Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 29 and Nov. 5. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, it summarizes the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and by discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
Win.Dropper.Tofsee-9905031-0 | Dropper | Tofsee is multi-purpose malware that features multiple modules to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages to infect additional systems and increase the size of the botnet under the operator's control.
Win.Virus.Xpiro-9905216-1 | Virus | Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.
Win.Dropper.Shiz-9905047-0 | Dropper | Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information. It is commonly spread via droppers or by visiting a malicious site.
Win.Dropper.Remcos-9905709-0 | Dropper | Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam and capture screenshots. This malware is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Dropper.TrickBot-9905314-0 | Dropper | TrickBot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts.
Win.Dropper.Formbook-9905387-0 | Dropper | Formbook is an information stealer that attempts to collect sensitive information from an infected machine by logging keystrokes, stealing saved web browser credentials, and monitoring information copied to the clipboard.
Win.Packed.LokiBot-9905395-0 | Packed | Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from several popular applications. It is commonly pushed via malicious documents delivered in spam emails.
Win.Dropper.Cerber-9905750-0 | Dropper | Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension ".cerber," although in more recent campaigns, other file extensions are used.

Threat Breakdown

Win.Dropper.Tofsee-9905031-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 90 samples
Registry Keys | Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
63
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
63
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
63
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
63
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
63
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName
63
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description
63
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 63
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 63
<HKU>\.DEFAULT\CONTROL PANEL\BUSES 61
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config0
61
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config1
61
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config4
58
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config2
58
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config3
58
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath
32
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\haoutbhw
6
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\jcqwvdjy
5
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\yrflksyn
5
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\rkyedlrg
5
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\athnmuap
4
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\kdrxwekz
4
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\vocihpvk
4
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\unbhgouj
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\lesyxfla
3
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
43[.]231[.]4[.]7 63
185[.]215[.]113[.]58 61
185[.]7[.]214[.]171 54
185[.]7[.]214[.]210 54
45[.]9[.]20[.]187 54
45[.]9[.]20[.]178/31 54
142[.]250[.]80[.]100 41
104[.]47[.]53[.]36 30
157[.]240[.]229[.]174 28
192[.]0[.]47[.]59 23
125[.]209[.]238[.]100 23
208[.]76[.]51[.]51 20
40[.]112[.]72[.]205 20
208[.]76[.]50[.]50 20
208[.]71[.]35[.]137 18
216[.]146[.]35[.]35 17
199[.]5[.]157[.]131 17
217[.]69[.]139[.]200 17
142[.]251[.]40[.]195 16
40[.]76[.]4[.]15 15
103[.]224[.]212[.]34 15
195[.]46[.]39[.]39 14
84[.]200[.]69[.]80 13
40[.]113[.]200[.]201 13
74[.]6[.]143[.]26 13

*See JSON for more IOCs

Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
microsoft-com[.]mail[.]protection[.]outlook[.]com 63
microsoft[.]com 63
lazystax[.]ru 63
249[.]5[.]55[.]69[.]in-addr[.]arpa 61
249[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net 58
249[.]5[.]55[.]69[.]bl[.]spamcop[.]net 57
249[.]5[.]55[.]69[.]cbl[.]abuseat[.]org 56
249[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org 56
249[.]5[.]55[.]69[.]zen[.]spamhaus[.]org 56
www[.]instagram[.]com 28
mta6[.]am0[.]yahoodns[.]net 27
yahoo[.]com 25
whois[.]arin[.]net 23
whois[.]iana[.]org 23
mail[.]ru 23
mx1[.]naver[.]com 23
www[.]msftncsi[.]com 23
wpad[.]example[.]org 23
www[.]google[.]co[.]uk 19
park-mx[.]above[.]com 15
www[.]youtube[.]com 12
mx4[.]beavis99[.]com 12
al-ip4-mx-vip1[.]prodigy[.]net 12
mta7[.]am0[.]yahoodns[.]net 10
www[.]google[.]co[.]nz 10

*See JSON for more IOCs

Files and/or directories created | Occurrences
%TEMP%\<random, matching '[a-z]{8}'>.exe 74
%SystemRoot%\SysWOW64\config\systemprofile 61
%SystemRoot%\SysWOW64\config\systemprofile:.repos 61
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> 61
%System32%\<random, matching '[a-z]{7,8}'>\<random, matching '[a-z]{6,8}'>.exe (copy) 19
\Documents and Settings\LocalService:.repos 18
\Users\user\AppData\Local\Temp\zyokrns.exe 2
\Users\user\AppData\Local\Temp\ssrxiwdg.exe 2
%TEMP%\ondzgch.exe 1
%TEMP%\baqmtpu.exe 1
%TEMP%\mlbxeaf.exe 1
\Users\user\AppData\Local\Temp\lumlugkb.exe 1
\Users\user\AppData\Local\Temp\ejwwzyot.exe 1
\Users\user\AppData\Local\Temp\vlrkltjs.exe 1
\Users\user\AppData\Local\Temp\vukgnjo.exe 1
\Users\user\AppData\Local\Temp\feqmrbly.exe 1
\Users\user\AppData\Local\Temp\lhbhnphy.exe 1
\Users\user\AppData\Local\Temp\kagzaiyh.exe 1
\Users\user\AppData\Local\Temp\hcjgfcyz.exe 1
\Users\user\AppData\Local\Temp\tkdgnaml.exe 1
\Users\user\AppData\Local\Temp\micioqiz.exe 1
\Users\user\AppData\Local\Temp\lsffitlg.exe 1
\Users\user\AppData\Local\Temp\vewvequl.exe 1
\Users\user\AppData\Local\Temp\jiuqvfpc.exe 1
\Users\user\AppData\Local\Temp\lcvyfsed.exe 1

*See JSON for more IOCs

File Hashes
*See JSON for more IOCs

Coverage

Product | Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint


Secure Malware Analytics


MITRE ATT&CK


Win.Virus.Xpiro-9905216-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 10 samples
Registry Keys | Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\COMSYSAPP
Value Name: Type
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\COMSYSAPP
Value Name: Start
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MSISERVER
Value Name: Type
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MSISERVER
Value Name: Start
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AELOOKUPSVC
Value Name: Type
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\AELOOKUPSVC
Value Name: Start
10
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 10
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101
Value Name: CheckSetting
10
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103
Value Name: CheckSetting
10
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100
Value Name: CheckSetting
10
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102
Value Name: CheckSetting
10
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104
Value Name: CheckSetting
10
Mutexes | Occurrences
kkq-vx_mtx73 10
kkq-vx_mtx74 10
kkq-vx_mtx75 10
kkq-vx_mtx76 10
kkq-vx_mtx77 10
kkq-vx_mtx78 10
kkq-vx_mtx79 10
kkq-vx_mtx80 10
kkq-vx_mtx81 10
kkq-vx_mtx82 10
kkq-vx_mtx83 10
kkq-vx_mtx84 10
kkq-vx_mtx85 10
kkq-vx_mtx86 10
kkq-vx_mtx87 10
kkq-vx_mtx88 10
kkq-vx_mtx89 10
kkq-vx_mtx90 10
kkq-vx_mtx91 10
kkq-vx_mtx92 10
kkq-vx_mtx93 10
kkq-vx_mtx94 10
kkq-vx_mtx95 10
kkq-vx_mtx96 10
kkq-vx_mtx97 10

*See JSON for more IOCs

IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
3[.]223[.]115[.]185 8
37[.]48[.]65[.]152 2
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
www[.]msftncsi[.]com 10
hdredirect-lb7-5a03e1c2772e1c9c[.]elb[.]us-east-1[.]amazonaws[.]com 8
www[.]avcheck[.]ru 8
www[.]virtest[.]com 8
wpad[.]example[.]org 7
cashing[.]cc 2
computer[.]example[.]org 1
Files and/or directories created | Occurrences
%SystemRoot%\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{33EC2C09-9668-4DE7-BCC0-EFC69D7355D7}.crmlog 10
%SystemRoot%\SysWOW64\dllhost.exe 10
%SystemRoot%\SysWOW64\msiexec.exe 10
%SystemRoot%\SysWOW64\svchost.exe 10
%SystemRoot%\SysWOW64\dllhost.vir 10
%SystemRoot%\SysWOW64\msiexec.vir 10
%SystemRoot%\SysWOW64\svchost.vir 10
%ProgramFiles%\7-Zip\Uninstall.exe 10
%ProgramFiles%\7-Zip\Uninstall.vir 10
%ProgramFiles%\7-Zip\7z.exe 10
%ProgramFiles%\7-Zip\7zFM.exe 10
%ProgramFiles%\7-Zip\7zG.exe 10
%ProgramFiles%\Windows Media Player\wmpnetwk.exe 10
%ProgramFiles%\Windows Media Player\wmpnetwk.vir 10
%System32%\FXSSVC.exe 10
%System32%\UI0Detect.exe 10
%System32%\WindowsPowerShell\v1.0\powershell.exe 10
%System32%\WindowsPowerShell\v1.0\powershell.vir 10
%System32%\fxssvc.vir 10
%System32%\ieetwcollector.exe 10
%System32%\ieetwcollector.vir 10
%System32%\msdtc.exe 10
%System32%\msdtc.vir 10
%System32%\snmptrap.exe 10
%System32%\snmptrap.vir 10

*See JSON for more IOCs

File Hashes

Coverage

Product | Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint


Secure Malware Analytics


MITRE ATT&CK


Win.Dropper.Shiz-9905047-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 167 samples
Registry Keys | Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 165
<HKLM>\SOFTWARE\MICROSOFT
Value Name: 67497551a
164
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: 98b68e3c
164
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: userinit
164
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: System
164
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: load
164
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: run
164
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: userinit
164
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\STARTPAGE
Value Name: StartMenu_Balloon_Time
2
Mutexes | Occurrences
Global\674972E3a 164
Global\MicrosoftSysenterGate7 164
internal_wutex_0x000000e0 164
internal_wutex_0x0000038c 164
internal_wutex_0x00000448 163
internal_wutex_0x<random, matching [0-9a-f]{8}> 42
internal_wutex_0x0000063c 37
internal_wutex_0x000006bc 35
internal_wutex_0x000007e0 21
internal_wutex_0x00000750 14
internal_wutex_0x000007c4 14
internal_wutex_0x000006b8 11
internal_wutex_0x00000310 11
Global\C3D74C3Ba 1
Global\53dc6781-38ee-11ec-b5f8-00501e3ae7b6 1
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
147[.]75[.]61[.]38 82
147[.]75[.]63[.]87 82
13[.]107[.]21[.]200 74
45[.]33[.]23[.]183 32
173[.]255[.]194[.]134 32
45[.]33[.]2[.]79 30
72[.]14[.]178[.]174 30
45[.]56[.]79[.]23 26
45[.]33[.]30[.]197 26
72[.]14[.]185[.]43 25
96[.]126[.]123[.]244 24
45[.]33[.]18[.]44 24
45[.]79[.]19[.]196 23
198[.]58[.]118[.]167 22
45[.]33[.]20[.]235 21
13[.]107[.]22[.]200 8
23[.]56[.]9[.]181 7
131[.]253[.]33[.]200 7
104[.]239[.]157[.]210 1
23[.]253[.]126[.]58 1
35[.]231[.]151[.]7 1
45[.]77[.]226[.]209 1
208[.]100[.]26[.]245 1
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
qeguhapyrer[.]eu 164
puryxepenek[.]eu 164
lysowaxojib[.]eu 164
rydopapifel[.]eu 164
ciqukecywiv[.]eu 164
vonodecidid[.]eu 164
dimigesupew[.]eu 164
fobatesohek[.]eu 164
ryhadyvigis[.]eu 164
jeluzydyqej[.]eu 164
gacenysacew[.]eu 164
gatopuwenyq[.]eu 164
jewemurutyj[.]eu 164
qeqyvulidox[.]eu 164
kemuxurohym[.]eu 164
tucadilebix[.]eu 164
rynikulokop[.]eu 164
lyvoguraxeh[.]eu 164
xuxetiryqem[.]eu 164
puzewilurip[.]eu 164
cilynitiseg[.]eu 164
vojizitoken[.]eu 164
fogokozazit[.]eu 164
gadedozymiz[.]eu 164
masytoturen[.]eu 164

*See JSON for more IOCs

Files and/or directories created | Occurrences
%TEMP%\<random, matching [A-F0-9]{1,4}>.tmp 164
%SystemRoot%\AppPatch\<random, matching '[a-z]{6,8}'>.exe 36
%SystemRoot%\apppatch\evqtpoy.exe:Zone.Identifier 1
%SystemRoot%\apppatch\gnhibb.exe:Zone.Identifier 1
%SystemRoot%\apppatch\qruqmmi.exe:Zone.Identifier 1
%SystemRoot%\apppatch\halmhrg.exe:Zone.Identifier 1
%SystemRoot%\apppatch\xxltdck.exe:Zone.Identifier 1
%SystemRoot%\apppatch\pwevjtc.exe:Zone.Identifier 1
%SystemRoot%\apppatch\jdtdlb.exe:Zone.Identifier 1
%SystemRoot%\apppatch\iktkuxx.exe:Zone.Identifier 1
%SystemRoot%\apppatch\lvgqbo.exe:Zone.Identifier 1
%SystemRoot%\apppatch\rgwontf.exe:Zone.Identifier 1
%SystemRoot%\apppatch\xpqohb.exe:Zone.Identifier 1
%SystemRoot%\apppatch\ortqeql.exe:Zone.Identifier 1
%SystemRoot%\apppatch\rjntclt.exe:Zone.Identifier 1
%SystemRoot%\apppatch\wcvjrfc.exe:Zone.Identifier 1
%SystemRoot%\apppatch\gwuasq.exe:Zone.Identifier 1
%SystemRoot%\apppatch\xhaper.exe:Zone.Identifier 1
%SystemRoot%\apppatch\nrnjgq.exe:Zone.Identifier 1
%SystemRoot%\apppatch\xpmify.exe:Zone.Identifier 1
%SystemRoot%\apppatch\mrmuqlx.exe:Zone.Identifier 1
%SystemRoot%\apppatch\pqfude.exe:Zone.Identifier 1
%SystemRoot%\apppatch\mwqaix.exe:Zone.Identifier 1
%SystemRoot%\apppatch\fgwcmsb.exe:Zone.Identifier 1
%SystemRoot%\apppatch\iwibxep.exe:Zone.Identifier 1

*See JSON for more IOCs

File Hashes
*See JSON for more IOCs

Coverage

Product | Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint


Secure Malware Analytics


MITRE ATT&CK


Win.Dropper.Remcos-9905709-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 16 samples
Registry Keys | Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: remcos
13
<HKCU>\SOFTWARE\REMCOS-UPOF3W
Value Name: exepath
13
<HKCU>\SOFTWARE\REMCOS-UPOF3W
Value Name: license
13
<HKCU>\SOFTWARE\REMCOS-UPOF3W 13
<HKCU>\SOFTWARE\REMCOS-UPOF3W
Value Name: Inj
11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: hpsupport
2
<HKCU>\SOFTWARE\HPSUPPORT-1H2OJB
Value Name: exepath
2
<HKCU>\SOFTWARE\HPSUPPORT-1H2OJB
Value Name: licence
2
<HKCU>\SOFTWARE\HPSUPPORT-1H2OJB 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\STARTPAGE
Value Name: StartMenu_Balloon_Time
1
Mutexes | Occurrences
Remcos_Mutex_Inj 15
Remcos-UPOF3W 13
hpsupport-1H2OJB 2
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
triggerd[.]ddns[.]net 13
cemileorucs[.]ddns[.]net 2
Files and/or directories created | Occurrences
%SystemRoot%\win.ini 15
%TEMP%\install.vbs 15
%APPDATA%\remcos 13
%APPDATA%\remcos\logs.dat 13
%APPDATA%\remcos\remcos.exe 13
%APPDATA%\hpsupport 2
%APPDATA%\hpsupport\hpsupport.exe 2
%APPDATA%\hpsupport\logs.dat 2

File Hashes

0638d514c06090c3c344d59abbb458ca9ccde4e7e581faad880c58a15b2b10b4
0ba194872139ac85544213acbfd22b2cfb7642d1c486fd8ac66b5a3cea945744
15eb56af5d04ad3bad00b4193e5ee9e8b786b3d8d419291b33ca4fa8090a2f5b
1a8e73f191343894a2ff5c1f13a8cd0a29135bbd1b81f52212f28f6a50a8dc41
1ea753ece3d0ce52306ad167ddaabef9a739fd2c056a4d0b6be5104438ebf6ee
30115765f6834c4e1dae38aee7d469710d012350844890ce6da6a0e3a0a6a3c6
3690ed1fbc4eb8447a288a3bb28041e88fa1f8ff9c3ad020229edb3fb2f35cb1
4bce1b74cc45d0e5afe829b23fe3f684697006d4acb4262c57f0a20adecaed4a
4deb2cd7552e5f48d97d32aeb777b9a51b708a525832b1fa877b91cd78945df1
511bd9125a95cbf8f4a4aab0dfc9b1ee4118c4beb80811ce197c76a2dd16504d
64c068cd1fcfe8f86c6379b81428c890c350890437cddde3d8c5dd382b8d6021
7d3de42d191a1d5144d6ac2e63c8fb2be695d727ed1c6d42cc853e6566752b8a
c30119aa801e8225a001a6e0a68960e77b278259c49b948440806f71ce1bdae5
dda12f2ca191f8bc096987db988f1a56b9808b4efcae83cda5966a4dbce92453
ebb5d5b111e05511c5098832a5a71b82bf2b2fdd7f4c49bf8a84f1cbfc7a499a
f365cc666f3715d3b981f0cb97c8e3e60a0c7708d43d39915fd1868c7876ff82

Coverage

Product | Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint


Secure Malware Analytics


MITRE ATT&CK


Win.Dropper.TrickBot-9905314-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples
Registry Keys | Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 25
Mutexes | Occurrences
316D1C7871E00 25
785161C887200 3
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
116[.]203[.]16[.]95 6
34[.]117[.]59[.]81 6
92[.]53[.]66[.]81 4
92[.]53[.]78[.]189 4
212[.]14[.]51[.]43 4
80[.]87[.]199[.]45 3
95[.]213[.]252[.]113 3
194[.]87[.]237[.]175 3
195[.]133[.]196[.]72 3
62[.]109[.]16[.]17 3
149[.]154[.]68[.]34 3
69[.]120[.]56[.]211 3
194[.]87[.]235[.]41 3
185[.]236[.]130[.]84 3
146[.]255[.]36[.]1 2
194[.]87[.]235[.]76 2
82[.]202[.]246[.]171 2
92[.]53[.]66[.]78 2
160[.]72[.]43[.]233 2
82[.]202[.]246[.]76 2
82[.]146[.]56[.]193 2
95[.]213[.]191[.]147 2
104[.]18[.]114[.]97 2
109[.]234[.]36[.]168 2
94[.]103[.]82[.]230 2

*See JSON for more IOCs

Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
ip[.]anysrc[.]net 6
checkip[.]amazonaws[.]com 4
icanhazip[.]com 3
api[.]ipify[.]org 3
wtfismyip[.]com 3
ipinfo[.]io 3
apps[.]identrust[.]com 3
ipecho[.]net 2
myexternalip[.]com 1
Files and/or directories created | Occurrences
%APPDATA%\localservice\client_id 26
%APPDATA%\localservice\group_tag 26
%System32%\Tasks\services update 25
%APPDATA%\localservice 25
%APPDATA%\localservice\Modules 25
%SystemRoot%\Tasks\services update.job 3
%APPDATA%\localservice\ruonf.exe 1
%APPDATA%\localservice\9a855fa82e5e23c538500f6a9ff3bf79.exe 1
%APPDATA%\localservice\395833884.exe 1
%APPDATA%\localservice\395833892.exe 1
%APPDATA%\localservice\604abf5g5567g9f0fg6f6bagcb2e4c07a64ab5cbc6ee7a6603fgb0bg62763fa9.exe 1
%APPDATA%\localservice\248ce8389ee357f0e65479ea5g82064gf056b256f09gbf35ca56b329gb8a44a6.exe 1
%APPDATA%\localservice\0g3ae5f39b547ee265ag4e6535f73607b866206g07e632ac6e2298366f6965c4.exe 1
%APPDATA%\localservice\03e206584ac424b366259fgaa3f3446f72gg8806924af7655g6gc20768e0f6ge.exe 1
%APPDATA%\localservice\56392aef9c6364g6f077562727c987b4ebbc5gg6084fb804776b0667be2be83b.exe 1
%APPDATA%\localservice\377g59c74e2beb502b885556ag8079ge978280347560b6b3fa7e0ga6gefaf64f.exe 1
%APPDATA%\localservice\6ecb6a88683950ge069fbee87e98ac65fb8935af08b78cffba2a087476867b36.exe 1
%APPDATA%\localservice\6e95f945af6c24g0b68caa5eg3beg8e9b3a44gae627ae32cg6f59660c37352be.exe 1
%APPDATA%\localservice\776c6442g79e9a48c78745489b786f026g4ceec02686498a64209b43942c740c.exe 1
%APPDATA%\localservice\5720005g53fa6b59gff56a66ab96fgc257e825b8349fg260a29f3b355967744a.exe 1
%APPDATA%\localservice\69e9caeb7e682ec45288ef53g94696c3938e465390b605cb72fe54egcff63g95.exe 1
%APPDATA%\localservice\24efa5bf00653b4c445c40ccbce2a7ee209eg265bf09679cf02g904bca6459gc.exe 1
%APPDATA%\localservice\34bb49887b28479203bgggcae27gbbge37f7fa2bef0270e7e2f5966eae2eg299.exe 1
%APPDATA%\localservice\834e5b9g6fg806f476b3ae4267474336cc98f479b564208676g67452bb29503c.exe 1
%APPDATA%\localservice\a3ec43f9baf7702965ebgg2e2a08e70b3fg790733e3c46e236ff9698f8080b9e.exe 1

*See JSON for more IOCs

File Hashes
*See JSON for more IOCs

Coverage

Product | Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

Secure Endpoint


Secure Malware Analytics


MITRE ATT&CK


Win.Dropper.Formbook-9905387-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 16 samples
Registry Keys | Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 7
<HKCU>\ENVIRONMENT
Value Name: windir
4
<HKCU>\SOFTWARE\ONEDRIVES-Y6FI41 4
<HKCU>\SOFTWARE\ONEDRIVES-Y6FI41
Value Name: exepath
4
<HKCU>\SOFTWARE\ONEDRIVES-Y6FI41
Value Name: licence
4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Vhjrhxr
4
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 2
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\INTELLIFORMS\STORAGE2 1
<HKLM>\SOFTWARE\WOW6432NODE\MOZILLA\MOZILLA FIREFOX 1
<HKLM>\SOFTWARE\WOW6432NODE\MOZILLA\MOZILLA FIREFOX\20.0.1 (EN-US)\MAIN 1
<HKLM>\SOFTWARE\WOW6432NODE\MOZILLA\MOZILLA THUNDERBIRD 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: H480CTW0_6U
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Agcwesm
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: ZTDDQPY80FE
1
Mutexes | Occurrences
Remcos_Mutex_Inj 4
onedrives-Y6FI41 4
8-3503835SZBFHHZ 1
L953C4A1G8ABxyJ2 1
OPA4OUV-9U54W082 1
9N96O9-QRT6IW-5Y 1
NK8R75A625ZDGyH1 1
S-1-5-21-2580483-9081837792465 1
JN29T2UVFA0I4YZF 1
J67BN9PRTB63BXFE 1
9K8-5Q8QF4DFBKB2 1
14LR7R1W3-YZDx8G 1
5173BA9QWY68WAXz 1
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
162[.]159[.]129[.]233 10
162[.]159[.]134[.]233 8
162[.]159[.]135[.]233 5
162[.]159[.]133[.]233 4
185[.]244[.]30[.]18 4
51[.]161[.]61[.]88 4
162[.]159[.]130[.]233 3
34[.]98[.]99[.]30 2
23[.]227[.]38[.]74 2
142[.]250[.]72[.]115 2
198[.]185[.]159[.]144 1
192[.]0[.]78[.]24 1
204[.]11[.]56[.]48 1
185[.]199[.]109[.]153 1
52[.]58[.]78[.]16 1
184[.]168[.]131[.]241 1
198[.]71[.]232[.]3 1
88[.]214[.]207[.]96 1
85[.]233[.]160[.]22 1
81[.]17[.]18[.]197 1
34[.]102[.]136[.]180 1
44[.]227[.]65[.]245 1
13[.]248[.]216[.]40 1
172[.]67[.]147[.]219 1
52[.]20[.]84[.]62 1

*See JSON for more IOCs

Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
cdn[.]discordapp[.]com 12
www[.]msftncsi[.]com 9
wpad[.]example[.]org 9
xchilogs[.]duckdns[.]org 4
xxxxza[.]dynamic-dns[.]net 4
www[.]glocp9[.]com 1
www[.]jqxfinance[.]com 1
www[.]mylife25[.]com 1
www[.]cataractmeds[.]com 1
www[.]anjanaonline[.]com 1
www[.]cabinetra[.]com 1
www[.]xn--v4q8fq9ps1clx5d774b[.]com 1
www[.]healthchu[.]com 1
www[.]whereistheherb[.]store 1
www[.]gun-stores[.]net 1
www[.]obersrock[.]com 1
www[.]blakedroberts[.]com 1
www[.]mbc-lucky[.]com 1
www[.]fsoinc[.]com 1
www[.]ue3uue[.]com 1
www[.]dongtaykethop[.]cloud 1
www[.]briankingfineart[.]com 1
www[.]listertarot[.]com 1
www[.]sexting-sites[.]com 1
www[.]studiodates[.]com 1

*See JSON for more IOCs

Files and/or directories created | Occurrences
%PUBLIC%\nest 4
%PUBLIC%\KDECO.bat 4
%PUBLIC%\Trast.bat 4
%PUBLIC%\UKO.bat 4
%PUBLIC%\nest.bat 4
%APPDATA%\onedriveslogs 4
%APPDATA%\onedriveslogs\logs.dat 4
%PUBLIC%\Libraries\Vhjrhxr 4
%PUBLIC%\Libraries\Vhjrhxr\Vhjrhxr.exe 4
%PUBLIC%\Libraries\rxhrjhV.url 4
\Users\user\AppData\Local\Temp\WER2A24.tmp.appcompat.txt 1
%PUBLIC%\Libraries\Pqjpzgz 1
%ProgramFiles(x86)%\Gk4g4n4 1
%ProgramFiles(x86)%\Gk4g4n4\Cookiesdpx8ftbp.exe 1
%TEMP%\Gk4g4n4 1
%TEMP%\Gk4g4n4\Cookiesdpx8ftbp.exe 1
%PUBLIC%\Libraries\Fpqxvkm 1
%PUBLIC%\Libraries\Ghqhvyl 1
%PUBLIC%\Libraries\Agcwesm 1
%PUBLIC%\Libraries\Agcwesm\Agcwesm.exe 1
%PUBLIC%\Libraries\msewcgA.url 1
%PUBLIC%\Libraries\Cdkdwye 1
%PUBLIC%\Libraries\Qrzjmzb 1
\Users\user\AppData\Local\CrashDumps\512233356.exe.2812.dmp 1
\Users\user\AppData\Local\Temp\WAX5162.tmp 1

*See JSON for more IOCs

File Hashes

Coverage

Product | Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint


Secure Malware Analytics


MITRE ATT&CK


Win.Packed.LokiBot-9905395-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples
Registry Keys | Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: zfsGyb
1
Mutexes | Occurrences
3749282D282E1E80C56CAE5A 5
gPYvrIIZrEFX 1
uasoIDFPIcgkJxeWqiKzZE 1
PWgzPeLjlLlkGmOIueRUPGm 1
nZQavufWatZROFyXY 1
VQyRAKHjueyTAfuZbQuKXs 1
YPEDHDtuqLPYPAraHmyOkEh 1
bnOFTsdjxRmsAFrn 1
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
63[.]141[.]228[.]141 3
208[.]91[.]197[.]27 1
131[.]186[.]113[.]70 1
192[.]185[.]0[.]218 1
34[.]102[.]136[.]180 1
172[.]67[.]188[.]154 1
52[.]60[.]87[.]163 1
104[.]21[.]19[.]200 1
212[.]227[.]15[.]142 1
158[.]101[.]44[.]242 1
212[.]227[.]15[.]158 1
127[.]0[.]0[.]1 1
15[.]197[.]142[.]173 1
185[.]114[.]22[.]216 1
213[.]165[.]67[.]102 1
213[.]165[.]67[.]118 1
91[.]238[.]163[.]174 1
31[.]220[.]52[.]219 1
182[.]163[.]126[.]72 1
185[.]8[.]153[.]27 1
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
www[.]msftncsi[.]com 17
wpad[.]example[.]org 17
manvim[.]co 2
checkip[.]dyndns[.]com 1
checkip[.]dyndns[.]org 1
freegeoip[.]app 1
smtp[.]1and1[.]es 1
computer[.]example[.]org 1
abslevha[.]com 1
www[.]israelemirates[.]travel 1
teachuswell[.]com 1
www[.]easx[.]systems 1
filmarabia[.]com 1
www[.]couragepennies[.]com 1
www[.]theshadedco[.]com 1
www[.]creativehuesdesigns[.]com 1
www[.]kellenkamm[.]com 1
www[.]abslevha[.]com 1
www[.]misteraircondition[.]com 1
www[.]filmarabia[.]com 1
www[.]dacyclinu[.]com 1
www[.]keminadentalcare[.]com 1
www[.]chinhhanghm46[.]site 1
www[.]wildslaskan[.]com 1
www[.]sex8e[.]com 1

*See JSON for more IOCs

Files and/or directories created | Occurrences
%LOCALAPPDATA%\Microsoft\CLR_v4.0_32\UsageLogs\runme.exe.log 7
%APPDATA%\D282E1 5
%APPDATA%\D282E1\1E80C5.lck 5
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5 5
%System32%\Tasks\Updates 5
\Users\user\AppData\Roaming\7C7955\5D4644.lck 5
\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1160359183-2529320614-3255788068-500\a18ca4003deb042bbee7a40f15e1970b_24e2b309-1719-4436-b195-573e7cb0f5b1 5
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp 5
%System32%\drivers\etc\hosts 2
%APPDATA%\zfsGyb\zfsGyb.exe 1
%APPDATA%\weCBraw.exe 1
%APPDATA%\HSrKJAlLhQ.exe 1
%APPDATA%\JsDdfNd.exe 1
%System32%\Tasks\Updates\weCBraw 1
%APPDATA%\JhPpTk.exe 1
%System32%\Tasks\Updates\JhPpTk 1
%System32%\Tasks\Updates\JsDdfNd 1
%System32%\Tasks\Updates\HSrKJAlLhQ 1
%APPDATA%\kTlGZihJ.exe 1
%System32%\Tasks\Updates\kTlGZihJ 1
\Users\user\AppData\Local\Temp\WAX59FC.tmp 1
\Users\user\AppData\Local\Temp\WER713E.tmp.appcompat.txt 1
\Users\user\AppData\Local\Temp\WER7297.tmp.WERInternalMetadata.xml 1
\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\512234814.exe.log 1
\Users\user\AppData\Local\Temp\WAXF3C4.tmp 1

*See JSON for more IOCs

File Hashes
*See JSON for more IOCs

Coverage

Product | Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint


Secure Malware Analytics


MITRE ATT&CK


Win.Dropper.Cerber-9905750-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 38 samples
Registry Keys | Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 37
<HKLM>\SOFTWARE\CLASSES\LNKFILE
Value Name: IsShortcut
9
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER
Value Name: GlobalAssocChangedCounter
9
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}
Value Name: FaviconPath
4
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}
Value Name: Deleted
4
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES
Value Name: DefaultScope
4
Mutexes    Occurrences
shell.{381828AA-8B28-3374-1B67-35680555C5EF} 17
m2562100796 9
{B4810E6F-AA5C-3E54-1818-CCDBE577D2BD} 7
IP Addresses contacted by malware (does not indicate maliciousness)    Occurrences

*See JSON for more IOCs

Domain Names contacted by malware (does not indicate maliciousness)    Occurrences
Files and/or directories created    Occurrences

*See JSON for more IOCs

File Hashes
*See JSON for more IOCs

Coverage

Product                     Protection
Secure Endpoint             This has coverage
Cloudlock                   N/A
CWS                         This has coverage
Email Security              This has coverage
Network Security            This has coverage
Stealthwatch                N/A
Stealthwatch Cloud          N/A
Secure Malware Analytics    This has coverage
Umbrella                    This has coverage
WSA                         This has coverage

Screenshots of Detection

Secure Endpoint


Secure Malware Analytics


MITRE ATT&CK


Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

Process hollowing detected - (11104)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Expiro Malware detected - (2031)
Expiro malware is unique in that it infiltrates executable files on both 32- and 64-bit Windows systems by appending its viral code to the host. It can be used to install malicious browser extensions, lower browser security settings, and steal account credentials.
A Microsoft Office process has started a Windows utility. - (1902)
A process associated with Microsoft Office, such as EXCEL.exe, OUTLOOK.exe or WINWORD.exe, has started a Windows utility such as powershell.exe or cmd.exe. This is typical behavior of malicious documents executing additional scripts. This behavior is extremely suspicious and is associated with many different malware campaigns and families.
Excessively long PowerShell command detected - (1572)
A PowerShell command with a very long command line argument, which may indicate an obfuscated script, has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
CVE-2020-1472 exploit detected - (828)
An attempt to exploit CVE-2020-1472, also known as "Zerologon", has been detected. This is a privilege escalation vulnerability in Netlogon.
Dealply adware detected - (785)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Reverse TCP payload detected - (595)
An exploit payload intended to connect back to an attacker-controlled host using TCP has been detected.
Malware dropper detected - (593)
A malware dropper has been detected. A dropper will download or unpack additional malware during its execution. A variety of techniques can be employed for the payload to gain persistence and escalate privilege if necessary.
Crystalbit-Apple DLL double hijack detected - (588)
Crystalbit-Apple DLL double hijack was detected. During this attack, the adversary abuses two legitimate vendor applications, such as CrystalBit and Apple, as part of a DLL double hijack attack chain that starts with a fraudulent software bundle and eventually leads to a persistent miner and, in some cases, spyware deployment.
Signed binary proxy execution using rundll32.exe or regsvr32.exe - (206)
Malware has been detected using rundll32.exe or regsvr32.exe to execute additional malicious code. Several different malware families, including Qakbot, BazarLoader, Hafnium and Maze, use this technique.
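As an added example (not code from Talos or Cisco AMP), the following Python triage pass applies three of the behavioral checks described above to constructed process-creation events: an Office process starting a Windows utility, an excessively long PowerShell command line, and rundll32.exe/regsvr32.exe loading a module from a user-writable path. The event field names, the 1000-character length cut-off and the user-writable-path heuristic are assumptions made for this example.

```python
import re
from dataclasses import dataclass
# Constructed, Sysmon-like process-creation event; field names are assumed.
@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str

OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
WINDOWS_UTILS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
PROXY_BINARIES = {"rundll32.exe", "regsvr32.exe"}
LONG_CMD_THRESHOLD = 1000  # assumed cut-off; tune to the environment's baseline
USER_WRITABLE = re.compile(r"(?i)\\(appdata|temp|users\\public|programdata)\\")

def basename(path: str) -> str:
    # Lower-cased file name of an image path, tolerant of either slash style.
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev: ProcEvent) -> list[str]:
    """Names of the roundup's exploit-prevention checks that this event matches."""
    hits = []
    parent, child = basename(ev.parent_image), basename(ev.image)
    # "A Microsoft Office process has started a Windows utility"
    if parent in OFFICE_PARENTS and child in WINDOWS_UTILS:
        hits.append("office_spawned_windows_utility")
    # "Excessively long PowerShell command detected"
    if child == "powershell.exe" and len(ev.command_line) > LONG_CMD_THRESHOLD:
        hits.append("excessively_long_powershell_command")
    # "Signed binary proxy execution": rundll32/regsvr32 loading a module from a user-writable path
    if child in PROXY_BINARIES and USER_WRITABLE.search(ev.command_line):
        hits.append("signed_binary_proxy_execution")
    return hits

def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    # Map event index -> matched checks, dropping events with no hits.
    return {i: h for i, ev in enumerate(events) if (h := classify(ev))}

# Constructed sample events (not real telemetry); paths are illustrative.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -c " + "A" * 1200),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32.exe /s C:\Users\user\AppData\Roaming\example.dll"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]
```

Running `scan(SAMPLE_EVENTS)` flags only the first and third events; the rundll32 call against shell32.dll under System32 is left alone, which is the point of the path heuristic.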