Threat Roundup for April 21 to April 28

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 21 and April 28. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name	Type	Description
Win.Dropper.Bifrost-9998862-0	Dropper	Bifrost is a backdoor with more than 10 variants. Bifrost uses the typical server, server builder, and client backdoor program configuration to allow a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. Bifrost contains standard RAT features including a file manager, screen capture utility, keylogging, video recording, microphone and camera monitoring, and a process manager. In order to mark its presence in the system, Bifrost uses a mutex that may be named "Bif1234," or "Tr0gBot."
Win.Dropper.Tofsee-9997698-0	Dropper	Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator's control.
Win.Virus.Ramnit-9997699-0	Virus	Ramnit is a banking trojan that monitors web browser activity on an infected machine and collects login information from financial websites. It also has the ability to steal browser cookies and attempts to hide from popular antivirus software.
Win.Dropper.Remcos-9998831-1	Dropper	Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, and capture screenshots. This malware is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Dropper.DarkComet-9998118-1	Dropper	DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.
Win.Virus.Xpiro-9998650-1	Virus	Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.
Win.Dropper.LokiBot-9997784-0	Dropper	Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.
Win.Downloader.Upatre-9998551-0	Downloader	Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.
Win.Ransomware.Cerber-9998102-0	Ransomware	Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension ".cerber," although in more recent campaigns other file extensions are used.

Threat Breakdown

Win.Dropper.Bifrost-9998862-0

Indicators of Compromise

IOCs collected from dynamic analysis of 36 samples

Registry Keys	Occurrences
`<HKCU>\SOFTWARE\FORUM SERVER`	6
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{OY2O4VXC-P514-O36S-5W0B-V135334Y4PE5}`	6
`<HKLM>\SOFTWARE\WOW6432NODE\FORUM SERVER`	6
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{OY2O4VXC-P514-O36S-5W0B-V135334Y4PE5} Value Name: StubPath`	6
`<HKCU>\SOFTWARE\FORUM SERVER Value Name: FirstExecution`	6
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: tbtrb`	6
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: bbbt`	6
`<HKCU>\SOFTWARE\FORUM SERVER Value Name: FileNameAtual`	6
`<HKCU>\SOFTWARE\FORUM SERVER Value Name: ByPersist`	6
`<HKCU>\SOFTWARE\FORUM SERVER Value Name: FileName`	6
`<HKLM>\SOFTWARE\WOW6432NODE\FORUM SERVER Value Name: HKLM`	6
`<HKCU>\SOFTWARE\FORUM SERVER Value Name: HKCU`	6

Mutexes	Occurrences
`Spy-Net`	6
`Spy-Net_Sair`	6
`Bif1234`	4
`stb`	1
`Global\71b0ff21-e3cc-11ed-9660-001517619ccc`	1
`Global\a08a09e1-e3cc-11ed-9660-0015178afdb9`	1
`Global\6bc18981-e3cd-11ed-9660-0015170e0b8c`	1
`Global\1dc44421-e3cd-11ed-9660-0015177d9b69`	1

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`mola1986[.]no-ip[.]org`	6

Files and or directories created	Occurrences
`%TEMP%\Decrypted.exe`	13
`%SystemRoot%\SysWOW64\btbrtb`	6
`%SystemRoot%\SysWOW64\btbrtb\btrbbtr.exe`	6

File Hashes

084dc3306858ab9f11034d16d0501a428d6bca1c87ff35f9e51f00309c372994
088094d805941273abfdb59e583ce17ec3aca62b4536c8c69fdb703118284862
0a9ee8eaad2a4f30d82b93ff3b5212b97ceb83e99410418ee37e151d0512fa97
1773cbf7d98b8c4e0c06ef18ba7184c2ced2b84160ab577a9ee75c583097c25a
1d03f8d2e3b50d152aad6c4b419771a947bdaaa34d7844306116fc033fa20804
1e4718f6a64a05bfab681396a29588bfb53c513daf5797e7637acc7144e86a07
255c46863d02a30cb9ee83df61cd7c64d0fdc07dca22b1dbff149d2905a2117c
38e152f0162531bec131cd72a1b2dabde9db05146f62c6b949ff22ac94a37aca
44e509007c8cbf8d218f8aa3cce3dfb9f95aaa1c16f4664125dbac54b6f0bf81
495ab6d9993d6ca3ba252a3399eea0eeb1024b7483bf599389da459ec366316e
4baa7eeb20a838eb0108cf84a4de3c4aad260e2b6077ccb2905cc5aa43e110bf
52a6dfd20dc733393c7e00ce86fcf1ea3519c776ea6a5d24cfd9b58dfba9d3ad
52c43009e2fe9ace2a375bf3ceee4f27bfb1133c451b96ed10cdda9a1469049b
64d6d35fe7a4d2d3026a9195fcec34ef2e1751e47b7aefb728dd2b558a619b5a
706929906d67d8670f15fe378c8dfd8df5eeaf29aba6689374dccec54a6df187
7484eff0c8ecd8ea6ed2efde9e65a3dfacfd286c676fe9d2159427ba7b0eae10
7c4dbab37a8702b4c3299a28349db3e1d36c307ecbe95330ea41a0c5426f862a
8049d025952335eeed26b713bd4d0e94e21270e503be8551d6a93c6a861554dd
8dea08009858acb2dc2ab5d37af86067cbd9117df76912a178f7a2bed9b6e9b0
959bf6dd78031b9c5479eb4a6bd1939e40e75865454b950ff2058bdd6a954bf4
a099bfd621d82bdaab9dfef4dc379ab5e018456eaf801b93e9b03740d7fdcc90
a6ed598c222d92a37d24d7f52c4589d7239d3d311737dfa83bab8dc46e7f662f
a781183870f48fdc2b9047f34dbd9c9a7104f55dec98c31d10405c3c6cdef3cd
ab311c9d88db2eaaeb33d41ed93b17f05eef0e7ad81d24588bcf1a8f60fd11c2
adcd113723cefba68b98d7f2ee7988fca18e826a46d723758a62d4949ba328b6
*See JSON for more IOCs

Coverage

Product	Protection
Secure Endpoint
Cloudlock	N/A
CWS
Email Security
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Secure Malware Analytics
Umbrella	N/A
WSA	N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Tofsee-9997698-0

Indicators of Compromise

IOCs collected from dynamic analysis of 245 samples

Registry Keys	Occurrences
`<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER Value Name: DisableAntiSpyware`	111
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND Value Name: Start`	111
`<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\AU`	111
`<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\AU Value Name: NoAutoRebootWithLoggedOnUsers`	111
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV Value Name: Start`	111
`<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\AU Value Name: NoAutoUpdate`	111
`<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION Value Name: DisableBehaviorMonitoring`	111
`<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION Value Name: DisableOnAccessProtection`	111
`<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION Value Name: DisableScanOnRealtimeEnable`	111
`<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION Value Name: DisableIOAVProtection`	111
`<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER`	111
`<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION`	111
`<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE`	111
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS DEFENDER\FEATURES`	111
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS DEFENDER\FEATURES Value Name: TamperProtection`	111
`<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION Value Name: DisableRealtimeMonitoring`	111
`<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER SECURITY CENTER`	111
`<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\AU Value Name: AUOptions`	111
`<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\AU Value Name: AutoInstallMinorUpdates`	111
`<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER SECURITY CENTER\NOTIFICATIONS`	111
`<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER SECURITY CENTER\NOTIFICATIONS Value Name: DisableNotifications`	111
`<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\AU Value Name: UseWUServer`	111
`<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE Value Name: DoNotConnectToWindowsUpdateInternetLocations`	111

Mutexes	Occurrences
`Random name`	3
`MSCTF.Asm.{00000009-4fb3f26-9d18-66b568-627b8a85e4b6}`	3
`Global\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620}`	3
`Session\1\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620}`	3
`Session\2\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620}`	3
`Session\3\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620}`	3
`Session\4\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620}`	3
`Session\5\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620}`	3
`Session\6\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620}`	3
`Session\7\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620}`	3
`Session\8\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620}`	3

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`176[.]113[.]115[.]145`	124
`185[.]11[.]61[.]125`	5
`179[.]43[.]154[.]216`	3
`192[.]229[.]211[.]108`	2
`69[.]192[.]209[.]23`	2

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`cacerts[.]digicert[.]com`	2
`download[.]microsoft[.]com`	2

Files and or directories created	Occurrences
`%LOCALAPPDATA%\Yandex`	89
`%LOCALAPPDATA%\Yandex\YaAddon`	89
`\x5c\x55\x73\x65\x72\x73\x5c\x41\x64\x6d\x69\x6e\x69\x73\x74\x72\x61\x74\x6f\x72\x5c\x41\x70\x70\x44\x61\x74\x61\x5c\x4c\x6f\x63\x61\x6c\x5c\x4d\x69\x63\x72\x6f\x73\x6f\x66\x74\x5c\x57\x69\x6e\x64\x43e\x77\x73`	4

File Hashes

00206b2f652aaec449943e55d93ab85e9e87ef25f95578bde2ceed78feae3e7b
00716c634467bb8fdf909ba82c19ab498f8ef0423fde2d52b87d7b1c6308c1a8
02f075f4410cd77c70e51d2cd3b3990845345e799b9d9e1c3a2f70871f3ccfa4
0383eb5111c99149f27feb3c4d216b8057424ed5dc107575eeab3384d667a7c1
03dd6172107745be428868d9dc148f027d332a488668b9d7e401f9e7d7345536
047e794c09e7a4e7641574373a003bdd135ecb533b854464756e70f6dc46d557
06116b9095938c053f1c92d0b959fafa15127c19b681d09e01d699d8b8d4245d
06a539bbb4c43074abf5434c7291eac3f9fcb54beede07e3ff2aa087675c380f
07075825ec1f57b3f3bfa84eb839d5013e53cfcf7970360b19607794ac9daa71
07a571c2ba97badc98d92e522c3c84d0a1146b8eeae0172525b4ecd4b0e9a5eb
07dfd38512fc0f4bc010f164a9bc16f5ae76f18567701f6c2fed14bc9b00e73c
09f29244d4c89254e02426a2e9f8d783a190656154fe71a26495be0db69c5c2b
0bfdb5d464b82ebedeef2fe7e0f78c7e802267e7702ea20bc72d4886afef099e
0cec4fdbfad160dee0d939291083ee7b74adecf772f369c4a29839d1f5ee2b61
0d06e6076b309edb93b3cc71011970f69c371ed897fec2fbffec3d91e9c280cb
0dc803cd1f73fbfd38c42e13ff263e64fffdaf624ed43c7cf6c477c702b92d2f
0e391c41a2b2438935e818df13db66da10990306c514f431434ce37b2e9ce5e7
0fcc2c5d723b5b418beb83b215cfb294ac80c4f57d549f4fea04933b03cf058e
118ad96124e17b7445562a4ef815719cc63b556a1f54db86bb8ab984e181d08a
127af8143d8badde9f311fb806815f1a5f6fcc2f6a2d9a614b8221a1ec4331f2
16637a60cc0ff214fcbbdbc71cd93789ca61140ed2cef23a7fafd4a4fa81bd6a
1682a7f8f229e62c379fca3c6c989c748aef985e51fc6bcf76d06bde9b0484cf
16f405d2c293aa64c8b2fbd020332db2d7ae0b5ce00f33d659db6a5174ac2725
1878a7910e7d8aa1062bd5c7a7530984b22f0c8112d26836e2bdd1b8abf726e2
189e0a0f6fdcc385d54bb131b256adf7e35e8e04b90f9d432047b2808d434f16
*See JSON for more IOCs

Coverage

Product	Protection
Secure Endpoint
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Secure Malware Analytics
Umbrella	N/A
WSA	N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Virus.Ramnit-9997699-0

Indicators of Compromise

IOCs collected from dynamic analysis of 12 samples

Registry Keys	Occurrences
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER Value Name: AntiVirusOverride`	12
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER Value Name: AntiVirusDisableNotify`	12
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER Value Name: FirewallDisableNotify`	12
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER Value Name: FirewallOverride`	12
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER Value Name: UpdatesDisableNotify`	12
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER Value Name: UacDisableNotify`	12
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM Value Name: EnableLUA`	12
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE Value Name: EnableFirewall`	12
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE Value Name: DoNotAllowExceptions`	12
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE Value Name: DisableNotifications`	12
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC Value Name: Start`	12
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND Value Name: Start`	12
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC Value Name: Start`	12
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION Value Name: jfghdug_ooetvtgk`	12
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: JudCsgdy`	12
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV Value Name: Start`	12
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: Windows Defender`	12
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON Value Name: Userinit`	12
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON Value Name: Userinit`	12

Mutexes	Occurrences
`{7930D12C-1D38-EB63-89CF-4C8161B79ED4}`	12
`{79345B6A-421F-2958-EA08-07396ADB9E27}`	12

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`35[.]205[.]61[.]67`	12
`142[.]250[.]80[.]46`	12
`103[.]224[.]182[.]246`	11
`46[.]165[.]254[.]201`	11
`72[.]26[.]218[.]70`	11
`195[.]201[.]179[.]207`	11
`208[.]100[.]26[.]245`	11
`206[.]191[.]152[.]58`	11
`72[.]251[.]233[.]245`	11

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`google[.]com`	12
`testetst[.]ru`	12
`mtsoexdphaqliva[.]com`	11
`uulwwmawqjujuuprpp[.]com`	11
`twuybywnrlqcf[.]com`	11
`wcqqjiixqutt[.]com`	11
`ubgjsqkad[.]com`	11
`iihsmkek[.]com`	11
`tlmmcvqvearpxq[.]com`	11
`flkheyxtcedehipox[.]com`	11
`edirhtuawurxlobk[.]com`	11
`tfjcwlxcjoviuvtr[.]com`	11

Files and or directories created	Occurrences
`%LOCALAPPDATA%\bolpidti`	12
`%LOCALAPPDATA%\bolpidti\judcsgdy.exe`	12
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\judcsgdy.exe`	12
`\TEMP\nr3othpeM`	12

File Hashes

0fdd4e8b236b7b01e9745b40b2aa848c3184bc4096cb9bc76ddb2dbd71ccc093
5912fbc0929bfd2a39d4a2ac66a58fef95ff044958c81ce5d6698b4414b76cb2
6970bd6846357bbca2b52303d14264c191e386331a7d1559d2a9c0e14adf9b73
6c4b37cce41b603af1c66cca45b3046cf986de3e2e1b5fbd2aa99d6d1c75e6be
6df703d95ae69f56dffee813cbf5dc26f4345634b0227d539eb4a886387793aa
93de25c070a461c87ba30b2ebdbda3db2dacc313e67f857b58a5142530f9025c
99842408d235fe06c71037073a1b7bf137d983b6a10dfc73fbec2f7ae683d5d4
be88f9455c0409f685507107d010301af2d3d8f95354050e28e74e032655c215
d5aa9fdeeb12bc2d009ab44b490a53d6795f8e4fb11ef09ba87d9bfbc497baa9
d77f35323b96c301ea307d7858b5e795e13868b1a02a7f180ef44ade0e80a049
e2428ab7ee60ac074aec6c51a0c8522e639d054f3a5498876f2d3b9a643189f1
f2512b5637ddc1a42c03b8733aa7ec570cf9697825f8bf6fbcf23ed6a744a252

Coverage

Product	Protection
Secure Endpoint
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Secure Malware Analytics
Umbrella
WSA

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Remcos-9998831-1

Indicators of Compromise

IOCs collected from dynamic analysis of 10 samples

Registry Keys	Occurrences
`<HKCU>\SOFTWARE\MSWORDOFFICESVC-QHO80M`	10
`<HKCU>\SOFTWARE\MSWORDOFFICESVC-QHO80M Value Name: EXEpath`	10
`<HKCU>\SOFTWARE\MSWORDOFFICESVC-QHO80M Value Name: WD`	10

Mutexes	Occurrences
`Remcos_Mutex_Inj`	10
`Mutex_RemWatchdog`	10
`mswordofficesvc-QHO80M`	10

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`kelikjoinset[.]freedynamicdns[.]org`	10
`noblegas[.]myftp[.]org`	10

Files and or directories created	Occurrences
`%APPDATA%\remcos`	10
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\mswordsvc.vbe`	10
`%APPDATA%\mswordsvc.exe`	10

File Hashes

1068d5259b58c67b37559c2c5aaaffaa524cd38f05c99625b5b1bc97667388df
38606579b809ca28086c04af33a2bf54fbbd5a045ef60052dda6775a6e71a875
486aa0afed7943aed6838bce23d4d04410f9b5570ca90aa481f17ebecd2ad094
53718f911be349fb0bb16c2cd3464a4a786c41d1f34ec4830cd5d5a1a50a9fde
5678468ae9e47c877300c8de9d3f12dbd65f89bdc3af8838b30341f7451e3b7a
ba1a8e84a9bc1a73bfa49aeb376be2a18eff3a0e980fe0ebdb6ad5478b7e479d
cc0ca5bdd31ae56f5585b16988ef09ffd914d5bb461c6692e086484f892988d4
d2896ee59f6a2d1c1149c58e647e2c3dcdc7cb9011845a75254563f659298373
d3f05239dda9f9c81b42d7ad5f83459f8183b8592c323aa17fbb04103c08be3d
d74c4daab9d068fe6388596dc4daf7d93e61d1aa4868ec69f9ccd59eac2de1a8

Coverage

Product	Protection
Secure Endpoint
Cloudlock	N/A
CWS
Email Security
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Secure Malware Analytics
Umbrella	N/A
WSA	N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.DarkComet-9998118-1

Indicators of Compromise

IOCs collected from dynamic analysis of 23 samples

Registry Keys	Occurrences
`<HKCU>\SOFTWARE\DC3_FEXEC`	23
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: kb2456.exe`	23

Mutexes	Occurrences
`DC_MUTEX-13F3AYC`	23

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`162[.]125[.]4[.]15`	23

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`dl[.]dropbox[.]com`	23
`zoukiny[.]no-ip[.]biz`	23

Files and or directories created	Occurrences
`%APPDATA%\dclogs`	23
`%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp`	23
`%TEMP%\tmpBD03.tmp.exe`	3
`%TEMP%\temp_GujQurApmI`	2
`%TEMP%\temp_GujQurApmI\svchost.exe`	2
`%TEMP%\temp_AoPXtxyscR`	2
`%TEMP%\temp_AoPXtxyscR\svchost.exe`	2
`%TEMP%\tmpC06C.tmp.exe`	2
`%TEMP%\temp_MhOpOytNAS\svchost.exe`	1
`%TEMP%\tmpBF9C.tmp.exe`	1
`%TEMP%\temp_dgFaHSHFIP\svchost.exe`	1
`%TEMP%\tmpBAF0.tmp.exe`	1
`%TEMP%\temp_XbxDBxrtQM\svchost.exe`	1
`%TEMP%\temp_hYMuQAMQTy\svchost.exe`	1
`%TEMP%\tmpBF44.tmp.exe`	1
`%TEMP%\temp_AChkJWUFGO\svchost.exe`	1
`%TEMP%\tmpC28E.tmp.exe`	1
`%TEMP%\temp_ktuFuZaySw\svchost.exe`	1
`%TEMP%\tmpCC7D.tmp.exe`	1
`%TEMP%\temp_jTWgKpaNic\svchost.exe`	1
`%TEMP%\tmpC453.tmp.exe`	1
`%TEMP%\temp_gwLGQvZjwn\svchost.exe`	1
`%TEMP%\tmpFFFB.tmp.exe`	1
`%TEMP%\temp_gFRVVtvPLv\svchost.exe`	1
`%TEMP%\tmpC0BA.tmp.exe`	1

*See JSON for more IOCs

File Hashes

0405c695532cdfadb49cd6e5dc0175e2740a6b34df032e0d6370ac57781bc0b9
099393350020fa9d643c1fd02dd8e0c8e2c9090ff5d4ff96a807b03cc927dae6
0b9d53d8392c6af28951737704765fb1a7c75a849633ef4e4a1d7b7be861f6d7
1ba1034f63585a98afac1b985f866ec53e66ba500c8a7e499521e47e66e7867e
276e6b279f8cf83b531fcee7fe2f770f1814b5d63ba25aa407bf1676698d09c7
2d67a134e9a81d3f55017c4c3e395e90194d6ad6cf2d24b6f567f9df0729f55e
2ed27da0b1a0cf9949aba612b54427c7d104e1fe44c98e363b3cef43289d7924
37c13c62990a05a6105024b075eb672723a0838eadec043618b4222ca15520b5
3fe6cb53ea8f0a35f828fc1e87ad9cf6a27081695ef9b709fb3367c2e8c21e82
506a3537c3afbb25783fe817f230595b3c7369eaf737ee84475a6ed1d5c5c5ec
66d64aad782b2ba9baf1fa04c5738d55bd23754dba179b7c01fe15837ee6b6b7
781529034cef2a9316fb18187611f911d2d6463f56636e7d6393045a88302614
786be271e7f3f8249203417bd8547b42e3dceb9440e228d844a78c85f2dc7822
8534b61a4f0c0dc39da45ddf6a874edfbaf0ea9ab36c58f470ae3e062f81c6b2
88789c72981be3e3f57b31771ab73ad52089f65a8b5f0544d3ae5ed9e8b14f6e
889b3fe85d94c61276540ea86de2de983c7d7357eaf394717e0705cd365a307f
8f12b7340c8cc0c6c7c3c3f6ed64a3f8850fa035d1f811dc4255b128ab00d4c5
a7b80aea4110f98e399e64abb923dee60f70650041593358297542c33f6b8a8e
b83385710b54918cdb2814e555c0b6189a2c5ba46bc2cb0a435b5b8f5a5b51cb
b837289b0f42bdfbe726dfafbae51a0b5cb5af21a3a2859bedaea7ab770d2482
ca67b7e760c2d09004928da6736f4784cc05899ea7ae4bf19deb16d4fee047ce
d24f72779958896980e074e15cc9abb88daa041c13123525db3d6ee33be32b81
ffe2607eec8bda28fc38b19bbef00cfcd572f3335b3773c4df758526243f128b

Coverage

Product	Protection
Secure Endpoint
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Secure Malware Analytics
Umbrella	N/A
WSA	N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Virus.Xpiro-9998650-1

Indicators of Compromise

IOCs collected from dynamic analysis of 18 samples

Registry Keys	Occurrences
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC Value Name: Start`	18
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND Value Name: Start`	18
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32 Value Name: Type`	18
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64 Value Name: Type`	18
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32 Value Name: Type`	18
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32 Value Name: Start`	18
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_64 Value Name: Type`	18
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_64 Value Name: Start`	18
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\COMSYSAPP Value Name: Type`	18
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\COMSYSAPP Value Name: Start`	18
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MOZILLAMAINTENANCE Value Name: Type`	18
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MOZILLAMAINTENANCE Value Name: Start`	18
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MSISERVER Value Name: Type`	18
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MSISERVER Value Name: Start`	18
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\OSE Value Name: Type`	18
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\OSE Value Name: Start`	18
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\UI0DETECT Value Name: Type`	18
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\UI0DETECT Value Name: Start`	18
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VDS Value Name: Type`	18
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VDS Value Name: Start`	18
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VSS Value Name: Type`	18
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VSS Value Name: Start`	18
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WBENGINE Value Name: Type`	18
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WBENGINE Value Name: Start`	18
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WMIAPSRV Value Name: Type`	18

Mutexes	Occurrences
`kkq-vx_mtx64`	18
`kkq-vx_mtx65`	18
`kkq-vx_mtx66`	18
`kkq-vx_mtx67`	18
`kkq-vx_mtx68`	18
`kkq-vx_mtx69`	18
`kkq-vx_mtx70`	18
`kkq-vx_mtx71`	18
`kkq-vx_mtx72`	18
`kkq-vx_mtx73`	18
`kkq-vx_mtx74`	18
`kkq-vx_mtx75`	18
`kkq-vx_mtx76`	18
`kkq-vx_mtx77`	18
`kkq-vx_mtx78`	18
`kkq-vx_mtx79`	18
`kkq-vx_mtx80`	18
`kkq-vx_mtx81`	18
`kkq-vx_mtx82`	18
`kkq-vx_mtx83`	18
`kkq-vx_mtx84`	18
`kkq-vx_mtx85`	18
`kkq-vx_mtx86`	18
`kkq-vx_mtx87`	18
`kkq-vx_mtx88`	18

*See JSON for more IOCs

Files and or directories created	Occurrences
`%ProgramFiles(x86)%\Microsoft Office\Office14\GROOVE.EXE`	18
`%ProgramFiles(x86)%\Mozilla Maintenance Service\maintenanceservice.exe`	18
`%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe`	18
`%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe`	18
`%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe`	18
`%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe`	18
`%System32%\FXSSVC.exe`	18
`%System32%\UI0Detect.exe`	18
`%System32%\VSSVC.exe`	18
`%System32%\alg.exe`	18
`%System32%\dllhost.exe`	18
`%System32%\msdtc.exe`	18
`%System32%\msiexec.exe`	18
`%System32%\snmptrap.exe`	18
`%System32%\sppsvc.exe`	18
`%System32%\wbem\WmiApSrv.exe`	18
`%System32%\wbengine.exe`	18
`%SystemRoot%\ehome\ehsched.exe`	18
`%SystemRoot%\SysWOW64\dllhost.exe`	18
`%SystemRoot%\SysWOW64\svchost.exe`	18
`%SystemRoot%\SysWOW64\dllhost.vir`	18
`%SystemRoot%\SysWOW64\msiexec.vir`	18
`%SystemRoot%\SysWOW64\svchost.vir`	18
`%ProgramFiles%\Internet Explorer\iexplore.vir`	18
`%CommonProgramFiles(x86)%\microsoft shared\source engine\ose.vir`	18

*See JSON for more IOCs

File Hashes

09088e115dd96c2940801cc32dc155226eb967a307b9015f889ec4683b71a48b
0a5eeac82828f8027cd544105cc76ba2d4d4eb2bbe409d1ef27835ce22a0ef06
2081057ccb7019073fe0b9606fe2a4e7258afc0644562c5458c41ede53c7b0b0
2f6c1972001b2d1f1d94916db33202cc724b5d18dca54867d5da63b8cc60a922
3c6d806fcb5c653732f48445a1dcbc1005e6ba80e1c38118662e2abb1791a101
3f77eca6fae88bb8491b548ed512e985f9cedc7e2dc8356a20050b388cc1fdd1
43d78d6a1608d210e08d0cddbc95f5408133b1b75f4b57ea3b452fddc1c78e1e
49efca6296124551bcca7ba1fea36a3fb0de419601db1756c83c9269c0359eb3
5a15877c52ca982117a6a00e50fc0e090937dcc52990baaad693934a750bc195
5c0cd3e42fc0b9b6c6fd054969d712c392db40a9280acbeeaa1149d42cae3422
6b33374ffb1cb5596388f80168376bb19776e526e02fbefc21bb971eed759667
75416463a1bd3c9d771a4cbcc092d6d13c5979659b47da3c45640a716fe9ada0
79e4f7df197ed82e1594e12db8a5d4374ed2cae15748861a8606391746503bfd
af1a241cf02027feaba30e34b6403204352384efe43269dd870a74b51ac77020
c2d4d9ba2963a5a20adab5d66cf0cbd62b2405159d01e60eb55a014a911a1d79
d2530371c070d1c6743d97850ed70999538019b088faf4231d67962f202971ef
ef64960868cb72ee318dcde7f5f50127587e7267f33f1a647ef05dfdb2071a28
f40dd15849f3a79ce8202325eb54b6dacf76346e593445a055014e43cf03cca6

Coverage

Product	Protection
Secure Endpoint
Cloudlock	N/A
CWS
Email Security
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Secure Malware Analytics
Umbrella	N/A
WSA	N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.LokiBot-9997784-0

Indicators of Compromise

IOCs collected from dynamic analysis of 46 samples

Registry Keys	Occurrences
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS Value Name: Path`	2
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS Value Name: Hash`	2
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS Value Name: Triggers`	2
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS Value Name: DynamicInfo`	2

Mutexes	Occurrences
`hGaolUAEhBhpUPhRKOMCEdZwRZtiMG`	20
`jXKhDsqpdQybVuPEmbAKwiHxLWIux`	18
`CbrYMlytSPCzlXpbEHuxopJkpncgG`	4
`3749282D282E1E80C56CAE5A`	1
`ATdPKSSVGkktNJiqkeIrKymIi`	1

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`34[.]229[.]94[.]227`	43

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`lancetasks[.]com`	43
`poyrezbunker[.]xyz`	1

Files and or directories created	Occurrences
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\windrive.exe`	43
`%APPDATA%\windrive.exe`	43
`%System32%\Tasks\windrive`	43
`%APPDATA%\Setupexe.exe`	42
`%APPDATA%\D282E1`	1
`%APPDATA%\D282E1\1E80C5.lck`	1
`%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5`	1

File Hashes

05c8ba64b02dc62aba0fb1455ec15e121b172acbba66e1954643a580ce310d57
0861738aaef9328d136bb3d07a3d64259ed5123ed9c473cb69d08357e2c0a57a
09403799c317cc67d029f6fbc01c8917e407cd9f26465f1580fa7607487e0d2c
0dab311d96dac557c4504b2879e33ba995f12e739b16b094a52e0839a9606c24
1142c0e37678c3940d80bc05bf0b2428774c24fe99256d265db84f3983fe0a95
1ee30c4b53bd334c22d4ae24ae5b9253f657ecfc15c9d85075ab21b71547b315
22272de4964a9f99e5eebf0f92c1c2a3a2ea7c858aa4f01aa274e100ef0f0474
2b1c6b2249d2c0a49e168341381431f8407b1871e3f1aa655cefd1f0e1e2d2ef
2e846d46ddb277cc24e6a5ee4147397d16ce4421d034860e504217511e7207fd
33f0e7d51bbef09378a752b47dffee4f6bb83c0042fecdf35e48323468b431e5
3409d8d2d1184a67cb56ef327383d00d8c749ece7732e952a78946e9925fad21
3d1dd0b1af801f27cb5639af28ed17f30900eaf4ceee050e2972303f92081960
470b8bd5cdec3257b91ef325a77521b4ab804d6827284ad5a6d3c0a6c1a96451
49566f476a01164aeee4f96a5321423eb718f19d97e04911e83b476a978432b8
4a1a9ee3a218ad5742a1f6fc58a14fedc56bb9fc35488ddfbf5a9ac660af7b98
4a3a2d78ca9cd193d984a2c511ee13afd818fa3b6df5b59a958c9b39d16838cb
4adae5139b791d9beb9c9ec8d852e763986b90cffd4fe3df5c3e8436a67623fd
50aa7ea0d282f6dfe7dd9ff774f254aa4375d50d0136460af8d15e571a0be797
5fb7d55abc605e56218b2593cc2ec3769500132a106ac13a0e62232c9e76a044
64b9769376d71aecd1383a5fe10fb8a3a95808dd9be96d02a5ce12b915c1795f
653e8125e67e0a9b845617e4bdbf5ee8fa3e36e2f01b5b663e43186d3fd31f0c
6b02d15580f3569d85f7514009d1619679571d23b25a6c0fea1947f4b8dd8544
802e1e558d1d054640db04009dbe3aa746e15b960765458870228c4553fe5095
85510cf15298da5d428c191cce0e5baecfaa37fe754fbd6be307b7b47645886b
88edc65514e9981fb2550061cccfad1e95fb642311fed93de4cfe854ec0d618a
*See JSON for more IOCs

Coverage

Product	Protection
Secure Endpoint
Cloudlock	N/A
CWS
Email Security
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Secure Malware Analytics
Umbrella	N/A
WSA	N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Downloader.Upatre-9998551-0

Indicators of Compromise

IOCs collected from dynamic analysis of 25 samples

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`51[.]222[.]30[.]164`	25

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`groupesorepco[.]com`	25
`bulkbacklinks[.]com`	25

Files and or directories created	Occurrences
`%TEMP%\hummy.exe`	25

File Hashes

022151901a9b9625c6e127c544e70a9b3fa199914bf85163abbf70002e4a4009
060f1a46303116655092db2863f1d3ecb84ec380e3d803ea6b337538fe0f4a3b
07a178595827a67016935658a6d367039aa83ba93b499f06d16732d7895403b4
08d692463f8a2faa215615bca8d468610861cff2ca6fca6b0b890ea5194818d0
0a49e94fe253fd7dd6e9320b741c89bd994ecdbcba78b4e7eaf7fffba21951dd
1225163fabc0b349956dd6967d665ab1fd2c8ce54766f55961292b3d62365dd1
264c2c7b692c6dc0c577837c0c88b06408e538edb3fb2b7b2079df1dc9fa15b8
2e887c52e98a43a06e5673d2dd960fcae7e1b769f02256972351e2b3304e7821
41c69fd6c43ddf1dd7a8334667709dd03782ed4b6f392032726cc0dd3bdf8cc8
44b445cc2e1ccf169d3630cdda3d6bdc1e72d949e38756410fc36116582774ce
49b33b88e96ce51cfbfb7fa518dcc312d8e018eed3b34a6d843de5c9e0797332
4af862559a2d8414ceab6bb806f20cb6a99de083c5d0f7a53ebe3f1d7a7914b9
4beda3336e7de2cb11541b84d0eb36f5347a2b15c8237c8ee07f6bac2ecfab1a
4fd5becb2403b41d495b6008ddf37353271def2fd941855a4914b48d3ca14807
5913746a050b223ed031f12e9726cf37a70bc38cd0799ac6d495223b6e19e722
64e01754390befb75a46a7ae6e4ab44945879826c53a5c72d747aacff513e3a9
6970374e466577dc8e6bc0251673d8bc148019febaf65adb8af01a1b2449a8d0
7131b420a9cfb3d58b0aa4010994cea8db6062ca4c58f8da2a1adf83572945d9
797e11c3221d0724b2f08121872f794d7fff9507305797610d99773f7cee1fcb
8018abd70eac615031bc1af69f0cda4b33a46bf8d8a0578614efcb43003dded7
8e19065c5857c931ff51fb58f697b256deb5cdfef8275c6c6cf66fd0a9b6a892
a0c1a6b20042c3640808263720c71219d096a43a9dd5668d05828b6c55ef6579
a3d887cc44c266383ac3ad501a5d85d6ddb5fb627e93f611ad216e5d9cf4a6ea
a4ce1f1428a91c501661ae4711fd08fbb63a2682424b09190858a41fe72ce90b
a58b24e3083bacf2f1d4918247415a91b7e420f52ed5ef7b32a9f929632eafd8
*See JSON for more IOCs

Coverage

Product	Protection
Secure Endpoint
Cloudlock	N/A
CWS
Email Security
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Secure Malware Analytics
Umbrella	N/A
WSA	N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Ransomware.Cerber-9998102-0

Indicators of Compromise

IOCs collected from dynamic analysis of 98 samples

Mutexes	Occurrences
`ipc.{8067AF37-05F3-E0A7-F91D-CF35012EB051}`	96
`itbeoinopoc`	96

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`19[.]48[.]17[.]0/27`	96
`77[.]12[.]57[.]0/27`	96
`87[.]98[.]176[.]0/22`	96
`178[.]128[.]255[.]179`	58
`104[.]20[.]20[.]251`	33
`104[.]20[.]21[.]251`	32
`172[.]67[.]2[.]88`	31
`104[.]26[.]8[.]86`	22
`172[.]67[.]74[.]49`	21
`104[.]26[.]9[.]86`	15

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`api[.]blockcypher[.]com`	96
`bitaps[.]com`	58
`chain[.]so`	58
`btc[.]blockr[.]io`	58
`qfjhpgbefuhenjp7[.]1bxzyr[.]top`	38

Files and or directories created	Occurrences
`%TEMP%\d19ab989`	96
`%TEMP%\d19ab989\4710.tmp`	96
`%TEMP%\d19ab989\a35f.tmp`	96
`%LOCALAPPDATA%\Microsoft\Office\Groove1\System\CSMIPC.dat`	96
`%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp`	96
`%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.bmp`	96
`<dir>\_R_E_A_D___T_H_I_S___<random, matching '[A-F0-9]{4,8}'>_.txt`	96
`<dir>\_R_E_A_D___T_H_I_S___<random, matching '[A-F0-9]{4,8}'>_.hta`	96
`\pc\users\public\recorded tv\sample media\win7_scenic-demoshort_raw.wtv`	69

File Hashes

002d43089d0c4ef3f41fda3ebffe0e392bd4115d91eb3964c459937d2972ccea
06fbbf4aa44810136e505633664deb2ff4e69e738b0c8f1cffe7ecbe452fba58
0fb57fbf3813e474e366359b9bbc5bec917ad5aeec20f7257948a58b9e9cbb52
10a4d53ec40c1458401eab89abdd5d03f4f95752d3f3acc714b0a156bc1c7ea6
1414ae8cf2ff8cd18b13fc9e982ee5e47afdd01ce2410bf14439bd21e574cd44
149a4a692b40f85e1f99c4a1f631c0bb992af72ac8eff6c08a6df80179dfbabb
1ada8fd30118dcc7fae7041c77b2dc77a4f844a4ca8daa146c1a436b4bf21855
1c28c2b98c6ab6b847913389ea8717e937edb24cd15302a37560d96ba2d2f02d
22d6fc92916deb2d4477c2ecaff01d67253e2f743f265b9848caef3b43a463ae
23ae4d7d6b10a77eb3b9a3899dd29292e866ffbea4623917e08374d1780223f1
256137af5a5461431c81be000cf5c2cf6643be5f87366e330e3ee3f2876847e9
2a943c6f4117f3dab6e00135c93de17ae26e4e5e62ffe5587534267535868641
361d0422b5b5e47076e0f0e4fa476649d3073e31b097572649e60d484fcfc31b
3c8bf29f6c52f87c6e08d72a28551b5569ef7951eb96b16b63411c8a3f132368
3d5349995dafd20c20632181b23fa5c12d63e3e086ffc2594ecf0373ac0d0ab5
3da3f20dc7ed83797ce0752b7f31c4008e5a08d3a27ce8a55d5a78ba5093fb51
3e541d44a3212fcb8c051aecdb6107814753bdd7644f7b982a098719eefe48db
3ebbfd0af3a85e6911f525726a80ebfc85aab7b1b7500d6fc102b13c16b1deb3
3feb42368dc1cefc4646912317a9eb3ce5d6e05c5ea0f123613c38e15d02d726
438b78222723877653f1fb18066a802f58374d5841cc1df518d83f1293052e5e
4965fd6dab40b061bfe2ca234e23b43a60de765958f59b327d3aec29077a13b7
4c41f045065a4fca849d0b189024c9aa734cc7e0a7805e5df8c9be222edaccb2
4dea0603c4c2148572b523417470fe7669cf671b9ea21ae8ffbff58ce21f23bd
4efd982fec1d05668ca457726e915887e1cc4ab6e1c735e8e11b9fd2b8530faa
524c3ef042a214e02c846d09cb3e394ce811638ba6d4000df3320f63aaf29a8b
*See JSON for more IOCs

Coverage

Product	Protection
Secure Endpoint
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Secure Malware Analytics
Umbrella	N/A
WSA	N/A

Cisco Talos Blog

Threat Roundup for April 21 to April 28

Threat Breakdown

Win.Dropper.Bifrost-9998862-0

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Tofsee-9997698-0

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Virus.Ramnit-9997699-0

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Remcos-9998831-1

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.DarkComet-9998118-1

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Virus.Xpiro-9998650-1

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.LokiBot-9997784-0

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Downloader.Upatre-9998551-0

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Ransomware.Cerber-9998102-0

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Share this post

Related Content

Threat Roundup for November 3 to November 10

Threat Roundup for October 27 to November 3

Threat Roundup for October 13 to October 20