Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 5 and Nov. 12. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org , or ClamAV.net .
For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.
The most prevalent threats highlighted in this roundup are:
Threat Name Type Description Win.Dropper.Kuluoz-9906192-0
Dropper
Kuluoz, sometimes known as "Asprox," is a modular remote access trojan that is also known to download and execute follow-on malware, such as fake antivirus software. Kuluoz is often delivered via spam emails pretending to be shipment delivery notifications or flight booking confirmations.
Win.Trojan.Tofsee-9906687-1
Trojan
Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click-fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages to infect additional systems and increase the size of the botnet under the operator's control.
Win.Dropper.Fareit-9906313-1
Dropper
The Fareit trojan is primarily an information stealer that can download and install other malware.
Win.Dropper.Nymaim-9906679-0
Dropper
Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain-generation algorithm to generate potential command and control (C2) domains to connect to additional payloads.
Win.Dropper.TrickBot-9906689-0
Dropper
Trickbot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VBScripts.
Threat Breakdown Win.Dropper.Kuluoz-9906192-0 Indicators of Compromise IOCs collected from dynamic analysis of 69 samples Registry Keys Occurrences <HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159
69
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'>
69
<HKCU>\SOFTWARE\XNDQWFAL
Value Name: saalmdpq
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: vrdsuanh
1
<HKCU>\SOFTWARE\UBKDDXHX
Value Name: mdjrdtlb
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: dekjtufv
1
<HKCU>\SOFTWARE\SXLEVULR
Value Name: kmaxhebd
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: rhexocwd
1
<HKCU>\SOFTWARE\CPLFEVDG
Value Name: srslhwbv
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: oawidcqj
1
<HKCU>\SOFTWARE\CPAGQABV
Value Name: imlvmnbi
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: joocbsdq
1
<HKCU>\SOFTWARE\BNTIPEWG
Value Name: ueangwke
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: jgpdveiv
1
<HKCU>\SOFTWARE\QTTISAMA
Value Name: rnvaxhxh
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: qfhrdtpr
1
<HKCU>\SOFTWARE\GNBKNCFN
Value Name: jnrqktqb
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: fwhpibmc
1
<HKCU>\SOFTWARE\PQTDJSEE
Value Name: rbcxmjse
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: tfoxxhqg
1
<HKCU>\SOFTWARE\JRMMRSGV
Value Name: bemwgapm
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: xrjbjxre
1
<HKCU>\SOFTWARE\GWKSMKND
Value Name: sdkabnue
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: wmrdbsbk
1
<HKCU>\SOFTWARE\FVCPXDNG
Value Name: cebigupq
1
Mutexes Occurrences aaAdministrator
69
abAdministrator
69
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 37[.]59[.]24[.]98
51
96[.]30[.]22[.]96
50
74[.]221[.]221[.]58
46
195[.]28[.]181[.]184
46
110[.]77[.]220[.]66
45
85[.]12[.]29[.]254
44
82[.]165[.]155[.]77
44
69[.]64[.]32[.]247
43
Files and or directories created Occurrences %LOCALAPPDATA%\<random, matching '[a-z]{8}'>.exe
69
%HOMEPATH%\Local Settings\Application Data\efcggqxj.exe
1
File Hashes 000bea950f66052cf937547d1f18bc47a1c6ff6d2d7d03bc09d60aa9c9b1c770
00e8fa17d90f77afadd8f255dca53b15d7f4c91719452d616b0cf663f9aeea99
033755fcc85dad80db7a94ea2dc178dc2cc823fe7b46084fd0ed20645b593290
037e90d5a83ea1360c1c74b34e3d648ba8645b32d9de456756e8ba6acac86d6d
04c74fa81fdd718c985fde6a502f1ed93a0d34255dc21b546fcc25425da9f31e
086985abecc0ee9c6b4caa28e74d3190994dbddae40524eb955526ad5be9f067
08de3a669a95eab65d9b95ecf7ed4085e162badd7b11b3ad126be4d9836d33e4
1ba2d5d15ede307fa5a969eb66654f4d485fc144e370531451c43dc6409737d9
1f18d7fcd14fa41d8256a373437ccfd3e0d0d4f80c41daeda99cfd493735acc8
1fb1390e6f86cc5eb108a6a38484fa91baf867622e7384d4777b7b12215cab8c
27862adbd6ba16a82915102b7cfbf36f25c7be6b7e0464a7bcd731c9c5c67316
36971d72adc866b317be68ddf5b3471825049a81231b53c5cfdacb292d49b4d6
39781b0d4b88226ae7cc4711c9d4724ee9010e9f543be7fbd3d31564d89546dd
3a36245e815538d2f84d05af6b1d71f81dd9c284cac1c0ceb2145d9f1bb9a7e9
3ca7c310670af06b7e57e5317283e03c2aa630b72f2d99f93734d960bf19040b
40023d8e643d0c49199f1d34beb4c79856f30cc155ff8f93300b9cca70affb0c
410c8127cf6d7bac2cb13d84dd8415aabc5831bdb617b49e8d28d024db906c51
42ca7b17fa816bf7dfdee073fd077f2327e31ae15f386c087912757894e2ac0a
44837ce7705a1c03338d220d186564930bcb1e739af90f04cd415b37b5719b90
48179cd3f777d239fb1f14ac8ed1472dd8c9dec65414b92953b5d67faad4f9b7
50fd2544836d5623d86f94307583fe7a4c88b11cdaa84f3f6b5a03a8631e8c0a
64d3d27a53d3cde1729f8897a09aac19557121ede477e4a1d18a86ef33b2d675
656ee6200af32f34de24c591ebb45d5652f30a435ce84abb6c8c04cd91e07500
696629d6b4f9965ec8cf1cc9cefe973f907731e8c6fadd1189413d63f4390b30
6a338dd0339ab184d2fa547e4a05b6cf94632dc3a03fb351ca703cea3f7f2262
*See JSON for more IOCs
Coverage Product Protection Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
N/A
WSA
N/A
Screenshots of Detection Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK Win.Trojan.Tofsee-9906687-1 Indicators of Compromise IOCs collected from dynamic analysis of 56 samples Registry Keys Occurrences <HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config4
56
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
56
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159
56
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
56
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
56
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
56
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
56
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
56
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
56
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName
56
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description
56
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config0
56
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config1
56
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config2
56
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config3
56
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath
35
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\ffbmdows
4
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\ccyjaltp
4
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\bbxizkso
4
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\vvrctemi
4
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\eealcnvr
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\qqmxozhd
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\ttparckg
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\xxtevgok
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\hhdofqyu
3
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 185[.]7[.]214[.]171
56
185[.]7[.]214[.]210
56
185[.]7[.]214[.]212
56
45[.]9[.]20[.]187
56
45[.]9[.]20[.]178/31
56
85[.]143[.]175[.]153
56
193[.]56[.]146[.]146
56
192[.]0[.]47[.]59
54
157[.]240[.]229[.]174
53
144[.]160[.]235[.]143
50
103[.]224[.]212[.]34
49
125[.]209[.]238[.]100
49
211[.]231[.]108[.]46
48
74[.]208[.]5[.]20
47
117[.]53[.]116[.]15
46
96[.]114[.]157[.]80
45
212[.]77[.]101[.]4
45
64[.]98[.]36[.]4
44
67[.]231[.]149[.]140
44
64[.]136[.]44[.]37
43
51[.]81[.]57[.]58
43
216[.]146[.]35[.]35
36
67[.]231[.]144[.]94
35
172[.]65[.]252[.]97
35
193[.]222[.]135[.]150
34
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences 249[.]5[.]55[.]69[.]bl[.]spamcop[.]net
56
249[.]5[.]55[.]69[.]cbl[.]abuseat[.]org
56
249[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net
56
249[.]5[.]55[.]69[.]in-addr[.]arpa
56
249[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org
56
249[.]5[.]55[.]69[.]zen[.]spamhaus[.]org
56
microsoft-com[.]mail[.]protection[.]outlook[.]com
56
microsoft[.]com
56
www[.]google[.]com
56
quadoil[.]ru
56
aspmx[.]l[.]google[.]com
55
whois[.]arin[.]net
54
whois[.]iana[.]org
54
www[.]instagram[.]com
53
mail[.]h-email[.]net
50
al-ip4-mx-vip1[.]prodigy[.]net
50
mx1[.]naver[.]com
49
park-mx[.]above[.]com
49
mx1[.]hanmail[.]net
49
mx-aol[.]mail[.]gm0[.]yahoodns[.]net
48
naver[.]com
48
hanmail[.]net
47
mx00[.]mail[.]com
47
www[.]youtube[.]com
46
nate[.]com
46
*See JSON for more IOCs
Files and or directories created Occurrences %SystemRoot%\SysWOW64\config\systemprofile
56
%SystemRoot%\SysWOW64\config\systemprofile:.repos
56
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'>
56
%TEMP%\<random, matching '[a-z]{8}'>.exe
52
\Users\user\AppData\Local\Temp\wfowkckt.exe
2
%TEMP%\zsnzdsd.exe
1
%TEMP%\afpfty.exe
1
%TEMP%\atoaete.exe
1
%TEMP%\cvqcgvg.exe
1
\Users\user\AppData\Local\Temp\hdssxekb.exe
1
\Users\user\AppData\Local\Temp\gzkalibu.exe
1
\Users\user\AppData\Local\Temp\hzryxozg.exe
1
\Users\user\AppData\Local\Temp\cumtsjub.exe
1
\Users\user\AppData\Local\Temp\xtiinuar.exe
1
\Users\user\AppData\Local\Temp\fsbyzeqd.exe
1
\Users\user\AppData\Local\Temp\xhmzgbap.exe
1
\Users\user\AppData\Local\Temp\pqoybuzk.exe
1
\Users\user\AppData\Local\Temp\jwfcdiuh.exe
1
\Users\user\AppData\Local\Temp\lqaqej.exe
1
\Users\user\AppData\Local\Temp\msnqziid.exe
1
\Users\user\AppData\Local\Temp\uniuyny.exe
1
\Users\user\AppData\Local\Temp\xqbrczsl.exe
1
\Users\user\AppData\Local\Temp\vocogacp.exe
1
\Users\user\AppData\Local\Temp\uzjzns.exe
1
\Users\user\AppData\Local\Temp\yvgljtqn.exe
1
*See JSON for more IOCs
File Hashes 0116e2cc42cc67d4ee0fbd26b113a2883c9ef920dc84bb7ab622d1bf8851763f
02c7359dcb84754d1582eab7ef5f16938ee9cf88a83d150c1470a6b3b24bf31c
03fb15b85a5b40369f8e392427ea5f004447c90273b01ccbcbdff27d0fd5620b
0c4c84401bc57951c1add588817d96cae70469c0ad699b2c154855a730cf8afa
11bb33bf6c4dcf920e28a36b061353e87e314236faebe4563c3fa5c877230404
158001d30d5d3768e6fe0f1a1d7bf1ad0da65241a6f01196150b5cf8a52b9623
1d5f62d3687343709946d1bf46ed5e91b4659e376261a499722cf071d14a2e32
20db1c12886f165778eaabff78196c7166b43b18767d802373150408870b7d99
2a6ff1d92b275b5479f724cacbef20a3757227d7bf7f943c5a91609a370cf006
2aa24f0c26531e9222de7e2ce6f0453e0465a6545ac7accb5f9ffc1983fa4f9d
2ee90707f21676ebaf7e821bf02f24d56d1a7be273c8aa129eb60cacd09f19df
2fbb49dd038c61306b7c32663dcf6f6f5545b1538c90464c148980c69f4331b3
322f25513dc717ec609771e4988d5a962dd5b980bc4bf372d206ab991c092382
345af13820aaefd07456b97821b597c8c020c907541e25c32f304c4a1a3f324a
348d21e49e7bad86d434423c8052dd72bb27d9a9f43d6b2471a1063261c69c35
354f4a167b2bbdbdd1e8d36f26c4524f1454abb79e745c1a0a3945e9bb1ddeef
35b7bbf1581e93fad329c50307ae2f68964bf8866e437d308c56eda819acb8d7
40bfcd3518b19ded7d92a6930ab6e410002c333fe327044800599a95ee67e225
41f7a9f6f6ec0cd336288c833ba746c5d40dc7d49f3f5717e89d8dc74714d478
4de8148701b1fe0a054b13829fb3763a8645b6468463de3e38f33526307f9e8b
5d21753e0586d127c06cde17551bd702e449dfa8a4aca6ff1116251ff1fe7177
5e6fb10b614e5ea6832ca853f3c43c4943499ac63097fd57c980babf7e707cd4
5f5b0da28419c1a133e4949a129f2ae17db34fb3e64ce2c9dc84d91239c50082
5faa85eae77192413b213ae22e30a68a6e0b20e1c1d78a2663ed0c70a713be67
61cbe9585ff80a96da97ce3afcaccce268b72d089ba88abc417642aa3365dddf
*See JSON for more IOCs
Coverage Product Protection Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
WSA
Screenshots of Detection Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK Win.Dropper.Fareit-9906313-1 Indicators of Compromise IOCs collected from dynamic analysis of 17 samples Registry Keys Occurrences <HKCU>\SOFTWARE\WINRAR
17
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159
17
<HKCU>\SOFTWARE\WINRAR
Value Name: HWID
17
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003E9
Value Name: F
17
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000001F5
Value Name: F
17
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003EC
Value Name: F
17
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 192[.]187[.]111[.]219
7
63[.]141[.]242[.]46
4
81[.]17[.]18[.]194
3
81[.]17[.]29[.]146
3
209[.]85[.]201[.]94
1
173[.]194[.]204[.]94
1
101[.]99[.]75[.]152
1
74[.]125[.]192[.]138
1
173[.]194[.]206[.]100
1
209[.]85[.]144[.]99
1
173[.]194[.]205[.]84
1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences ru[.]agulino[.]com
17
wpad[.]example[.]org
2
computer[.]example[.]org
1
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com
1
clientconfig[.]passport[.]net
1
Files and or directories created Occurrences %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\filename.vbe
17
%APPDATA%\subfolder
17
%APPDATA%\subfolder\filename.bat
17
%TEMP%\-<random, matching '[0-9]{9}'>.bat
17
%HOMEPATH%\Start Menu\Programs\Startup\filename.vbe
1
%TEMP%\748562.bat
1
\Users\user\AppData\Local\CrashDumps\506825654.exe.2384.dmp
1
\Users\user\AppData\Local\Temp\WAXBDBC.tmp
1
\Users\user\AppData\Local\Temp\WERBF82.tmp.appcompat.txt
1
\Users\user\AppData\Local\Temp\WERBFB2.tmp.WERInternalMetadata.xml
1
\Users\user\AppData\Local\Temp\WERCABC.tmp.WERInternalMetadata.xml
1
\Users\user\AppData\Local\CrashDumps\506825708.exe.3876.dmp
1
\Users\user\AppData\Local\Temp\WAX3C1E.tmp
1
\Users\user\AppData\Local\Temp\WER3F0D.tmp.appcompat.txt
1
\Users\user\AppData\Local\Temp\WER3F6C.tmp.WERInternalMetadata.xml
1
File Hashes 03eee9c470a2987fe0a045530c2efd0bbbab9eeb5b91a893e682cf144e252107
18e5a593d4a89648b43f86383568469612c4f61d4b8361df299e1fdbe9ac42f5
34c862548b46506e25df6187be15486a2bc0de85b7e2b02b12745df7145faf5d
56d50fb071eb481a83ae011eb7a31fd6bee268fba1b0fe7aa880f6a108f9f682
5bdaafdaeb1ad0f8455de525022d95d40362d2766e78bd9eeecf7acf3426564e
666fdac0254a22535178f4cc056de7c43372359a1a9fc83c9b558770d278bc84
6be0f0991eebcdd021444994c3c812a89924b04b8ed27282e18b747305f27bf7
71ca1ab8c327e81b97f9b93684f6a2f8de7b194f4d20b65bad89660fdb04982c
94c9c78a6d2e0b1808bbbde2a69f32464c74c8ad0f902b0a7aea75d443db1866
9523e53935a018bbe2a297ba95578a7e988a0a402eed2a97cf46a41f797de971
9edb3091593479d03685b13b2eaa0104fb84bdc785c46cf70bb8e105e6589620
b46d16b74e5c430126372a5027108704074ebf5a87b1dc0634f41bc119b460dc
c94368d73c897f193f7dd20d749d2348fa80f818d19b27888c28bc8e41ccd262
d3873c324768de351219c9e50a33cecc3d15ab568064591ff9857fff86780c76
e0e0854a4bcd7bb49292b001954e76ea3aaa8639839073e35a72adf88e3a25cc
e1a572394b381e7ae7cca254ab171eb975f9e4e0be7480b01fb751be14712fe0
ea1c77d4d703fe6825dfa9e406b84375384719f21f3250b93cd3e7550c685bec
Coverage Product Protection Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
WSA
Screenshots of Detection Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK Win.Dropper.Nymaim-9906679-0 Indicators of Compromise IOCs collected from dynamic analysis of 23 samples Registry Keys Occurrences <HKCU>\SOFTWARE\MICROSOFT\GOCFK
23
<HKCU>\SOFTWARE\MICROSOFT\GOCFK
Value Name: mbijg
23
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159
22
Mutexes Occurrences Local\{1181F583-B634-69BF-E703-D4756599024F}
23
Local\{180BBEAD-0447-044A-68BD-247EB6D0E352}
23
Local\{18DD7903-1E96-FEAF-92BF-014008A1248C}
23
Local\{92502033-C012-7F46-D6A8-0AC972DF6662}
23
Local\{25754F3F-7A37-56CA-31BB-3C9D33DA226B}
23
Local\{8B75523D-CAF4-D06B-A2AD-13EEF593AC52}
23
Local\{D2CC4CCA-CB77-CF10-8293-17C78DEC853F}
23
Local\{67EB9FBC-0AC5-BAD6-80A0-015E2C7D43E8}
23
Local\{F78DA135-BD1C-3BA1-2EC7-6B375301FFDF}
23
Domain Names contacted by malware. Does not indicate maliciousness Occurrences microsoft[.]com
23
google[.]com
23
hkzqekcz[.]net
23
zrailjorqed[.]pw
23
nckynkrjg[.]in
23
xxrwudfhbr[.]net
23
iuojcbwlb[.]in
23
gjlngkx[.]net
23
nmovreiit[.]in
23
gpuxnhtdhztg[.]in
23
xpbyti[.]pw
23
nlaoyufe[.]in
23
syffllqlu[.]pw
23
phgrcrm[.]net
23
qbpqbucz[.]in
23
hdrqny[.]pw
23
emcqaelhfn[.]pw
23
www[.]msftncsi[.]com
4
wpad[.]example[.]org
4
neolx[.]com
1
rqdptmnlyy[.]pw
1
arlllswc[.]com
1
gjyttpvb[.]net
1
ytfalkcclaw[.]in
1
afoctlamhq[.]in
1
*See JSON for more IOCs
Files and or directories created Occurrences %ProgramData%\ph
23
%ProgramData%\ph\fktiipx.ftf
23
%TEMP%\gocf.ksv
23
%ProgramData%\<random, matching '[a-z0-9]{3,7}'>
23
%APPDATA%\<random, matching '[a-z0-9]{3,7}'>
23
%LOCALAPPDATA%\<random, matching '[a-z0-9]{3,7}'>
23
%ProgramData%\jzk\icolry.ylg
5
\Users\user\AppData\Local\Temp\qnvgtx.eww
5
%TEMP%\aneba.qsz
1
\Documents and Settings\All Users\wrg\orjdwj.ppt
1
File Hashes 0a5a39e943850137bf7296a9b11e9af5c0e05e391c3381733cc2f03020208b12
1657415b3e51540e23ecb6fdc619978af4463ce9e9c880f5e4f0ef1558297040
1984124ab6ba6f3fdb04ff885408c9f4f35f22d8d07746ddd2a585cb412fde6a
2f9fd8377a8e7bfbe6b13198d578d06b883402a5084f6c1c5c4cdebabfbd8fce
305b0c43a3c29d6153f0636d77032debf4fceabc2c035d48268a09692ae6cd20
31181eee5991422042784e1f845d11a32e1381aea1d8009e7090d88393ba98bc
386f665bedb4efaef8d7c12d11e49d1fd488a5a2a543588762897fdc64caf858
3a95f93f80be8d0cd76705da445da77c1d498a8aba99ee222f8e451e81aa1454
3f438f5360c449ba9d1d9349c6a0fa2fcab962a89cdc16581ebc1fea79051768
51e01e124b5faa392ae3517603049fea41a5c13a6ec82aa3fc23c2db41961189
5395c7598ca1145728fe0ed9f2422bf8d7cdc5a4aefee9c66e9a4be014a39753
5d94592ee0b18888cec53c526984a7a2505c757b66d17986f3f237c3ac843c20
61753686a9b172316b339850fe425602122dadc8b9a880b6d8fe11a2061faf77
6300fa292145cb7ad0810ae32eb5742f3eb71fe36986eb15bc5bccf6a7c15b50
73f6323cdc4c439a7ee8626daf5a8219f5d2d91498acf3161abc8764e3150277
75df28107d722b325ca55f1639be556839b1ab5ae99256008edc8bcd469b30f8
84d6081d0a956de98053024cc863b23e15b842d6677a4ee22b00c5d63b10ee6b
a9c642d3899cf12cceff9fef3c83a36794b6ccb6539c8a778b0809ecc74ee6ce
b28275a44a8d9a4e8ac0740384d48df297fd59b12d6c0a22c74256bc6cbc4cb5
d91e71f0ccf719c2242aa8ffa03d675ce6c536c50b5da571f6ae87f1076c7c9b
dad54799bb4ffc4866978c7c655eae50bb1274b586dcf194f3fd64863d301e84
de1c74e3225d1170fa8494b327b2944b7e31968f4f5fedf17390ead6f3fd7691
f79946e8464c138f028b3d4ce15f04579b16600f49680a5e53a1c99ffae31007
Coverage Product Protection Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
WSA
Screenshots of Detection Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK Win.Dropper.TrickBot-9906689-0 Indicators of Compromise IOCs collected from dynamic analysis of 26 samples Registry Keys Occurrences <HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER
Value Name: DisableAntiSpyware
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: DeleteFlag
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start
25
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION
Value Name: DisableBehaviorMonitoring
25
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION
Value Name: DisableIOAVProtection
25
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER
25
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION
25
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION
Value Name: DisableOnAccessProtection
25
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION
Value Name: DisableScanOnRealtimeEnable
25
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159
25
Mutexes Occurrences Global\316D1C7871E10
25
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 72[.]22[.]185[.]200
15
72[.]22[.]185[.]208
9
160[.]72[.]43[.]240
1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences crl[.]microsoft[.]com
25
Files and or directories created Occurrences %APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5
25
%ProgramData%\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_d19ab989-a35f-4710-83df-7b2db7efe7c5
25
%System32%\Tasks\Windows Network
25
%APPDATA%\wnetwork
25
%APPDATA%\wnetwork\Data
25
%APPDATA%\WNETWORK\<original file name>.exe
25
%System32%\Microsoft\Protect\S-1-5-18\User\496a850c-d71a-4ccc-b3de-e64e84a540af
18
%System32%\Microsoft\Protect\S-1-5-18\User\13022768-a353-4a4c-8032-ece2f429bad3
7
%TEMP%\<random, matching '[a-f0-9]{3,5}'>_appcompat.txt
7
%TEMP%\<random, matching '[A-F0-9]{4,5}'>.dmp
7
File Hashes 0205f7cb31c95adeab976245edd2808d58a066e39f8bc953a3e10347189f61ca
0295aa15b36df5df2c8beba2e056a50efe5a88bcc8d07adefaf262a54d27ac18
0ec324720fb6f0af3f230556949689f2fee2ecd529c8a513c7f12c096eae0758
157958a490ec7591a3318c783691ce26e8f525f5c88367341cbfa5aca577586e
1a3cd06480513c10bd6c487e9bb015111ec4e17bfe26312f769233ab7e22f7f7
2413d734d5844c4bda1641d3a06669c6918f22308f45fef63e0b3a3d32c815a6
342477e56614066942a58b31dfb00f2dbaddc041738bde17bb701eb7c2a6c012
442cf13192bc89185839b955a2a21f6a16a1ca028208cb332f930a33367e2814
4bb1d3c102a9319ee88afed519dea172735f763b55859085ca0a145ceeee6b82
54eec51d0cc063797c45dc68f4a0b4376246893b8c799cabaa62be3b288947b7
586126be0b9bf36790dfbd9dea8ceb927df1d4c94745c306e93062aec647b0b0
6086f48f02196b9db367b87819e0d4b8ecc381971c63fde3b8dbb871341a2e5a
7fc8d238f3ff3bd7d77e18111763ac554c2d289643dc077b2253f8ee1d575926
94b83154ffbc39c28cd5a461ad264bb5cea73822d7d1a4ca5471a6ff8b28569c
967366fbebcf26142423b0df333ea09ae01cc728d5ab54edbcd387030afcccde
a36b2cac421b101c599d704dd66407e652cc056e9d58abf52d46b5f8b23f20f1
a3bf700a4f33a7852820daa9d580c2e9f8a9e21e04670212d64a9a4884ae065c
a412aa575f67c189ea62191942acbe30db28548f2a900019c8a3368ce8d3ec81
ba1ff4f69508562ea2c62a39861c7281176b979e200d1ebb95e32338f936a490
bc775c4705a8724ff10e0a946b510017c5e762ea1877a22a1897db34a1e6fabe
c082233374ed32db6a234c6901cda079466eb9e0746a07c4625c1e68d2ffbccc
c4c1ced7f088f61260705540b870ffe4e33af54ef4a1e86f1ef5729ef349bb75
cd133a17f8aeaa36f510595c5fc11e22fb40fbb88150fab1971d1094e75e7611
d294e9b17cbda134bfe607cc2e214d2c689c582bc7a94f24588df028814bd928
d32532cc718758d511caf22a6238049d422c0e12b60a0146a845e760b34e2d1a
*See JSON for more IOCs
Coverage Product Protection Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
N/A
WSA
N/A
Screenshots of Detection Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK