Cisco Talos, 8 August 2022

Small-time cybercrime is about to explode: We aren't ready

8 August 2022 at 12:42

The cybersecurity industry tends to focus on extremely large-scale or sophisticated, state-sponsored attacks. Rightfully so, as they can be the most interesting, technically speaking.

When most people think of cybercrime, they think of large-scale breaches because that's what dominates the headlines. However, the problem is much bigger. In 2021, the Internet Crime Complaint Center (IC3) received a staggering 847,376 complaints, with each victim losing a little more than $8,000 on average. Once the high-value breaches are set aside, the typical per-victim loss is even lower. The average person is far more likely to have their identity stolen or fall victim to some other sort of scam than to be directly affected by a large-scale breach, and business is booming.

A deeper look at the IC3 data shows that the number of complaints and the revenue generated from cybercrime continue to rise. Interestingly, there was a huge jump in cybercrime during the pandemic, with a staggering increase of more than 60% in complaints between 2019 and 2020, and a further increase in 2021. It's clear that cybercrime is on the rise, but what's driving it?

There have been a variety of reports that criminals are increasingly turning to cybercrime instead of the traditional drug crimes with which they were commonly associated in the past. This is both a blessing and a curse: it removes a lot of violence and crime from the streets but adds significant pressure on local law enforcement. This is an international problem; several recent reports highlight that it is also an issue in Italy and Spain.

There are cybercriminals everywhere and the U.S. is no exception. What's changed is who is involved. Historically, cybercrime was considered white-collar criminal behavior perpetrated by those that were knowledgeable and turned bad. Now, technology has become such an integral part of our lives that anyone with a smartphone and desire can get started in cybercrime. The growth of cryptocurrencies and associated anonymity, whether legitimate or not, has garnered the attention of criminals that formerly operated in traditional criminal enterprises and have now shifted to cybercrime and identity theft.

Cybercrime is a local law enforcement problem


For cybercrime to get the attention of national law enforcement, it needs to rise to a certain level. In most cases, that means the monetary value of the crimes. Effectively, a criminal needs to steal a lot of money to get the attention of the FBI or other national law enforcement agencies, and criminals know it. The majority of the cybercrime that street criminals engage in doesn't garner the attention of national law enforcement, and it's also much easier to cash out a small payday than a large lump sum. A criminal can walk into a big box store and buy a couple hundred dollars' worth of gift cards using a stolen credit card relatively easily. Trying to cash out the $100,000 in Bitcoin they just stole in a scam is much more challenging.

The wave of cybercrime that's coming isn't going to be targeting huge multinational corporations looking for millions of dollars, it's going to scam folks out of their tax return or sign them up for fraudulent unemployment benefits. One thing that might become increasingly popular is the return of identity theft and associated credit card fraud. Ransomware cartels dominate the headlines with the tens or hundreds of millions of dollars they are taking in, but it's the low-level criminal compromising those around you that will be an urgent challenge in the months and years ahead.

Quantifying criminal activity presents challenges with interesting results


The IC3 data clearly shows that cybercrime is on the rise, but can it be correlated with a decrease in other forms of crime, or is it net-new bad actors? When initially looking at this topic, we were curious whether there are trends pointing to reduced crime rates in some categories. The thought is that as more criminals move into cybercrime, we would see reductions in other types of crime. However, not all crime is created equal, and the challenge becomes, "How do you compare criminal behavior?" We started looking at the types of felonious crime that are commonly prosecuted in America, and there were two big buckets of potential crossover criminals: violent crime and drug crime. We decided to focus specifically on felony drug crime, since both drug crime and cybercrime tend to involve non-violent offenders, but wanted to include the violent crime landscape to see if there have been any noticeable shifts.

Being in a pandemic means we needed to look at a larger dataset extending beyond the pandemic, as some of the data could be skewed. Granular data on crime isn't widely available, but some of the larger police departments in the U.S. do publicly expose some of that data, most notably the New York Police Department. These larger cities are often considered a bellwether for the way the country as a whole will shift in the months and years ahead.

The NYPD breaks out data in a variety of categories, including various types of felonies. We focused specifically on the non-seven major felony offenses, which include felonies for drugs and weapons. To avoid data biased by the pandemic, we looked at the data beginning in 2013 and ending with the end of 2021, as the 2022 data is still being gathered. The resulting data paints a pretty clear picture of how crime has changed in the past eight years.

Clearly, the number of drug felonies over the past eight years has dropped off drastically before stabilizing during the pandemic. Interestingly, over the same period, the number of weapons-related felonies has stayed largely static, with small shifts from year to year. The question then becomes, "Did a large number of people decide to stop committing crime, or have criminals moved into different criminal ecosystems?"

A drop-off in drug crime this significant is hard to explain on its own, especially as the percentage of people abusing drugs hasn't dropped in kind. It's important to note that shifts in cannabis laws may have affected the number of arrests, but cannabis wasn't fully legalized in New York state until March 2021.

Additionally, initial data indicates that some crimes including murder, assaults, robberies and grand larceny thefts are decreasing. Major cities in the U.S. reported decreases in said crimes between 30% and 42% following the implementation of stay-at-home orders due to COVID-19. Although the problem may have been exacerbated during the pandemic, it's been around a lot longer.

A recent Forbes article notes that this behavior is a trend that started about a decade ago but has since begun to accelerate. Street gangs are moving away from drugs and toward fraud fueled by cybercrime, in the U.S. and around the world. These criminals can operate in two different modes: either they actively gather the data themselves, which can require specific expertise in technology, hacking and malware, or they simply buy it. There are numerous forums where enterprising criminals can buy stolen data, including names, addresses, social security numbers and other information required to commit fraud and identity theft. Then, the only issue is monetizing it, and business is booming.

The fact that it is typically a smaller monetary crime makes it easier to accomplish. From a criminal's perspective, it's far easier and safer to take a stolen credit card and buy a $500 gift card from a big box store than it is to launder and process $10,000 stolen through similar means. The larger the denomination and the larger the scale, the more likely you are to draw the interest of federal law enforcement, who have far deeper pockets and much more sophisticated capabilities when it comes to prosecuting cybercrime. The pandemic has introduced additional avenues of fraud that criminal gangs have capitalized on, including COVID-19 relief funds and associated unemployment benefits fraud. In addition to the increase in available funds, the application processes were moved online to protect the health of those involved, a boon for would-be criminals. Combine these with the already ongoing fraud and identity theft, and the amount of money these groups are obtaining is significant.

Law enforcement challenges lie ahead


This brings us to the organizations tasked with bringing this new wave of cybercriminals to justice: law enforcement. Since the majority of this crime is small-time, the majority of the responsibility is going to fall on local law enforcement instead of the state or federal agencies that tend to cover more significant financial crimes. Unfortunately, that benefits the criminals in some ways. Local law enforcement faces many challenges daily, including drug and violent crime, for which officers are highly trained. These types of arrests can be dangerous and require a very specific skill set.

Cybercrime, on the other hand, is a completely different type of problem to deal with. Instead of breaking down doors and dodging gunfire, law enforcement officers are poring over data from the criminals themselves and from the organizations and people they target with their fraud, trying to tie together transactions to build a solid, forensically sound case.

The real challenge lies in how to effectively deal with these two problems that require completely different skills. This is the dilemma that local law enforcement departments face in the coming years. As we are all aware, information security professionals are highly sought after and can demand significant compensation, and training existing law enforcement officers on how to build cases of cybercrime can be challenging.

Law enforcement can take some cues from private industry here. One trend we are increasingly seeing to address the security talent shortage is to look elsewhere in the organization for those with a penchant for security and the investigative drive necessary to succeed. There are ample investigators inside police departments; look for those with skills in online investigations and leverage them for cybercrime cases in the future.

Additionally, looking to the youth in your community could be another powerful resource for building a talent pipeline. Building relationships with existing computer science programs or high schools in the area to identify this talent could be a great resource. We're already seeing this applied around the world. For instance, in the UK, an investment of seven million pounds in a single year helped lead to the creation of cybercrime units in every police force in England and Wales.

There aren't any easy answers here, but addressing this will likely require a shift in the way we handle policing in the future. As more criminals hide behind keyboards and phones, away from the streets, traditional law enforcement is going to face challenges, and what may initially appear to be a reduction in certain types of crime may be accompanied by a similar spike in fraud and cybercrime that isn't as easy to quantify. The future of policing is going to require an increased ability to identify and prosecute high-tech crime, while still maintaining control over potential drug and violence issues in the jurisdiction.

Conclusion


As we've seen repeatedly over the years, we don't typically see new types of crime, just crime taking new forms. The world today is run by technology, and as it becomes an ever-increasing part of our lives, criminal activity through it is bound to increase. Criminals may seem like they are just out to commit crimes, but in reality, most criminals are choosing a life of crime to support themselves and their families. They, like anyone else, are familiar with risk assessment, and it may now make more sense to commit crime with a keyboard instead of selling drugs, as the risks are lower across the board. Cybercrime is a lot less likely to draw an immediate law enforcement response, and there typically aren't turf wars in cyberspace; where there are, they tend to be less violent. Furthermore, the margins in cybercrime are significant, and in the end the goal is to make as much money as quickly as possible: technology is the key to scale and speed.

Law enforcement, especially at the local level, is going to need to evolve along with the criminals, as they are tasked with protecting the general public. The future criminal is going to be aware of operational security and of technologies like Tor that make arresting them increasingly difficult. The time is now to start building the capabilities into police departments to handle a shift that has been happening for a decade but is poised to explode, as people have been locked away for several years during the pandemic. The question becomes: how did criminals make use of that time?

Threat Roundup for July 29 to August 5

5 August 2022 at 19:54

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 29 and Aug. 5. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
Win.Dropper.TrickBot-9958804-0 | Dropper | TrickBot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts.
Win.Ransomware.Cerber-9958814-0 | Ransomware | Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension ".cerber," although in more recent campaigns other file extensions are used.
Win.Virus.Xpiro-9958895-1 | Virus | Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.
Win.Dropper.Remcos-9960040-0 | Dropper | Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam and capture screenshots. This malware is commonly delivered through Microsoft Office documents with macros sent as attachments on malicious emails.
Win.Dropper.Shiz-9958984-0 | Dropper | Shiz is a remote access trojan that allows an attacker to access an infected machine to harvest sensitive information. It is commonly spread via droppers or by visiting a malicious site.
Win.Dropper.HawkEye-9959777-0 | Dropper | HawkEye is an information-stealing malware that targets usernames and passwords stored by web browsers and mail clients on an infected machine. It is commonly spread via email and can also propagate through removable media.
Win.Worm.Kuluoz-9959792-0 | Worm | Kuluoz, sometimes known as "Asprox," is a modular remote access trojan that is also known to download and execute follow-on malware, such as fake antivirus software. Kuluoz is often delivered via spam emails pretending to be shipment delivery notifications or flight booking confirmations.
Win.Dropper.DarkComet-9959797-1 | Dropper | DarkComet and related variants are a family of remote access trojans that provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.
Win.Dropper.Ramnit-9960101-0 | Dropper | Ramnit is a banking trojan that monitors web browser activity on an infected machine and collects login information from financial websites. It can also steal browser cookies and attempts to hide from popular antivirus software.

Threat Breakdown

Win.Dropper.TrickBot-9958804-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 46 samples

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
Secure Endpoint | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection

Secure Endpoint (detection screenshot)

Secure Malware Analytics (detection screenshot)

MITRE ATT&CK (technique visualization image)

Win.Ransomware.Cerber-9958814-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 16 samples
Registry Keys | Value Name | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER | Run | 16
<HKCU>\SOFTWARE\MICROSOFT\COMMAND PROCESSOR | AutoRun | 16
<HKCU>\PRINTERS\DEFAULTS\{21A3D5EE-E123-244A-98A1-8E36C26EFF6D} | - | 16
<HKCU>\PRINTERS\DEFAULTS | - | 16
<HKCU>\PRINTERS\DEFAULTS\{21A3D5EE-E123-244A-98A1-8E36C26EFF6D} | Component_01 | 16
<HKCU>\PRINTERS\DEFAULTS\{21A3D5EE-E123-244A-98A1-8E36C26EFF6D} | Component_00 | 16
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | fc | 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE | fc | 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | ntoskrnl | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE | ntoskrnl | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | grpconv | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE | grpconv | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | hh | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE | hh | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | WerFaultSecure | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE | WerFaultSecure | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | javaws | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE | javaws | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | at | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE | at | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | Dism | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE | Dism | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | sc | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE | sc | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | expand | 1
Mutexes | Occurrences
shell.{381828AA-8B28-3374-1B67-35680555C5EF} | 16
Files and/or directories created | Occurrences
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2} | 16
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\fc.lnk | 2
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\fc.exe | 2
%System32%\Tasks\fc | 2
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\ntoskrnl.lnk | 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\ntoskrnl.exe | 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\WerFaultSecure.lnk | 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\WerFaultSecure.exe | 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\ndadmin.lnk | 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\ndadmin.exe | 1
%System32%\Tasks\ndadmin | 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\grpconv.lnk | 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\grpconv.exe | 1
%System32%\Tasks\grpconv | 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\sdchange.lnk | 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\sdchange.exe | 1
%System32%\Tasks\sdchange | 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\at.lnk | 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\at.exe | 1
%System32%\Tasks\at | 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\hh.lnk | 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\hh.exe | 1
%System32%\Tasks\hh | 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\javaws.lnk | 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\javaws.exe | 1
*See JSON for more IOCs


Coverage

Product | Protection
Secure Endpoint | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection

Secure Endpoint (detection screenshot)

Secure Malware Analytics (detection screenshot)

MITRE ATT&CK (technique visualization image)

Win.Virus.Xpiro-9958895-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 37 samples
Registry Keys | Value Name | Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER | HideSCAHealth | 37
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32 | Type | 37
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64 | Type | 37
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32 | Type | 37
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32 | Start | 37
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\COMSYSAPP | Type | 37
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\COMSYSAPP | Start | 37
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IEETWCOLLECTORSERVICE | Type | 37
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IEETWCOLLECTORSERVICE | Start | 37
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MOZILLAMAINTENANCE | Type | 37
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MOZILLAMAINTENANCE | Start | 37
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MSISERVER | Type | 37
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MSISERVER | Start | 37
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\OSE | Type | 37
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\OSE | Start | 37
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\UI0DETECT | Type | 37
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\UI0DETECT | Start | 37
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SYSTEM | EnableSmartScreen | 37
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\SVC\S-1-5-21-2580483871-590521980-3826313501-500 | - | 37
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\SVC\S-1-5-21-2580483871-590521980-3826313501-500 | EnableNotifications | 37
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32 | Start | 37
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64 | Start | 37
<HKLM>\SOFTWARE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\STATE | AccumulatedWaitIdleTime | 37
<HKLM>\SOFTWARE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\LISTENEDSTATE | RootstoreDirty | 37
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\STATE | AccumulatedWaitIdleTime | 37
Files and/or directories created | Occurrences
%CommonProgramFiles%\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | 37
%CommonProgramFiles(x86)%\microsoft shared\Source Engine\OSE.EXE | 37
%ProgramFiles(x86)%\Microsoft Office\Office14\GROOVE.EXE | 37
%ProgramFiles(x86)%\Mozilla Maintenance Service\maintenanceservice.exe | 37
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe | 37
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | 37
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe | 37
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | 37
%System32%\FXSSVC.exe | 37
%System32%\UI0Detect.exe | 37
%System32%\alg.exe | 37
%System32%\dllhost.exe | 37
%System32%\ieetwcollector.exe | 37
%System32%\msdtc.exe | 37
%System32%\msiexec.exe | 37
%System32%\snmptrap.exe | 37
%System32%\sppsvc.exe | 37
%System32%\vds.exe | 37
%SystemRoot%\ehome\ehrecvr.exe | 37
%SystemRoot%\ehome\ehsched.exe | 37
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.log | 37
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log | 37
%SystemRoot%\SysWOW64\dllhost.exe | 37
%SystemRoot%\SysWOW64\msiexec.exe | 37
%SystemRoot%\SysWOW64\svchost.exe | 37
*See JSON for more IOCs

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
Secure Endpoint | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection

Secure Endpoint (detection screenshot)

Secure Malware Analytics (detection screenshot)

MITRE ATT&CK (technique visualization image)

Win.Dropper.Remcos-9960040-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 21 samples
Registry Keys | Value Name | Occurrences
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | LanguageList | 7
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A} | FaviconPath | 2
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A} | Deleted | 2
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES | DefaultScope | 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} | - | 2
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVED EXTENSIONS | {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} | 2
<HKCU>\SOFTWARE\REMCOS-SFLVDU | licence | 1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @C:\Windows\system32\DeviceCenter.dll,-2000 | 1
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | @explorer.exe,-7001 | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE | mea | 1
<HKCU>\SOFTWARE\REMCOS-SFLVDU | - | 1
<HKCU>\SOFTWARE\REMCOS-SFLVDU | exepath | 1
<HKCU>\SOFTWARE\REMCOS-1MSE40 | - | 1
<HKCU>\SOFTWARE\REMCOS-1MSE40 | exepath | 1
<HKCU>\SOFTWARE\REMCOS-1MSE40 | licence | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE | Un9 | 1
<HKCU>\SOFTWARE\REMCOS-A21G8J | - | 1
<HKCU>\SOFTWARE\REMCOS-A21G8J | exepath | 1
<HKCU>\SOFTWARE\REMCOS-A21G8J | licence | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE | re | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE | dr | 1
Mutexes Occurrences
Remcos_Mutex_Inj 3
Local\55C37268-60E9-964A-3299-E2046F3CC613 2
Remcos-SFLVDU 1
Remcos-1MSE40 1
Remcos-A21G8J 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
13[.]225[.]214[.]71 4
13[.]225[.]214[.]108 4
37[.]19[.]193[.]217 3
95[.]211[.]75[.]16 2
162[.]210[.]195[.]111 1
13[.]225[.]214[.]91 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
piloresi[.]top 7
dioneras[.]top 7
downloadmirror[.]intel[.]com 5
uniresio[.]top 4
emperimen[.]com 3
www[.]bing[.]com 2
busyboydesign[.]xyz 2
toptoptop2[.]site 1
toptoptop3[.]site 1
toptoptop3[.]online 1
toptoptop2[.]online 1
lutheatre[.]com 1
fallium[.]com 1
sheaffic[.]com 1
Files and/or directories created Occurrences
%SystemRoot%\win.ini 21
%LOCALAPPDATA%\Administrator 8
%HOMEPATH%\kmm 1
%HOMEPATH%\kmm\Cam.exe 1
%HOMEPATH%\kmm\Cam.vbs 1
%HOMEPATH%\Dul\Slu6.exe 1
%HOMEPATH%\Dul\Slu6.vbs 1
%HOMEPATH%\Dul 1
%HOMEPATH%\Uds 1
%HOMEPATH%\Uds\sov.exe 1
%HOMEPATH%\Uds\sov.vbs 1
%HOMEPATH%\Sv9 1
%HOMEPATH%\Sv9\BUT.exe 1
%HOMEPATH%\Sv9\BUT.vbs 1
%HOMEPATH%\ref 1
%HOMEPATH%\ref\Bar.exe 1
%HOMEPATH%\ref\Bar.vbs 1
%HOMEPATH%\ma\No.exe 1
%HOMEPATH%\ma\No.vbs 1
%HOMEPATH%\ma 1
%HOMEPATH%\Oxy\Bru4.exe 1
%HOMEPATH%\Oxy\Bru4.vbs 1
%HOMEPATH%\tr\TEL.exe 1
%HOMEPATH%\tr\TEL.vbs 1
%HOMEPATH%\Oxy 1
*See JSON for more IOCs

File Hashes

1990701e4db9f573be94dbfd0e9edcb826c4a0ba858b42249812acb12cea572f 201ecff5a0b06b1401158972176bf3af310e1a25a9f603ea902b340f15262130 667fcc41313580c1c5dd3f74e84f13a4431a8b1daf4e1c60d5f3ab0c657e95ef 6754bcad108371e4192bc126187cf7ac07c39ea3f5ed7d975402a4c20d7fbcd4 68183c5baad715853bf2a38a2384288803a431ef4881be8c33b473f7e97d0186 6f70b508bcf39a1de4371f080c51bbf569ff5be7bf0f91793519c3c511710386 72d305998919d0c14d44659c0427e1130b9cf6539f386d328879c7d416ac085a 7cbbe9909fc023294a209ecf1b3882a02cb198d6841a129471201ce105c10d7f 905d2ba08aa3c839dfb815a373c5e2d0ae71badcbb1a70be1ef2683381dcb257 96eba5d5846bbcb803ffbac64ea5adf52fcb736ebda11abd466d509314dcc216 c2bfc250e5a0f8047d8eeb2bab36669e2d20becf57ddfa1e0ff5c33ff63864d5 cad62477913555b37902a162c9b437af27182fb219aa14647f257a0c48ddd556 d2a181619dc5bce7506d65bd893b411772de00c9ffdcbbcb9e3a78ab029a4997 d6e619e7f6f7578cef21ad4bea1ed94f397c0063aee69df329bc0aab3ea0b177 d9f6c0ffc135785c9c0355bad4cc4b8884f6f655c6e336c14b1b7a27568ddda9 dcd1f707b263fe1c37b94944b8399d92675d215d76aca304f0c7455250627d68 e9877a7c8d2daca6b15131b26a583695e4d5e2c05023b764f24a551666055b0a f22c91af53fd11dae4ebeeca1886c5a3355f68970cb554be7eb10affbb547341 f57f13ef3d153621588b9aa9a273e08a77069dd2b9b7d5ad08c579f24feedc41 f7ac5679a471bbc48cb5af2fd54ea2e4621f7e825c06fba59a1690fa6745e56f fd4de71e56062003053b8f93f6bb84188666361a07c415e56a4b015802237289

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Dropper.Shiz-9958984-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 88 samples
Registry Key | Value Name | Occurrences
<HKLM>\SOFTWARE\MICROSOFT | 67497551a | 33
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON | 98b68e3c | 33
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON | userinit | 33
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON | System | 33
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS | load | 33
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS | run | 33
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | userinit | 33
Mutexes Occurrences
Global\674972E3a 33
Global\MicrosoftSysenterGate7 33
internal_wutex_0x000000e0 33
internal_wutex_0x0000038c 33
internal_wutex_0x00000448 33
internal_wutex_0x<random, matching [0-9a-f]{8}> 29
internal_wutex_0x000007d0 12
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
13[.]107[.]21[.]200 16
45[.]33[.]23[.]183 9
96[.]126[.]123[.]244 8
198[.]58[.]118[.]167 7
45[.]56[.]79[.]23 6
45[.]33[.]30[.]197 6
45[.]79[.]19[.]196 5
173[.]255[.]194[.]134 5
72[.]14[.]178[.]174 5
72[.]14[.]185[.]43 4
45[.]33[.]2[.]79 3
45[.]33[.]18[.]44 3
45[.]33[.]20[.]235 2
85[.]94[.]194[.]169 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
fodakyhijyv[.]eu 33
qekusagigyz[.]eu 33
maxyjofytyt[.]eu 33
xudylenyrob[.]eu 33
pufepepazyd[.]eu 33
vopibycywow[.]eu 33
fotoxysupyd[.]eu 33
gaqehysohec[.]eu 33
lyxaxududes[.]eu 33
rycovuvutiq[.]eu 33
kevimudyqec[.]eu 33
jewidonevin[.]eu 33
tulekuvigij[.]eu 33
vocupotusyz[.]eu 33
galavozaxog[.]eu 33
divufozutog[.]eu 33
kefidaxupif[.]eu 33
jejykaxymob[.]eu 33
xutevexecif[.]eu 33
puryxepenek[.]eu 33
lysowaxojib[.]eu 33
dimigesupew[.]eu 33
fobatesohek[.]eu 33
ryhadyvigis[.]eu 33
qekikyvutic[.]eu 33
*See JSON for more IOCs
Files and/or directories created Occurrences
%TEMP%\<random, matching [A-F0-9]{1,4}>.tmp 33

File Hashes

0426a2801b985679944d7956d57df0c195e4871cb5fa9ae5d3cb864600883613 06748264e401a4fcf30a802df0f390a75a14a3ff6148b8f064ee3e2585c742d9 09bf6eb80568c5d370d52e77ca1eddea41f0eb7e458549c994620b3e6af3967c 0affbf8c7691eaaab70491418b6db92cced36ff4a0a482673a4ebdd5492ad6c8 0fbe21b7ff8392a707d0d871494c2298e88e723ebcd7a4495c6a037232d4899b 11b3839df1c31d6c2f15591a0fa013c8b41862dd522d106c85876b49e7d561c0 11b6cfd9b8f56c8107511151282335f7b5f5d555665bec7506908515dcb6acab 11c19ec5a341f6a6bfa86170ea383439466f008ff42ec6dc04bd0445a658ba63 1641e6a92c47304c11521b9c875029a387e49b511438b3ac4c122ee7b14519de 1cac14ca2ad5715132446d1bb0503a6f783577d15f8fb97611dac9b7177903cc 1f4e2901cf95c9ca682d9e5c24235c11da57a47153969203e58b5528bd37b411 1f83440aab9dc62a6c4726b35ee58355b1cf76d23d194250397069423b17d281 237bf6bd91b6301dd01456859507771ed5fc2eda62f67e207bea6928f69573b9 253dc24fa6384c2c2757acc74ecfb88a231ab434c718e5b044a47e3fec4515f7 25525b728590f243275c528727c4887c3521fc16c25f60e3b364fb21e8b64dab 2553d02ff7f59fc5e0830783a508b4a5e8daff585bb4e5411c49bb34217f1b3d 259d0e1eb7a6ab82cfef210054b7cedd069d331455d6c0effff450c514fef6b1 2796098904f867adffd735f528461e5fb8be9f33ebd22bc37fb58684c3476112 27de5dc0ae67097bc22a0bcb3381dcebc372c469c4b8effe2b83d87f85f01cc1 2a6f60367dc3d70d2db9926e28dba4d79f20e319ceaf839c094cf85c9850c99a 2c729b76866357b2fae9d51f4d5f69c1554b18b5be35f896300631b7409e49e7 319155806bbb3e74cc753ed768a13455965e1fa7a175155f5862c2e030c2e35a 34b2879998dfd238977cf19e5f4e3d4cbccfa61a9b0688e43a569e19a75a2844 3578be24b2fe30600747846c30c1e286622e1906fce1a801e10b87117bf37ef4 385ddefdb0c298b4cd194b165f82e9ddec8c8e6616160e432125e576dae5603c
*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Dropper.HawkEye-9959777-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 15 samples
Registry Key | Value Name | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED | Hidden | 11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | Windows Update | 10
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON | Shell | 5
<HKCU>\SOFTWARE\[email protected] | | 3
<HKCU>\SOFTWARE\[email protected] | NewIdentification | 3
<HKCU>\SOFTWARE\[email protected] | NewGroup | 3
<HKCU>\SOFTWARE\[email protected] | FirstExecution | 3
Mutexes Occurrences
<random, matching '[A-Z0-9]{14}'> 4
X43238C48CI4NY_SAIR 1
M21V21V8G7Q66R_SAIR 1
05V015TT37XDUJ_SAIR 1
Global\07657600-129e-11ed-9660-0015174b6151 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
104[.]16[.]155[.]36 6
104[.]16[.]154[.]36 5
77[.]88[.]21[.]158 2
142[.]251[.]16[.]109 2
208[.]91[.]199[.]224 1
208[.]91[.]198[.]143 1
208[.]91[.]199[.]223 1
192[.]99[.]212[.]64 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
whatismyipaddress[.]com 11
kalashas[.]no-ip[.]biz 3
smtp[.]gmail[.]com 2
smtp[.]yandex[.]ru 2
mail[.]siliconsss[.]com 2
smtp[.]impexservicesindia[.]com 2
smtp[.]vsnl[.]net 1
smtp[.]thanawalagroup[.]net 1
Files and/or directories created Occurrences
%APPDATA%\pid.txt 11
%APPDATA%\pidloc.txt 11
%TEMP%\holdermail.txt 10
%APPDATA%\WindowsUpdate.exe 10
\Sys.exe 3
\autorun.inf 3
E:\autorun.inf 3
%TEMP%\Administrator7 3
%TEMP%\Administrator8 3
%TEMP%\Administrator2.txt 3
\directory 3
\directory\CyberGate 3
\directory\CyberGate\install 3
\directory\CyberGate\install\server.exe 3
%APPDATA%\Administratorlog.dat 3
%TEMP%\SysInfo.txt 3
%APPDATA%\Windows Update.exe 3
E:\Sys.exe 3
%System32%\drivers\etc\hosts 1
%TEMP%\oUK6NMZIZls5Ku6i.exe 1
%APPDATA%\6tOsSNNvNp7JOgxS 1
%APPDATA%\g3h44Njnele2nJzi 1
%APPDATA%\g3h44Njnele2nJzi\ZOqlaWVQEXMz.exe 1
%APPDATA%\6tOsSNNvNp7JOgxS\ChSV1JzLaHOS.exe 1
%APPDATA%\hAtRUbl2c5ywfar3 1
*See JSON for more IOCs

File Hashes

04e516d05c22e5489ba47b5e1bd03f6cb8bcf2b084e2b3dae23acbe25d4b4591 21e52c431fce5ea651800127be440f447fafd20c3d74f34b0d712e140b0c138d 21e949c72bc90a7b4647b305dd306e343f732ad2b898dba5e9b920edc33fc9a0 220c6f3ffe28c8c7cd3f3b669b47bccdde30b200ab1de9bd0cca55c475ad62cb 2f656303daecf2322749ed2a4b69b7124433dfea94d658c9e1e18d415db16456 32a841f8eaf7fa85d3c78469a9890988c1c9b90c97cfba674ac8f9f991bd3a94 4000b5bce992bdbdd73174fbe1e8d9b0fd65ad6c88f282889a8604dfa9fe0f59 5291c5d0bd7eaee2402fb660be1b8501c3a712471e9d66062b6728794909263a 5393c5a558225a02a03ee8ea46968d53a72b57194261e17dc7e35f0bd9b630ea 628eb845ab8309303d0ebb7448063dbafd36954a66596977a272d5806cacaeca 656d25151b846944e11c7ba03ce4fae066f7a8c29cdce84d0b241d4305a4245c 6d155125192252b756c6af33bca25810ab9a19be347e5793b534802662eb00a4 9a8797b6c2753e70ce0888185473510f40d3c0ff45b81b639dc8c077cb3679ec ad52ce9456cb87f713ad43de89835e0c882fd3a77389bb41ab50396efd59088a c4bf7dbe799d71e8e16c1aa5ca3f3af04f174b91e1a357a02e38b0155a46a600

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Worm.Kuluoz-9959792-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples
Registry Key | Value Name | Occurrences
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'> | | 26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | uecguckk | 1
<HKCU>\SOFTWARE\AEAKVJGE | ujaduqcw | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | cuhmadmx | 1
<HKCU>\SOFTWARE\UDVFKDFC | vdqcxwxs | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | lhelwsfg | 1
<HKCU>\SOFTWARE\SFLQPFKG | pvgxfqel | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | wrbmmivh | 1
<HKCU>\SOFTWARE\SMXPKGUG | cdjmiong | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | agokwqgv | 1
<HKCU>\SOFTWARE\NGWWUMBN | fpesjwgk | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | bomrkrmk | 1
<HKCU>\SOFTWARE\LSCPUEQM | lsekxadg | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | bxvvsgvr | 1
<HKCU>\SOFTWARE\HIDBXWKK | wudcreed | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | snwmmmvf | 1
<HKCU>\SOFTWARE\TCUDAEVA | dfvkflcs | 1
<HKCU>\SOFTWARE\MNQGHNOP | dlirvvqw | 1
<HKCU>\SOFTWARE\MNFTGNBG | csfqppjx | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | imcfhgpa | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | oqpeifcm | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | lhxptbjv | 1
<HKCU>\SOFTWARE\HQMHIWJP | durqeakc | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | hsrhcrvj | 1
<HKCU>\SOFTWARE\CGOEUIAE | htpvdufk | 1
Mutexes Occurrences
2GVWNQJz1 26
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
173[.]203[.]97[.]13 15
76[.]74[.]184[.]127 13
37[.]59[.]82[.]218 13
94[.]32[.]67[.]214 13
212[.]45[.]17[.]15 13
142[.]4[.]60[.]242 13
50[.]57[.]139[.]41 12
82[.]150[.]199[.]140 12
92[.]240[.]232[.]232 10
113[.]53[.]247[.]147 10
203[.]157[.]142[.]2 9
176[.]31[.]181[.]76 9
188[.]165[.]192[.]116 7
Files and/or directories created Occurrences
%LOCALAPPDATA%\<random, matching '[a-z]{8}'>.exe 26

File Hashes

01d6c50b70eb28d693e74b7ad15158707b8f57a9711e35c07d3d1c4ee7f630ee 08c25287e368a2158b029684e74626ba867a606837cce07ea2837b6ed78857a4 09bb26d956e0eb8aba714e836c041d844ac01eb4ccb3e498382c07ae3e267ff4 0bf1e31c2a0fe232876deef8bad8cbe1e08a3ad377db920ffc27c4852ef1dc89 0c6ec5510575da4416321eb58b20d3e447746e0cea1ffd06241f8a1e6bbb2837 0dd0361ead8f0e962be7a115dd8a4fa9d1a12b88c11633f82cfeae655a59f809 0fb3d456de4717b29c3a332e29a10cc9c52c94c92f6438f32791f5a5785b603b 1052ac160c67084f7dae6af5d9ee545fb0df20b99b8e989177ffb795a32aa35c 192d087160aad1afdb5ed06eb4128d997e578af554a626887746d91e66bc688a 1f4a448e60174255ef3d7492e60464ef4cfd84f65acb8c9824493b71d6864b8f 1f7810a638c2f1825276f2784cf557d7610ca0eabb463d06e6b25597fd077043 230a54a47fed1921adb452b5e88f1467e021dd85aac8f0d60a5a41912b991d28 26cad8fc0603c849db06f59e46b452bb4c3fe5cadfd46e344ce9a7f10365ddb8 276bb12ea62aa7f7ffce0531b84bbe1f7f2e6a19f4150ca6a7b1c69f4662b595 286bc1cee4c188350c8bb50812e30f7bec0b794efca5a2eb0b12368b479211b3 2938109eee69fe708fa15752e0723d110a01ee4e3e1e804cc97bbde01267fdb8 2a850531aeb725e5f138b9b1158640fe41c05a25560e2550fa2b070d96490a8e 31266599481409d70b317821d5af1aea693e7c1c7cedd04fd5dec0008bd816a7 384b51772d288e63038e146446e6e84b1f737cd3d8d34c3871d875fda77ff29a 38e1edffa779f9e2dd16104c35fc7a6c4a21dff7f3ad9bc8233b5817e8666441 3949d166ce5f75648fcb66ea3f9aaf251aa9847d576aef7d10b2830a295e2096 3ffee22fa7f00e260b92385c8cda56eee17c133b7c47cb33cf701d0c9e2ae89e 419c33660b59de42d150f8c1163873db94fa59e8d684bb44d0ec866eaebd00a7 441c34ba7b9ee2d7b0506013a2fb9fd5c5b517d38a66e1228edf4d7e1e20b9e8 446d8276a7008c24317b101c5d7050da5f1a51301a47842cd35f5d8a362eee83
*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Dropper.DarkComet-9959797-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 11 samples
Registry Key | Value Name | Occurrences
<HKCU>\SOFTWARE\DC3_FEXEC | | 11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM | EnableLUA | 11
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER | AntiVirusDisableNotify | 11
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON | UserInit | 11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | MicroUpdate | 11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM | | 11
<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E | LanguageList | 11
Mutexes Occurrences
DCPERSFWBP 11
DC_MUTEX-01SYFCM 11
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
zapto666[.]zapto[.]org 11
sildelanoe2[.]zapto[.]org 11
Files and/or directories created Occurrences
%ProgramData%\Microsoft\Windows\Start Menu\Programs\MSDCSC 11
%ProgramData%\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe 11

File Hashes

236c360d988e5b28b1a4eee229d0f3b5baa203043fc5ae8f016519f753e6b6bf 27990599b2e3ae192d5a897ed30cb98a20eae1d3ed8506dac8d82fef9ed9442e 53cd48d7d092d55fdc35966cfbd01861bf7304f9dc694237d322ff189adb32a4 55754ae53d9555a67d25be9cd73b5d85141d4ef43cd55ae2cf237be1cfa0d965 5dcd64134e33496cdd5ad13012b35834164d59d470a17359710a335469fdf35a 6e0d5bd7c55c9ec287377f8cadd342768c887a8901d015253996112442ff5d6f a53ebd4f480bdf3cf2199692af1d27c2864fc5c038fefed214688416cc2a1066 acaf2d6a74e24b2ab85338fa62efc85d76f6ec9c1cd11657230d975fd0dcde42 c4c677ab5115a0a568d1817528005ad24d0dc06ddd9d738d5f1fb75a3074b3f0 d2e83abd3d779b825e4088f53b43aa8521131a9ebd0dad8006e70fcc0e249e8d eea1adee202040b2c06dfb226eacd4c662b57714f44ffcc0561ff8cb2ec2a6d6

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Dropper.Ramnit-9960101-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 15 samples
Registry Key | Value Name | Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM | EnableLUA | 15
<HKLM>\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT | AlternateShell | 15
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON | Userinit | 15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | WlkSgauv | 15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MICORSOFT WINDOWS SERVICE | Type | 15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MICORSOFT WINDOWS SERVICE | ErrorControl | 15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MICORSOFT WINDOWS SERVICE | ImagePath | 15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MICORSOFT WINDOWS SERVICE | DisplayName | 15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MICORSOFT WINDOWS SERVICE | WOW64 | 15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MICORSOFT WINDOWS SERVICE | DeleteFlag | 15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MICORSOFT WINDOWS SERVICE | | 15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MICORSOFT WINDOWS SERVICE | Start | 15
Mutexes Occurrences
{79345B6A-421F-2958-EA08-07396ADB9E27} 15
{7934684F-421F-2958-EA08-07396ADB9E27} 15
{7934723B-421F-2958-EA08-07396ADB9E27} 15
{7934684E-421F-2958-EA08-07396ADB9E27} 15
{<random GUID>} 15
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
82[.]112[.]184[.]197 15
72[.]26[.]218[.]70 15
195[.]201[.]179[.]207 15
208[.]100[.]26[.]245 15
35[.]205[.]61[.]67 15
142[.]250[.]80[.]14 15
75[.]2[.]18[.]233 15
172[.]105[.]157[.]192 15
46[.]165[.]220[.]150 15
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
kbadlfpgtec[.]com 15
ymcwineqkj[.]com 15
tupexbvpmsc[.]com 15
mwsjitqbf[.]com 15
ccsnpnqxii[.]com 15
dpdadshi[.]com 15
eljmrnwualb[.]com 15
hjxrksvo[.]com 15
lfnjosunfd[.]com 15
paoxlrmbg[.]com 15
qekgxfrk[.]com 15
uhjwxipj[.]com 15
mkmngqxwk[.]com 15
ybmhumhymqj[.]com 15
qopdypfxhda[.]com 15
pfkilgedjhq[.]com 15
sgimiytkanu[.]com 15
leqnxekmi[.]com 15
ieugluxmlx[.]com 15
elieidkolpc[.]com 15
oluddrbaeb[.]com 15
skroackqs[.]com 15
pbfttfgw[.]com 15
ujypninrop[.]com 15
qpvvabbaqcn[.]com 15
*See JSON for more IOCs
Files and/or directories created Occurrences
%LOCALAPPDATA%\wblmbpwi.log 15
%LOCALAPPDATA%\xrpatmbf.log 15
%LOCALAPPDATA%\ntqipnfr 15
%LOCALAPPDATA%\ntqipnfr\wlksgauv.exe 15
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\wlksgauv.exe 15
%TEMP%\dljcankv.sys 15
%TEMP%\oqinictcdtumygeo.exe 15
%LOCALAPPDATA%\ntqipnfr\px1F71.tmp 1
%LOCALAPPDATA%\ntqipnfr\px26AF.tmp 1
%LOCALAPPDATA%\ntqipnfr\px203A.tmp 1
%LOCALAPPDATA%\ntqipnfr\px1CC1.tmp 1
%LOCALAPPDATA%\ntqipnfr\px2B70.tmp 1
%LOCALAPPDATA%\ntqipnfr\px2BFD.tmp 1
%LOCALAPPDATA%\ntqipnfr\px1EB4.tmp 1
%LOCALAPPDATA%\ntqipnfr\px1B98.tmp 1
%LOCALAPPDATA%\ntqipnfr\px2365.tmp 1
%LOCALAPPDATA%\ntqipnfr\px2307.tmp 1
%LOCALAPPDATA%\ntqipnfr\px28A3.tmp 1
%LOCALAPPDATA%\ntqipnfr\px25C5.tmp 1
%LOCALAPPDATA%\ntqipnfr\px2DD1.tmp 1
%LOCALAPPDATA%\ntqipnfr\px2BED.tmp 1
%LOCALAPPDATA%\ntqipnfr\px2529.tmp 1

File Hashes

10df6ef7114ab16c25690d0183960e51d80488690e4f52680be2cf38d4aeb85b 1b39ecf9dc61b7e01c410b02eb8cb5c01ccdb1346474c62d7b916a9fb136681e 25354347217865d4e0a18080a942021de378cdcdff3633edc32583d892639569 265febc90d4163d2d1f29c0f07c8b003002ec7ee9ca4a3f8607ca5364cf06dc3 370c3bdde1b51bf0b9d079e644871b79848ac588c37ea7f89c94a2e2c3103642 3b955ab71c4147497bb1aa0fd65ee9b94bb1cbc897a0be46427f0f66a829de5d 55835f514e7ab6da28a6c69a3ffbe2d356b8ca987a274bc7a190689a57cbfbf2 615c3bfaa531cda8c1ac55bf9d5d93598617cd208702a7ce4c26cd94b2f2d4fd 61657d27b739df7dd856194cc29354ebf9d4a9abe3cb37d8782b5e6bddcba23c 7227840a73bce222d285d89cb1f528a5f5caf230af943a78f85f5e07136f1c4f 91cec64e347f7355c3dabb30b6e70c73d8a16890aa698ef526476930b998dd78 b70d31148f0b79548b7a2fd3a16228b32b0c52432b19b9d651fc9d6f9458c845 b7841d3db93f9a48887fdb82d3492b43f33f36ee8959e4f26a74c77962793e65 e80bad25222ffce33d1fa8c5962b235fecdce744b6dcf9c35db869844802573c ee4d65ec638095b28ec9c1290bf3edac8c767fb2a094c00925fabcde83dfb205

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK




