Threat Roundup for October 28 to November 4

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 28 and Nov. 4. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name	Type	Description
Win.Dropper.Ramnit-9976458-0	Dropper	Ramnit is a banking trojan that monitors web browser activity on an infected machine and collects login information from financial websites. It also has the ability to steal browser cookies and attempts to hide from popular antivirus software.
Win.Ransomware.TeslaCrypt-9976475-0	Ransomware	TeslaCrypt is a well-known ransomware family that encrypts a user's files with strong encryption and demands Bitcoin in exchange for a file decryption service. A flaw in the encryption algorithm was discovered that allowed files to be decrypted without paying the ransomware, and eventually, the malware developers released the master key allowing all encrypted files to be recovered easily.
Win.Dropper.Nanocore-9976516-0	Dropper	Nanocore is a .NET remote access trojan. Its source code has been leaked several times, making it widely available. Like other RATs, it allows full control of the system, including recording video and audio, stealing passwords, downloading files and recording keystrokes.
Win.Ransomware.Expiro-9976530-0	Ransomware	Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.
Win.Dropper.NetWire-9976531-0	Dropper	NetWire is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, remote desktop and read data from connected USB devices. NetWire is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Trojan.Zegost-9976584-0	Trojan	Zegost is a remote access trojan designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. Zegost appears to be derived from Gh0stRAT, which is a well-known remote access trojan that had its source code leaked, significantly lowering the barrier to entry for actors looking to modify and reuse the code in new attacks.
Win.Dropper.Formbook-9976602-0	Dropper	Formbook is an information stealer that attempts to collect sensitive information from an infected machine by logging keystrokes, stealing saved web browser credentials and monitoring information copied to the clipboard.
Win.Malware.Qbot-9976624-0	Malware	Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.
Win.Packed.Mikey-9976634-0	Packed	Mikey is a trojan that installs itself on the system, collects information and communicates with a C2 server, potentially exfiltrating sensitive information. This threat can also receive additional commands and perform other malicious actions on the system, such as installing additional malware upon request.

Threat Breakdown

Win.Dropper.Ramnit-9976458-0

Indicators of Compromise

IOCs collected from dynamic analysis of 11 samples

Registry Keys	Occurrences
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER Value Name: AntiVirusOverride`	11
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER Value Name: AntiVirusDisableNotify`	11
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER Value Name: FirewallDisableNotify`	11
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER Value Name: FirewallOverride`	11
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER Value Name: UpdatesDisableNotify`	11
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER Value Name: UacDisableNotify`	11
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM Value Name: EnableLUA`	11
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE Value Name: EnableFirewall`	11
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE Value Name: DoNotAllowExceptions`	11
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE Value Name: DisableNotifications`	11
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC Value Name: Start`	11
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND Value Name: Start`	11
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC Value Name: Start`	11
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION Value Name: jfghdug_ooetvtgk`	11
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: JudCsgdy`	11
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV Value Name: Start`	11
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: Windows Defender`	11
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON Value Name: Userinit`	11
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON Value Name: Userinit`	11

Mutexes	Occurrences
`{7930D12C-1D38-EB63-89CF-4C8161B79ED4}`	11

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`217[.]20[.]116[.]138`	10
`72[.]26[.]218[.]70`	10
`195[.]201[.]179[.]207`	10
`208[.]100[.]26[.]245`	10
`35[.]205[.]61[.]67`	10
`142[.]250[.]80[.]46`	10
`64[.]225[.]91[.]73`	10

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`ltvfyknd[.]com`	10
`nwgehuej[.]com`	10
`ochmemne[.]com`	10
`ovedpgmh[.]com`	10
`plsjybruf[.]com`	10
`qqximuos[.]com`	10
`qsatesrenfj[.]com`	10
`qymovaxblw[.]com`	10
`rohpwrralh[.]com`	10
`rybnpwpdxp[.]com`	10
`shlbftknj[.]com`	10
`urnjufcm[.]com`	10
`wevufrlvbmp[.]com`	10
`xdxocfqkpfs[.]com`	10
`xkluqdruhdy[.]com`	10
`yhvvaanlaw[.]com`	10
`augrkyqwgni[.]com`	10
`gsxgbfendh[.]com`	10
`rqcryxlm[.]com`	10
`acwuxyrasn[.]com`	10
`weyvrdbd[.]com`	10
`tqfgavkr[.]com`	10
`spbmrgvk[.]com`	10
`arkdnbwpf[.]com`	10
`hxblclgkdw[.]com`	10

*See JSON for more IOCs

Files and or directories created	Occurrences
`%LOCALAPPDATA%\bolpidti`	11
`%LOCALAPPDATA%\bolpidti\judcsgdy.exe`	11
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\judcsgdy.exe`	11

File Hashes

05137f6ab767b193b5c4f93848348f54c7b16e3934db1749d4a2df611137f385
061947fa22ca40de1b07fa6e681021ac77fd1586846056a84f2325712c378d1a
0f647586c3d93ecc3af4028b0584353adfe2b9a60ffdcde3fbbfc5e0a3584492
24a2edb8efdf3e34cda083e4d17e1ff661ecd52d4cd3f0d3fe02e44774373432
293c97369187dca742a5679bc1111d89f113a7c2fe6973dc2d1199f5b6a1fbdb
3a87f11dddfdb3914035a2bd4b62de3196651dfad874e1b502ae12c485399622
67f7b5fd32444e240ea880a668ef980317c2fafdbb0ef627c06f172a08c10416
6a188dd1314a3d2bd6a5769c712f79c7719874e7ece53c045a22ba6f52be61d2
892cdf46d7b2754c273f0996fba8ef71554bea80b47f55a0ede6728f5eb73225
c496b66c5758ba90b111d94d63cfa75fa915926933222c04d3e827fa194037ee
ea0db1aa89275513d8001b6b5f62dd2198b659663294cdbc36070c1e98b99e03

Coverage

Product	Protection
Secure Endpoint
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Secure Malware Analytics
Umbrella
WSA

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Ransomware.TeslaCrypt-9976475-0

Indicators of Compromise

IOCs collected from dynamic analysis of 14 samples

Registry Keys	Occurrences
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM Value Name: EnableLinkedConnections`	11
`<HKCU>\SOFTWARE\ZSYS`	11
`<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E Value Name: LanguageList`	11
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0 Value Name: CheckSetting`	11
`<HKCU>\SOFTWARE\ZSYS Value Name: ID`	11
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: Acronis`	11
`<HKCU>\Software\<random, matching '[A-Z0-9]{14,16}'>`	11
`<HKCU>\Software\<random, matching '[A-Z0-9]{14,16}'> Value Name: data`	11
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\\PARAMETERS\PORTKEYWORDS\DHCP Value Name: Collection`	1

Mutexes	Occurrences
`78456214324124`	11
`Global\3621b8e1-598a-11ed-9660-001517124ddd`	1
`Global\361f20d1-598a-11ed-9660-0015171d8840`	1

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`178[.]33[.]117[.]45`	11
`34[.]160[.]111[.]145`	11
`216[.]245[.]213[.]77`	6
`18[.]232[.]18[.]135`	6
`52[.]202[.]227[.]125`	5
`77[.]247[.]182[.]251`	4
`77[.]247[.]182[.]243`	1

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`myexternalip[.]com`	11
`irseek[.]com`	11
`djepola[.]com`	11
`aprenderabailarsevillanas[.]com`	11
`apotheke-stiepel[.]com`	11
`woodenden[.]com`	11

Files and or directories created	Occurrences
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I08BO8F.xlsx`	11
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I11KHR4.doc`	11
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I5QKHLN.doc`	11
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I62TWBD.ppt`	11
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I6FZORX.doc`	11
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IABMX83.pdf`	11
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IAJ2Y6R.pdf`	11
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IALGTCS.xlsx`	11
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IGTBBSA.accdb`	11
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IH49RPF.ppt`	11
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IH71GGR.ppt`	11
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IJKODPH.pdf`	11
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IJP965K.accdb`	11
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IKY5R3M.pdf`	11
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IMYCSIT.pdf`	11
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$ISLP722.doc`	11
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IXLC77A.pdf`	11
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IXUL2U1.doc`	11
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IYSR1FU.ppt`	11
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IZ2GMJW.XLSX`	11
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$R08BO8F.xlsx`	11
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$R11KHR4.doc`	11
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$R5QKHLN.doc`	11
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$R62TWBD.ppt`	11
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$R6FZORX.doc`	11

*See JSON for more IOCs

File Hashes

30614f6bbaf10137089bb8b1c1bf69b8b131052750b96db1f26e689e59dcc5bb
312f7e1c6a5b1e71dfce6edf658aff098118eb0bccb3676878aba4ca55e8ce53
5917d58345869b83616cb51ce33331f96a23a8c72b6529342c08c0980d481ea4
5d7d96c5024591d45d2bd92329981945eb6400453547df0711e445b66da1c740
679cb4ef0c102db6bc4d6a8dcc15a0a8728c8f1714eec55253a41a29e76cf956
975676952320d4ad6516b9ed31dd1373e9f828e602e7690f55782fc30cb5ba8b
a4e2d68231dd5b9dd62a072082b68d2688de0441596c3b1c927989995afe5a0b
c6867c81e37c2574297f01f95953b71e89f6b9f513bc7fbd6278cb0d9d6031ed
d07d13129187b86b7550e32804201beda9338f33232b122886d35adb55edf73e
d5003563374846618799b3c82852aa90fbf0bd5de8e2c6f50b4c4ae8dd78bb00
d5ae4f92b78010fdc637e4ae606e00ab8be0a7bf02d3d33116b558cf5d0df3bb
e0de998f6a4c61df0aab37eb1c3e169f608235c42daf4a17a70de00ae1321ec4
e0f1b11228df0ae77c74fb87f229c1a0edc8f3a2e5d385f32eee5b47f15855bb
ebf67e0c91d02c84b17dcf1ef61c12c8f5e4c5e5c789db3fa240f1f1c516c672

Coverage

Product	Protection
Secure Endpoint
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Secure Malware Analytics
Umbrella	N/A
WSA	N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Nanocore-9976516-0

Indicators of Compromise

IOCs collected from dynamic analysis of 14 samples

Registry Keys	Occurrences
`<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E Value Name: LanguageList`	8
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: AGP Manager`	5
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: WindowsUpdate`	5
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: AutoUpdate`	4
`<HKCU>\ENVIRONMENT Value Name: SEE_MASK_NOZONECHECKS`	2
`<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E Value Name: @%SystemRoot%\system32\dhcpqec.dll,-100`	2
`<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E Value Name: @%SystemRoot%\system32\dhcpqec.dll,-101`	2
`<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E Value Name: @%SystemRoot%\system32\dhcpqec.dll,-103`	2
`<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E Value Name: @%SystemRoot%\system32\dhcpqec.dll,-102`	2
`<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E Value Name: @%SystemRoot%\system32\napipsec.dll,-1`	2
`<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E Value Name: @%SystemRoot%\system32\napipsec.dll,-2`	2
`<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E Value Name: @%SystemRoot%\system32\napipsec.dll,-4`	2
`<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E Value Name: @%SystemRoot%\system32\napipsec.dll,-3`	2
`<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E Value Name: @%SystemRoot%\system32\tsgqec.dll,-100`	2
`<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E Value Name: @%SystemRoot%\system32\tsgqec.dll,-101`	2
`<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E Value Name: @%SystemRoot%\system32\tsgqec.dll,-102`	2
`<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E Value Name: @%SystemRoot%\system32\tsgqec.dll,-103`	2
`<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E Value Name: @%SystemRoot%\system32\eapqec.dll,-100`	2
`<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E Value Name: @%SystemRoot%\system32\eapqec.dll,-101`	2
`<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E Value Name: @%SystemRoot%\system32\eapqec.dll,-102`	2
`<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E Value Name: @%SystemRoot%\system32\eapqec.dll,-103`	2
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: 20744aa7e3ab56e90a843fa06bd99e6d`	2
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: 20744aa7e3ab56e90a843fa06bd99e6d`	2
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM Value Name: DisableTaskMgr`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM`	1

Mutexes	Occurrences
`8-3503835SZBFHHZ`	3
`Global\{d0691a45-4fc4-42f8-9eb9-754e345ceb2c}`	3
`20744aa7e3ab56e90a843fa06bd99e6d`	2
`73M9N-T0-UB83K6J`	1
`S-1-5-21-2580483-12441695089072`	1
`S-1-5-21-2580483-12443106840201`	1
`1N6PO-QCTT825WY-`	1
`S-1-5-21-2580483-12443999912674`	1
`073A3D-6T418-C-B`	1
`Global\{042723c4-0804-4212-bf56-4b1b2669ca7c}`	1
`O5L2BA2WRAFEx2MB`	1
`7P2MN2S27-74YFZB`	1
`Global\{0aeffa29-f3e3-4c27-b5c4-5ee7e27a451f}`	1
`Global\{0fd7962c-bd41-4ed0-bcf3-944f142a1566}`	1

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`34[.]102[.]136[.]180`	3
`194[.]5[.]98[.]213`	3
`194[.]55[.]186[.]129`	2
`198[.]54[.]117[.]218`	1
`198[.]54[.]117[.]212`	1
`195[.]110[.]124[.]133`	1
`66[.]96[.]160[.]130`	1
`217[.]19[.]248[.]132`	1
`192[.]169[.]69[.]26`	1
`75[.]2[.]115[.]196`	1
`75[.]2[.]26[.]18`	1
`104[.]21[.]83[.]149`	1
`209[.]17[.]116[.]163`	1
`34[.]117[.]168[.]233`	1
`54[.]91[.]59[.]199`	1
`64[.]190[.]63[.]111`	1
`31[.]31[.]196[.]51`	1
`194[.]5[.]98[.]219`	1
`199[.]59[.]243[.]222`	1
`23[.]230[.]152[.]134`	1
`45[.]33[.]6[.]223`	1
`45[.]77[.]55[.]161`	1
`202[.]61[.]84[.]210`	1
`38[.]6[.]77[.]91`	1
`76[.]76[.]21[.]9`	1

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`nexaustin[.]ddns[.]net`	3
`www[.]xn--agroisleos-09a[.]com`	1
`www[.]cacconsults[.]com`	1
`411speed[.]duckdns[.]org`	1
`lowaspeed[.]ddnsfree[.]com`	1
`www[.]thespecialtstore[.]com`	1
`www[.]sqlite[.]org`	1
`www[.]fbo[.]app`	1
`www[.]fabricsandfashion[.]com`	1
`www[.]stjohnzone6[.]com`	1
`www[.]co-gpco[.]com`	1
`www[.]tigermedlagroup[.]com`	1
`www[.]www1111cpw[.]com`	1
`www[.]duetpbr[.]com`	1
`www[.]duenorthrm[.]com`	1
`www[.]bbobbo[.]one`	1
`www[.]onlyonesolutions[.]com`	1
`www[.]ndppoc[.]info`	1
`www[.]confurn[.]net`	1
`www[.]nyhedsbrev671[.]shop`	1
`www[.]blast4me[.]com`	1
`www[.]3egcfl[.]cyou`	1
`www[.]fistfulofeuros[.]org`	1
`www[.]8065yp[.]com`	1
`www[.]azalpay[.]site`	1

*See JSON for more IOCs

Files and or directories created	Occurrences
`%HOMEPATH%\temp`	14
`%TEMP%\RegSvcs.exe`	7
`%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5`	6
`%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs`	6
`%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs\Administrator`	6
`%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\run.dat`	6
`%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp`	6
`%ProgramFiles(x86)%\AGP Manager`	5
`%ProgramFiles(x86)%\AGP Manager\agpmgr.exe`	5
`%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\task.dat`	5
`%System32%\Tasks\AGP Manager`	5
`%System32%\Tasks\AGP Manager Task`	5
`%TEMP%\8_56\mlknlqw.pif`	1
`%TEMP%\8_56\ofstkibdks.mp3`	1
`%TEMP%\8_56\pdofc.pdf`	1
`%TEMP%\8_56\rejtghdwwt.icm`	1
`%TEMP%\8_56\snmgega.dll`	1
`%TEMP%\8_56\swev.dll`	1
`%TEMP%\8_56\tbhdnssur.gcf`	1
`%TEMP%\8_56\uopse.ini`	1
`%TEMP%\8_56\wkgwwrb.docx`	1
`%TEMP%\8_56\wwikp.exe`	1
`%TEMP%\8_56\xawk.msc`	1
`%TEMP%\8_56\xtcwtnqb.exe`	1
`%TEMP%\10_71\biciulubl.mp3`	1

*See JSON for more IOCs

File Hashes

0015048adbf3c3c9e4d685430113d63866e2a2f44d68cb3ee84274b4e2936638
1544ca80f8a8b8b9b87a1f9cf1e223c73a30bebe20ef7954f083ccb14275a519
62b5227656a58b1358c35100d0b5e8116ebe5b891a69f0a6f3ece869305e3193
6a4d2f72c82049aaec9996ed5de2756862f32678c33751e1ce449036cd66bf67
6ef54172371d62f47ca10add5d4e16991c08ab1c43effec3d1caf25718d2ed08
7cd5d3d08b5baa37925bbcac0fc1a5d6c72bcbf72d134b20d2fec7a19ea04e4b
98c63a20b549889019289912d4cffdf6b167585bdfdd0b1b0d9993da3c62ca63
b1f692dd52aae8317db7cfd262a4bcc053cf721fc7a00bf66f4acc7cb5cc6cbc
bb1de2f25a652c68b959b1dd2a0b379a71c052ec5a3810f5363fe5e8f172764d
bc10c1fdffe23e13bf9cfc59b5e85e1db2f4f99af014d775a24cdc47920c3fec
cd7309e874f6ca76a451bb90026e79736afdf309cc853948424b00ffa7985b73
dcff2133f606823c5704cde43408c1d49f76fec97a1fcc973d4d3dc69651a4ed
dd0ec4c79c60c7e53fc117800214901f5c55b04aceb455ecb88ceeb12958df60
f8ddc46b03f741a383da261761ed44b95fa58135b64a7b4577f8e08443d9f4bb

Coverage

Product	Protection
Secure Endpoint
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Secure Malware Analytics
Umbrella
WSA

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Ransomware.Expiro-9976530-0

Indicators of Compromise

IOCs collected from dynamic analysis of 12 samples

Registry Keys	Occurrences
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: Bandera`	12

Mutexes	Occurrences
`Local\Kasimir_C`	12
`Local\Kasimir_E`	12
`Local\azov`	12

Files and or directories created	Occurrences
`%ProgramFiles%\Zulu\zulu-8\demo\jvmti\mtrace\RESTORE_FILES.txt`	12
`%ProgramFiles%\Zulu\zulu-8\demo\jvmti\mtrace\lib\RESTORE_FILES.txt`	12
`%ProgramFiles%\Zulu\zulu-8\demo\jvmti\versionCheck\RESTORE_FILES.txt`	12
`%ProgramFiles%\Zulu\zulu-8\demo\jvmti\versionCheck\lib\RESTORE_FILES.txt`	12
`%ProgramFiles%\Zulu\zulu-8\demo\jvmti\waiters\RESTORE_FILES.txt`	12
`%ProgramFiles%\Zulu\zulu-8\demo\jvmti\waiters\lib\RESTORE_FILES.txt`	12
`%ProgramFiles%\Zulu\zulu-8\demo\management\FullThreadDump\RESTORE_FILES.txt`	12
`%ProgramFiles%\Zulu\zulu-8\demo\management\JTop\RESTORE_FILES.txt`	12
`%ProgramFiles%\Zulu\zulu-8\demo\management\MemoryMonitor\RESTORE_FILES.txt`	12
`%ProgramFiles%\Zulu\zulu-8\demo\management\RESTORE_FILES.txt`	12
`%ProgramFiles%\Zulu\zulu-8\demo\management\VerboseGC\RESTORE_FILES.txt`	12
`%ProgramFiles%\Zulu\zulu-8\demo\nbproject\RESTORE_FILES.txt`	12
`%ProgramFiles%\Zulu\zulu-8\demo\nbproject\jfc\FileChooserDemo\RESTORE_FILES.txt`	12
`%ProgramFiles%\Zulu\zulu-8\demo\nbproject\jfc\FileChooserDemo\nbproject\RESTORE_FILES.txt`	12
`%ProgramFiles%\Zulu\zulu-8\demo\nbproject\jfc\Font2DTest\RESTORE_FILES.txt`	12
`%ProgramFiles%\Zulu\zulu-8\demo\nbproject\jfc\Font2DTest\nbproject\RESTORE_FILES.txt`	12
`%ProgramFiles%\Zulu\zulu-8\demo\nbproject\jfc\Metalworks\RESTORE_FILES.txt`	12
`%ProgramFiles%\Zulu\zulu-8\demo\nbproject\jfc\Metalworks\nbproject\RESTORE_FILES.txt`	12
`%ProgramFiles%\Zulu\zulu-8\demo\nbproject\jfc\Notepad\RESTORE_FILES.txt`	12
`%ProgramFiles%\Zulu\zulu-8\demo\nbproject\jfc\Notepad\nbproject\RESTORE_FILES.txt`	12
`%ProgramFiles%\Zulu\zulu-8\demo\nbproject\jfc\SampleTree\RESTORE_FILES.txt`	12
`%ProgramFiles%\Zulu\zulu-8\demo\nbproject\jfc\SampleTree\nbproject\RESTORE_FILES.txt`	12
`%ProgramFiles%\Zulu\zulu-8\demo\nbproject\jfc\SwingApplet\RESTORE_FILES.txt`	12
`%ProgramFiles%\Zulu\zulu-8\demo\nbproject\jfc\SwingApplet\nbproject\RESTORE_FILES.txt`	12
`%ProgramFiles%\Zulu\zulu-8\demo\nbproject\jfc\TableExample\RESTORE_FILES.txt`	12

*See JSON for more IOCs

File Hashes

1404a5b4c34cf6e2975a2600ffaa778ae2d2b4fee305a64a122ea8269bcd4a72
154f2b05a85946c0ad74802f75dc8f9fdb79130b0450415f8354b619a7e03683
18a681a88dc35e4ff7c9e67eac567023c29f7944db294fb77b556950b7f83232
1c1e53930a9863e3f862acb6774f858c91c9bc51c77587c79313755b617b7b51
1ee2e603fb17105558daef8fad81f052d36a71636fdf3ed38fd0b4d924081c56
22caaaef25d4d59ad771969e3ba361d5e33fcd5fb7a25d8875fe6bc51a0acb13
4ea0c9a1843a89fb4c469053eb0b817ae4eec70d91f93ef2683a4731ac30030a
606ac339cab05c2641f30a6deee5eddcdb5a82ad94430e8250ed2dc429754ae9
66a01949db2504792ef56fe73352fe75bab35f5995ff94114d7e98bcbebb7b04
7c6d05752c07f45b057b47bd3102dec87b9cea071c8b9ecd12455b0fb123529f
d0a92b410313e350366ab68993db429ac1c99f2e82c7437d13d8736b5716dc19
fd95d28ea97ac602301b212c5fda3e7c9974531a9d2e6c2f72990579248c40b9

Coverage

Product	Protection
Secure Endpoint
Cloudlock	N/A
CWS
Email Security
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Secure Malware Analytics
Umbrella	N/A
WSA	N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.NetWire-9976531-0

Indicators of Compromise

IOCs collected from dynamic analysis of 16 samples

Registry Keys	Occurrences
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON Value Name: Shell`	11
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: Images`	4
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\PMT3XT1Q2K`	4
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\PMT3XT1Q2K Value Name: inst`	4
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: remcos`	2
`<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E Value Name: LanguageList`	2
`<HKCU>\SOFTWARE\NETWIRE`	1
`<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E Value Name: @C:\Windows\system32\DeviceCenter.dll,-2000`	1
`<HKCU>\SOFTWARE\NETWIRE Value Name: HostId`	1
`<HKCU>\SOFTWARE\NETWIRE Value Name: Install Date`	1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\4JAOA17T9V`	1

Mutexes	Occurrences
`<32 random hex characters>`	6
`Remcos_Mutex_Inj`	2
`4K4OB47WX4V4CKL5`	2
`65RNS1Q-967B20H8`	2
`remcos_lxsjaviytncaprp`	2
`-`	1
`Mutex`	1
`Global\{341de909-532f-4e88-9ebb-7d3eb122bb6e}`	1
`Global\563b8e01-5a4b-11ed-9660-001517ee0131`	1
`ITVC9`	1
`Global\{cdbf811f-ed5e-4c07-872b-324356f515af}`	1

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`103[.]168[.]204[.]152`	4
`150[.]242[.]14[.]61`	4
`34[.]102[.]136[.]180`	2
`3[.]64[.]163[.]50`	2
`1[.]2[.]3[.]4`	1
`103[.]224[.]182[.]210`	1
`51[.]159[.]67[.]135`	1
`20[.]103[.]85[.]33`	1
`23[.]221[.]227[.]169`	1
`3[.]19[.]100[.]43`	1
`13[.]248[.]243[.]5`	1
`188[.]126[.]90[.]9`	1
`74[.]201[.]28[.]109`	1
`184[.]105[.]237[.]194`	1
`192[.]227[.]130[.]26`	1
`136[.]243[.]154[.]115`	1
`3[.]136[.]101[.]224`	1
`170[.]106[.]49[.]122`	1
`50[.]87[.]196[.]120`	1

Domain Names contacted by malware. Does not indicate maliciousness	Occurrences
`iphanyi[.]webredirect[.]org`	4
`jlf716galpha[.]ddns[.]net`	2
`www[.]destinny[.]com`	2
`www[.]iregentos[.]info`	2
`www[.]socia1security[.]net`	2
`microsoft[.]com`	1
`apps[.]identrust[.]com`	1
`iphanyi[.]edns[.]biz`	1
`www[.]movementspecialistslv[.]com`	1
`h[.]top4top[.]io`	1
`www[.]blossomenterpriseuganda[.]com`	1
`www[.]rubenvdsande[.]com`	1
`amnartrat[.]ddns[.]net`	1
`www[.]agencybuilderforum[.]com`	1
`www[.]thegolfclubatcirclec[.]com`	1
`www[.]alfrednelson[.]com`	1
`www[.]communityinsuranceut[.]com`	1
`www[.]qqbokep[.]com`	1
`www[.]dotalogy[.]com`	1
`www[.]elegancescent[.]com`	1
`www[.]blkdenim[.]com`	1
`www[.]paintedinafrica[.]com`	1
`www[.]onurtel[.]com`	1
`www[.]tqiawy[.]xyz`	1
`www[.]rainbowbanks[.]com`	1

*See JSON for more IOCs

Files and or directories created	Occurrences
`%ProgramFiles%\Microsoft DN1`	5
`%LOCALAPPDATA%\Microsoft Vision`	5
`%ProgramData%`	4
`%ProgramData%\images.exe`	4
`%ProgramData%:ApplicationData`	4
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat`	4
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start`	4
`%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5`	2
`%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs`	2
`%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs\Administrator`	2
`%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\run.dat`	2
`%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\task.dat`	2
`%System32%\Tasks\AGP Manager`	2
`%APPDATA%\remcos`	2
`%APPDATA%\remcos\remcos.exe`	2
`%TEMP%\install.bat`	2
`%APPDATA%\pbfK0ESxVB628Cf2`	2
`%APPDATA%\Install`	1
`%APPDATA%\Install\Host.exe`	1
`%TEMP%\System`	1
`%APPDATA%\Sqlite3`	1
`%APPDATA%\Sqlite3\sqlite3.dll`	1
`%APPDATA%\1jL8REIPgFpnQFM4`	1
`%APPDATA%\4nTKFdOD39Vq0zE3`	1
`%TEMP%\System\xmrig.exe`	1

*See JSON for more IOCs

File Hashes

04d5963e859229bb3c0bb76c311867a0fb150029bd580cdc22118eaabf17516d
058feb3df2afbd547d12bca6ca4d28b2b393ff3c6fc71f325f264cae9143b6a6
0619a227ff1e3c46b54a03797cdc0054afa0e24137596fdae7676a70f2175710
1efc23c2527eb5ba80630a9610b6ef71709a90ed8f06716588b6fea6c4a55134
42e74142a3bf1fc2f2ccbfa3efd76a8e2752eade8d373cc88b8b537fddbe91e3
514bf43a45b1c5e689a005653f1cf352efb81f051a5259c8e5b9c6b42bce8537
53084f740ea9d129f3bcb5ba899de173a2bbe8f6689f9112c9de6a6c8c9db9e2
574efe8cce09da26ed0ae70376857c12d1282c55e113ad65523307364900de16
6b07a24b6a25c6dd641bd3ba5296d6e5ba702722b27b5640855c14973d1aff17
970fe6d1c87273191ee73f2dadea1f9e25d456676ecd6997acd30bbda05de43a
9affeeb392ec57f487776cb8da8e8abb89b3250aefa2d2f0b29997b0bd33d00f
a996609920ba3ed689dbe009d3e81128c097de7ec043def6074c57b408576b86
b37072cc25f1b87fd2f44abc257bb98d49a91b1621d79e794076f2f24bc18ba0
d14d3980e62e5da9ca4d13e777ee3502875f3b9799f9ed6b963b2518661d4edc
d2d127529cae65a8a493f03533a2ecb698a185ad2d137cb539884d3858189ee9
eb0c8f8343c74cd148800ed8fe373f25a0c719503fb71c9852bda347527fb8d4

Coverage

Product	Protection
Secure Endpoint
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Secure Malware Analytics
Umbrella
WSA

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Trojan.Zegost-9976584-0

Indicators of Compromise

IOCs collected from dynamic analysis of 25 samples

Registry Keys	Occurrences
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: Kris`	25

Mutexes	Occurrences
`chinaheikee__inderjns`	25

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`67[.]198[.]148[.]52`	25

File Hashes

133716a04bbffa588c6db4e5e669cd9472999d2e85720b9e529c0201adbca5cc
1443bd94987127cdf9f5e2ef166c68bc84cdff73321f4ad2544cdb5e6afb003a
1cdc8ea3feb05cc2dc3a115d1a7cce4a2f0f49d3d1dac38dc0db79888f2da044
23c85949bfbca0b3cf200e3c2b0f5f532c9fdea0f2bd76981800f36006234ba8
241b4c0e102739a369cf75446395ddc4aedf8a6adf70b389aacdf9756b81e4b2
253a67526137ded4e31148bbd0f626c4958c0b9556b84eedb5ab0089de5a93c6
27b1ccae49978938d337d25867d53edaa85c79de960630e716bfef7bc970681b
27e92dc76eb5b788f97234b0864ec5790786ed2952db7b1d3276230b794c456a
2809026f932fa0d4f4b9dc7581b0bea9fc7f89ae4c089762c3ba15cdc4125033
2c7e1c403507e3a670e55301487f201ea7d809ae36ea5366ae2334dd4e2272ab
2eeeaf618db3e354eb28cbad932d8719daed755fed0562356188261708d2c329
3189468e0a1d64542850814df7c29408a686dca7575237ce0a48390805e88768
331b3bac64be57f59d637a6c629a53712edd6a1001e0df2c21a29f982cb48e6a
34f85da54491fec5b9d76fc50972ab2f263f00f55a6f5cbde0af8ffec790e156
428b563c09c494f6b8359bbcbc1d3035c39bee5693540c7727281cb945edd10c
45c726068a37dd7290bcd1a7e24f6b49b2b6216291ed4c39225f4eb31ccadded
4ef5bbdf5a5812adb57f26b798a18c3657ae799d8e71495103b0c7b16e0b8dbf
56ea4f3e4216bd917a9c45aac3f7079b930bceb9ad01ac5663c641d0b80d10a3
5777c12ea053512d4437a9548e2967b55736fc6f65b56c3609ef3681fb235961
57c3bb5da234d033fb6c8ac120dab66d6c021af2ea16348bd17315fad6a38cf4
5ddb66a224d7d8feea79bafbf7d8fd5e7e73ddff1437546003dc28eb0e733126
6199b3083e824fdef37a97b3116812ffd846d26124ad8a454444ba2dd9d4f028
6334aa60d77d8c4c9e06cbfcdbd13f23bae6d29876708805403721cd4bfed588
6424ccc4b554e23138adeb7a8926d8c651838fc161e7c9ae8bdfb56f9775cdaa
6ae30d306a4bfaa65465d1c26b13645c9ba3fb1e90960fa8f19bf82d02294e03
*See JSON for more IOCs

Coverage

Product	Protection
Secure Endpoint
Cloudlock	N/A
CWS
Email Security
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Secure Malware Analytics
Umbrella	N/A
WSA	N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Formbook-9976602-0

Indicators of Compromise

IOCs collected from dynamic analysis of 24 samples

Registry Keys	Occurrences
`<HKCU>\SOFTWARE\APPSTORE`	24
`<HKCU>\SOFTWARE\APPSTORE Value Name: LastTime`	24
`<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E Value Name: LanguageList`	1
`<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E Value Name: @explorer.exe,-7001`	1

Files and or directories created	Occurrences
`%TEMP%\ns<random, matching '[a-z][A-F0-9]{1,4}'>.tmp`	24
`%TEMP%\ns<random, matching '[a-z][A-F0-9]{4}'>.tmp\System.dll`	24
`%TEMP%\ns<random, matching '[a-z][A-F0-9]{4}'>.tmp\NSDIALOGS.DLL`	24
`%TEMP%\nsm373D.tmp\modern-wizard.bmp`	1
`%TEMP%\nsr3624.tmp\modern-wizard.bmp`	1
`%TEMP%\nsh3412.tmp\modern-wizard.bmp`	1
`%TEMP%\nsc3C7B.tmp\modern-wizard.bmp`	1
`%TEMP%\nsm3A97.tmp\modern-wizard.bmp`	1
`%TEMP%\nsm3D07.tmp\modern-wizard.bmp`	1
`%TEMP%\nsc3663.tmp\modern-wizard.bmp`	1
`%TEMP%\nsn355A.tmp\modern-wizard.bmp`	1
`%TEMP%\nst2544.tmp\modern-wizard.bmp`	1
`%TEMP%\nsy3EFB.tmp\modern-wizard.bmp`	1
`%TEMP%\nsi41D.tmp\modern-wizard.bmp`	1
`%TEMP%\nscAF0B.tmp\modern-wizard.bmp`	1
`%TEMP%\nsi527B.tmp\modern-wizard.bmp`	1
`%TEMP%\nstE97C.tmp\modern-wizard.bmp`	1
`%TEMP%\nsxDF5E.tmp\modern-wizard.bmp`	1
`%TEMP%\nsi51EF.tmp\modern-wizard.bmp`	1
`%TEMP%\nsdD0CE.tmp\modern-wizard.bmp`	1
`%TEMP%\nstC9CC.tmp\modern-wizard.bmp`	1
`%TEMP%\nsnE0C.tmp\modern-wizard.bmp`	1
`%TEMP%\nsg832B.tmp\modern-wizard.bmp`	1
`%TEMP%\nss9F81.tmp\modern-wizard.bmp`	1
`%TEMP%\nsi5191.tmp\modern-wizard.bmp`	1

*See JSON for more IOCs

File Hashes

0a781b03d64413436c911a3994d95af5d2a45ee649f707a979fbe88337a51215
0b36838cf62eb07200b7a91385ce85aba4d028889f3bdd9002ff6a7c133f2936
13c8649974576fe8448a569f3831e67ac2ec41f65ae2605c55cdbe8520f57c9d
1b5c03dad39a612f4b79925343278bb7a0c4466a15bdd5a601f1314e6e58a0e0
286c3326921512170ca8c9318173773b47bfdb8b825358942b4c33f4c26f9f23
31c0a24d60b818ea8e7b17d3547559376b0dd22a24dc41325aff268e0bd8918a
46efe9c4fb87fa2dc79398c2bfbef1fceef22eb9a3b8a9cfc8ae7f293f143736
56e020e483283b6b1974a5808d8ff19cf9023fcc928a643fcc26b030a6f8c1e3
653211977632579659671c25632f882b3aaa56f8030036b0e32e648b44930e24
66e3237dc10316747f42a9423021483168b1332b8077f8dbba44272a5e84b5e2
69d2c94c148875e54384537664abe487d1565d21a89d893df3ff169f7d952d14
6a788c3e4b5b68a65562bf5e8ef8e2dd3b3ba7f71edfe757d351d9ee4d516ec9
72ef1f44392e726243c6f7c74cc7deb2aa0c1880d6248ce2000ed0462858baf3
7968bd184b3752a316f9f25b8e22b8ba14c3270eb9b7fb46eb3b46d4ad557fe9
9428f34d7862cd99d41a50f9085c77d096cf7eddf0cedf889adeb754f623f368
b8416e5271bd5d02808e330d25f4f57cff0cb5a8e1487dad21b392e26d42488b
c95fc54d4fcdb80609d8e4fdfb04596296a9bdece21d3429bafa48a191006840
d17383a87703f33ddd7c968d39d9a9aa07153d65fdb37423490d2118c22a3ca4
d2024286d06081a3119a548ab80551b8d3ea12d2fdc2b399026d23508c2a1380
eb1951d80eac5104f5b02793df52ce540e4a0843494e816541334a09b31c0f08
f24740999c04fb15e868d5e62d79043e84b9ecc7956c6ffeeb0bee76a9c25793
f4090c819f4a5d1da2245244c2e786bceae53a9ba3065f5ffd89588bf8e516be
fb32b93c36578ec09eafe1375538a392d114d3f695400b0720bbb95b70b9b203
fc004c3d0dfdf7d5433da40be3b6e048a6490fe959eaf6af74d0b580256e9dc3

Coverage

Product	Protection
Secure Endpoint
Cloudlock	N/A
CWS
Email Security
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Secure Malware Analytics
Umbrella	N/A
WSA	N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Malware.Qbot-9976624-0

Indicators of Compromise

IOCs collected from dynamic analysis of 15 samples

Registry Keys	Occurrences
`<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK`	15
`<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK Value Name: bd63ad6b`	15
`<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK Value Name: bf228d17`	15
`<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK Value Name: 79eea72`	15
`<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK Value Name: 7a96a5f8`	15
`<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK Value Name: c22ac29d`	15
`<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK Value Name: 5dfca0e`	15
`<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK Value Name: 88fc7d25`	15
`<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK Value Name: f7b512d3`	15

Mutexes	Occurrences
`Global\{06253ADC-953E-436E-8695-87FADA31FDFB}`	15
`{06253ADC-953E-436E-8695-87FADA31FDFB}`	15
`{357206BB-1CE6-4313-A3FA-D21258CBCDE6}`	15

Files and or directories created	Occurrences
`%APPDATA%\Microsoft\Xtuou`	15
`\TEMP\10fb7039d24f8593a7de808f8204ead1.dll`	1
`\TEMP\3ffe560127804443b98953de7c9dd5fa.dll`	1
`\TEMP\ecd95a8bfe2510b6591a9d1d23defcb0.dll`	1
`\TEMP\73c5c9c056a12cd9ea3d4976f90a1757.dll`	1

File Hashes

086bcf673f9fcd920b1c91ff72db4677f48fd4c0ff13f80544fd258384c3acd4
14a953b85f253f28776ef4a5e4f5a7e6932b419f0d671ef1e9ffe94fb038b1cc
1683d02dece55de1ebf9d12b206a1533a6883949a178241d8176fce48f7ce734
433214982d46f0de6929708e2c7d667eec2206ae23c707099f6866dae0ae672b
67f064cd7d5dd94f7521f32fd858804535a84d506758069453f7c9f2b41fd0e1
68497fe4d9c25c38e9419c4d617a62fedbbe272ef2623c6d61d6794fb047338a
6d85b2269488db695e8168433ef58626d5b9bb4b9ee38b02057067d941be2d4f
7e861ab117b7a9dd4f4460956d921209124a5e9a2e735d1e05b267f424c2fd99
a50452279e028138c0ddfdc852f860b951a097b9e1615449007f4ac06bdb8e29
ac3dab50e68f843d869d6d1fdd756c9da8a4482e204f5f7d050fa7ceb1fdcbef
b2917acf6f61cf328fa6f010519a49e8ce3d6b1407abb833e73e078559a8dd41
b5c7ad50f7d8bf745718dcc5a6ddd1a33a1303eecf14bf66e2fbeffd87ad9b53
c4033d78ebb05d37ed2604b75521690298172240fbbc74e4409d63fd4cc9046c
d4d435b2af9729aa9ce933182024508b8d89be94e88a91734f8d8719bb660f9a
f2c0e1729b763502229cc520e4171fa5c0d1c5e5bf1168c2500c1b973da618e0

Coverage

Product	Protection
Secure Endpoint
Cloudlock	N/A
CWS
Email Security
Network Security	N/A
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Secure Malware Analytics
Umbrella	N/A
WSA	N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Packed.Mikey-9976634-0

Indicators of Compromise

IOCs collected from dynamic analysis of 21 samples

Registry Keys	Occurrences
`<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E Value Name: LanguageList`	5
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\USER SHELL FOLDERS Value Name: Startup`	2
`<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E Value Name: @explorer.exe,-7001`	1

Mutexes	Occurrences
`MSCTF.Asm.{00000009-1cb50e6c-089e-d5d99e-08d9da5805ba}`	4
`Random name`	4
`Global\MSCTF.Asm.{1cb50e6c-089e-d5d9-9e08-d9da5805ba7f}`	4
`Session\1\MSCTF.Asm.{1cb50e6c-089e-d5d9-9e08-d9da5805ba7f}`	4
`Session\2\MSCTF.Asm.{1cb50e6c-089e-d5d9-9e08-d9da5805ba7f}`	4
`Session\3\MSCTF.Asm.{1cb50e6c-089e-d5d9-9e08-d9da5805ba7f}`	4
`Session\4\MSCTF.Asm.{1cb50e6c-089e-d5d9-9e08-d9da5805ba7f}`	4
`Session\5\MSCTF.Asm.{1cb50e6c-089e-d5d9-9e08-d9da5805ba7f}`	4
`Session\6\MSCTF.Asm.{1cb50e6c-089e-d5d9-9e08-d9da5805ba7f}`	4
`Session\7\MSCTF.Asm.{1cb50e6c-089e-d5d9-9e08-d9da5805ba7f}`	4
`Session\8\MSCTF.Asm.{1cb50e6c-089e-d5d9-9e08-d9da5805ba7f}`	4
`80b59841e5c6230bb2c2395854fd58ec`	2
`3d2ace6bf496d0362e6311d6f3ab2f72`	2

IP Addresses contacted by malware. Does not indicate maliciousness	Occurrences
`185[.]145[.]245[.]124`	4
`176[.]113[.]115[.]201`	2

Files and or directories created	Occurrences
`%APPDATA%\80b59841e5c623`	2
`%APPDATA%\80b59841e5c623\cred64.dll`	2
`%TEMP%\b667dbdcd8`	2
`%TEMP%\b667dbdcd8\rovwer.exe`	2
`%System32%\Tasks\rovwer.exe`	2
`\{76ad8643-0fa0-8a34-e3e6-855ab584454b}`	2
`\{bfcdf716-5376-3d0b-37b8-f83bc96ca105}`	1
`\{4feb3bef-c8f9-d16c-dfb8-933e58354094}`	1
`%APPDATA%\nsis_uns6586659e.dll`	1
`%APPDATA%\nsis_uns6586683c.dll`	1
`%APPDATA%\nsis_uns6586688a.dll`	1
`%APPDATA%\nsis_uns658666c6.dll`	1

File Hashes

01ef4643d1e6b32b776171f9ec4cd10b106df2d9a3afd82b174853f5527f4266
0b33b93e1503e4bbfbc7663d3357258f82b3f7ccaf4ba5c8f8353b42b5430d80
1297db9855e033cf1c70e8fb96bc291f7d7c74ae5d00c4f70ecdde7f2057aa54
29257b30851aa0df37a1269dcf77e9ba8b3cd2912d756ade0e79e0c8db55b3fc
2f1c704a20e3c7c5be880100c738b41d7de78ff04afc57535fff5d214a398deb
378e3a598411255a14dbacfcffc5960fe0d23aec0b3dd663d1911e24788da102
5dce0bc4ba91282cf1d3d27b9ded68aceee6cbbe58ae9981e251dc8b14736fff
68cd610e711daa31bd85fc81f5a7dfa50d618d411f7467d002857d95b666c0dc
7f88baec6154d6732b3e13cd276c7441e8f37ab3f35aa523d94abc2b4c919585
84320852144e6e6ce1ac0b0c55befd0a12d6a54a30de8d08fa917b7eae359a21
8f9bf2229781003441216a27f9df7d0777de8a7feea2f556ea814947dfc9d475
9fa86bc700a7300a5d4d93dd0cb71bed89caf84a4b083ef2df7018bc2af8c5f5
a4b16a87e46909a520a164c53b224a0d37a885a0739d943123b4d344e30ca394
aaf12c7de031abcec3aa0b0600d5c01f6e630a4a3efddc0237e5438b7d968811
b8b36f9b4df37140b223bf5231e8c8ee77f8f7626e6d2d07e402b427d398e52d
dc0890d6cb1ef700bc2f34d1ae3c4ffb30a7456240a1cfbb3e6cccd4f5c516ce
e3851ff15b556b1a8151c2affd2206710b5cc3f399b994a929d847ebb083c5d9
e4081543d232f6f966b7d54ac6c5d2e8a69395104737fe1e770ee96c3c47c0f9
f5e4d8fd09515cc543fe9e0743e8231eb343402045ac0979de9b67c7b30c6905
f9cbf22948c123667716f8635fe7dd706241b4437446a90db98847041c659a71
fc4172d3f52ab6d0e8cff6ba1690b82d3315b76d72ab6ba78df012470d215ec0

Coverage

Product	Protection
Secure Endpoint
Cloudlock	N/A
CWS
Email Security
Network Security
Stealthwatch	N/A
Stealthwatch Cloud	N/A
Secure Malware Analytics
Umbrella	N/A
WSA

Cisco Talos Blog

Threat Roundup for October 28 to November 4

Threat Breakdown

Win.Dropper.Ramnit-9976458-0

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Ransomware.TeslaCrypt-9976475-0

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Nanocore-9976516-0

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Ransomware.Expiro-9976530-0

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.NetWire-9976531-0

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Trojan.Zegost-9976584-0

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Formbook-9976602-0

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Malware.Qbot-9976624-0

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Packed.Mikey-9976634-0

Indicators of Compromise

File Hashes

Coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Share this post

Related Content

Threat Roundup for November 3 to November 10

Threat Roundup for October 27 to November 3

Threat Roundup for October 13 to October 20