b245fa27d01283 1342077811316fa66f11d7970706df218ccad26f2f3748d485a2499e85d4fab9 1cae2c61a36a26906a5bbfd85a8c496437a394f1b0768ac2c3bceb145e1962d1 23c8721a7117f3b42b9e6fad0c7ca903b8e3129cbe820b8f6cee34d22655523a 24205c177a537ed399ce06f6a9ffc388f53edf9e7dd998f25e6c1a805ba96cde 298b36734b89ad5870f63024776b22a00a56e42e258bdf83dd09d9bcd7c5ddc6 307a6c1bce8bb09f91cb6aa33209e5554c37658a0bd088721c6bde45f63e1ac2 347df449a6a471ada6c093e0ef87a3f2f86b90b28a2bbe101c2ac28cfcdab970 4f1dade52ca6707976732a24a7122f72c980993c01d4b83ab83c995579c8787a 5081f1c6d6d0875f379607a33e46d2dc27ce5c75b560df0f622e61d91aa68897 5378ed0d2b83cd84c1d289b93c75ca5d6ebc2eb2de53c381f6304024a7d5543d 5f95fd5e52582a6590fe9111c7cda76d46174e9061d697b1d3a647d1feea8abc 609ff2be98c9dccc051d46e776e2ba480cb81e447cea240331390965fe4b37b1 62f268943ee600f2fd8334efe27a5123567c3077413cc593c3c90e71ff6e1540 6fafa62e3aff870e9ce357d44d4a14d3685581b95a6fdae336b3997f95128870 70d685d975aef0fc0dbc447107328b2ba3c39c1c6aad518d884d2bb4d68bc293 715a947394afb031f2dc3ef04df77d05512d82177b932d658d7a8d303d99b4eb 7762c920f5aeae107917ca16b0a336a382a1db8da1bf3bdb9d6a7f264b7960d9 795e415e33b3a05b0a05ac6ea20cd35484a9fde5e1e0053c579fc9c205f627f5 83ddd4dfb18009c5f2a566caaf1ddcc2e7817d68b8034d241c03dfa0e2c0f595 8e2884fd370a1ad78a9ca16464c8a7c38ed3fc9d75faf21833175725e45ce4ad 923d93d56bb66ca4dd50bcbaae74af4bd289a8acfa4c851b60f748aa5265706d
*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

Process hollowing detected - (11104)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Expiro Malware detected - (2031)
Expiro malware is unique in that it infiltrates executable files on both 32- and 64-bit Windows systems by appending its viral code to the host. It can be used to install malicious browser extensions, lower browser security settings, and steal account credentials.
A Microsoft Office process has started a windows utility. - (1902)
A process associated with Microsoft Office, such as EXCEL.exe, OUTLOOK.exe or WINWORD.exe, has started a Windows utility such as powershell.exe or cmd.exe. This is typical behavior of malicious documents executing additional scripts. This behavior is extremely suspicious and is associated with many malware different malware campaigns and families.
Excessively long PowerShell command detected - (1572)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
CVE-2020-1472 exploit detected - (828)
An attempt to exploit CVE-2020-1472 has been detected. Also known as "Zerologon". This is a privelege escalation vulnerability in Netlogon.
Dealply adware detected - (785)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Reverse tcp payload detected - (595)
An exploit payload intended to connect back to an attacker controlled host using tcp has been detected.
Malware dropper detected - (593)
A malware dropper has been detected. A dropper will download or unpack addtional malware during it's execution. A variety of techniques can be employed for the payload to gain persistence and escalate privelege if neccessary.
Crystalbit-Apple DLL double hijack detected - (588)
Crystalbit-Apple DLL double hijack was detected. During this attack, the adversary abuses two legitimate vendor applications, such as CrystalBit and Apple, as part of a dll double hijack attack chain that starts with a fraudulent software bundle and eventually leads to a persistent miner and in some cases spyware deployment.
Signed binary proxy execution using rundll32.exe or regsvr32.exe - (206)
Malware has been detected using rundll32.exe or regsvr32.exe to execute additional malicious code. Several different malware families, including Qakbot, BazarLoader, Hafnium and Maze use this techinque.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.