Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 21 and Jan. 28. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found herethat includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted.  There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name Type Description
Win.Trojan.Gh0stRAT-9937599-1 Trojan Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the Internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.
Win.Malware.Barys-9937004-0 Malware This is a trojan and downloader that allows malicious actors to upload files to a victim's computer.
Win.Trojan.Emotet-9937498-0 Trojan Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads that is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Ransomware.TeslaCrypt-9937465-0 Ransomware TeslaCrypt is a well-known ransomware family that encrypts a user's files with strong encryption and demands Bitcoin in exchange for a file decryption service. A flaw in the encryption algorithm was discovered that allowed files to be decrypted without paying the ransomware, and eventually, the malware developers released the master key allowing all encrypted files to be recovered easily.
Win.Virus.Xpiro-9937153-1 Virus Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.
Win.Trojan.Gamarue-9937156-0 Trojan Gamarue, also known as Andromeda, is a botnet used to spread malware, steal information and perform activities such as click fraud.
Win.Dropper.LokiBot-9937195-0 Dropper Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from several popular applications. It is commonly pushed via malicious documents delivered via spam emails.
Win.Worm.Ruskill-9937238-1 Worm Ruskill, also known as Dorkbot, is a botnet client aimed at stealing credentials and facilitating distributed denial-of-service (DDoS) attacks. It spreads via removable media and through instant messaging applications.
Win.Malware.Swisyn-9937249-0 Malware Swisyn is a family of trojans that disguises itself as system files and services, and is known to drop follow-on malware on an infected system. Swisyn is often associated with rootkits that further conceal itself on an infected machine.

Threat Breakdown

Win.Trojan.Gh0stRAT-9937599-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 15 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Vicity
15
Mutexes Occurrences
107.163.241.193:6520 15
M107.163.241.193:6520 15
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
107[.]163[.]241[.]193 15
107[.]163[.]241[.]185 15
107[.]163[.]241[.]186 15
123[.]126[.]45[.]92 15
127[.]0[.]0[.]1 15
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
blogx[.]sina[.]com[.]cn 15
blog[.]sina[.]com[.]cn 15
wpad[.]example[.]org 15
isatap[.]example[.]org 12
computer[.]example[.]org 12
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com 10
www[.]msftncsi[.]com 9
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com 8
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com 3
Files and or directories created Occurrences
\1.txt 15
%TEMP%\<random, matching '[a-z]{4,9}'>.exe 15
%ProgramFiles%\<random, matching '[a-z]{5,9}\[a-z]{3,9}'>.exe 15
%ProgramFiles%\<random, matching '[a-z]{5,9}\[a-z]{3,9}'>.dll 15
%ProgramFiles%\<random, matching '[a-z]{5,8}'> 14
%ProgramFiles%\wqlnh\11121541 2
%ProgramFiles%\ttyab\11121541 2
%ProgramFiles%\ypjyu\11121541 1
%ProgramFiles%\ylyaf\11121541 1
%ProgramFiles%\wuywxip\11121541 1
%ProgramFiles%\qoljnjtig 1
%ProgramFiles%\fdglc\11121541 1
%ProgramFiles%\cjrta\11121541 1
%ProgramFiles%\qoljnjtig\11121541 1
%ProgramFiles%\ljxmc\11121541 1
%ProgramFiles%\qvmsi\11121541 1
%ProgramFiles%\tgujy\11121541 1
%ProgramFiles%\txyht\11121541 1
%ProgramFiles%\aeimva\11121541 1
\Users\user\AppData\Local\Microsoft\Windows\INetCookies\F1Q15FWK.txt 1
\Users\user\AppData\Local\Temp\jnpxp.exe 1
\Users\user\AppData\Local\Microsoft\Windows\INetCookies\OPEM3C0J.txt 1
\Users\user\AppData\Local\Temp\yqjbz.exe 1
\Users\user\AppData\Local\Microsoft\Windows\INetCookies\CCVG1JNG.txt 1
\Users\user\AppData\Local\Temp\jcmex.exe 1

*See JSON for more IOCs

File Hashes

0013fc5b7e07f0f06844e261f00f50200d0fe3411bdf38ed6f6655ad298df174
2836737970fbda61a07469d8f39968b79147055818d9e4ae85734321a1d46bfc
3378940f5207dff8db9df41a405f8bedf8b89356215b01d5e8e3b954f9946734
448e61411c386eb4d6957930887ec3f5b3f9bfb98878e39be6507ef9ae8c4f48
60bb92e9d7d7cd4d6137e17e4b084cf04b3a6a90c67c3ab69c1e78c33a5efa2f
6226be638e8f7d40afd624f3eb10b4800d5cf19dcd225f07e3791dab43de93ae
6f964e2cf1d5e507d111086230d93153c49e4f23d236fc32980eeec6b6cdbedb
84d94a886082a4e5315753020f77b65d9bbe5c1e0da8f10a72dad39cb6fce8d7
96229c19d2695b9b745677ee982178f9a1b74c3314121f35a5ef83682384e10b
9ddaff6849586a28db826517031fbbb7c5db226310318d11163a9ed21020ff6b
9f5a76b780a94b32417b4ae65e535cfa399a567cc525ba2f22db11acc53b2592
d0ae8ca797a14cb5e5c04716c18785c5cd28067d668a754f25f4f97186bfa45a
ee63476984a4d4ddfcdb26a439c1368a4ded8d345aaefae89cabe7d1b2d94a37
f8a2478c21bc4cd08b849636bb49818f92096929863cac9d9d7f651dec829ff8
fe72de54ba6bbfd9e59c78f7fb2d55b2bd0c30cad1a5976a1ab9d926a63d233d

Coverage

Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK


Win.Malware.Barys-9937004-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 12 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\POLICIES\MICROSOFT\INTERNET EXPLORER 12
<HKCU>\SOFTWARE\POLICIES\MICROSOFT\INTERNET EXPLORER\CONTROL PANEL 12
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABC2.0 12
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABC2.0
Value Name: Type
12
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABC2.0
Value Name: ErrorControl
12
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABC2.0
Value Name: DisplayName
12
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABC2.0
Value Name: WOW64
12
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABC2.0
Value Name: DeleteFlag
12
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ABC2.0
Value Name: Start
12
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNETEXPLORER 12
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNETEXPLORER\MAIN 12
<HKCU>\SOFTWARE\POLICIES\MICROSOFT\INTERNET EXPLORER\MAIN 12
<HKCU>\CLSID 12
<HKCU>\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} 12
<HKCU>\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\SHELL 12
<HKCU>\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\SHELL\OPENHOMEPAGE 12
<HKLM>\SYSTEM\CONTROLSET001\HARDWARE PROFILES\0001\SOFTWARE\POLICIES 12
<HKLM>\SYSTEM\CONTROLSET001\HARDWARE PROFILES\0001\SOFTWARE\POLICIES\MICROSOFT 12
<HKLM>\SYSTEM\CONTROLSET001\HARDWARE PROFILES\0001\SOFTWARE\POLICIES\MICROSOFT\INTERNET EXPLORER 12
<HKLM>\SYSTEM\CONTROLSET001\HARDWARE PROFILES\0001\SOFTWARE\POLICIES\MICROSOFT\INTERNET EXPLORER\CONTROL PANEL 12
<HKLM>\SYSTEM\CONTROLSET001\HARDWARE PROFILES\0001\SOFTWARE\POLICIES\MICROSOFT\INTERNET EXPLORER\CONTROL PANEL
Value Name: Homepage
12
<HKCU>\SOFTWARE\POLICIES\MICROSOFT\INTERNET EXPLORER\CONTROL PANEL
Value Name: HomePage
12
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNETEXPLORER\MAIN
Value Name: Start Page
12
<HKCU>\SOFTWARE\POLICIES\MICROSOFT\INTERNET EXPLORER\MAIN
Value Name: Start Page
12
<HKCU>\SOFTWARE\POLICIES\MICROSOFT\INTERNET EXPLORER\MAIN
Value Name: Search Bar
12
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
47[.]246[.]136[.]160 10
172[.]67[.]182[.]98 8
58[.]215[.]157[.]250 7
218[.]94[.]207[.]228 7
58[.]216[.]118[.]230 7
13[.]107[.]21[.]200 5
106[.]11[.]84[.]7 3
58[.]215[.]145[.]95 3
104[.]21[.]83[.]224 3
203[.]119[.]146[.]29 3
106[.]11[.]84[.]4 2
23[.]225[.]145[.]234 2
104[.]193[.]90[.]80 1
125[.]64[.]104[.]38 1
13[.]107[.]22[.]200 1
111[.]225[.]213[.]36 1
58[.]218[.]215[.]129 1
61[.]160[.]228[.]202 1
106[.]11[.]43[.]128 1
106[.]11[.]43[.]154 1
115[.]238[.]187[.]36 1
121[.]32[.]228[.]38 1
104[.]193[.]88[.]112 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
www[.]bing[.]com 12
www[.]baidu[.]com 12
download[.]kulove123[.]com 12
www[.]zhaodnf[.]com 11
c[.]cnzz[.]com 10
cnzz[.]mmstat[.]com 10
v1[.]cnzz[.]com 10
z6[.]cnzz[.]com 10
www[.]2345[.]com 9
hectorstatic[.]baidu[.]com 2
t9[.]baidu[.]com 2
www[.]30dnf[.]com 2
pss[.]bdstatic[.]com 2
sp1[.]baidu[.]com 1
Files and or directories created Occurrences
%TEMP%\432a7.exe 1
%TEMP%\~abc8lHjj.sys 1
%TEMP%\~abckpth3.sys 1
%TEMP%\~abc8J7dP.sys 1
%TEMP%\~abcES4R3.sys 1
%TEMP%\05FAV4.exe 1
%TEMP%\~abcY5qL3.sys 1
%TEMP%\~abcZEyTM.sys 1
%TEMP%\~abcbL3Jz.sys 1
%TEMP%\~abcz5kQ9.sys 1
%TEMP%\BaRit8M.exe 1
%TEMP%\~abc4F7R1.sys 1
%TEMP%\~abc8yG4t.sys 1
%TEMP%\~abcXABOb.sys 1
%TEMP%\~abcoWncl.sys 1
%TEMP%\32066mk066.exe 1
%TEMP%\~abc4p8bE.sys 1
%TEMP%\GM5g79q7JF7X.exe 1
%TEMP%\~abc9Cx5A.sys 1
%TEMP%\~abcazY5g.sys 1
%TEMP%\~abco75kB.sys 1
%TEMP%\UzYq0.exe 1
%TEMP%\~abc1JHqG.sys 1
%TEMP%\~abcHsrtM.sys 1
%TEMP%\01r7f3w5F1nK.exe 1

*See JSON for more IOCs

File Hashes

07c1528aeacbbfdf186e73fe90272e646f7ac1aa1ceb7ac7a577a1b8e3b1e14e
0df03393012dd3a5a936ed12dad59ca9cda851e13363296a63b75046e20dc597
0e7e81e174b3de52530edcb8dd894987e64b6e29d38deef5057b4fcfdd93ace3
3ea52308a85c2ff3ae8b4aefe8beefa0365dfc1b1f7f42cdf01800c657211001
54a6718eda59c2fe84b8e624b2a425834622d7e69fc12d8f71cae5c07d3fd245
6369a7fdebe936b15be512b7e819a2525ad3d4a1cb07e5e6ecd813234dceb664
80d861eabbedb4e941692f2b1a703e7a9ece2b80c7ae319b4db0fc96c412c899
b942322a810d397513dec26963156c954fd60d5d6f5dc4ec61e321db76734859
c849af32cd14b67eec72a28861b069eeacfbe154f921d6c9214ad62b7fa4a500
cedba3722dff5437696a6403c62b4d16e7c8f93dbb0910f02872e78129511343
f3de30c39b2a7deb49d6122b86505bc772d7d2c0e85bf92acf44f4e52dcb495f
fe6143b7ba1f75eb6f1ad5d34b7f75640e93601ba41ed90242a9881f732937f9

Coverage

Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK


Win.Trojan.Emotet-9937498-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CMZYNTUVPXDV.PSU 25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CMZYNTUVPXDV.PSU
Value Name: Type
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CMZYNTUVPXDV.PSU
Value Name: Start
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CMZYNTUVPXDV.PSU
Value Name: ErrorControl
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CMZYNTUVPXDV.PSU
Value Name: ImagePath
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CMZYNTUVPXDV.PSU
Value Name: DisplayName
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CMZYNTUVPXDV.PSU
Value Name: WOW64
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CMZYNTUVPXDV.PSU
Value Name: ObjectName
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CMZYNTUVPXDV.PSU
Value Name: Description
25
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
45[.]80[.]148[.]200 25
80[.]211[.]3[.]13 25
45[.]142[.]114[.]231 8
131[.]100[.]24[.]231 8
110[.]232[.]117[.]186 8
45[.]118[.]135[.]203 2
41[.]76[.]108[.]46 2
212[.]237[.]56[.]116 2
107[.]182[.]225[.]142 2
164[.]68[.]99[.]3 2
104[.]168[.]155[.]129 1
58[.]227[.]42[.]236 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
wpad[.]example[.]org 25
computer[.]example[.]org 21
isatap[.]example[.]org 19
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com 9
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com 8
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com 7
Files and or directories created Occurrences
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml 25
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml 25
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml 25
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml 25
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml 25
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml 25
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml 25
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml 25
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml 25
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PCALSGUV\ErrorPageTemplate[1] 25
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FNF9BE4O\green_shield[1] 25
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OSZC6DKG\red_shield[1] 25
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OSZC6DKG\securityatrisk[1] 25
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PCALSGUV\background_gradient_red[1] 25
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\XN0IX3V7\shield[1] 25
%SystemRoot%\SysWOW64\Qohugesysvrubfz 25
\Users\user\AppData\Local\Temp\~DFB6326F0AD1C59ADB.TMP 1
\Users\user\AppData\Local\Temp\~DF0B1E14F5C685C6EE.TMP 1
\Users\user\AppData\Local\Temp\~DF2E178FE77A110E1B.TMP 1
\Users\user\AppData\Local\Temp\~DFA22E5F19D6DC8F51.TMP 1
\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5BE6E9C8-7DB5-11EC-93F9-00007D808132}.dat 1
\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{5BE6E9CA-7DB5-11EC-93F9-00007D808132}.dat 1
\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{5BE6E9CB-7DB5-11EC-93F9-00007D808132}.dat 1
\Users\user\AppData\Local\Temp\~DF5B954E5B0464B537.TMP 1
\Users\user\AppData\Local\Temp\~DF89D636048ED00F65.TMP 1

*See JSON for more IOCs

File Hashes

07b7c3ff5d0f14b41a74649e4884cae00d8a7c22892bc7fca39548d8ced97f2c
08cc0c1e58a73ea86bb9cad32adb721562b586d5048c5a2f3475be125265f13c
09b33550f4883ad389feac766004ccf5043df7474342edada1defe70121675c6
0fef3250167a91dcc53aad262b8f95f7a9819f2ade891f3da9e8601ccd86265b
1531e2071c94bdd3370ebd3357e53a0cf6a8aa1149b00f7cba9e838f17230f78
1b90c32e481d832a0ba8d20051b743fbe3c867eb6236f354de605716791e7a42
2b09bf52d46f2eef37c5c75576d2fbc89c7c5806e29159251a79e9b963f39978
2d9c3790557cc6c0d123393ea71bd93adc85009255bb67a485122b424f4a6bae
343ba3d2e33758e189b2aac48be4d1a95afa1f4dacd6757eb2077884532ee3fd
38f603740fe8a6b42ef61a9d617e086dabf033bee1419be64e377128976464f7
3e3d939401e0d9f9ed2f993b3243b7a24be9bc4928be7e9baf19b27827fea043
3ea895f029ca3ff1fa9197a0a83d988667fe0013fc83bd58eefab3dce1ed358e
3f066a1f1c8aadf008bd2d8c8c97a30fce06cd74d9eac1e323b846a984377b0c
4594c1499579798ad2f30e508b1586af11b6a3cca26a7a0dbd81113c17ed10a9
48d2fb43b4c53208b072cbe4d8729022123dcf949d28523b5083738eb75260ca
5b4216e4816daa3df239ff33c66a365d1e037768c40cc6f4b43fc1b2fdd5f777
5df273f89c797913cb340bd81c0803cc23767ee1e218d2b4705cc8f939d3900a
5df60a3b1928f810408c19311730fef9990d1ef22d3749db402b1866d3d46fc2
81ebaabb2c3d9b2c7a30d86a2ec0c6c1c03ff7775b3d628700aafaa61571bbe6
8ab86d16e1e6eea4dd51eb510f97b26b4444fc8210de873d9fc5e7cef85a3178
9c56df23f94c3c511aa921e0b2cba930cb056800492ca9c316acceaa152f41f5
a72f396f4c398d7f02c6c286630308e8cab80efab11da6857ecbce082bd5df6c
ae384e89f98e22ba0797fca5b5fc13992a01ec45c556c58c89de599fe42fb67f
b03103c4a17030f15c2c0bd5c4549195b03581eaf123afdecdbc2718c9d94ea7
fee0a29d44cae89b4306a1e6b02b16646b02d8df06299b92ffa946e5d2fa55f6

Coverage

Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella N/A
WSA

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK


Win.Ransomware.TeslaCrypt-9937465-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 15 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLinkedConnections
14
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 14
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0
Value Name: CheckSetting
14
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: bssimgujogdp
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: bssimgxydrif
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: bssimgtldepr
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: bssimgeuyoiq
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: bssimgnhrpot
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: bssimgjaoinw
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: bssimgxwjvao
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: bssimgmuwqpn
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: bssimgvawyeg
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: bssimgepwfls
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: bssimgdeprwf
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: bssimgrtfpyw
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: bssimgncdaon
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: bssimgrricjk
1
Mutexes Occurrences
__uuewr__jfj 14
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
35[.]205[.]61[.]67 14
173[.]236[.]155[.]29 13
107[.]180[.]58[.]44 13
23[.]199[.]63[.]83 4
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
addagapublicschool[.]com 14
helpdesk[.]keldon[.]info 14
coldheartedny[.]com 14
closerdaybyday[.]info 13
studiosundaytv[.]com 13
thejonesact[.]com 13
apps[.]identrust[.]com 4
Files and or directories created Occurrences
%APPDATA%\wlrmdr.exe 14
%ProgramFiles%\7-Zip\Lang\kaa.txt 14
%ProgramFiles%\7-Zip\Lang\kab.txt 14
%ProgramFiles%\7-Zip\Lang\kk.txt 14
%ProgramFiles%\7-Zip\Lang\ko.txt 14
%ProgramFiles%\7-Zip\Lang\ku-ckb.txt 14
%ProgramFiles%\7-Zip\Lang\ku.txt 14
%ProgramFiles%\7-Zip\Lang\ky.txt 14
%ProgramFiles%\7-Zip\Lang\lij.txt 14
%ProgramFiles%\7-Zip\Lang\lt.txt 14
%ProgramFiles%\7-Zip\Lang\lv.txt 14
%ProgramFiles%\7-Zip\Lang\mk.txt 14
%ProgramFiles%\7-Zip\Lang\mn.txt 14
%ProgramFiles%\7-Zip\Lang\mng.txt 14
%ProgramFiles%\7-Zip\Lang\mng2.txt 14
%ProgramFiles%\7-Zip\Lang\mr.txt 14
%ProgramFiles%\7-Zip\Lang\ms.txt 14
%ProgramFiles%\7-Zip\Lang\nb.txt 14
%ProgramFiles%\7-Zip\Lang\ne.txt 14
%ProgramFiles%\7-Zip\Lang\nl.txt 14
%ProgramFiles%\7-Zip\Lang\nn.txt 14
%ProgramFiles%\7-Zip\Lang\pa-in.txt 14
%ProgramFiles%\7-Zip\Lang\pl.txt 14
%ProgramFiles%\7-Zip\Lang\ps.txt 14
%ProgramFiles%\7-Zip\Lang\pt-br.txt 14

*See JSON for more IOCs

File Hashes

02ae28b81353314bb9f541071da270fc4906a8a475de7ebd0317e2f67783a820
180b475f2f847d430dd9f662862c194bcc9788a825823ddeea8d34e971bc9bab
4ab52db52bfa565112e60c1b5f60acfb849345b2d3ee03f65a6e802c6d62ccc3
55d8c0a64529ab6c5a445321e8ca203c49310325271084d0c0e1d20741600c23
69122e7fde342ae2bd2941c1abc87c5e993e6ec511ac8b6ed6ff5337ef0fdde2
718a628056c97d819676b90f7580cde3d69faec1b51ecb2c9509d9acb0211e70
7cdb98edf9a7e7ec7ed149cd1b558345958e5b560e69783ed58f735f3bdc8089
9f0255cf9c39bb8360373f206b1b6fddbd178153b145c8effb70ddebfaca91c4
ac98b4da2a06090bca91fa6ccb40b36a3e3fdce37c1b269f62cf9a8b1b1f758e
b0694de949ad735fdf2c0772a5247c78fb7997f47f64288c94212e94c017c164
bb6d6ab6817f2759d8016afd127fc4028f11b3e48ef88e6a97a183bacebde93b
ccac1ade2adf449892f51797647b682ceddd8903677b31e4509e08d6b8a34e83
df3ee617bee5a4982bd77f731180d981e4e344fd260b9b2a928d88dcd70ebd2f
e8a7b3ea611d7652c365ab9840f7fdcdba3f0c20f33086da0a95161a3e840a51
ffca96118a2ea9b5b6faf570305a5a174a1319bf321520446223dff4e073c208

Coverage

Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella
WSA

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK


Win.Virus.Xpiro-9937153-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 72 samples
Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start
72
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start
72
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: HideSCAHealth
72
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV
Value Name: Start
72
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32
Value Name: Type
72
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64
Value Name: Type
72
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32
Value Name: Type
72
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32
Value Name: Start
72
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_64
Value Name: Type
72
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_64
Value Name: Start
72
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MOZILLAMAINTENANCE
Value Name: Type
72
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MOZILLAMAINTENANCE
Value Name: Start
72
<HKLM>\SOFTWARE\MICROSOFT\SECURITY CENTER\SVC\S-1-5-21-2580483871-590521980-3826313501-500 72
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SYSTEM
Value Name: EnableSmartScreen
72
<HKLM>\SOFTWARE\MICROSOFT\SECURITY CENTER\SVC\S-1-5-21-2580483871-590521980-3826313501-500
Value Name: EnableNotifications
72
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32
Value Name: Start
72
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ALG
Value Name: Start
72
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MICROSOFT SHAREPOINT WORKSPACE AUDIT SERVICE
Value Name: Start
72
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELL FOLDERS
Value Name: Startup
72
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\USER SHELL FOLDERS
Value Name: Startup
72
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64
Value Name: Start
72
<HKLM>\SOFTWARE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\STATE
Value Name: AccumulatedWaitIdleTime
72
<HKLM>\SOFTWARE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\LISTENEDSTATE
Value Name: RootstoreDirty
72
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\STATE
Value Name: AccumulatedWaitIdleTime
72
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\LISTENEDSTATE
Value Name: RootstoreDirty
72
Mutexes Occurrences
Global\mlbjlegc 72
eed3bd3a-a1ad-4e99-987b-d7cb3fcfa7f0 - S-1-5-18 61
Global\Media Center Tuner Request 61
Global\441f7121-26c9-11ec-b5f8-00501e3ae7b6 1
Files and or directories created Occurrences
%CommonProgramFiles(x86)%\microsoft shared\Source Engine\OSE.EXE 72
%ProgramFiles(x86)%\Microsoft Office\Office14\GROOVE.EXE 72
%ProgramFiles(x86)%\Mozilla Maintenance Service\maintenanceservice.exe 72
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe 72
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe 72
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe 72
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 72
%System32%\alg.exe 72
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.log 72
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log 72
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock 72
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat 72
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock 72
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat 72
%LOCALAPPDATA%\rqboqelc 72
%LOCALAPPDATA%\rqboqelc\cmd.exe 72
%System32%\<random, matching '[a-z]{8}'>.tmp 72
%SystemRoot%\microsoft.net\framework\v2.0.50727\<random, matching '[a-z]{8}'>.tmp 72
%SystemRoot%\microsoft.net\framework64\v2.0.50727\<random, matching '[a-z]{8}'>.tmp 72
%SystemRoot%\microsoft.net\framework\v4.0.30319\<random, matching '[a-z]{8}'>.tmp 72
%SystemRoot%\microsoft.net\framework64\v4.0.30319\<random, matching '[a-z]{8}'>.tmp 72
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log 64
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat 64
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat 64
%SystemRoot%\Microsoft.NET\ngenservice_pri1_lock.dat 64

*See JSON for more IOCs

File Hashes

00ca549f437720afb0ef44befc214e762edf35b5dce176b016fc2564aba7518b
0a9ae5188e896f9909a9b3f4c0fe872d8d88c7b1927690843d714f67e26f1379
0b2471d3c62308005826ef46d1476c49d4d96276c137f59979d92c801dc8c6b1
0c371e761cf44e9435d5f52a044fb73dc3a1a0ca63d65418e0b9fe0cc3a0ed3e
0c9b3c6dee4ed03b8eb6776738ad9d4e0f19865f0628ac0103f0ca5394f0e861
0f582b076a8cba17f4817b2f59ddadcf51f6b669c9defcd651bc88a3b0b378ba
115e30f1895c0ff7862633ee4f53ed78120b9ff3265dac47434e222c8a3649f4
15f3a4eb914bc388978493587a2cc681eceada9300b140431f74ddda59ab4a37
161e6687b1a9748d30f7aed02bc8024e6a7f2a5ce6858c8423a1d25e83cd192b
19c2d4545efef18ad58943cd5466d9c38cffd9e3c672b5e86c5e375a680c74e4
1a401fe5496a114a4542e44fa22ecb4efca3de7bdee44434851df3e5aae823cb
1a688abaf134ed5a4eba2c5f397086425a7c922bea833696252deca2760ff6d8
268df4745383da3dffc5d2cb7e5b17458b39089756fa8454da734c0312c7e4fc
26a0e91a7e9da3aeaf711e22da999934de89b4c186dceebf53d598ad3abd844a
27b662eab515630f563bbebed6a79ae6a1e2cc873e4d881d54b4ae347a002686
2b5bd59630aa3c9cdf38cec9430d23dd7337a0ba2ef9678689a815e0fe4e7810
306414d64e64a00f457708c99d365aeba39ba6f6c894944ec32934d1d18b11c3
30ea06e5d88fab4eea5ff4864d0272f9fe29491bdc5d7a7619db7e96c81f1feb
342c7954a0d7465cebd36a553b4c25d11b8dbfbbdb57db7f006a730facd99db2
371f7a9c78d046349ef71eb187045137704c89480bccc1b4d1ad231216445f8e
37e00f509942cedae861f0c62c57bd7e40b9f8e78686326785ce48b6249b2c2f
3e4674715bc0f67639b204e97a91e27edd929b98926d6546f1911b170fb4c21a
40036e4f087b9e44dbaef289ae094e0524796ad5a7f849a717a1e2ff48268d26
4235fce2e83e0fd93107981ebc5e397da504967d7563a0debb1e836ce08dc1cc
43e04ad66759e0df82783c2d61fea39587a02626bdb5fc2f932f0e8fc199e9f6

*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK


Win.Trojan.Gamarue-9937156-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: allkeeper
26
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 26
Mutexes Occurrences
qazwsxedc 26
conlhost.exe 26
<original file name>.exe 25
7e7a1653a703e5097a098e2568c4f853.exe 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
46[.]45[.]169[.]106 26
104[.]16[.]144[.]212 10
104[.]16[.]147[.]212 7
104[.]16[.]146[.]212 7
104[.]16[.]143[.]212 2
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
blockchain[.]info 26
Files and or directories created Occurrences
%PUBLIC%\Pictures\Sample Pictures\Chrysanthemum.jpg 26
%PUBLIC%\Pictures\Sample Pictures\Desert.jpg 26
%PUBLIC%\Pictures\Sample Pictures\Hydrangeas.jpg 26
%PUBLIC%\Pictures\Sample Pictures\Jellyfish.jpg 26
%PUBLIC%\Pictures\Sample Pictures\Koala.jpg 26
%PUBLIC%\Pictures\Sample Pictures\Lighthouse.jpg 26
%PUBLIC%\Pictures\Sample Pictures\Penguins.jpg 26
%PUBLIC%\Pictures\Sample Pictures\Tulips.jpg 26
%PUBLIC%\conlhost.exe 26
%PUBLIC%\del.bat 26
\FILES_BACK.txt 26
\PerfLogs\FILES_BACK.txt 26
%HOMEPATH%\Documents\FILES_BACK.txt 26
%HOMEPATH%\Documents\OneNote Notebooks\FILES_BACK.txt 26
%HOMEPATH%\FILES_BACK.txt 26
%HOMEPATH%\Favorites\FILES_BACK.txt 26
\Users\FILES_BACK.txt 26
%PUBLIC%\FILES_BACK.txt 26
%PUBLIC%\Music\FILES_BACK.txt 26
%PUBLIC%\Pictures\FILES_BACK.txt 26
%PUBLIC%\Recorded TV\FILES_BACK.txt 26
%PUBLIC%\Videos\FILES_BACK.txt 26
%PUBLIC%\files 26
%PUBLIC%\testdecrypt 26
%PUBLIC%\time.e 26

File Hashes

0493365762614e6eba5f9199e76f19976a9575c42e5d1443e0dfc3e442c53fe7
05e8cb58b0984f300288d9ebf18d04f1310e063b4ae79ae89e1790d730202552
072ceb7d7c95290eda6cc6a1c4e0532eb6ca7c22fbdc332622c32c8d0e03bcd8
0f3ab65080ab5f9aa3b6d4517e0f28fc610ef84e072bafcf90b9c83fd6c8513d
11918f21b3a9fe82e7ffbf6821a83f03990763f1b178b5364cde511f9726ff2e
11a5293092ff429be5b84f75d3ace3b3dd298465a3291fd22bafa45995d24751
20296dd679612080fc1e4ec04e190516110dd0cec8b9677b5fcf46afa4687af4
2422824b1fb812643a4a51b6d69186bb520606d9de53e5c7c1334b3be5487649
24520068c46b0f3883796c761eb466304bdd771dd96c7ea167d15efd618252c8
259c361e5601f454429fe5ad00fa2f4219a130aea6d02379fdb0b388dfccef87
264a7d92784ea5bd643da0f814a39a6421fa39352507cbb2a2f35ad648d60a0c
28905801964a0703608a1671d8c11e1433d6f990225843d28c36825c6070985c
2a73f7264420ac3eaa2c9c128dd7495d8ffc70b65db8ef16f845a9281ff8b0b0
2bad223e1239b20e82cbd72ef1e255debbc1045def546a972a77527bf4645216
2d20c3847813e6ebf2effdef48dc4659c6df4c4f6cf30ffdd1000d7a39372373
2d2a6de4d021bb22c472357a3a2590b21af9ca5fd63e4aedec371448de0ffdaf
31869b5ef90a4ec38ef874a2638281fb8ef8e54ac612e44e0852a45c4724097f
3366e66ce18736179d9618ad6f93769e8bc8eb427a23a529e291d78ac64dc0bf
34b9f275fbc4d50d072e00d70fa02fa3bf6eaa7fe3514e9017429bb80947b507
367c29e07eca250c502a2c56a34efa99ae7e5827a274959ac8440b5a7eaf421a
3d77166a82cc7145161d47fe11f603ae8c491052ee3732601fb457d3cd34a18a
43b20f2b25b16d6d8d4e353c95a7f2e6d22fcbda4e79c1b78c4e68d7a03dac08
46ad4673fa5e695c6a588e70fbf2c048d11adc66f8d5699ad5add5e7673c08cf
4897e4acf0d0b0a0b5b90ca1bb0b85167b4d51a6087ffc7a246218779b612a2e
4b6675b3d05045b5cff6ec3fcbcb930b45b3d8ffce54d227d32e96a914c8c88f

*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK


Win.Dropper.LokiBot-9937195-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 15 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 15
Mutexes Occurrences
ITHelper 15
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
104[.]18[.]30[.]113 9
104[.]18[.]31[.]113 8
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
pcacceleratepro[.]com 15
wpad[.]example[.]org 14
isatap[.]example[.]org 9
computer[.]example[.]org 7
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com 6
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com 5
windowsupdate[.]s[.]llnwi[.]net 3
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com 2
Files and or directories created Occurrences
\Users 15
%ProgramFiles(x86)%\ITHelper 15
%ProgramFiles(x86)%\ITHelper\config.json 15
%TEMP%\ns<random, matching '[a-z][A-F0-9]{1,4}'>.tmp 15
%TEMP%\ns<random, matching '[a-z][A-F0-9]{4}'>.tmp\System.dll 15
%TEMP%\ns<random, matching '[a-z][A-F0-9]{4}'>.tmp\DIALOGS.DLL 15
%TEMP%\ns<random, matching '[a-z][A-F0-9]{4}'>.tmp\INETC.DLL 15
%TEMP%\ns<random, matching '[a-z][A-F0-9]{4}'>.tmp\MUDDLE.DLL 15
%TEMP%\ns<random, matching '[a-z][A-F0-9]{4}'>.tmp\NSJSON.DLL 15
%ProgramFiles%\ITHelper\config.json 14
%TEMP%\nsaD8FE.tmp\TopLogo1.bmp 1
%TEMP%\nsyA080.tmp\TopLogo1.bmp 1
%TEMP%\nsk5992.tmp\TopLogo1.bmp 1
%TEMP%\nsy64C8.tmp\TopLogo1.bmp 1
%TEMP%\nsf836F.tmp\TopLogo1.bmp 1
%TEMP%\nseD334.tmp\TopLogo1.bmp 1
%TEMP%\nsp6593.tmp\TopLogo1.bmp 1
%TEMP%\nsqBC0C.tmp\TopLogo1.bmp 1
%TEMP%\nsfE721.tmp\TopLogo1.bmp 1
%TEMP%\nsp7A4B.tmp\TopLogo1.bmp 1
%TEMP%\nslDD71.tmp\TopLogo1.bmp 1
%TEMP%\nsjE241.tmp\TopLogo1.bmp 1
%TEMP%\nsp65A3.tmp\TopLogo1.bmp 1
%TEMP%\nsfA7FF.tmp\TopLogo1.bmp 1
%TEMP%\nsk9F58.tmp\TopLogo1.bmp 1

*See JSON for more IOCs

File Hashes

5c7fb2630e623fa6aed074651ae005239387bd7c8aa0307592f11402f7f7b517
7797185ba10900476185f535ef8e90d5688a0b560c0fe221372d0ca0a8217bab
7dca90a08402db46b048cc955e10a4ee2a4f02b7817f8095a0cc1061c2b987d8
7e0ed2ef8138e5d744f9cfccf243b038c3e0819a2d417d38f7dc63e31a32256a
83395ca9f9421264cdda9b9c2e1100ad53d8896484fa50d07cd2186e108b5195
84d2db179dbb73f9eef631eb7b303d639eec2f98341f68bd660a15044adda159
949ce87d857af2e20f3d3e9af1ff2bee964565c3b3375e0d5e404f61ce213b2b
a08ce24ed53cd016708fd79ec1ffe881eed4c076a92cb112bed80582c0f61eb3
aa103dda5cb64d2f92a00a080432834e5018fbd162d36d1924352ad7be105f16
b4f9c1067e14406bc9d63d08894b1d4115ef1bdd8ae4ae25c48a1502c76cbdf1
bbbdac70f1e997762e3b2855d3e0d8c65e2af23a825af29229d422397818809f
c0fbb0a18e41bff9865f2b9e6dc1cc07a06f3e3d2b71c99954f3ebd0b0557848
e13b31a52bf78150d85cfc1dce4ee493cc3ff5e4ec91d0843a6f2cf332f073f8
f0df5acc48e4f0827fd012f2e1ab49ce9b6936fbffb273ce613fe6468b36cbb9
f3013918553b5c3531c6a7786b7a4caf77ec6631cc024ac0d015f23308996ace

Coverage

Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK


Win.Worm.Ruskill-9937238-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Eoawaa
25
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: BCSSync
25
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 25
Mutexes Occurrences
c731200 25
-9caf4c3fMutex 25
FvLQ49I›¬{Ljj6m 25
SSLOADasdasc000900 25
SVCHOST_MUTEX_OBJECT_RELEASED_c0009X00GOAL 25
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
api[.]wipmania[.]com 25
s[.]albrrualt[.]ru 25
s[.]eiwmqmkjl[.]ru 25
s[.]etrszktqr[.]ru 25
s[.]ezszjaijy[.]ru 25
s[.]ijrjnpnzj[.]ru 25
s[.]isolohxyr[.]ru 25
s[.]lnfwfygux[.]ru 25
s[.]mztkrriji[.]ru 25
s[.]omwsgcjzr[.]ru 25
s[.]owsqcjijt[.]ru 25
s[.]tjpuxuwrg[.]ru 25
s[.]trxspgpzz[.]ru 25
s[.]uusgbprgo[.]ru 25
s[.]vkpjlqvhp[.]ru 25
s[.]zltuxtlsr[.]ru 25
wpad[.]example[.]org 25
s[.]yvjznwcnk[.]ru 16
isatap[.]example[.]org 11
computer[.]example[.]org 9
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com 6
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com 4
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com 4
Files and or directories created Occurrences
\$RECYCLE.BIN.lnk 25
\System_Volume_Information.lnk 25
\jsdrpAj.scr 25
E:\$RECYCLE.BIN.lnk 25
E:\System_Volume_Information.lnk 25
E:\c731200 25
%APPDATA%\c731200 25
%TEMP%\c731200 25
%APPDATA%\Microsoft\Windows\Eoawaa.exe 25
E:\jsdrpAj.scr 25

File Hashes

048c7925d6802cf382d0fe466f318568503c477355ebd9a67dde414d64f1064b
143baa3a8b18881120e68d0f85b037fcc2027c7b75cfa46c2edbc28e50866ea4
19e4209f1a454e251a9a7036350c2688a34baf44097ccf5ca8fba872f0ef7397
1c45277bb464dd6ec461978fb7016196345a56e81b7fe12de1f1ff1af02233a8
1d4aae96ac824c3686017e123e83297aa1abd4b4aa998ba937a9d70785da4539
209f20ae547ae26058e6002a0e3e27e4488d2b2844d60ecee256858c63632133
3485d752112588b28d60e0b5ad81d90547a8a1ad835a4c53d8f9ec7a88f3b3cd
38237d79b3478d9847df5644fd92cab832ae34615b081d14d3f537e4b9862882
39ec73dda85ddb00198e3e1e6350a479b31a1b45ccbf0bbe542ea4aa79016ce2
3d433ab571b767667434f514a68b18901d0ca66086497db929690bd92a68dbb5
44427013ac93ab4ebe877f9966b267276c2319b7ad0c8cc0eabc45c2dbd6e7da
5896a1849c0748e298b54bad686dbc170f35fc59f8a85b6facd691a59d5e0d4c
5b46aee11e14550f51c945e3bd694c1d15cb8e7d6ad917510f80e718c90ef561
738cb2bf37b31277a44cdcd0f255bc3458200040a86ae6e3a951a1c19ce30550
752b037798e11ecc3986e27535e1c7784475e929cd6f655b6e5946b24dfe6127
80839540546bc3467f20f39844ba91a3ae007d7e1575147a2ab63b965ff4d795
8d7e2abde500c6a76063c37357b17df7875fcd108551e8c070be061b50a1619f
9712152acb13955bbc6180a6cfb5c83d398a2771fe378260edb3a3716bec2535
9e1da676534bdd79ab7744705aa6b8c9ed6ee2dc7560277277f6da8bbb65d99d
acdc38f1d6034224232502fb5426eb16508cf4b606fc606bdf58375999fedeca
b291490be97d5342e812cb088cfb41bf9aef78920304154516de32aae33d211a
b42c048faf7c65c475cb0e921bf3049cc2a5497cf1819beb331018cc7967ad41
be08ac29f1563e835a01467e9087a9f7479e28efcb3060943a69b2618d73f676
c0be08f13337c039a8ca74d22d4e03cfd544fa397de614cbbe8865d9c1be6e52
c5a4d307e7343087a69d77a0cf058d3290dad5bdf33af968d65d9bd33c980a2f

*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella
WSA

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK


Win.Malware.Swisyn-9937249-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\EXPLORER\PROCESS
Value Name: LO
26
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Explorer
26
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Svchost
26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: ShowSuperHidden
26
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SCHEDULE
Value Name: Start
26
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS
Value Name: Start
26
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: Explorer
26
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: Svchost
26
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS 26
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\EXPLORER 26
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\EXPLORER\PROCESS 26
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 26
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
172[.]253[.]115[.]82 25
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
googlecode[.]l[.]googleusercontent[.]com 25
wpad[.]example[.]org 25
codecmd01[.]googlecode[.]com 25
codecmd03[.]googlecode[.]com 25
codecmd02[.]googlecode[.]com 25
computer[.]example[.]org 20
isatap[.]example[.]org 19
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com 13
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com 7
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com 6
Files and or directories created Occurrences
%System32%\Tasks\svchost 26
%SystemRoot%\Resources\Themes\tjcm.cmn 26
%SystemRoot%\resources\spoolsv.exe 26
%SystemRoot%\resources\svchost.exe 26
%SystemRoot%\resources\themes\explorer.exe 26

File Hashes

000c757c3784bac66400f4dbed7a60b37ec8f0403b50bd8837c2f753365d2350
01fba4a11db636726c46af120699865db21170bde639ef8510bd51b3f97c2ab3
051b401e95eebbb223bb4755ac76d8659bf2246cda5b55da8a207dd763c48adf
05638b94ab4a43c213f886b4ace44f058dbf5dae3ed7223226e071f4296b6f61
05cb81b1ffb6506c064cc5d58df8a5c518a7608cc41f07c2c9ba63111791cdf8
06e1f1994a4648b0f1dd5262f74fabd172844bcf0b0844d4168a9f0fce580b4d
07408e5f71626c28e9c54579b653d905b2c51c0a34737a33d5a55d7b1767e06b
07577e1428978d9e1c73586a0ac91d764d59a21143096ef714d98313f0c81dba
077a300cb592dadecafbb2f8f653698f8e340773cb49ec23e34e60891591036f
07c760352f2cccb9f99c53d18a9dbe0c055aea6130b2dee09be2a03931a83229
0a0abff09371956ed89382ae73ecb8b515352c269f7bf40f4d2d9e3e7a3c40c7
0d9a16dbc8d8744875446f0029472b2909f2f2153aafc1bfffc44707d1ce6a93
0ddb7b8539f746db5ce0d7f10f555ab7d97ef46de19915fe9adc92199f160cae
10a596b1f9b020a77bc9ef40269d297c8ef308b04ad70915be54e972b0a7ca29
14327f14b0c8a16371c2dc5ad499374b4cf191e2df7cc6ae176b26d0e7fee168
147507dffb35a791f8ff30aefbc3b0d41556a2db29f0240745a751e454206152
14b86c7a2bdf1419276fc70c8234ae4ab4f594d458519490eb62150d62f01978
14c8ce0874b627eb7d9523101f438b8b8b1a90fd5bdd6c13e5f89b49f2910fcc
14eda0c80623c5b5bfe670f1a1e51351b360c2280233dc96473bac293eaa413e
151fabc9e5478a31cff6453a084a58de9d4378b176c8d03d281cd1086f7b8778
166f1b9a0e7faed9af53140e3541d5bf0199cb68847a4719205b59bada51f6c7
1756e4139201bd58a4be119358c46743800d80dc5bec4126a85e0a93e1fc6c37
18453a1ec6d458e8eef0438c43734c31f7b448eaa30749649d6624e6bf4050c2
188a98ed0b73905ab082d43d6a3531eef34269350bc1a9766de482c6dba63c4c
19e7b29cf59133d9ff940e952eb976d0a786c599e4ccde82e4a2ec3a4f387799

*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint
Cloudlock N/A
CWS
Email Security
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK