Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Dec. 31 and Jan. 7. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org , or ClamAV.net .
For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.
The most prevalent threats highlighted in this roundup are:
Threat Name
Type
Description
Win.Trojan.Qakbot-9924229-1
Trojan
Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.
Win.Malware.Tofsee-9933691-0
Malware
Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and send large volumes of spam messages to infect additional systems and increase the size of the botnet under the operator's control.
Win.Trojan.Gh0stRAT-9928675-1
Trojan
Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.
Win.Downloader.Upatre-9934126-0
Downloader
Upatre is a malicious downloader often used by exploit kits and phishing campaigns. This malware downloads and executes malicious executables, often banking trojans.
Win.Packed.Zusy-9932471-0
Packed
Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
Win.Dropper.DarkComet-9932930-1
Dropper
DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include downloading files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.
Win.Virus.Xpiro-9932984-1
Virus
Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.
Win.Dropper.Remcos-9933257-0
Dropper
Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, and capture screenshots. This malware is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Dropper.Kuluoz-9933836-0
Dropper
Kuluoz, sometimes known as "Asprox," is a modular remote access trojan that is also known to download and execute follow-on malware, such as fake antivirus software. It often is delivered via spam emails pretending to be shipment delivery notifications or flight booking confirmations.
Threat Breakdown Win.Trojan.Qakbot-9924229-1 Indicators of Compromise IOCs collected from dynamic analysis of 37 samples
Registry Keys
Occurrences
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK
37
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK Value Name: bd63ad6b
37
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK Value Name: bf228d17
37
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159
37
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK Value Name: f7b512d3
37
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO
37
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO Value Name: ff0b3567
37
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO Value Name: fd4a151b
37
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\ProgramData\Microsoft\Ecrirfryzd
37
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Users\Administrator\AppData\Roaming\Microsoft\Xtuou
37
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO Value Name: b5dd8adf
37
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO Value Name: 80425a91
37
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK Value Name: c22ac29d
37
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO Value Name: ca94e529
37
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK Value Name: 79eea72
37
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK Value Name: 7a96a5f8
37
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO Value Name: 45f6727e
37
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO Value Name: 38fe3df4
37
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK Value Name: 5dfca0e
37
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK Value Name: 88fc7d25
37
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO Value Name: 47b75202
37
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\\SIGNATURES Value Name: bybpxju.job
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\\SIGNATURES Value Name: bybpxju.job.fp
1
Mutexes
Occurrences
Global\{06253ADC-953E-436E-8695-87FADA31FDFB}
37
{06253ADC-953E-436E-8695-87FADA31FDFB}
37
{357206BB-1CE6-4313-A3FA-D21258CBCDE6}
37
Global\{280C5EDE-5A47-4F1C-97D3-B8CFE4CF258D}
37
{280C5EDE-5A47-4F1C-97D3-B8CFE4CF258D}
37
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
wpad[.]example[.]org
17
isatap[.]example[.]org
5
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com
2
computer[.]example[.]org
1
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com
1
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com
1
Files and or directories created
Occurrences
%APPDATA%\Microsoft\Xtuou
37
%ProgramData%\Microsoft\Ecrirfryzd
37
\TEMP\sample.dll
1
%System32%\Tasks\uzzfcfeja
1
%System32%\Tasks\rgpagsnkum
1
%System32%\Tasks\nqlhmsvvr
1
%System32%\Tasks\rulrpoq
1
%System32%\Tasks\atedfbcijx
1
%System32%\Tasks\aniqbhus
1
%System32%\Tasks\ztzqhswde
1
%System32%\Tasks\vbtliwae
1
%System32%\Tasks\bvgluvp
1
%System32%\Tasks\eyevaabnzx
1
%System32%\Tasks\najlnxj
1
%System32%\Tasks\jvayiiiax
1
%System32%\Tasks\hdkofgb
1
%System32%\Tasks\ietqzlmnk
1
%System32%\Tasks\fhkjrymy
1
%System32%\Tasks\ysldzei
1
%System32%\Tasks\dniinjqzy
1
%System32%\Tasks\mqxdiwzkep
1
%System32%\Tasks\xjecbugqmj
1
%System32%\Tasks\bybpxju
1
%System32%\Tasks\bhioelzycq
1
%System32%\Tasks\iluzaryx
1
*See JSON for more IOCs
File Hashes 01e16f0b3d9a51d8d5ec1d955e1acbbb17cbb29b7272634ea7941331135e07ae
02241908fb5bb63858807d8b307cce9d6b03227958f3b401196239d8c6f19253
0297be18782977e4555405f89616c266f5f8e5640c49c4bda4785ffba10ae324
032550997e4a1487a526d92f0b3c42e3abe23784806d10b0e4f7ee0f180f4a5b
072b6c7647e7335b870392b325d44799c84bf99ea96dc904991e40656bf2c187
0870c2af5a5aae70c9aaf87156e8804411a42c06d6ffb06f25bc25a3bf4ed7ef
0baf6ecbcbb90241bf60015cf14b95945ae4b82125743a6aa486fd83aaca54df
0d43a3c205e8f0afab98b54c370837ceec490a11874a90d7589bd15e65f1901c
0d715e6881533e18a77c86f1a950e50cff677e9cd3078b895ac8aec98352b3c9
11713306b39ec65d73b1edc64aaab89546e881b3aece4edebbc0f056e7b62487
1736547c85a4702779713a248ced337011d5a4c47639535e98e98177896397da
17d57c8aa7536959e45dd55a6cae0b9b0c64c02f7a6b7545c2b5b1e350e70bd7
1c93d8de51131599bec513a1575f24bd858a490dccc724239984f8bf4882034e
1cb5a596781b8b41d6e7e6c2ede7e021dc7557b6a9207b7e6c918dfe1baf5fce
1d50fb2a219b8ad5901474cf59f1598832d1d89b208729803272d7cbf9231623
1f0b854919f8101ccd0d9f4b8073d3b4fcf7119a3e40389f25e74cea9f140553
1f7192c63a108a20f5d9021ef852ac26700290e05f9080ca1c915a4a2095530e
20212e75b0fc6545eb885e91a52c95566263ead049252e4ab3f6b9d304c43486
20359e35c0ecac74b431d40e0ab9b887947b00d14e1f6c65e093dc5e354e1e79
2075b7757cec5c14f3861042a302617c41deec3c5e181446259a9ae7cc64a45c
210b54b61ac8e02c786ece5df62a7fd47f5c86f958fbf9e19bd25c0a8f486b33
23ab8e0e718a7829cd0e73e6b626fadac4cf3d1064809f97604c9833dccf3105
25eb013528689123dbad237eb7f7e2477c96e22a4bc604d8b0d54f161ebeb08f
279a0df573e692a0a7f8f525d48e5ddd83a47c3b7bb1f139189dd825f4ddd027
2912768470005f80a6ff8cacb72e52ed6c2a929f65685188f5d6381e5d60ec51
*See JSON for more IOCs
Coverage
Product
Protection
Secure Endpoint
✓
Cloudlock
N/A
CWS
✓
Email Security
✓
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
✓
Umbrella
N/A
WSA
N/A
Screenshots of Detection Secure Endpoint Secure Malware Analytics MITRE ATT&CK Win.Malware.Tofsee-9933691-0 Indicators of Compromise IOCs collected from dynamic analysis of 28 samples
Registry Keys
Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159
28
<HKU>\.DEFAULT\CONTROL PANEL\BUSES Value Name: Config4
7
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
7
<HKU>\.DEFAULT\CONTROL PANEL\BUSES Value Name: Config0
7
<HKU>\.DEFAULT\CONTROL PANEL\BUSES Value Name: Config1
7
<HKU>\.DEFAULT\CONTROL PANEL\BUSES Value Name: Config2
7
<HKU>\.DEFAULT\CONTROL PANEL\BUSES Value Name: Config3
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: Type
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: Start
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: ErrorControl
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: ImagePath
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: DisplayName
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: WOW64
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: ObjectName
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> Value Name: Description
7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\tuawzulg
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\fgmilgxs
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\jkqmpkbw
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\wxdzcxoj
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\yzfbezql
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS Value Name: C:\Windows\SysWOW64\mntpsnez
1
Mutexes
Occurrences
Global\551d9b41-6d47-11ec-b5f8-00501e3ae7b6
1
Global\53648161-6d47-11ec-b5f8-00501e3ae7b6
1
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
67[.]199[.]248[.]10/31
10
54[.]38[.]220[.]85
10
67[.]199[.]248[.]14/31
10
213[.]91[.]128[.]133
10
185[.]186[.]142[.]166
10
194[.]180[.]174[.]53
10
86[.]107[.]197[.]138
10
89[.]223[.]65[.]17
10
104[.]215[.]148[.]63
9
211[.]231[.]108[.]46/31
9
117[.]53[.]116[.]15
9
96[.]103[.]145[.]164/31
9
194[.]180[.]174[.]41
9
74[.]208[.]5[.]20/31
8
144[.]76[.]136[.]153
8
91[.]219[.]236[.]18
8
159[.]153[.]191[.]239
7
67[.]195[.]204[.]72/30
7
142[.]250[.]81[.]228
7
185[.]7[.]214[.]171
7
185[.]7[.]214[.]210
7
185[.]7[.]214[.]212
7
185[.]215[.]113[.]71
7
142[.]251[.]33[.]206
7
185[.]7[.]214[.]51
7
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
wpad[.]example[.]org
11
isatap[.]example[.]org
8
computer[.]example[.]org
8
249[.]5[.]55[.]69[.]bl[.]spamcop[.]net
7
249[.]5[.]55[.]69[.]cbl[.]abuseat[.]org
7
249[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net
7
249[.]5[.]55[.]69[.]in-addr[.]arpa
7
249[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org
7
249[.]5[.]55[.]69[.]zen[.]spamhaus[.]org
7
microsoft-com[.]mail[.]protection[.]outlook[.]com
7
microsoft[.]com
7
www[.]google[.]com
7
whois[.]arin[.]net
7
whois[.]iana[.]org
7
aspmx[.]l[.]google[.]com
7
mta5[.]am0[.]yahoodns[.]net
7
mx1[.]hanmail[.]net
7
host-data-coin-11[.]com
7
patmushta[.]info
7
www[.]instagram[.]com
6
mx01[.]oxsus-vadesecure[.]net
6
hanmail[.]net
6
mx37[.]mb5p[.]com
6
park-mx[.]above[.]com
6
mail[.]h-email[.]net
6
*See JSON for more IOCs
Files and or directories created
Occurrences
%System32%\config\systemprofile:.repos
16
%SystemRoot%\SysWOW64\config\systemprofile
7
%SystemRoot%\SysWOW64\config\systemprofile:.repos
7
%TEMP%\<random, matching '[a-z]{8}'>.exe
7
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'>
7
%ProgramData%\freebl3.dll
3
%ProgramData%\mozglue.dll
3
%ProgramData%\msvcp140.dll
3
%ProgramData%\nss3.dll
3
%ProgramData%\softokn3.dll
3
%ProgramData%\vcruntime140.dll
3
%APPDATA%\Mozilla\Firefox\Profiles\<profile ID>.default\places.sqlite-shm
3
%APPDATA%\Mozilla\Firefox\Profiles\<profile ID>.default\cookies.sqlite-shm
3
%APPDATA%\Mozilla\Firefox\Profiles\<profile ID>.default\cookies.sqlite-wal
3
%ProgramData%\sqlite3.dll
3
\Users\user\AppData\Local\Temp\dxvpqfnc.exe
2
\Users\user\AppData\Local\Temp\ibqvoqnw.exe
2
\Users\user\AppData\Local\Temp\grwwarcd.exe
1
\Users\user\AppData\Local\Temp\qbcuhfxi.exe
1
\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\9A36.exe.log
1
\Users\user\AppData\Local\Temp\pixcvxud.exe
1
\Users\user\AppData\Local\Temp\sqodvieh.exe
1
\Users\user\AppData\Local\Temp\odjdyomb.exe
1
\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\968C.exe.log
1
\Users\user\AppData\Local\Temp\cemlbbvs.exe
1
*See JSON for more IOCs
File Hashes 0ae852bbe8c30fa41de11c94daf008bc96c80be4230e91215b6c17c1f0a37fa6
0b769ae3a1ab07b3414b2fe5808b662237e8d3ea8d87c4550952f2adb4cfdfee
0cc22a85732d6748f0936c79e68c730bde531da31baebb6b1c8dd6e7f755a186
1108a10b143d94353cd0cad6bcc2f8bd57a9ea56945291fabcff56efe81ad910
124b3ea6d0e14ae41d0759bf0c34919f88417fcf4feccdd74de3bfbb56ed846e
12fb3b2deb9d723e2da17673475fe9e502f24b06b2cd194b1aa5d3f212f53058
18814124ba5985e9dfe57b3ce63e93c15a559e1d07dbaacb67ca461935d6d813
1955cce2e7bc2519db00d207e78d56f229515999e01e8b5ab40ea7a9a7d193c1
1a9573072e9afe029c6b702e4e0a29da0e71ed75c11b7f3a2c949047160f0bd1
1b77f4ff31294559619df3adfbfccab8980992764e63377f70c9c5b96ee618b1
46033bd204315a883f599a40dc6e27c86af574e05af915d39915f3840f8c07d3
4c9df4e198cfbbe3d19a2254614da33e5ac2658ade06f068c733b5118393cfac
594971e3c6eccf37a499985467286e0ac176f20ede2c87fd2c6d0ada3964429d
5a7434856e1ebc9505c879344c548105bfb31ddfe5a3931e90436ad90405db6a
7caa4a9307034a4315d31c23a9b8311274e9b822a15a724eb18363e74eada362
8c9b2c8c4f8ba33d638615bc3377ad4ef8f5eb8e508b532a0fd3eab1f960779b
a81b000c8092297045fc9e4747c27c633a3b25555a51f04785a136dd1a4f689a
b9355ca00910baf8db38b01ae66a211b5895a061ee27d715de210c3ba915bece
bcf64b263f8c0756d94a325b3a726f7eeb167b53c512d1dd973fd60f960b3853
c493f6064d4e5a6f5ba15457d4c4801376ed77cae36b71e988c3fc9d86dad1fb
c4d175ee93dac83fb8046a40f24a848a15a55040de3c30caa4126b194cde077f
c798a56771dd93d5cff37370f67394767a6027cf491a85e4997f9629386bb789
d6df00041280e81d38662a7bebaeeaa0d4175cd7b0043a7d00ed369b8a57ca47
e29d07c397855222a340994afe624e659864eead2b6eed5654360ecfd94f8495
e2e0fcbe61bd5439f825ed3f7f997ecae0e7674a154654b2c3f76b87f2bf190c
*See JSON for more IOCs
Coverage
Product
Protection
Secure Endpoint
✓
Cloudlock
N/A
CWS
✓
Email Security
✓
Network Security
✓
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
✓
Umbrella
✓
WSA
✓
Screenshots of Detection Secure Endpoint Secure Malware Analytics MITRE ATT&CK Win.Trojan.Gh0stRAT-9928675-1 Indicators of Compromise IOCs collected from dynamic analysis of 26 samples
Registry Keys
Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159
26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: EvtMgr
26
Mutexes
Occurrences
67.198.215.213:3204
26
M67.198.215.213:3204
26
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
67[.]198[.]215[.]214
26
67[.]198[.]215[.]212/31
26
123[.]126[.]45[.]92
21
127[.]0[.]0[.]1
21
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
blogx[.]sina[.]com[.]cn
21
blog[.]sina[.]com[.]cn
21
wpad[.]example[.]org
21
isatap[.]example[.]org
14
computer[.]example[.]org
13
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com
11
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com
5
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com
4
Files and or directories created
Occurrences
\1.txt
26
\<random, matching '[a-z]{4,7}'>.exe
25
\<random, matching [a-z]{7,15}>
7
\unripft\xivhs.dll
1
\ccdcv\yspjgpw.dll
1
\etvduqkmd\nqvwmce.dll
1
\bfbqa\ynhdf.dll
1
\xlovl\dhvbqozo.dll
1
\mnqbgefzl\ihdxjewa.dll
1
\ccvefudy.exe
1
\jiqtj\mzbjz.dll
1
\smhmieb\rdhnee.dll
1
\qwhhw\xvozelqjz.dll
1
\lcmgxjlx.exe
1
\xpqbwm\rynae.dll
1
\vrbbr\wpdbq.dll
1
\pfdxkdiz.exe
1
\atpnv\bjklg.dll
1
\ertpt\vbwblka.dll
1
\tiblue\ayorce.dll
1
\xotiz\deblgig.dll
1
\dpokjp\uyvhx.dll
1
\kldyl\fkoyn.dll
1
\oodcm\sevjht.dll
1
\pzqqbwtkd.exe
1
*See JSON for more IOCs
File Hashes 030362794d0bd7ae6d968d3e1889bbfeb66f58ee0db67704469eedf9094d7871
0e0a0b46185e77f645b74e18b696e65aeca2089851db1b11ca9dfe13ce5ea0e7
0fb28ad4d4f0fa49d50e1e771b93330ec9a0be4aa6a4b8a4b55844df94eaa25c
2a7462cee6e834c3e5171bd94767fed3b58cc8e2d005d07cdb353d42594031ba
2c6a238df36443e93bdac060a6b3123f4f474c3b7b15baa672f1b14ff22f5b7a
35b0477ded22ab5b75de86f81cabae2f38557e8b99ee7d8c15feb71329d5afcb
3d8d8a0358fae0ed84f2c888be7debc97bf358920a7ef5be45a59e01dde2c96f
40c70bfe876c3cd2aae6b334885a34f5311cccd4ef1f00035935b83e4ee58e1d
53d477955586161565830662f46dbaddd969633d0f60245273667b6acd592dd6
5535c38614da6a5d19f18ecf4bfae1a839e133bb7ef263f613ae5cf069fdbde1
69a46f75ceb96cf6dbabc145ef2de4f2e0869915bd5fd902ade2891b3f14ce3d
6a4512becd91eb633c6618f6ea5ff11ad6b848377148515c979dc172c761ea79
6bbffe220f31d756c56484c6d8bdde65587b14f96670bbc269d6528645b6f726
6e12fe6cfea60ea1a62a27c4f58531ce95dc13d43b616e340cd406cd510b5307
708c9ce952229721ca3dbd0335314c130e1f8b14fd5ad4dfe345c53caff8e218
78af44d3e04c6f2ae327dcdc5d9dd515aeef9a5303accf728907f329df4ad1b1
8e4d4e4453d0fc449144b7bc95236b7e26383fd1c040cebc4733778721cbc89f
9577670a22f61939447e571eeddd6dc9cb3591d6249b227ec65a2290a9cef45c
a5b72bd2367be139b7c97f9599e49007e3dd1d49eec4693cfdd45f99580c1f34
b687a09b8ed0ac267b1fce38d1859e1a2e920beabeba8436c76d82ddc3324f3f
c9e2a16f1eed9770131953d73fe95c274827195dbb6ed2b31bceed993d433e65
cc15221bb779b96813ba6e125bcd5b668d43d2cdc1b21f6ea8c0bb054bb75a19
d0fbdaba4ff55a8a55a13a68154a77a5eafed027798b7bcc52ea7ef79b6a326c
d16d0152fdb6250c3c036a065ccabac5ea4c11f75c37b6cfc2d97e7840c35f6c
d410c5c55b60b38e6529e1c834e16312ebee734ade55deccf2c6e01ea9092961
*See JSON for more IOCs
Coverage
Product
Protection
Secure Endpoint
✓
Cloudlock
N/A
CWS
✓
Email Security
✓
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
✓
Umbrella
N/A
WSA
N/A
Screenshots of Detection Secure Endpoint Secure Malware Analytics MITRE ATT&CK Win.Downloader.Upatre-9934126-0 Indicators of Compromise IOCs collected from dynamic analysis of 25 samples
Registry Keys
Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159
25
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
204[.]44[.]192[.]76
25
72[.]22[.]185[.]201
14
72[.]22[.]185[.]208
11
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
apps[.]identrust[.]com
25
leisuremaintenanceltd[.]com
25
Files and or directories created
Occurrences
%TEMP%\bhfsrfgs.exe
25
%TEMP%\pgengh.exe
25
File Hashes 0a80730a2ae557047a01cc6e827fe32a59013b03f6e58b2a2bfd1efea47d1a24
172a9b83bd59358801ff9c6523b373dc5347768dc11302ce536f03bd1dd596de
1782c42db8c20a8dd5bbf950a2d6d42010da4fe35a80aef175a0f48ceac54717
1c2212536e3a873021f62a091baaf1d79bae8fb24c7dfffcc764978548ab24c1
1d7edf1e37ea7b11167eb318fcc1acb94070757ca25bd11e84be8c2d8fe0154a
1e9a1e783678319854c65d8d3c334744553db83acdaf9d91cfaf738ffdebc1d2
2348e2111667d2f566f2bd35480eadb6e7abd2fe65961033cab774dd45a34ea2
2abcd9a59f3c69b297ef985fed980703a92da4bc39fb2c5fea33fb8d607e59bb
2e6633143345a549af8b11593e7c71311a8b8def13608c7b58dd3882dd35cdef
31b0f36ddce0eed570dcaf34e950856695ab0e487b4d6f7d0e29dcd57a296f13
32524ea5235bca3898a25d8a957caf807706ff7ba6f90ded68eaada47669223e
3bf006d46763841336b120412e60f7775fae2a413dcac49b4d459c93a978e9e2
3e02ce8274df79e15cf45c17435356238aaa13f7ae64cc7d26794b9bc60dcdc9
4013176e317de33e6128d8b1dcc307c785dd3d2c7cdf7c863b6d9c38cf78a76c
4eb73b5a36004c90aeb8c6ffe9b05e906495642fc4db52dff1a7e32459b650ea
4f1f60abc469669a8dc15a8e7c4d226a1bac5588f81c5a66eabed97081f15202
52c4868c8228abdd13a5776e89db2f076d4e06b04282ed1b24e9c4360dbb3078
602ba48eef6e4a667c0ed7e7fb8d050a569d90dc3abd0bb7c7be8a09133787db
608963dd078baa521fc0b70284d48745d223c1077b30e299abe2a7592bcc1fe7
61fdc16290150fcd7ec2e0cfed8b3fc564313d3cf6d9f5cbd138edb5e777f2b6
62e545097ed02c498f94adeef634bf3cddeb829421e5f511acfdd59ce68fb445
69119f039ccdb064b7bcdf48bc150061028dd2c79aa99519810388d49d3956ab
6f58f8cff540be89791a7ce777c897b84d4980dd7e543ba7f0d1c62725a1239e
77a45e959977fcfa67a86a6c9ad0ebf73850aa3a755daec14097990cb736ca68
7dafa943159f67d6b04e09723f320ae809d81df97e69ee03a49a8c3d37ad2011
*See JSON for more IOCs
Coverage
Product
Protection
Secure Endpoint
✓
Cloudlock
N/A
CWS
✓
Email Security
✓
Network Security
✓
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
✓
Umbrella
N/A
WSA
N/A
Screenshots of Detection Secure Endpoint Secure Malware Analytics MITRE ATT&CK Win.Packed.Zusy-9932471-0 Indicators of Compromise IOCs collected from dynamic analysis of 23 samples
Registry Keys
Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159
23
Mutexes
Occurrences
ashot_st
23
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
104[.]208[.]16[.]94
8
52[.]182[.]143[.]212
3
20[.]42[.]73[.]29
3
20[.]189[.]173[.]22
3
52[.]168[.]117[.]173
2
20[.]189[.]173[.]20
1
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
wpad[.]example[.]org
23
clientconfig[.]passport[.]net
21
onedsblobprdcus16[.]centralus[.]cloudapp[.]azure[.]com
8
isatap[.]example[.]org
7
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com
7
computer[.]example[.]org
5
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com
5
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com
4
onedsblobprdwus17[.]westus[.]cloudapp[.]azure[.]com
3
onedsblobprdcus15[.]centralus[.]cloudapp[.]azure[.]com
3
onedsblobprdeus15[.]eastus[.]cloudapp[.]azure[.]com
3
www[.]msftncsi[.]com
2
onedsblobprdeus16[.]eastus[.]cloudapp[.]azure[.]com
2
windowsupdate[.]s[.]llnwi[.]net
1
onedsblobprdcus17[.]centralus[.]cloudapp[.]azure[.]com
1
onedsblobprdwus15[.]westus[.]cloudapp[.]azure[.]com
1
Files and or directories created
Occurrences
\Users\user\AppData\Local\Temp\WERE723.tmp.WERInternalMetadata.xml
1
%ProgramData%\Microsoft\Windows\WER\ReportArchive\AppCrash_loaddll32.exe_cf32f5149196789a81fecd6e57fad0fcb71e1b_b175e38d_034ce6f4\Report.wer
1
\Users\user\AppData\Local\Temp\WERD70A.tmp.WERInternalMetadata.xml
1
%ProgramData%\Microsoft\Windows\WER\ReportArchive\AppCrash_loaddll32.exe_cf32f5149196789a81fecd6e57fad0fcb71e1b_b175e38d_0e501105\Report.wer
1
\Users\user\AppData\Local\Temp\WERBB15.tmp.WERInternalMetadata.xml
1
\Users\user\AppData\Local\Temp\WAXD81.tmp
1
\Users\user\AppData\Local\Temp\WERE7C.tmp.appcompat.txt
1
\Users\user\AppData\Local\Temp\WEREDA.tmp.WERInternalMetadata.xml
1
%ProgramData%\Microsoft\Windows\WER\ReportArchive\AppCrash_loaddll32.exe_cf32f5149196789a81fecd6e57fad0fcb71e1b_b175e38d_02c82f1c\Report.wer
1
\Users\user\AppData\Local\Temp\WERD41C.tmp.WERInternalMetadata.xml
1
%ProgramData%\Microsoft\Windows\WER\ReportArchive\AppCrash_loaddll32.exe_cf32f5149196789a81fecd6e57fad0fcb71e1b_b175e38d_09913b63\Report.wer
1
\Users\user\AppData\Local\Temp\WERCC6D.tmp.WERInternalMetadata.xml
1
%ProgramData%\Microsoft\Windows\WER\ReportArchive\AppCrash_loaddll32.exe_cf32f5149196789a81fecd6e57fad0fcb71e1b_b175e38d_0d157521\Report.wer
1
\Users\user\AppData\Local\Temp\WER4A0F.tmp.WERInternalMetadata.xml
1
%ProgramData%\Microsoft\Windows\WER\ReportArchive\AppCrash_loaddll32.exe_cf32f5149196789a81fecd6e57fad0fcb71e1b_b175e38d_0739b4ec\Report.wer
1
\Users\user\AppData\Local\Temp\WER5B14.tmp.WERInternalMetadata.xml
1
%ProgramData%\Microsoft\Windows\WER\ReportArchive\AppCrash_loaddll32.exe_cf32f5149196789a81fecd6e57fad0fcb71e1b_b175e38d_0b2e9b87\Report.wer
1
\Users\user\AppData\Local\Temp\WER692D.tmp.WERInternalMetadata.xml
1
%ProgramData%\Microsoft\Windows\WER\ReportArchive\AppCrash_loaddll32.exe_cf32f5149196789a81fecd6e57fad0fcb71e1b_b175e38d_0a650fd8\Report.wer
1
\Users\user\AppData\Local\Temp\WERAA19.tmp.WERInternalMetadata.xml
1
%ProgramData%\Microsoft\Windows\WER\ReportArchive\AppCrash_loaddll32.exe_cf32f5149196789a81fecd6e57fad0fcb71e1b_b175e38d_0ef069b4\Report.wer
1
\Users\user\AppData\Local\Temp\WER16E1.tmp.WERInternalMetadata.xml
1
%ProgramData%\Microsoft\Windows\WER\ReportArchive\AppCrash_loaddll32.exe_cf32f5149196789a81fecd6e57fad0fcb71e1b_b175e38d_0a2b952f\Report.wer
1
\Users\user\AppData\Local\Temp\WER67F5.tmp.WERInternalMetadata.xml
1
%ProgramData%\Microsoft\Windows\WER\ReportArchive\AppCrash_loaddll32.exe_cf32f5149196789a81fecd6e57fad0fcb71e1b_b175e38d_033eac42\Report.wer
1
*See JSON for more IOCs
File Hashes 0aeb8bb69d4e8a6d4223693dc353f62430c0f4c16f1278f20042a9908a884420
174867d04fa7f99695368904f0e4b83994e2c72b231e4e39cebec3648d3878ae
17aebd0c16bd81bb37e7f0d398d909c50638b6d70b2181e4ac7ee35b6b23cfb6
1af1f7f5baf654eeb7cf885d9a83354804dffb364bd450ab0e919cb87d963421
307ae88c9bfc701c47db16e952ac930a19d84fc53f6246444264a41ca53c0c1c
488463853079ebd42263015cb085617c657598e5321583460b1b1dc2fca7684a
4d6aeee0e6a13420ccb4948646a9709b4a43bc8adcfdb682b881d88d2deac641
66064ce541047d9ffc659bdb5cd891032739040eb63b1f2c71dafa69251e5cb0
75d0e8c3cad8908948055ae798fe413ee9d0bd1b50865be47869ea8308cb3909
7b9a940f9dfe586dffe998ed13ad540c037ec3eccbdf804e5375fd580c1cd14f
7bac8ccfe2f46e859101851ba7fa3750c345fc3b2bdce2f99f6abd32c7a6e888
9d3875d4f8f4645d713a08e1b4beffb9ef3997892d75376e9d508b44a1f1e272
a0a1660a5d388b79ccc34f357754f088c8740109bc2347cb53d2ae06d5c6587e
a311dff286a0997be3a75a8bd3c09381c7b9be77c397636ce96fff38f4789224
a45b2a2c438ec83610c82eef0912a80dac39658d975f5a9aef3fd5b207f1e93a
aa3f81e3e9437fc2e214b7b5a445b7b04a7696848b6224833a75b829e1daf2c1
b66e3af15e2855c1080b841af82e7885086993933b494ba7d2ce73d830a85429
c31aa6a54c3e41f7a018f53d19e34f66458fbb83bb317c2207ed2666effc3cac
ca34ecd3ed96a2c89785ca8661fa814fd3dd0ea5b5c3abf12c468de1ceb56996
dfd3d7688d88fa9552a28af2f5b76b5cafb5fff87407b8ec0b15fa751edd91ec
e23667ff62e045397bb2a402df274edfefc6bf1a25d2e246f0472e2dc859e30c
e34a312ed5d22190d1b4240a8bcd83086b220fdeded228ab825697d6df3de176
e9b23d0f2b89494469738f1eb971603cc10a1600965e327928821bf3d1d38729
Coverage
Product
Protection
Secure Endpoint
✓
Cloudlock
N/A
CWS
✓
Email Security
✓
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
✓
Umbrella
N/A
WSA
N/A
Screenshots of Detection Secure Endpoint Secure Malware Analytics MITRE ATT&CK Win.Dropper.DarkComet-9932930-1 Indicators of Compromise IOCs collected from dynamic analysis of 49 samples
Registry Keys
Occurrences
<HKCU>\SOFTWARE\DC3_FEXEC
49
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159
49
Mutexes
Occurrences
gcc-shmem-tdm2-global_lock_spinlock
49
DCMIN_MUTEX-BNUVM5R
49
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
sure052[.]hopto[.]org
49
wpad[.]example[.]org
1
Files and or directories created
Occurrences
%APPDATA%\dclogs
49
%ProgramData%\Script Code
49
%ProgramData%\Script Code\ScirptCode.exe
49
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ScirptCode.org.url
49
%SystemRoot%\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log
1
\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ScirptCode.org.url
1
\Users\user\AppData\Roaming\dclogs\2022-01-02-1.dc
1
File Hashes 00ebc35361fe5684426a5c8b7c3d35c6258dfef425183e2599eea3e6258d555a
01962cc2da397d3d22f0efa3266094b5f115743345082349ceda7607250e573d
01e87628396262c96d858c73b9bacb8bed8ff66c963454594f70d856930a4c96
03c34a84b9a5218fdb8e4289b60f59ed82f0c31971b412106eeb11cf2aa0d9f1
0c1cd086912d10be794a8d600a7e58cfd8af3d4c84b73663630f600ecee358ae
0ef90630cc4c188568a6d41c6dffa382c70d5a0fa5cb33168fb22827886f8045
0f54fe7ea39aca5ea3adfc919a2eb1aa49e7eff8670463c58d0883c0260bad17
19c9226fa78491ea9c737c0641b2dc328ff4db05eb16e7cadc81ae3e4a87eae7
1e03d8aeed562585a2068fa2f6c89434eeb832c2b97a5b90c21ecaeec73a8660
200a9ad4c35e5b86a40203181239dd808540c6a1a4fcf482ff7cb815beb1524c
22ad2eb6af7ad4829e5e5ba2b57b74dfe9cc5f4df08659b978554450961ff153
2bd6201844d5e8bb11de482f3af321aee77fea3843ef3bc56d41e3851c70b8c0
2c6355caaff8d1a6a22f194205c13c69c8ef9d42f8581fb582f52f885e3cc57f
2c721d02e7bc49b5fa732bb8d04696b6268386b18e3b96237beba8d7f03a90ef
32a06f0808a79accc801ae855fd37a8e16158708d94017fb297e73394dd5dec9
336e70f824c8b75b7af305a30d7a30951230f7b9620db472f5b9e3b6b498ac65
343fcc60e38c1029dd47987989013c25c9f94777a3fde06d55fdd7f18687da50
34711eb40ed68a7c4bb0aa5854dd83cf4dc5b241ac51c4b911cd61e16bc0dc67
39b18030395e6fedf7fafa9a4dd9a4cc4f0b39b73bc77ba29d6ba9878d16ceaa
3a6a64646baea4c118e22d54ebaac75368c7fd200acf29776769700e05142569
3f38e55e17238844b9cffed80231074f946373717e2df5b308133fb3baab3294
404d69ad873e280aab7c640312c0cc54e39bd77daf1b91f4b9b617a8ad752449
40e16a252191a91c05f512645219a524542f4926d1cbd3707f593f18e002ec43
429fa9f299eb2a772aa2a110007b50c95300b495d052ce68aaecac5e40734f44
4384740f417019f446c16a1b3753290aff90fe68163ff934971731d10f81d1f1
*See JSON for more IOCs
Coverage
Product
Protection
Secure Endpoint
✓
Cloudlock
N/A
CWS
✓
Email Security
✓
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
✓
Umbrella
N/A
WSA
N/A
Screenshots of Detection Secure Endpoint Secure Malware Analytics MITRE ATT&CK Win.Virus.Xpiro-9932984-1 Indicators of Compromise IOCs collected from dynamic analysis of 20 samples
Registry Keys
Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32 Value Name: Type
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64 Value Name: Type
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32 Value Name: Type
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32 Value Name: Start
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_64 Value Name: Type
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_64 Value Name: Start
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\COMSYSAPP Value Name: Type
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\COMSYSAPP Value Name: Start
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MOZILLAMAINTENANCE Value Name: Type
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MOZILLAMAINTENANCE Value Name: Start
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32 Value Name: Start
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ALG Value Name: Start
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EHRECVR Value Name: Start
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MICROSOFT SHAREPOINT WORKSPACE AUDIT SERVICE Value Name: Start
19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELL FOLDERS Value Name: Startup
19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\USER SHELL FOLDERS Value Name: Startup
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64 Value Name: Start
19
<HKLM>\SOFTWARE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\STATE Value Name: AccumulatedWaitIdleTime
19
<HKLM>\SOFTWARE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\LISTENEDSTATE Value Name: RootstoreDirty
19
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\STATE Value Name: AccumulatedWaitIdleTime
19
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\LISTENEDSTATE Value Name: RootstoreDirty
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ALG Value Name: ObjectName
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ALG Value Name: Type
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MICROSOFT SHAREPOINT WORKSPACE AUDIT SERVICE Value Name: ObjectName
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MICROSOFT SHAREPOINT WORKSPACE AUDIT SERVICE Value Name: Type
19
Mutexes
Occurrences
Global\mlbjlegc
19
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
20[.]36[.]252[.]129
19
104[.]18[.]11[.]39
12
104[.]18[.]10[.]39
7
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
wpad[.]example[.]org
20
cacerts[.]digicert[.]com
19
g[.]live[.]com
19
isatap[.]example[.]org
17
computer[.]example[.]org
12
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com
10
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com
5
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com
5
Files and or directories created
Occurrences
%CommonProgramFiles(x86)%\microsoft shared\Source Engine\OSE.EXE
19
%ProgramFiles(x86)%\Microsoft Office\Office14\GROOVE.EXE
19
%ProgramFiles(x86)%\Mozilla Maintenance Service\maintenanceservice.exe
19
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
19
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
19
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
19
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
19
%System32%\alg.exe
19
%System32%\dllhost.exe
19
%SystemRoot%\ehome\ehrecvr.exe
19
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
19
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
19
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log
19
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log
19
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
19
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat
19
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat
19
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock
19
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat
19
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock
19
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat
19
%LOCALAPPDATA%\rqboqelc
19
%LOCALAPPDATA%\rqboqelc\cmd.exe
19
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat
19
%SystemRoot%\Microsoft.NET\ngenservice_pri1_lock.dat
19
*See JSON for more IOCs
File Hashes 1c274f2fd7723cb45f0291b2133f2039268620cc56350f282ad8df4745f162d9
263e898f8887a4b29bf9967e7cbbc4715ea4a66b542425ea35a7005b93eeabf0
292e736944678b2c8e12b02848803dc045fe3ad35ff9a2082a3efe6f629b0f40
305ff0ca1e7b01f179ae3d24b22b9d6658218eac9675288de1c2e088964c5c7b
34bbf8f00daf0369aa27ba7894041ae6aa5e34464b40e3a73194d507322f6abf
549c81447bbf0374a09494e50c310ad4a642816f0d079a21cd447a49e59b09fa
57c947a131966a2e297e8e0d237f67984cc22fa8672b879b893afe60c6a383e6
5bcd32596530cafb7239bf7f768f1fe361ea4199c2358b8f14300143f0a6468e
6b894476e61687cdee381dcae921eb71f37c856e931d81cbc11227ac2f615993
780c2bd0e4bbae90adb2f77a06097431cc8774770a7dba4e84011969f7e1d5dc
7eaa0aad3ddf0d6e124581b1aa4c2b9762f576e8637493dd122ec2e9c670ca9f
8888b3c34cdb5a777c09746d0bc4be2578480f73b201ada7f7144f008afce606
9084355a3acbb14e2cb5f8f5f200040c3b07b7c6d923b39ac1636c29342cadcd
960f3d585fa14c93d343d662d6e89f3d26ef3a7f6974a910a89e98054ed06ec0
a3446721087c18519f408f50d7775d8033d9a8e3267b7dabb21141e81d06a7d4
a7341a6fd6ca44a43982558461f1e3309fb9fab6fd17103f648247ecc16a8e74
aaa9bc6679655f6295e6e278acf2cb47d05d42e7a466c4a1a96f4cd1b7e52a2b
f440562aed34967e7be0c63bd0dbc6e9faf85eac7af8a95327c0a8e93749a410
f6b99c6e972a798bd45d6140020735992a2f6de18f7b09776f3503c883fd88d8
fb25f0ae22545094cbea3ce5996365c81c7565bee6b78ce60ad1a1d2da60d613
Coverage
Product
Protection
Secure Endpoint
✓
Cloudlock
N/A
CWS
✓
Email Security
✓
Network Security
✓
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
✓
Umbrella
N/A
WSA
N/A
Screenshots of Detection Secure Endpoint Secure Malware Analytics MITRE ATT&CK Win.Dropper.Remcos-9933257-0 Indicators of Compromise IOCs collected from dynamic analysis of 17 samples
Registry Keys
Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159
17
Mutexes
Occurrences
7BmKnW0JUV99OHo4kyukabIU
17
VcR4^@&2XJ1cx2&(450x-4GP23C
2
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
51[.]91[.]236[.]193
16
72[.]22[.]185[.]208
9
72[.]22[.]185[.]201
7
192[.]35[.]177[.]64
1
205[.]185[.]216[.]42
1
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
apps[.]identrust[.]com
16
www[.]royerconseil-finances[.]ch
16
newpkmdhhsddg[.]xyz
1
File Hashes 181ab75f2bdae575e5542a13b1522ad692f38af0856657dc9b976ef8582f647e
2df20feb158d1fd59acc38775a791ac1ee3093bffe2add9e568825b4e6700cb3
39f305a03168b3cca7605f3f99424437f1e328703a7c7ffa6db12342402e1f7b
44f6f2bb5311838d857aa4e0271d1f1292ad116d5428185249b827b744023a45
77648eecce4bc3c7ba51115391fddcaf87b85eaaf39d7f52e8db67a265467d0a
8a834f4e2a840c91d06290c8dd64bc17b003706829c208c439d8270ce683d18b
8ca2f44a3e92a7a6ac1d5f67d8faa2bb811ace96513e8f489b3ea206f27b3971
8d329c068bd720cbc781d32f5b18037ad52fef296ce6bcbe14a462c9f1071661
98c8ac6434ebca027b504274f032810f113141869f0723d9ee14b41ce5687cec
a8e39f0c32e61bb63d407b62042fa2e63602ee3efda145acdb939644850dac31
a8f8da85066d1c19257135bd264d5373ebb151fe330d16fedb093d441ecc1989
c23f82d2083cc69a7510f4ae7d321c3d5a22ae58132eb2461111986d9b7c61c9
defd887bca57c8169f8b613e0368f63627cc65437abd9e094d8b0587870c2f29
e46e6196ab59cc732a35998900b6008b6629b515c7666d83ee053cc3c2ef8aa4
ecfc7d6cf284dc8cdd7fd02e7193319c0ec75e3c0e38be530c21bc0c01d36728
f58667964733c487833e7d7e506db5c1dbf21a0f0aef3a93fee6be52cf47a12f
fcac3792d1de7bac9a6dc38dfffa35717cec2ac4d867210a647ab0a2d49035b9
Coverage
Product
Protection
Secure Endpoint
✓
Cloudlock
N/A
CWS
✓
Email Security
✓
Network Security
✓
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
✓
Umbrella
N/A
WSA
N/A
Screenshots of Detection Secure Endpoint Secure Malware Analytics MITRE ATT&CK Win.Dropper.Kuluoz-9933836-0 Indicators of Compromise IOCs collected from dynamic analysis of 296 samples
Registry Keys
Occurrences
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'>
294
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159
293
<HKCU>\SOFTWARE\RJPEUNNT Value Name: tksadhql
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: qntkmrgf
1
<HKCU>\SOFTWARE\PLDRDUJG Value Name: qgpvxdew
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: kpxncbnv
1
<HKCU>\SOFTWARE\HFJWFKRT Value Name: cpidsppg
1
<HKCU>\SOFTWARE\JUFXXQNQ Value Name: bjndblob
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: vtvscuku
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: hbpscdtd
1
<HKCU>\SOFTWARE\VSQSKALW Value Name: xkudedwt
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: pvmkkhpt
1
<HKCU>\SOFTWARE\KTCNFHAK Value Name: jgopihal
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: mpmivkbw
1
<HKCU>\SOFTWARE\OQLRUIHD Value Name: rulopwsa
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: nrwadbro
1
<HKCU>\SOFTWARE\MTCUUATK Value Name: akenqcjl
1
<HKCU>\SOFTWARE\ETNPQCGM Value Name: cmhsegcd
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: vqvejfug
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: euqlmwfj
1
<HKCU>\SOFTWARE\TMQVEIXX Value Name: akiccmar
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: haiqbmtd
1
<HKCU>\SOFTWARE\CUCUXKTL Value Name: xvwdqfoq
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: tpxxxphg
1
<HKCU>\SOFTWARE\JHQMKJCB Value Name: fjifcswx
1
Mutexes
Occurrences
aaAdministrator
3
abAdministrator
3
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
64[.]91[.]226[.]48
167
198[.]57[.]205[.]18
164
80[.]93[.]28[.]65
160
109[.]68[.]191[.]186
159
103[.]27[.]108[.]199
153
216[.]250[.]125[.]30
19
111[.]67[.]14[.]19
18
65[.]181[.]127[.]125
15
192[.]163[.]219[.]183
15
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com
8
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com
8
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com
7
wpad[.]example[.]org
4
computer[.]example[.]org
3
isatap[.]example[.]org
1
Files and or directories created
Occurrences
%LOCALAPPDATA%\<random, matching '[a-z]{8}'>.exe
294
%HOMEPATH%\Local Settings\Application Data\xknjctgm.exe
1
%HOMEPATH%\Local Settings\Application Data\dphhlajg.exe
1
%HOMEPATH%\Local Settings\Application Data\rlwfnogd.exe
1
\Users\user\AppData\Local\jhpqfmat.exe
1
\Users\user\AppData\Local\uekmeaxo.exe
1
\Users\user\AppData\Local\cimfjovj.exe
1
\Users\user\AppData\Local\ujntigkx.exe
1
\Users\user\AppData\Local\mkpfcqoi.exe
1
\Users\user\AppData\Local\bspcovtb.exe
1
\Users\user\AppData\Local\fvrwacwq.exe
1
\Users\user\AppData\Local\enraxmii.exe
1
\Users\user\AppData\Local\vkxqgkdo.exe
1
\Users\user\AppData\Local\ggiqquda.exe
1
\Users\user\AppData\Local\udarbmmk.exe
1
\Users\user\AppData\Local\pvbgvxog.exe
1
\Users\user\AppData\Local\akpfgmxe.exe
1
\Users\user\AppData\Local\bqbidpmd.exe
1
\Users\user\AppData\Local\ghiulumw.exe
1
\Users\user\AppData\Local\mmajgwmj.exe
1
\Users\user\AppData\Local\ndoanhcd.exe
1
\Users\user\AppData\Local\etslkokr.exe
1
\Users\user\AppData\Local\vpbuxipr.exe
1
\Users\user\AppData\Local\wluwmjno.exe
1
\Users\user\AppData\Local\pjhtddap.exe
1
*See JSON for more IOCs
File Hashes 00821b577f7436541761c9ba039087b88054ebdc64445a63940c62119ec0c368
01f9a0a5cc46be71f9d14f679a8dfbad9a82aa5727a1fdbca7802b2d4d890ca5
039e8d3046195c432e932e7c79e56d82eccc3f413e1e350540ac9339c69b9166
04052884207b2ff302cdcc73fc8997278d4ca3d505b82a96d9f5c0ebe39c3327
0483261bfc9791b6866efbc506390aadc901056a5e73c142b192f8336c596d03
04b27a851e607b2845e488e4e41a0d5e85187e11c1585e92392607751152927f
0644c40a3bb058c6fb64f3d57c83624e1a90db440f0122ec5eda0c9798f53369
09d2a012e974436dc8d767368512e7b1ee5425d7d3d6ed2c9ba753a1335fcade
0a783435ad220b4432e4b0e1af38af98e89d42aa3c9193e48ce1e5cc04251d0c
0ab99b6c5ad749a602354b6525fcbce76b109c12d25bd4983384cc141a60da55
0b932135b31b8de131eabfc23bbaf57af505fc5c492b59486f66aa227c1e3ab1
0b9942f06184d9d96c67f40f35d9e9a39fd1ffd404794f5bc269e35111c8a852
0c96d07fbeaf26651fd3522856bd547e3a0eb7d9d3071dfa263055afde6e19cd
0d16279827f8590217c26fcd71df64db85cbe59c9586957d55bd8608aaa47094
0d650e473de170caf6cb66d90fa03f58bafb0a9011e99d76bf05d045d615e2b6
0db8f23e7d335575756e93958fb75d716ad6d44f04e7bc0595540638fa3a7f26
0e650fd74e9358b8fdedf27d05ebb2db7eafd903c3d16e0c3f3f7fa57ba531d0
113b2ac10b0ea7a4a91b874d27c5f51545d81f561755cb1e29861ee7b76cdd78
13b0ebb6ab2cd8ec71b7ad1b626d88db253300faabfadee288765cde290c91c8
1414657fa4d9190fe64fa69d9790a24e54757189bb1ba3a243ae7471bc4904c3
143688ae9ac7b8a95e0dc714ae4d2df925c399d2fe2a9d0bd5105e38eb929eb3
1447b894dcabff4299275bf3ebe64c963e2f90fe6f114d64c60e46a5ff99cee9
14733d3ff31310695f39dc6792befdd25f92de6ba0a98f76b11da6f5cb55ad89
14e251578492927e95d99b39405db2ebfea8eccd9da372f14adfa5c5f0167a9d
1621e3da2f4a25a71d402afa336230c2671518aec5945eb5418a8e0ff38274e7
*See JSON for more IOCs
Coverage
Product
Protection
Secure Endpoint
✓
Cloudlock
N/A
CWS
✓
Email Security
✓
Network Security
✓
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
✓
Umbrella
N/A
WSA
N/A
Screenshots of Detection Secure Endpoint Secure Malware Analytics MITRE ATT&CK