Friday, November 12, 2021

Threat Roundup for November 5 to November 12


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 5 and Nov. 12. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name Type Description
Win.Dropper.Kuluoz-9906192-0 Dropper Kuluoz, sometimes known as "Asprox," is a modular remote access trojan that is also known to download and execute follow-on malware, such as fake antivirus software. Kuluoz is often delivered via spam emails pretending to be shipment delivery notifications or flight booking confirmations.
Win.Trojan.Tofsee-9906687-1 Trojan Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click-fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages to infect additional systems and increase the size of the botnet under the operator's control.
Win.Dropper.Fareit-9906313-1 Dropper The Fareit trojan is primarily an information stealer that can download and install other malware.
Win.Dropper.Nymaim-9906679-0 Dropper Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain-generation algorithm to generate potential command and control (C2) domains to connect to additional payloads.
Win.Dropper.TrickBot-9906689-0 Dropper Trickbot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VBScripts.

Threat Breakdown

Win.Dropper.Kuluoz-9906192-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 69 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 69
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'> 69
<HKCU>\SOFTWARE\XNDQWFAL
Value Name: saalmdpq
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: vrdsuanh
1
<HKCU>\SOFTWARE\UBKDDXHX
Value Name: mdjrdtlb
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: dekjtufv
1
<HKCU>\SOFTWARE\SXLEVULR
Value Name: kmaxhebd
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: rhexocwd
1
<HKCU>\SOFTWARE\CPLFEVDG
Value Name: srslhwbv
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: oawidcqj
1
<HKCU>\SOFTWARE\CPAGQABV
Value Name: imlvmnbi
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: joocbsdq
1
<HKCU>\SOFTWARE\BNTIPEWG
Value Name: ueangwke
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: jgpdveiv
1
<HKCU>\SOFTWARE\QTTISAMA
Value Name: rnvaxhxh
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: qfhrdtpr
1
<HKCU>\SOFTWARE\GNBKNCFN
Value Name: jnrqktqb
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: fwhpibmc
1
<HKCU>\SOFTWARE\PQTDJSEE
Value Name: rbcxmjse
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: tfoxxhqg
1
<HKCU>\SOFTWARE\JRMMRSGV
Value Name: bemwgapm
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: xrjbjxre
1
<HKCU>\SOFTWARE\GWKSMKND
Value Name: sdkabnue
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: wmrdbsbk
1
<HKCU>\SOFTWARE\FVCPXDNG
Value Name: cebigupq
1
Mutexes Occurrences
aaAdministrator 69
abAdministrator 69
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
37[.]59[.]24[.]98 51
96[.]30[.]22[.]96 50
74[.]221[.]221[.]58 46
195[.]28[.]181[.]184 46
110[.]77[.]220[.]66 45
85[.]12[.]29[.]254 44
82[.]165[.]155[.]77 44
69[.]64[.]32[.]247 43
Files and or directories created Occurrences
%LOCALAPPDATA%\<random, matching '[a-z]{8}'>.exe 69
%HOMEPATH%\Local Settings\Application Data\efcggqxj.exe 1

File Hashes

000bea950f66052cf937547d1f18bc47a1c6ff6d2d7d03bc09d60aa9c9b1c770 00e8fa17d90f77afadd8f255dca53b15d7f4c91719452d616b0cf663f9aeea99 033755fcc85dad80db7a94ea2dc178dc2cc823fe7b46084fd0ed20645b593290 037e90d5a83ea1360c1c74b34e3d648ba8645b32d9de456756e8ba6acac86d6d 04c74fa81fdd718c985fde6a502f1ed93a0d34255dc21b546fcc25425da9f31e 086985abecc0ee9c6b4caa28e74d3190994dbddae40524eb955526ad5be9f067 08de3a669a95eab65d9b95ecf7ed4085e162badd7b11b3ad126be4d9836d33e4 1ba2d5d15ede307fa5a969eb66654f4d485fc144e370531451c43dc6409737d9 1f18d7fcd14fa41d8256a373437ccfd3e0d0d4f80c41daeda99cfd493735acc8 1fb1390e6f86cc5eb108a6a38484fa91baf867622e7384d4777b7b12215cab8c 27862adbd6ba16a82915102b7cfbf36f25c7be6b7e0464a7bcd731c9c5c67316 36971d72adc866b317be68ddf5b3471825049a81231b53c5cfdacb292d49b4d6 39781b0d4b88226ae7cc4711c9d4724ee9010e9f543be7fbd3d31564d89546dd 3a36245e815538d2f84d05af6b1d71f81dd9c284cac1c0ceb2145d9f1bb9a7e9 3ca7c310670af06b7e57e5317283e03c2aa630b72f2d99f93734d960bf19040b 40023d8e643d0c49199f1d34beb4c79856f30cc155ff8f93300b9cca70affb0c 410c8127cf6d7bac2cb13d84dd8415aabc5831bdb617b49e8d28d024db906c51 42ca7b17fa816bf7dfdee073fd077f2327e31ae15f386c087912757894e2ac0a 44837ce7705a1c03338d220d186564930bcb1e739af90f04cd415b37b5719b90 48179cd3f777d239fb1f14ac8ed1472dd8c9dec65414b92953b5d67faad4f9b7 50fd2544836d5623d86f94307583fe7a4c88b11cdaa84f3f6b5a03a8631e8c0a 64d3d27a53d3cde1729f8897a09aac19557121ede477e4a1d18a86ef33b2d675 656ee6200af32f34de24c591ebb45d5652f30a435ce84abb6c8c04cd91e07500 696629d6b4f9965ec8cf1cc9cefe973f907731e8c6fadd1189413d63f4390b30 6a338dd0339ab184d2fa547e4a05b6cf94632dc3a03fb351ca703cea3f7f2262
*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Trojan.Tofsee-9906687-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 56 samples
Registry Keys Occurrences
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config4
56
<HKU>\.DEFAULT\CONTROL PANEL\BUSES 56
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 56
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 56
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
56
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
56
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
56
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
56
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
56
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName
56
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description
56
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config0
56
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config1
56
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config2
56
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config3
56
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath
35
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\ffbmdows
4
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\ccyjaltp
4
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\bbxizkso
4
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\vvrctemi
4
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\eealcnvr
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\qqmxozhd
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\ttparckg
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\xxtevgok
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\hhdofqyu
3
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
185[.]7[.]214[.]171 56
185[.]7[.]214[.]210 56
185[.]7[.]214[.]212 56
45[.]9[.]20[.]187 56
45[.]9[.]20[.]178/31 56
85[.]143[.]175[.]153 56
193[.]56[.]146[.]146 56
192[.]0[.]47[.]59 54
157[.]240[.]229[.]174 53
144[.]160[.]235[.]143 50
103[.]224[.]212[.]34 49
125[.]209[.]238[.]100 49
211[.]231[.]108[.]46 48
74[.]208[.]5[.]20 47
117[.]53[.]116[.]15 46
96[.]114[.]157[.]80 45
212[.]77[.]101[.]4 45
64[.]98[.]36[.]4 44
67[.]231[.]149[.]140 44
64[.]136[.]44[.]37 43
51[.]81[.]57[.]58 43
216[.]146[.]35[.]35 36
67[.]231[.]144[.]94 35
172[.]65[.]252[.]97 35
193[.]222[.]135[.]150 34
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
249[.]5[.]55[.]69[.]bl[.]spamcop[.]net 56
249[.]5[.]55[.]69[.]cbl[.]abuseat[.]org 56
249[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net 56
249[.]5[.]55[.]69[.]in-addr[.]arpa 56
249[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org 56
249[.]5[.]55[.]69[.]zen[.]spamhaus[.]org 56
microsoft-com[.]mail[.]protection[.]outlook[.]com 56
microsoft[.]com 56
www[.]google[.]com 56
quadoil[.]ru 56
aspmx[.]l[.]google[.]com 55
whois[.]arin[.]net 54
whois[.]iana[.]org 54
www[.]instagram[.]com 53
mail[.]h-email[.]net 50
al-ip4-mx-vip1[.]prodigy[.]net 50
mx1[.]naver[.]com 49
park-mx[.]above[.]com 49
mx1[.]hanmail[.]net 49
mx-aol[.]mail[.]gm0[.]yahoodns[.]net 48
naver[.]com 48
hanmail[.]net 47
mx00[.]mail[.]com 47
www[.]youtube[.]com 46
nate[.]com 46
*See JSON for more IOCs
Files and or directories created Occurrences
%SystemRoot%\SysWOW64\config\systemprofile 56
%SystemRoot%\SysWOW64\config\systemprofile:.repos 56
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> 56
%TEMP%\<random, matching '[a-z]{8}'>.exe 52
\Users\user\AppData\Local\Temp\wfowkckt.exe 2
%TEMP%\zsnzdsd.exe 1
%TEMP%\afpfty.exe 1
%TEMP%\atoaete.exe 1
%TEMP%\cvqcgvg.exe 1
\Users\user\AppData\Local\Temp\hdssxekb.exe 1
\Users\user\AppData\Local\Temp\gzkalibu.exe 1
\Users\user\AppData\Local\Temp\hzryxozg.exe 1
\Users\user\AppData\Local\Temp\cumtsjub.exe 1
\Users\user\AppData\Local\Temp\xtiinuar.exe 1
\Users\user\AppData\Local\Temp\fsbyzeqd.exe 1
\Users\user\AppData\Local\Temp\xhmzgbap.exe 1
\Users\user\AppData\Local\Temp\pqoybuzk.exe 1
\Users\user\AppData\Local\Temp\jwfcdiuh.exe 1
\Users\user\AppData\Local\Temp\lqaqej.exe 1
\Users\user\AppData\Local\Temp\msnqziid.exe 1
\Users\user\AppData\Local\Temp\uniuyny.exe 1
\Users\user\AppData\Local\Temp\xqbrczsl.exe 1
\Users\user\AppData\Local\Temp\vocogacp.exe 1
\Users\user\AppData\Local\Temp\uzjzns.exe 1
\Users\user\AppData\Local\Temp\yvgljtqn.exe 1
*See JSON for more IOCs

File Hashes

0116e2cc42cc67d4ee0fbd26b113a2883c9ef920dc84bb7ab622d1bf8851763f 02c7359dcb84754d1582eab7ef5f16938ee9cf88a83d150c1470a6b3b24bf31c 03fb15b85a5b40369f8e392427ea5f004447c90273b01ccbcbdff27d0fd5620b 0c4c84401bc57951c1add588817d96cae70469c0ad699b2c154855a730cf8afa 11bb33bf6c4dcf920e28a36b061353e87e314236faebe4563c3fa5c877230404 158001d30d5d3768e6fe0f1a1d7bf1ad0da65241a6f01196150b5cf8a52b9623 1d5f62d3687343709946d1bf46ed5e91b4659e376261a499722cf071d14a2e32 20db1c12886f165778eaabff78196c7166b43b18767d802373150408870b7d99 2a6ff1d92b275b5479f724cacbef20a3757227d7bf7f943c5a91609a370cf006 2aa24f0c26531e9222de7e2ce6f0453e0465a6545ac7accb5f9ffc1983fa4f9d 2ee90707f21676ebaf7e821bf02f24d56d1a7be273c8aa129eb60cacd09f19df 2fbb49dd038c61306b7c32663dcf6f6f5545b1538c90464c148980c69f4331b3 322f25513dc717ec609771e4988d5a962dd5b980bc4bf372d206ab991c092382 345af13820aaefd07456b97821b597c8c020c907541e25c32f304c4a1a3f324a 348d21e49e7bad86d434423c8052dd72bb27d9a9f43d6b2471a1063261c69c35 354f4a167b2bbdbdd1e8d36f26c4524f1454abb79e745c1a0a3945e9bb1ddeef 35b7bbf1581e93fad329c50307ae2f68964bf8866e437d308c56eda819acb8d7 40bfcd3518b19ded7d92a6930ab6e410002c333fe327044800599a95ee67e225 41f7a9f6f6ec0cd336288c833ba746c5d40dc7d49f3f5717e89d8dc74714d478 4de8148701b1fe0a054b13829fb3763a8645b6468463de3e38f33526307f9e8b 5d21753e0586d127c06cde17551bd702e449dfa8a4aca6ff1116251ff1fe7177 5e6fb10b614e5ea6832ca853f3c43c4943499ac63097fd57c980babf7e707cd4 5f5b0da28419c1a133e4949a129f2ae17db34fb3e64ce2c9dc84d91239c50082 5faa85eae77192413b213ae22e30a68a6e0b20e1c1d78a2663ed0c70a713be67 61cbe9585ff80a96da97ce3afcaccce268b72d089ba88abc417642aa3365dddf
*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Dropper.Fareit-9906313-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 17 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\WINRAR 17
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 17
<HKCU>\SOFTWARE\WINRAR
Value Name: HWID
17
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003E9
Value Name: F
17
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000001F5
Value Name: F
17
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003EC
Value Name: F
17
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
192[.]187[.]111[.]219 7
63[.]141[.]242[.]46 4
81[.]17[.]18[.]194 3
81[.]17[.]29[.]146 3
209[.]85[.]201[.]94 1
173[.]194[.]204[.]94 1
101[.]99[.]75[.]152 1
74[.]125[.]192[.]138 1
173[.]194[.]206[.]100 1
209[.]85[.]144[.]99 1
173[.]194[.]205[.]84 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
ru[.]agulino[.]com 17
wpad[.]example[.]org 2
computer[.]example[.]org 1
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com 1
clientconfig[.]passport[.]net 1
Files and or directories created Occurrences
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\filename.vbe 17
%APPDATA%\subfolder 17
%APPDATA%\subfolder\filename.bat 17
%TEMP%\-<random, matching '[0-9]{9}'>.bat 17
%HOMEPATH%\Start Menu\Programs\Startup\filename.vbe 1
%TEMP%\748562.bat 1
\Users\user\AppData\Local\CrashDumps\506825654.exe.2384.dmp 1
\Users\user\AppData\Local\Temp\WAXBDBC.tmp 1
\Users\user\AppData\Local\Temp\WERBF82.tmp.appcompat.txt 1
\Users\user\AppData\Local\Temp\WERBFB2.tmp.WERInternalMetadata.xml 1
\Users\user\AppData\Local\Temp\WERCABC.tmp.WERInternalMetadata.xml 1
\Users\user\AppData\Local\CrashDumps\506825708.exe.3876.dmp 1
\Users\user\AppData\Local\Temp\WAX3C1E.tmp 1
\Users\user\AppData\Local\Temp\WER3F0D.tmp.appcompat.txt 1
\Users\user\AppData\Local\Temp\WER3F6C.tmp.WERInternalMetadata.xml 1

File Hashes

03eee9c470a2987fe0a045530c2efd0bbbab9eeb5b91a893e682cf144e252107 18e5a593d4a89648b43f86383568469612c4f61d4b8361df299e1fdbe9ac42f5 34c862548b46506e25df6187be15486a2bc0de85b7e2b02b12745df7145faf5d 56d50fb071eb481a83ae011eb7a31fd6bee268fba1b0fe7aa880f6a108f9f682 5bdaafdaeb1ad0f8455de525022d95d40362d2766e78bd9eeecf7acf3426564e 666fdac0254a22535178f4cc056de7c43372359a1a9fc83c9b558770d278bc84 6be0f0991eebcdd021444994c3c812a89924b04b8ed27282e18b747305f27bf7 71ca1ab8c327e81b97f9b93684f6a2f8de7b194f4d20b65bad89660fdb04982c 94c9c78a6d2e0b1808bbbde2a69f32464c74c8ad0f902b0a7aea75d443db1866 9523e53935a018bbe2a297ba95578a7e988a0a402eed2a97cf46a41f797de971 9edb3091593479d03685b13b2eaa0104fb84bdc785c46cf70bb8e105e6589620 b46d16b74e5c430126372a5027108704074ebf5a87b1dc0634f41bc119b460dc c94368d73c897f193f7dd20d749d2348fa80f818d19b27888c28bc8e41ccd262 d3873c324768de351219c9e50a33cecc3d15ab568064591ff9857fff86780c76 e0e0854a4bcd7bb49292b001954e76ea3aaa8639839073e35a72adf88e3a25cc e1a572394b381e7ae7cca254ab171eb975f9e4e0be7480b01fb751be14712fe0 ea1c77d4d703fe6825dfa9e406b84375384719f21f3250b93cd3e7550c685bec

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Dropper.Nymaim-9906679-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 23 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\GOCFK 23
<HKCU>\SOFTWARE\MICROSOFT\GOCFK
Value Name: mbijg
23
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 22
Mutexes Occurrences
Local\{1181F583-B634-69BF-E703-D4756599024F} 23
Local\{180BBEAD-0447-044A-68BD-247EB6D0E352} 23
Local\{18DD7903-1E96-FEAF-92BF-014008A1248C} 23
Local\{92502033-C012-7F46-D6A8-0AC972DF6662} 23
Local\{25754F3F-7A37-56CA-31BB-3C9D33DA226B} 23
Local\{8B75523D-CAF4-D06B-A2AD-13EEF593AC52} 23
Local\{D2CC4CCA-CB77-CF10-8293-17C78DEC853F} 23
Local\{67EB9FBC-0AC5-BAD6-80A0-015E2C7D43E8} 23
Local\{F78DA135-BD1C-3BA1-2EC7-6B375301FFDF} 23
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
microsoft[.]com 23
google[.]com 23
hkzqekcz[.]net 23
zrailjorqed[.]pw 23
nckynkrjg[.]in 23
xxrwudfhbr[.]net 23
iuojcbwlb[.]in 23
gjlngkx[.]net 23
nmovreiit[.]in 23
gpuxnhtdhztg[.]in 23
xpbyti[.]pw 23
nlaoyufe[.]in 23
syffllqlu[.]pw 23
phgrcrm[.]net 23
qbpqbucz[.]in 23
hdrqny[.]pw 23
emcqaelhfn[.]pw 23
www[.]msftncsi[.]com 4
wpad[.]example[.]org 4
neolx[.]com 1
rqdptmnlyy[.]pw 1
arlllswc[.]com 1
gjyttpvb[.]net 1
ytfalkcclaw[.]in 1
afoctlamhq[.]in 1
*See JSON for more IOCs
Files and or directories created Occurrences
%ProgramData%\ph 23
%ProgramData%\ph\fktiipx.ftf 23
%TEMP%\gocf.ksv 23
%ProgramData%\<random, matching '[a-z0-9]{3,7}'> 23
%APPDATA%\<random, matching '[a-z0-9]{3,7}'> 23
%LOCALAPPDATA%\<random, matching '[a-z0-9]{3,7}'> 23
%ProgramData%\jzk\icolry.ylg 5
\Users\user\AppData\Local\Temp\qnvgtx.eww 5
%TEMP%\aneba.qsz 1
\Documents and Settings\All Users\wrg\orjdwj.ppt 1

File Hashes

0a5a39e943850137bf7296a9b11e9af5c0e05e391c3381733cc2f03020208b12 1657415b3e51540e23ecb6fdc619978af4463ce9e9c880f5e4f0ef1558297040 1984124ab6ba6f3fdb04ff885408c9f4f35f22d8d07746ddd2a585cb412fde6a 2f9fd8377a8e7bfbe6b13198d578d06b883402a5084f6c1c5c4cdebabfbd8fce 305b0c43a3c29d6153f0636d77032debf4fceabc2c035d48268a09692ae6cd20 31181eee5991422042784e1f845d11a32e1381aea1d8009e7090d88393ba98bc 386f665bedb4efaef8d7c12d11e49d1fd488a5a2a543588762897fdc64caf858 3a95f93f80be8d0cd76705da445da77c1d498a8aba99ee222f8e451e81aa1454 3f438f5360c449ba9d1d9349c6a0fa2fcab962a89cdc16581ebc1fea79051768 51e01e124b5faa392ae3517603049fea41a5c13a6ec82aa3fc23c2db41961189 5395c7598ca1145728fe0ed9f2422bf8d7cdc5a4aefee9c66e9a4be014a39753 5d94592ee0b18888cec53c526984a7a2505c757b66d17986f3f237c3ac843c20 61753686a9b172316b339850fe425602122dadc8b9a880b6d8fe11a2061faf77 6300fa292145cb7ad0810ae32eb5742f3eb71fe36986eb15bc5bccf6a7c15b50 73f6323cdc4c439a7ee8626daf5a8219f5d2d91498acf3161abc8764e3150277 75df28107d722b325ca55f1639be556839b1ab5ae99256008edc8bcd469b30f8 84d6081d0a956de98053024cc863b23e15b842d6677a4ee22b00c5d63b10ee6b a9c642d3899cf12cceff9fef3c83a36794b6ccb6539c8a778b0809ecc74ee6ce b28275a44a8d9a4e8ac0740384d48df297fd59b12d6c0a22c74256bc6cbc4cb5 d91e71f0ccf719c2242aa8ffa03d675ce6c536c50b5da571f6ae87f1076c7c9b dad54799bb4ffc4866978c7c655eae50bb1274b586dcf194f3fd64863d301e84 de1c74e3225d1170fa8494b327b2944b7e31968f4f5fedf17390ead6f3fd7691 f79946e8464c138f028b3d4ce15f04579b16600f49680a5e53a1c99ffae31007

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Dropper.TrickBot-9906689-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER
Value Name: DisableAntiSpyware
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: DeleteFlag
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start
25
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION
Value Name: DisableBehaviorMonitoring
25
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION
Value Name: DisableIOAVProtection
25
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER 25
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION 25
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION
Value Name: DisableOnAccessProtection
25
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION
Value Name: DisableScanOnRealtimeEnable
25
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 25
Mutexes Occurrences
Global\316D1C7871E10 25
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
72[.]22[.]185[.]200 15
72[.]22[.]185[.]208 9
160[.]72[.]43[.]240 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
crl[.]microsoft[.]com 25
Files and or directories created Occurrences
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5 25
%ProgramData%\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_d19ab989-a35f-4710-83df-7b2db7efe7c5 25
%System32%\Tasks\Windows Network 25
%APPDATA%\wnetwork 25
%APPDATA%\wnetwork\Data 25
%APPDATA%\WNETWORK\<original file name>.exe 25
%System32%\Microsoft\Protect\S-1-5-18\User\496a850c-d71a-4ccc-b3de-e64e84a540af 18
%System32%\Microsoft\Protect\S-1-5-18\User\13022768-a353-4a4c-8032-ece2f429bad3 7
%TEMP%\<random, matching '[a-f0-9]{3,5}'>_appcompat.txt 7
%TEMP%\<random, matching '[A-F0-9]{4,5}'>.dmp 7

File Hashes

0205f7cb31c95adeab976245edd2808d58a066e39f8bc953a3e10347189f61ca 0295aa15b36df5df2c8beba2e056a50efe5a88bcc8d07adefaf262a54d27ac18 0ec324720fb6f0af3f230556949689f2fee2ecd529c8a513c7f12c096eae0758 157958a490ec7591a3318c783691ce26e8f525f5c88367341cbfa5aca577586e 1a3cd06480513c10bd6c487e9bb015111ec4e17bfe26312f769233ab7e22f7f7 2413d734d5844c4bda1641d3a06669c6918f22308f45fef63e0b3a3d32c815a6 342477e56614066942a58b31dfb00f2dbaddc041738bde17bb701eb7c2a6c012 442cf13192bc89185839b955a2a21f6a16a1ca028208cb332f930a33367e2814 4bb1d3c102a9319ee88afed519dea172735f763b55859085ca0a145ceeee6b82 54eec51d0cc063797c45dc68f4a0b4376246893b8c799cabaa62be3b288947b7 586126be0b9bf36790dfbd9dea8ceb927df1d4c94745c306e93062aec647b0b0 6086f48f02196b9db367b87819e0d4b8ecc381971c63fde3b8dbb871341a2e5a 7fc8d238f3ff3bd7d77e18111763ac554c2d289643dc077b2253f8ee1d575926 94b83154ffbc39c28cd5a461ad264bb5cea73822d7d1a4ca5471a6ff8b28569c 967366fbebcf26142423b0df333ea09ae01cc728d5ab54edbcd387030afcccde a36b2cac421b101c599d704dd66407e652cc056e9d58abf52d46b5f8b23f20f1 a3bf700a4f33a7852820daa9d580c2e9f8a9e21e04670212d64a9a4884ae065c a412aa575f67c189ea62191942acbe30db28548f2a900019c8a3368ce8d3ec81 ba1ff4f69508562ea2c62a39861c7281176b979e200d1ebb95e32338f936a490 bc775c4705a8724ff10e0a946b510017c5e762ea1877a22a1897db34a1e6fabe c082233374ed32db6a234c6901cda079466eb9e0746a07c4625c1e68d2ffbccc c4c1ced7f088f61260705540b870ffe4e33af54ef4a1e86f1ef5729ef349bb75 cd133a17f8aeaa36f510595c5fc11e22fb40fbb88150fab1971d1094e75e7611 d294e9b17cbda134bfe607cc2e214d2c689c582bc7a94f24588df028814bd928 d32532cc718758d511caf22a6238049d422c0e12b60a0146a845e760b34e2d1a
*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





No comments:

Post a Comment

Note: Only a member of this blog may post a comment.