Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 26 and Sept. 2. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
Win.Dropper.DarkKomet-9966191-0 | Dropper | DarkKomet is a freeware remote access trojan released by an independent software developer. It provides the functionality you would expect from a remote access tool: keylogging, webcam access, microphone access, remote desktop, URL download, program execution, etc.
Win.Packed.AgentTesla-9966126-1 | Packed | AgentTesla is a remote access trojan that records keystrokes and attempts to steal sensitive information from web browsers and other installed applications.
Win.Virus.Xpiro-9965977-1 | Virus | Expiro is a known file infector and information stealer that hinders analysis with anti-debugging and anti-analysis tricks.
Win.Dropper.Nanocore-9965501-0 | Dropper | Nanocore is a .NET remote access trojan. Its source code has been leaked several times, making it widely available. Like other RATs, it allows full control of the system, including recording video and audio, stealing passwords, downloading files and recording keystrokes.
Win.Packed.Bandook-9965180-1 | Packed | Bandook is a remote access trojan (RAT) written in C++ and Delphi. It provides attackers with several abilities common to RATs, such as taking screenshots and uploading, downloading or executing files. Bandook is usually delivered through spear-phishing emails containing malicious attachments.
Win.Ransomware.BlackMatter-9965914-0 | Ransomware | BlackCat ransomware, also known as "ALPHV", has quickly gained notoriety for being used in double-extortion attacks (file encryption combined with the threat of disclosing stolen files) against companies. It uses a combination of AES128-CTR and RSA-2048 to encrypt the files on the victim's computer.
Win.Dropper.Formbook-9965920-0 | Dropper | Formbook is an information stealer that collects sensitive information from an infected machine by logging keystrokes, stealing saved web browser credentials, and monitoring information copied to the clipboard.

Threat Breakdown

Win.Dropper.DarkKomet-9966191-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 84 samples
Registry Keys | Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST | 18
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E (Value Name: LanguageList) | 12
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST (Value Name: C:\Windows\M-50504578520758924620\winmgr.exe) | 10
<HKCU>\SOFTWARE\DC3_FEXEC | 8
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: Microsoft Windows Service) | 5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: Microsoft Windows Service) | 5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST (Value Name: C:\Windows\M-5050756432604649683503740\winsvc.exe) | 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE (Value Name: DoNotAllowExceptions) | 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: MicroUpdate) | 2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN | 2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E (Value Name: @%SystemRoot%\system32\dhcpqec.dll,-100) | 2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E (Value Name: @%SystemRoot%\system32\dhcpqec.dll,-101) | 2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E (Value Name: @%SystemRoot%\system32\dhcpqec.dll,-103) | 2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E (Value Name: @%SystemRoot%\system32\dhcpqec.dll,-102) | 2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E (Value Name: @%SystemRoot%\system32\napipsec.dll,-1) | 2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E (Value Name: @%SystemRoot%\system32\napipsec.dll,-2) | 2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E (Value Name: @%SystemRoot%\system32\napipsec.dll,-4) | 2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E (Value Name: @%SystemRoot%\system32\napipsec.dll,-3) | 2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E (Value Name: @%SystemRoot%\system32\tsgqec.dll,-100) | 2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E (Value Name: @%SystemRoot%\system32\tsgqec.dll,-101) | 2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E (Value Name: @%SystemRoot%\system32\tsgqec.dll,-102) | 2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E (Value Name: @%SystemRoot%\system32\tsgqec.dll,-103) | 2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E (Value Name: @%SystemRoot%\system32\eapqec.dll,-100) | 2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E (Value Name: @%SystemRoot%\system32\eapqec.dll,-101) | 2
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E (Value Name: @%SystemRoot%\system32\eapqec.dll,-102) | 2
Mutexes | Occurrences
t8 | 6
DC_MUTEX-<random, matching [A-Z0-9]{7}> | 5
t10 | 4
w3 | 3
w2 | 2
DCMIN_MUTEX-WG79R6U | 2
uxJLpe1m | 1
2562100796 | 1
lol | 1
FvLQ49IlzIyLjj6m | 1
e621ca05-Mutex | 1
{D9961D0B-0106-5584-AD6D-884HSI64CNI9} | 1
{D0001D0B-0106-5584-AD6D-884HSI64CNI9} | 1
TLS | 1
yourhavebecracked | 1
crapponce | 1
CCC | 1
7QSDIYQXU3 | 1
DCMIN_MUTEX-W1AEX56 | 1
2CC | 1
4444 | 1
5555 | 1
CC02 | 1
w4 | 1
e2b9ef1ee9bca34ce51187acb9a0f411 | 1

*See JSON for more IOCs

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences

*See JSON for more IOCs

Files and/or directories created | Occurrences
\autorun.inf | 11
\windrv.exe | 11
E:\autorun.inf | 11
E:\windrv.exe | 11
%SystemRoot%\M-50504578520758924620 | 10
%SystemRoot%\M-50504578520758924620\winmgr.exe | 10
%APPDATA%\dclogs | 8
%SystemRoot%\M-5050756432604649683503740 | 3
%SystemRoot%\M-5050756432604649683503740\winsvc.exe | 3
%HOMEPATH%\Documents\MSDCSC\msdcsc.exe | 2
%TEMP%\a | 2
%TEMP%\incl2 | 2
%SystemRoot%\M-50507564324649683503740\winsvc.exe | 2
%TEMP%\c | 2
%TEMP%\incl1 | 2
%TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp | 2
%HOMEPATH%\Y44VPhclUOy\lib\images\cursors\win32_LinkNoDrop32x32.gif | 1
%HOMEPATH%\Y44VPhclUOy\lib\images\cursors\win32_MoveDrop32x32.gif | 1
%HOMEPATH%\Y44VPhclUOy\lib\images\cursors\win32_MoveNoDrop32x32.gif | 1
%HOMEPATH%\Y44VPhclUOy\lib\jce.jar | 1
%HOMEPATH%\Y44VPhclUOy\lib\jfr.jar | 1
%HOMEPATH%\Y44VPhclUOy\lib\jfr\default.jfc | 1
%HOMEPATH%\Y44VPhclUOy\lib\jfr\profile.jfc | 1
%HOMEPATH%\Y44VPhclUOy\lib\jsse.jar | 1
%HOMEPATH%\Y44VPhclUOy\lib\jvm.hprof.txt | 1

*See JSON for more IOCs

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
Secure Endpoint | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Packed.AgentTesla-9966126-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 11 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS | 11
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\OQBAZG7TYHTA203\ATJMVRXU7DWVTQMOVW75 (Value Name: wNHJwQzhBIRVra53) | 11
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\OQBAZG7TYHTA203 | 11
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\OQBAZG7TYHTA203\ATJMVRXU7DWVTQMOVW75 | 11
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\YAPCUBB9WTPSKYCICPURQGTTVZSSZFZV9XZMYAD173 | 11
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\YAPCUBB9WTPSKYCICPURQGTTVZSSZFZV9XZMYAD173\ZMD1ZDDSRHXRHJRA7YJEA5BX8K4IU8VF0XR178 | 11
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\TNNOKQEOKS91GA2LCMWPH6IIE51 | 11
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\TNNOKQEOKS91GA2LCMWPH6IIE51\WZHY5EK0J8ED51 | 11
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\YAPCUBB9WTPSKYCICPURQGTTVZSSZFZV9XZMYAD173\ZMD1ZDDSRHXRHJRA7YJEA5BX8K4IU8VF0XR178 (Value Name: m2shbluBdxk2hpHhWEya7LtO7ceN81) | 11
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\WNHJWQZHBIRVRA224 | 11
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\TNNOKQEOKS91GA2LCMWPH6IIE51\WZHY5EK0J8ED51 (Value Name: OqbazG7tyhTA228) | 11
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\WNHJWQZHBIRVRA224\B753 | 11
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\WNHJWQZHBIRVRA224\B753 (Value Name: YapCUbb9WtpskyCIcpUrqGtTVZssZFZv9xzmYaD128) | 11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: newApp) | 4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: newapp) | 4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM (Value Name: DisableTaskMgr) | 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM | 2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SYSTEMRESTORE (Value Name: DisableSR) | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: Registry Key Name) | 1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E (Value Name: LanguageList) | 1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E (Value Name: @C:\Windows\system32\DeviceCenter.dll,-2000) | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: MyyyyZApp) | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: services) | 1
Mutexes | Occurrences
Global\536fbb71-288b-11ed-9660-00151721fd34 | 1
Global\5c7184b1-288b-11ed-9660-001517bb55ad | 1
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
3[.]93[.]18[.]244 | 1
3[.]217[.]248[.]28 | 1
34[.]200[.]207[.]31 | 1
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
checkip[.]amazonaws[.]com | 3
smtp[.]tetenel[.]com | 1
mail[.]orncbbq[.]com | 1
smtp[.]ssgtoolz[.]net | 1
Files and/or directories created | Occurrences
%TEMP%\<random, matching '[0-9]{15}'>000_<random GUID>.db | 9
%APPDATA%\newapp | 4
%APPDATA%\newapp\newapp.exe | 4
%APPDATA%\Postbox\profiles.ini | 2
%System32%\drivers\etc\hosts | 1
%HOMEPATH%\subfolder | 1
%HOMEPATH%\subfolder\filename.exe | 1
%HOMEPATH%\subfolder\filename.vbs | 1
%APPDATA%\services | 1
%TEMP%\MyyyyZApp | 1
%TEMP%\MyyyyZApp\MyyyyZApp.exe | 1
%APPDATA%\jddbt225.sux | 1
%APPDATA%\jddbt225.sux.zip | 1
%APPDATA%\jddbt225.sux\Firefox | 1
%APPDATA%\jddbt225.sux\Firefox\Profiles | 1
%APPDATA%\jddbt225.sux\Firefox\Profiles\1lcuq8ab.default | 1
%APPDATA%\jddbt225.sux\Firefox\Profiles\1lcuq8ab.default\cookies.sqlite | 1
%APPDATA%\hqbkc1l0.fyj | 1
%APPDATA%\hqbkc1l0.fyj.zip | 1
%APPDATA%\hqbkc1l0.fyj\Firefox | 1
%APPDATA%\hqbkc1l0.fyj\Firefox\Profiles | 1
%APPDATA%\hqbkc1l0.fyj\Firefox\Profiles\1lcuq8ab.default | 1
%APPDATA%\hqbkc1l0.fyj\Firefox\Profiles\1lcuq8ab.default\cookies.sqlite | 1
%APPDATA%\services\services.exe | 1
%APPDATA%\jntv4ane.ztp | 1

*See JSON for more IOCs

File Hashes


Coverage

Product | Protection
Secure Endpoint | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Virus.Xpiro-9965977-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 45 samples
Registry Keys | Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC (Value Name: Start) | 45
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND (Value Name: Start) | 45
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32 (Value Name: Type) | 45
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64 (Value Name: Type) | 45
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32 (Value Name: Type) | 45
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32 (Value Name: Start) | 45
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MOZILLAMAINTENANCE (Value Name: Type) | 45
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MOZILLAMAINTENANCE (Value Name: Start) | 45
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\OSE (Value Name: Type) | 45
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\OSE (Value Name: Start) | 45
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\SVC\S-1-5-21-2580483871-590521980-3826313501-500 | 45
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\SVC\S-1-5-21-2580483871-590521980-3826313501-500 (Value Name: EnableNotifications) | 45
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32 (Value Name: Start) | 45
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64 (Value Name: Start) | 45
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\MSSQLSERVER | 45
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\MSSQLSERVER\CLIENT | 45
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\MSSQLSERVER\CLIENT\DB-LIB | 45
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\MSSQLSERVER\CLIENT\SUPERSOCKETNETLIB | 45
<HKLM>\SOFTWARE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\STATE (Value Name: AccumulatedWaitIdleTime) | 45
<HKLM>\SOFTWARE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\LISTENEDSTATE (Value Name: RootstoreDirty) | 45
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\STATE (Value Name: AccumulatedWaitIdleTime) | 45
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\LISTENEDSTATE (Value Name: RootstoreDirty) | 45
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\MSSQLSERVER\CLIENT\SUPERSOCKETNETLIB (Value Name: Encrypt) | 45
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\MSSQLSERVER\CLIENT (Value Name: SharedMemoryOn) | 45
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_64 (Value Name: Type) | 44
Mutexes | Occurrences

*See JSON for more IOCs

Files and/or directories created | Occurrences
%CommonProgramFiles%\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | 45
%CommonProgramFiles(x86)%\microsoft shared\Source Engine\OSE.EXE | 45
%ProgramFiles(x86)%\Microsoft Office\Office14\GROOVE.EXE | 45
%ProgramFiles(x86)%\Mozilla Maintenance Service\maintenanceservice.exe | 45
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | 45
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | 45
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | 45
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | 45
%System32%\alg.exe | 45
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.log | 45
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log | 45
%SystemRoot%\SysWOW64\svchost.exe | 45
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log | 45
%SystemRoot%\SysWOW64\svchost.vir | 45
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat | 45
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock | 45
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat | 45
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock | 45
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat | 45
%CommonProgramFiles(x86)%\microsoft shared\source engine\ose.vir | 45
%ProgramFiles(x86)%\microsoft office\office14\groove.vir | 45
%ProgramFiles(x86)%\mozilla maintenance service\maintenanceservice.vir | 45
%CommonProgramFiles%\microsoft shared\officesoftwareprotectionplatform\osppsvc.vir | 45
%SystemRoot%\microsoft.net\framework64\v2.0.50727\mscorsvw.vir | 45
%SystemRoot%\microsoft.net\framework64\v4.0.30319\mscorsvw.vir | 45

*See JSON for more IOCs

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
Secure Endpoint | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Dropper.Nanocore-9965501-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 12 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE (Value Name: Firefox) | 6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE (Value Name: Google Chrome) | 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE (Value Name: Rauzvon) | 2
Mutexes | Occurrences
Global\{507a688d-5e7f-4ee3-978d-22cfb8649ae5} | 6
IuRNZvTk9FliRK7fos | 3
85af4115-b1eb-4cf2-a465-c0c97232a10e | 2
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
208[.]95[.]112[.]1 | 3
194[.]233[.]95[.]52 | 1
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
maniac[.]http80[.]info | 6
ip-api[.]com | 3
zub[.]http80[.]info | 3
salak[.]pw | 2
methodist[.]sch[.]id | 1
Files and/or directories created | Occurrences
%TEMP%\subfolder | 9
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5 | 6
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs | 6
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs\Administrator | 6
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\run.dat | 6
%TEMP%\subfolder\firefox.exe | 6
%TEMP%\subfolder\firefox.vbs | 6
%APPDATA%\Logs | 3
%APPDATA%\Logs\08-27-2022 | 3
%TEMP%\subfolder\chromee.exe | 3
%TEMP%\subfolder\chromee.vbs | 3
%TEMP%\Rezmac | 2
%TEMP%\Rezmac\reuzcms.exe | 2
%TEMP%\Rezmac\reuzcms.vbs | 2

File Hashes


Coverage

Product | Protection
Secure Endpoint | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | This has coverage
Umbrella | This has coverage
WSA | This has coverage

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Packed.Bandook-9965180-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 14 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION (Value Name: SysHelper) | 14
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E (Value Name: LanguageList) | 14
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: SysHelper) | 14
Mutexes | Occurrences
{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} | 14
Global\<random guid> | 12
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
api[.]2ip[.]ua | 14
rgyui[.]top | 14
acacaca[.]org | 14
t[.]me | 12
Files and/or directories created | Occurrences
I:\5d2860c89d774.jpg | 14
\SystemID | 14
\SystemID\PersonalID.txt | 14
%LOCALAPPDATA%\bowsakkdestx.txt | 14
%System32%\Tasks\Time Trigger Task | 14
%LOCALAPPDATA%\3856b5d6-9eb0-496c-b0d1-db92b0f6ed65 | 14
%ProgramData%\freebl3.dll | 12
%ProgramData%\mozglue.dll | 12
%ProgramData%\msvcp140.dll | 12
%ProgramData%\nss3.dll | 12
%ProgramData%\softokn3.dll | 12
%ProgramData%\vcruntime140.dll | 12
%LOCALAPPDATA%\7c34bb01-5d78-49c4-8bbb-73fdc7aa1262 | 12
%LOCALAPPDATA%\7c34bb01-5d78-49c4-8bbb-73fdc7aa1262\build2.exe | 11
%LOCALAPPDATA%\66848c81-aae5-4fb7-b7d5-caf7cfaf5685\build2.exe | 2
%ProgramData%\38004316577355091428719705 | 2
%ProgramData%\38004316577355091428719705-shm | 2
%ProgramData%\38004316577355091428719705-wal | 2
%ProgramData%\71584480118905964190690196 | 1
%LOCALAPPDATA%\3856b5d6-9eb0-496c-b0d1-db92b0f6ed65\e06bf2d61685bb0e8d57d45e278c965ea7a4fda6e9eae6a8ef9dea226f089dcd.exe | 1
%ProgramData%\74266566668491997434247038 | 1
%ProgramData%\08802376146419947648049053 | 1
%ProgramData%\78905701483251681848013193 | 1
%ProgramData%\87138039098365190229474947 | 1
%ProgramData%\11794213916832836750166526 | 1

*See JSON for more IOCs

File Hashes


Coverage

Product | Protection
Secure Endpoint | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | This has coverage
Umbrella | This has coverage
WSA | This has coverage

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Ransomware.BlackMatter-9965914-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 17 samples
Registry Keys | Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VSS (Value Name: DeleteFlag) | 17
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VSS (Value Name: Start) | 17
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER (Value Name: GlobalAssocChangedCounter) | 16
Mutexes | Occurrences
Local\SHResolveLibrary:C:/Users/Administrator/AppData/Roaming/Microsoft/Windows/Libraries/Music.library-ms | 2
Files and/or directories created | Occurrences
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-1002\desktop.ini | 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I08BO8F.xlsx | 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I11KHR4.doc | 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I5QKHLN.doc | 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I62TWBD.ppt | 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I6FZORX.doc | 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IABMX83.pdf | 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IAJ2Y6R.pdf | 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IALGTCS.xlsx | 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IAPSNOM.tsv | 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IGORSF7.xsn | 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IGTBBSA.accdb | 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IH49RPF.ppt | 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IH71GGR.ppt | 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IJKODPH.pdf | 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IJP965K.accdb | 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IKY5R3M.pdf | 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IMYCSIT.pdf | 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$ISLP722.doc | 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IXLC77A.pdf | 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IXUL2U1.doc | 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IYSR1FU.ppt | 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IZ2GMJW.XLSX | 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$R08BO8F.xlsx | 17
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$R11KHR4.doc | 17

*See JSON for more IOCs

File Hashes


Coverage

Product | Protection
Secure Endpoint | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Dropper.Formbook-9965920-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Mutexes | Occurrences
8-3503835SZBFHHZ | 1
S-1-5-21-2580483-1244278791147 | 1
3Q694U0B59Bv9yz0 | 1
Files and/or directories created | Occurrences
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\sdhoston.vbs | 1
%APPDATA%\sdhoston | 1
%APPDATA%\sdhoston\sdhoston.exe | 1
%APPDATA%\sdhoston\sdhoston.exe:ZoneIdentifier | 1

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
Secure Endpoint | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK