Threat Roundup for September 16 to September 23
Description

[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDbBfe7re3_GTXSXxhXHE2wNeKNUPJ-Odym2Hj407JIEsoqhaRncqbWWVdFGF8HVFeuFf-9tRYJTDr5Yv3KtHFWHwNNCw0SfBhK253m7gw8NPS3_tw9byysNDzJXeSV6PpKRjM8ZQ31WcZe4BeFH6I-QvghzbC5suPfKxL3LS5jWtvSbxbS7DCiyVI/s16000/threat%20roundup.jpg)]()

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Sept. 16 and Sept. 23. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file, linked [here](), includes the complete list of file hashes as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. Five distinct shades are used, with the darkest indicating that no files exhibited the technique behavior and the brightest indicating that the technique behavior was observed in 75 percent or more of the files.
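The indicator tables in this post are defanged with the `[.]` convention, and the post itself cautions that a single IOC hit is a lead rather than proof of compromise. The script below is an added example, not code from Talos or from this post: it refangs a handful of indicators copied from the NetWire section (three IP entries, one of them a CIDR block, and two domains), then scans a few constructed proxy and DNS log lines for them. The log format and the `scan_logs` helper are hypothetical; the indicator values are the ones printed in this roundup.

```python
import ipaddress
import re

# Indicators copied from the NetWire tables in this post, still in the
# defanged "[.]" form; the complete lists are in the accompanying JSON file.
DEFANGED_IPS = [
    "149[.]154[.]167[.]220",
    "198[.]54[.]117[.]210/31",   # CIDR blocks appear next to single hosts
    "34[.]102[.]136[.]180",
]
DEFANGED_DOMAINS = [
    "api[.]telegram[.]org",
    "www[.]wearestallions[.]com",
]

# Constructed proxy/DNS log lines in a hypothetical key=value format.
LOG_LINES = [
    "2022-09-20T10:01:02Z proxy src=10.0.0.5 dst=198.54.117.211 host=www.example.net",
    "2022-09-20T10:01:07Z dns client=10.0.0.5 query=api.telegram.org",
    "2022-09-20T10:02:15Z proxy src=10.0.0.9 dst=93.184.216.34 host=example.com",
    "2022-09-20T10:03:40Z dns client=10.0.0.7 query=www.wearestallions.com",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Undo the "[.]" and "hxxp" defanging so the value can be compared."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def build_ip_networks(defanged_ips):
    """Parse single IPs and CIDR blocks into ip_network objects (a bare IP becomes a /32)."""
    return [ipaddress.ip_network(refang(ip), strict=False) for ip in defanged_ips]


def build_domains(defanged_domains):
    """Refang and lower-case domain indicators for case-insensitive matching."""
    return [refang(d).lower() for d in defanged_domains]


def scan_logs(lines, networks, domains):
    """Return (line_index, kind, matched_indicator, observed_value) for every hit.

    A hit means the line mentions a listed address or domain; as the post
    notes, contacted hosts such as api.telegram.org are not malicious by
    themselves, so every hit still needs analyst triage.
    """
    hits = []
    for idx, line in enumerate(lines):
        for raw in IP_RE.findall(line):
            try:
                addr = ipaddress.ip_address(raw)
            except ValueError:
                continue  # digits that only look like an address, e.g. 999.1.1.1
            for net in networks:
                if addr in net:
                    hits.append((idx, "ip", str(net), raw))
        for host in HOST_RE.findall(line):
            host = host.lower()
            for dom in domains:
                # Exact match or a subdomain of the listed domain.
                if host == dom or host.endswith("." + dom):
                    hits.append((idx, "domain", dom, host))
    return hits


if __name__ == "__main__":
    networks = build_ip_networks(DEFANGED_IPS)
    domains = build_domains(DEFANGED_DOMAINS)
    for idx, kind, indicator, observed in scan_logs(LOG_LINES, networks, domains):
        print(f"line {idx}: {kind} indicator {indicator} seen as {observed} (needs triage)")
```

The /31 entry is why the matcher works on `ip_network` objects rather than string equality: `198.54.117.211` is inside `198[.]54[.]117[.]210/31` even though it never appears literally in the table.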

The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
---|---|---
Win.Dropper.NetWire-9970213-0 | Dropper | NetWire is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, remote desktop and read data from connected USB devices. NetWire is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Trojan.LokiBot-9970418-0 | Trojan | Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.
Win.Ransomware.Cerber-9970426-0 | Ransomware | Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension “.cerber,” although in more recent campaigns, other file extensions are used.
Win.Packed.Gamarue-9970619-0 | Packed | Gamarue, also known as Andromeda, is a botnet used to spread malware, steal information and perform activities such as click fraud.
Win.Packed.Nanocore-9970631-0 | Packed | Nanocore is a .NET remote access trojan. Its source code has been leaked several times, making it widely available. Like other RATs, it allows full control of the system, including recording video and audio, stealing passwords, downloading files and recording keystrokes.
Win.Dropper.Formbook-9970817-0 | Dropper | Formbook is an information stealer that attempts to collect sensitive information from an infected machine by logging keystrokes, stealing saved web browser credentials, and monitoring information copied to the clipboard.
Win.Ransomware.BlackMatter-9970818-0 | Ransomware | BlackCat ransomware, also known as “ALPHV”, has quickly gained notoriety for being used in double ransom attacks against companies in which attackers encrypt files and threaten to leak them. It uses the combination of AES128-CTR and RSA-2048 to encrypt the files on the victim’s computer.
Win.Dropper.DarkKomet-9970824-0 | Dropper | DarkKomet is a freeware remote access trojan released by an independent software developer. It provides the same functionality you would expect from a remote access tool: keylogging, webcam access, microphone access, remote desktop, URL download and program execution, etc.

* * *

## Threat Breakdown

### Win.Dropper.NetWire-9970213-0

#### Indicators of Compromise

* IOCs collected from dynamic analysis of 12 samples

Registry Keys | Occurrences
---|---
`LOCAL SETTINGSMUICACHE8252C64B7E Value Name: LanguageList` | 7
`SOFTWAREWOW6432NODEMICROSOFTWINDOWSCURRENTVERSIONRUN Value Name: WindowsUpdate` | 7

Mutexes | Occurrences
---|---
`8-3503835SZBFHHZ` | 5
`73M9N-T0-UB83K6J` | 2
`S-1-5-21-2580483-12441695089072` | 2
`S-1-5-21-2580483-12443106840201` | 2
`1N6PO-QCTT825WY-` | 2
`S-1-5-21-2580483-1244465298972` | 1
`3MAM487FD866043M` | 1

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`149[.]154[.]167[.]220` | 7
`34[.]102[.]136[.]180` | 4
`198[.]54[.]117[.]215` | 2
`198[.]54[.]117[.]210/31` | 2
`99[.]83[.]154[.]118` | 2
`54[.]251[.]110[.]33` | 2
`198[.]54[.]117[.]217` | 1
`198[.]71[.]232[.]3` | 1
`2[.]57[.]90[.]16` | 1
`185[.]107[.]56[.]59` | 1
`52[.]20[.]84[.]62` | 1
`34[.]117[.]168[.]233` | 1
`69[.]163[.]224[.]231` | 1
`109[.]123[.]121[.]243` | 1
`216[.]40[.]34[.]41` | 1
`199[.]59[.]243[.]222` | 1
`31[.]220[.]126[.]24` | 1
`172[.]96[.]191[.]143` | 1
`45[.]224[.]128[.]33` | 1
`207[.]244[.]241[.]148` | 1
`162[.]213[.]255[.]94` | 1
`172[.]67[.]180[.]112` | 1
`23[.]230[.]152[.]134` | 1
`154[.]86[.]220[.]203` | 1
`104[.]247[.]82[.]53` | 1

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`api[.]telegram[.]org` | 7
`www[.]wearestallions[.]com` | 2
`www[.]intelsearchtech[.]com` | 2
`www[.]kigif-indonesia[.]com` | 2
`www[.]homecrowds[.]net` | 2
`www[.]beachloungespa[.]com` | 2
`www[.]northpierangling[.]info` | 1
`www[.]xn--agroisleos-09a[.]com` | 1
`www[.]cacconsults[.]com` | 1
`www[.]fdupcoffee[.]com` | 1
`www[.]drivemytrains[.]xyz` | 1
`www[.]banchers[.]com` | 1
`www[.]olympushotel[.]xyz` | 1
`www[.]imbtucan[.]site` | 1
`www[.]leeanacosta[.]com` | 1
`www[.]searchnewsmax[.]com` | 1
`www[.]supera-digital[.]com` | 1
`www[.]fitnesshubus[.]com` | 1
`www[.]kettlekingz[.]co[.]uk` | 1
`www[.]meditgaming[.]store` | 1
`www[.]alpenfieber-events[.]com` | 1
`www[.]bobijnvidit[.]xyz` | 1
`www[.]thespecialtstore[.]com` | 1
`www[.]momotou[.]xyz` | 1
`www[.]tricon[.]info` | 1

*See JSON for more IOCs

Files and or directories created | Occurrences
---|---
`%HOMEPATH%temp` | 12
`%TEMP%RegSvcs.exe` | 7
`9_101jhipudjmrh.pdf` | 1
`%TEMP%5_610wuqiiqpl.cpl` | 1
`9_101kxfbovr.dll` | 1
`%TEMP%5_610xjusg.bin` | 1
`9_101lbmnehl.log` | 1
`%TEMP%5_610xpdmnqvrj.cpl` | 1
`9_101lexccit.txt` | 1
`%TEMP%5_610xxnvjp.log` | 1
`9_101lpuhp.docx` | 1
`9_101lresp.xl` | 1
`9_101mitwohb.dll` | 1
`9_101mnxau.jpg` | 1
`9_101mrbwugug.ico` | 1
`9_101mvevanqm.pdf` | 1
`9_101nimkrnwadi.mcq` | 1
`9_101njbrtxdts.xls` | 1
`9_101njxivhu.ppt` | 1
`9_101nnnbox.exe` | 1
`9_101nxvix.log` | 1
`9_101oavf.xml` | 1
`9_101ocuqib.dll` | 1
`9_101oipjamjjo.jpg` | 1
`4_58vxgw.cpl` | 1

*See JSON for more IOCs

#### File Hashes

` 17d3937fb3aceacc0ac99f94a2347b87b22cbc2e7c341830ad9ad0a8f88babee 27288965d55cf7459cfa35b7a37ab9298f34e6e7734f6d6609527d573e5db71e 3788fc76ea84b87735527d224d39b4672b970c6bbcdd59b60978945b76d0fb1b 39ef261dd5ada5c7b29412ca0e95e6950de77ac8ab9f6e096692fd553a6e3ace 4101b1f2efa7e4ac9711140c8e5e724bf5a74ac0b4ab76f0d6c4e23374977627 49f2bb5892eda8223f4709f6b84366911b000652eb19085b09dc5998fe8c8259 815132096b824dbe0c8497cfd85f7508eeac3718c147541c791701df09b6f196 8f8813e3ed0cdb3ac92de8e6003bc83c0ec859fc717748cab6a45f56a98a9201 a96ccfc5b5b64660b986d22b9bcc96cb5e178d3d506893bd24a959a5338a4a32 d22989a65a91ee78b6af2fd2a9cadf2656637959cc07cd1b92baeb8c5950b45d e2ad52e5cc9b5e5a51811e13daeed3f6d61e239a079ec3617f2c1a4400f6dcaf f7a74e6284a41f39cba3f0c186c61ad96fac8a3099b88e04071fdd8e1eabe9bf `

#### Coverage

Product | Protection
---|---
Secure Endpoint | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg)
Cloudlock | N/A
CWS | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg)
Email Security | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg)
Network Security | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg)
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg)
Umbrella | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg)
WSA | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg)

#### Screenshots of Detection

#### Secure Endpoint

[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxBDGyr_hEjc-Eewc0TRjNG3Ul5eUZSGQw3-j-HkLHB2T0TmkqCufarIFxKMFuNLvllNrNt0pjD_i6xDX4U7ZZ78o_LH3o1GG0FvmeBtmc_RBhm5SCMwBfJLbXymA21VMDW51NE5tJE12awEI53lDyaQKv58ewIQJ0KRFBCeSvSVhr40nwVNG9CXry/w400-h274/amp_815132096b824dbe0c8497cfd85f7508eeac3718c147541c791701df09b6f196_20220920.png)]()

#### Secure Malware Analytics

[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEir-Dqn-BgHJbTiP_LPvnwSw5mq3BU4IGLaeyu7tklhcuoZc5rY10ziCoe4XQ21n4IFWRudfP3eMhosxbclOD7M1M_AMLH00-n4AvdbOTwveoGlXOIkyGy_bY3sTmJ6e38zDX0GgrI16b6RoqtYJLA-UhgIMEO_y2dCpkziU3T068w1Gkb5NVLyeFp-/w640-h532/tg_d22989a65a91ee78b6af2fd2a9cadf2656637959cc07cd1b92baeb8c5950b45d_20220920.png)]()

#### MITRE ATT&CK

[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkRFJEoCEnIagQRRKNrqGNRz7AucfAHGY7Qiy6SWnKwy6BThKNzXJpdj0-kFvEyPyxpfxtqoKW8-W3JVMJALJpNPHHegBO6Ypjba0ezm4mTJQuTyrTj1Ldmvl4sMpHcDxgs-2T_djVyW2EML5zCSf5CbjXDWReXT1mnTLLIIkdN7blmpUjR5-QVitF/w640-h398/mitre_attack_30938.png)]()

* * *

### Win.Trojan.LokiBot-9970418-0

#### Indicators of Compromise

* IOCs collected from dynamic analysis of 11 samples

Registry Keys | Occurrences
---|---
`SOFTWAREWOW6432NODEPAADMME ` | 11
`SOFTWAREWOW6432NODEPAADMMENEAPOLITANERE ` | 11
`SOFTWAREWOW6432NODEPAADMMENEAPOLITANEREBINOCLES ` | 11
`SOFTWAREWOW6432NODEPAADMMENEAPOLITANEREBINOCLESUDPRINT ` | 11
`SOFTWAREWOW6432NODETOXOSIS ` | 11
`SOFTWAREWOW6432NODETOXOSISBENZENSULFONAT ` | 11
`SOFTWAREWOW6432NODETOXOSISBENZENSULFONATINGEVALDS ` | 11
`SOFTWAREWOW6432NODEMICROSOFTWINDOWSCURRENTVERSIONUNINSTALLSKABHALS ` | 11
`SOFTWAREWOW6432NODEMICROSOFTWINDOWSCURRENTVERSIONUNINSTALLSKABHALSAMARYLLIS ` | 11
`SOFTWAREWOW6432NODEMICROSOFTWINDOWSCURRENTVERSIONUNINSTALLSKABHALSAMARYLLISRECHARTING ` | 11
`SOFTWAREWOW6432NODEPAADMMENEAPOLITANEREBINOCLESUDPRINT Value Name: Girleen` | 11
`SOFTWAREWOW6432NODETOXOSISBENZENSULFONATINGEVALDS Value Name: befugteres` | 11
`SOFTWAREWOW6432NODEMICROSOFTWINDOWSCURRENTVERSIONUNINSTALLSKABHALSAMARYLLISRECHARTING Value Name: Krogfiskeri` | 11

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`103[.]170[.]254[.]140` | 1

Files and or directories created | Occurrences
---|---
`%LOCALAPPDATA%Konstellations` | 11
`%LOCALAPPDATA%KonstellationsMateres` | 11
`%LOCALAPPDATA%KonstellationsMatereswindow-restore-symbolic.symbolic.png` | 11
`%TEMP%ns.tmp` | 11
`%TEMP%ns.tmpSystem.dll` | 11
`%LOCALAPPDATA%KonstellationsMateresArider.bmp` | 1
`%LOCALAPPDATA%KonstellationsMateresFROSSEN.bmp` | 1
`%LOCALAPPDATA%KonstellationsMateresPraktikleder8.bmp` | 1
`%LOCALAPPDATA%KonstellationsMateresDigoxins6.bmp` | 1
`%LOCALAPPDATA%KonstellationsMateresBIOSYNTHESIZE.bmp` | 1
`%LOCALAPPDATA%KonstellationsMaterescountertime.bmp` | 1
`%LOCALAPPDATA%KonstellationsMateresACRITOL.bmp` | 1
`%LOCALAPPDATA%KonstellationsMatereslnlige.bmp` | 1
`%LOCALAPPDATA%KonstellationsMateresKloakeringsomraadet.bmp` | 1
`%LOCALAPPDATA%KonstellationsMateresCoitalt.bmp` | 1
`%LOCALAPPDATA%KonstellationsMateresCharlies.bmp` | 1

#### File Hashes

` 14d11fc331b5d9a84a42fa8b6b2155f687cf66c1af5bd32ae1347fda6667fa60 2d15ef038e1702ebcd7b6d50eab97db925195cb382a9cabcf6a70ac62452d39c 418a2c968f439988a20034816348d47e0ba3fa2a6150a1f5760202a8b3a5621e 7d48995a3e95a8f0f758601cc5fbedbda1570eb17fd73e3091e6690a4f423a45 a0f0783a36626040af491251f7fc77bdfd3fdc89ee7d8ade8a289828c35e9280 a4238922317136e633e9dd9d654fd89cc47414766a658a3bdcb16963aa191ed0 a72cbeca7367862e3597f4923b36ef84c534d771aa1d439ab21bc74de1dde400 ca449b3e0e043546c5746fa6787b29c94ecb86b3f42de21e944d704502ade3da d4912d4d34d11e30c5859742186d8355a42b1e83fb54ac2a121186fa46234862 d93f4740ef92a826d328f73dea62803903254fbcdb1e02aeb6dc78e214bc0645 f0ece4c4a676aef252751fa3277e1ad4a3e1050c177bd289994c63852ae3198e `

#### Coverage

Product | Protection
---|---
Secure Endpoint | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg)
Cloudlock | N/A
CWS | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg)
Email Security | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg)
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg)
Umbrella | N/A
WSA | N/A

#### Screenshots of Detection

#### Secure Endpoint

[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEid58L4bhqa4T1fJEA5-DH_tWvlfDJ42wMLrda_6vALeILxYS08YE_HM6BdPJpbbNY5Fpc3mmIhWA956Sqbz-27_R11DEbHJgJ7PRIpcQlyg74Jtjnstxdd9tjSyDpu9ow4CNUKr2ivyW8GzW3Y2Zfh2guXcy898-EJtZqAddp1-YhLsYH6aeQovrVC/w400-h274/amp_ca449b3e0e043546c5746fa6787b29c94ecb86b3f42de21e944d704502ade3da_20220920.png)]()

#### Secure Malware Analytics

[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKKNjiqUqlrA8FIWd2iSdheOEbnU7yWQ94hU7E5hHJBJdEYWWIGndKlLTvS94RpEhC54z0coe2FstiECRx8zNH3kJSgGcMNyzcxEocsaFOA8nG4Xy3SXsei8_j4rc6Vb3ePEk3mxhYXScNukzsi32OwJHDkdSp9x27e0pNeWcnYlScVv9WCLOXNGZ2/w640-h184/tg_ca449b3e0e043546c5746fa6787b29c94ecb86b3f42de21e944d704502ade3da_20220920.png)]()

#### MITRE ATT&CK

[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMpKrMAthXidw-9OaVUIn4vHwaC2VBGMJ0sy-Oqa__-DSlUo_MXirfX4gRLdKiDofh0vv009-ksddORTqr2o3ytu0Ux2UcW0SCVXhL8GxxGJcMm53fIKOMDBRXOAGOJWC1EWpsAKc-cNDhP3BmFX701yjCtF8XVDif2BWQg9SFqXfhaeVpIFUJmMVa/w640-h398/mitre_attack_30932.png)]()

* * *

### Win.Ransomware.Cerber-9970426-0

#### Indicators of Compromise

* IOCs collected from dynamic analysis of 24 samples

Registry Keys | Occurrences
---|---
`LOCAL SETTINGSMUICACHE8252C64B7E Value Name: LanguageList` | 24
`LOCAL SETTINGSMUICACHE8252C64B7E Value Name: @%SystemRoot%system32dhcpqec.dll,-100` | 24
`LOCAL SETTINGSMUICACHE8252C64B7E Value Name: @%SystemRoot%system32dhcpqec.dll,-101` | 24
`LOCAL SETTINGSMUICACHE8252C64B7E Value Name: @%SystemRoot%system32dhcpqec.dll,-103` | 24
`LOCAL SETTINGSMUICACHE8252C64B7E Value Name: @%SystemRoot%system32dhcpqec.dll,-102` | 24
`LOCAL SETTINGSMUICACHE8252C64B7E Value Name: @%SystemRoot%system32napipsec.dll,-1` | 24
`LOCAL SETTINGSMUICACHE8252C64B7E Value Name: @%SystemRoot%system32napipsec.dll,-2` | 24
`LOCAL SETTINGSMUICACHE8252C64B7E Value Name: @%SystemRoot%system32napipsec.dll,-4` | 24
`LOCAL SETTINGSMUICACHE8252C64B7E Value Name: @%SystemRoot%system32napipsec.dll,-3` | 24
`LOCAL SETTINGSMUICACHE8252C64B7E Value Name: @%SystemRoot%system32tsgqec.dll,-100` | 24
`LOCAL SETTINGSMUICACHE8252C64B7E Value Name: @%SystemRoot%system32tsgqec.dll,-101` | 24
`LOCAL SETTINGSMUICACHE8252C64B7E Value Name: @%SystemRoot%system32tsgqec.dll,-102` | 24
`LOCAL SETTINGSMUICACHE8252C64B7E Value Name: @%SystemRoot%system32tsgqec.dll,-103` | 24
`LOCAL SETTINGSMUICACHE8252C64B7E Value Name: @%SystemRoot%system32eapqec.dll,-100` | 24
`LOCAL SETTINGSMUICACHE8252C64B7E Value Name: @%SystemRoot%system32eapqec.dll,-101` | 24
`LOCAL SETTINGSMUICACHE8252C64B7E Value Name: @%SystemRoot%system32eapqec.dll,-102` | 24
`LOCAL SETTINGSMUICACHE8252C64B7E Value Name: @%SystemRoot%system32eapqec.dll,-103` | 24

Mutexes | Occurrences
---|---
`shell.{381828AA-8B28-3374-1B67-35680555C5EF}` | 24

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`178[.]128[.]255[.]179` | 24
`149[.]202[.]64[.]0/27` | 24
`149[.]202[.]122[.]0/27` | 24
`149[.]202[.]248[.]0/22` | 24
`172[.]66[.]42[.]238` | 16
`172[.]67[.]2[.]88` | 11
`172[.]66[.]41[.]18` | 8
`104[.]20[.]20[.]251` | 7
`104[.]20[.]21[.]251` | 6

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`api[.]blockcypher[.]com` | 24
`bitaps[.]com` | 24
`chain[.]so` | 24
`btc[.]blockr[.]io` | 24
`xxxxxxxxxxxxxxxx[.]1k1dxt[.]top` | 24

Files and or directories created | Occurrences
---|---
`%TEMP%d19ab989` | 24
`%TEMP%d19ab9894710.tmp` | 24
`%TEMP%d19ab989a35f.tmp` | 24
`%LOCALAPPDATA%MicrosoftOfficeGroove1SystemCSMIPC.dat` | 24
`%TEMP%tmp.tmp` | 24
`%TEMP%tmp.bmp` | 24
`_READ_THIS_FILE__.hta` | 24
`_READ_THIS_FILE__.txt` | 24
`_READ_THIS_FILE__.jpeg` | 24

#### File Hashes

` 05602feb977139c96c226969997d8bc55bd47b1d142252d3ec4067591dda85f2 06cba247d80b0c6c4f5865e34ad3c33fc1ef5ffd0a285f3009d64109b0ee3d22 09768afcaa8eae74f05841e49ece1ac338318c0d5f0153c2db6cecf169718698 0fb820719ef10ee032dbb69607c6fc222fa70b64844af4f04f6eecafc08345a7 2738e1df3421ba011f912c22e19bdae3b29d1fb1092be51174da6dbbbc72df8d 3c6776dd10054cad73b50c96d62e3b7a1e807ef1f8e6355d097cac12ddccb8c8 3eb0b591eb274fa052c4a7cdfcb6c943361c9a199ca33679678791399e8b8988 4505a343015d3ef0ad624e61ecfc61e2fc499a11fc5a52911c424de5ccd99d9e 52573c863390fde5244133cc965bf2501f0eb28e7d76a9996bc300070d41941b 5ce6f26a04a5bf871018eecafb8e9f8f7284ebbd134230574da1574830d4646e 5ed48cdf13e9681085390956e25883680a6b1b4600d99608d84c126d57832025 61a051fabbf66383709e43bf77fb49c6a645f2f479eaddffa6769010cb690eea 74c864c6b31afa1db6c8d6fb2bb8860b655d3554c8d309a91d894fd210351b7e 8642a1c54c99774f7ffc1ade073f2ccc90b6e2fcacb0118f1eca20b20018d590 9d14c9d7fca8e623607986ac1c27a149dfa9a82ac267475bed080636a5870269 a8d9f9469418516807ac7ce3dbf50de0ef3e0d2ef122b2932ba908cdadc3a5bb b289bcb40e6ee16638ae7bdadb95ebbebae75568e751820d261959394d7e7f02 b86d1564a606793a4427d5795a37825eeb11296b01cae339da01ab64feb73922 c4698b067e10ecf2ac5a4e318703d46b33cbdcd9803ffabc4a9da147e5d271f1 dee4d4d3b765fc0ad7ba88d69104b5cf90a448eaf1623445033a0f671e44ffd1 e50306b8c8b4bfd52da321a30e3e28bbef41b333e5803a303791f27798a1299c e5af2faef6688bf5e5889e78357bf993e13a1d21086dfb8a4ae268ae2004068f f330c988680055316a3aa2bc341e409096517381395469a32aa369a1940e9e5c ff2c3f6c56786af4fea96c55bb7877094ea482a162050721397dda1d82246ea0 `

#### Coverage

Product | Protection
---|---
Secure Endpoint | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg)
Cloudlock | N/A
CWS | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg)
Email Security | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg)
Network Security | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg)
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg)
Umbrella | N/A
WSA | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg)

#### Screenshots of Detection

#### Secure Endpoint

[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjd-DCc2-fW5lEQLmwxT0avdiuNQOxmOLZty_PXgY1hXmDX0tRBhiX3HORAbO6HyVwftDBq00Uk7upa49ErMkScFisZVu_3d6Ot6EdaYmduY1elHdwejMKv3eFqpNAl1v3rmYCmrwAiIgU3hzswikxpyP-NVQfRnMhQn63ph0TfYgKAhMRKKrACWHuo/w400-h274/amp_e50306b8c8b4bfd52da321a30e3e28bbef41b333e5803a303791f27798a1299c_20220921.png)]()

#### Secure Malware Analytics

[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjks0v7Ci1X4RlsZGZs6Iix05orLesk58VmJBNkpukzVt3OKzFvLJZyHigpmqyyHkr5N2WP4N8eCYvfTEl5V8JGX9maUxC5AS48KyZ7WCzlCnDkt17kDh-SU8RgnkskTFKvXwE93XUYth3VKW0RjtQSoS2M2cgsMtnbBEMuYdodV4Ft-Mau3UWR7wOx/w640-h532/tg_e50306b8c8b4bfd52da321a30e3e28bbef41b333e5803a303791f27798a1299c_20220921.png)]()

#### MITRE ATT&CK

[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcDxoshgal_LI7PdXAo9X8IQVqsCZtqU2453f-QDAv_FU2uo4wLcKGtvONcmcQzY-FRZKNTp1OTylKRlFDv-DTo3jtf-GyvqYRyyfKlvHRjvhm1CYRzcUYqyDb88xzAcdoeLKUspPoOPuIvq9ECbIte4nDNBVd9lly2QqSpQ8qbSAuiTDCD_edLXL6/w640-h398/mitre_attack_30928.png)]()

* * *

### Win.Packed.Gamarue-9970619-0

#### Indicators of Compromise

* IOCs collected from dynamic analysis of 25 samples

Registry Keys | Occurrences
---|---
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONRUN Value Name: apdsdtsh` | 25
`SOFTWAREAPPDATALOWD31CC7AF-167C-7D04-B8B7-AA016CDB7EC5` | 25
`SOFTWAREAPPDATALOWD31CC7AF-167C-7D04-B8B7-AA016CDB7EC5 Value Name: Install` | 25
`SOFTWAREMICROSOFTWINDOWS DEFENDEREXCLUSIONSPATHS Value Name: C:Windowssystem32Authias.exe` | 25
`LOCAL SETTINGSMUICACHE8252C64B7E Value Name: LanguageList` | 25
`SOFTWAREAPPDATALOWD31CC7AF-167C-7D04-B8B7-AA016CDB7EC5 Value Name: Client` | 25
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONACTION CENTERCHECKS{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.106 Value Name: CheckSetting` | 25
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONACTION CENTERCHECKS{01979C6A-42FA-414C-B8AA-EEE2C8202018}.CHECK.100 Value Name: CheckSetting` | 25
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONACTION CENTERCHECKS{852FB1F8-5CC6-4567-9C0E-7C330F8807C2}.CHECK.100 Value Name: CheckSetting` | 25
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONACTION CENTERCHECKS{852FB1F8-5CC6-4567-9C0E-7C330F8807C2}.CHECK.101 Value Name: CheckSetting` | 25
`SOFTWAREMICROSOFTWINDOWSSHELL Value Name: NodeSlots` | 1
`SOFTWAREMICROSOFTWINDOWSSHELL Value Name: MRUListEx` | 1
`LOCAL SETTINGSSOFTWAREMICROSOFTWINDOWSSHELL Value Name: NodeSlots` | 1
`LOCAL SETTINGSSOFTWAREMICROSOFTWINDOWSSHELL Value Name: MRUListEx` | 1

Mutexes | Occurrences
---|---
`Local{7FD07DA6-D223-0971-D423-264D4807BAD1}` | 25
`{}` | 25

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`alrthesecuritywith[.]su` | 25

Files and or directories created | Occurrences
---|---
`{4BC230AC-2EB3-B560-90AF-42B9C45396FD}` | 25
`%LOCALAPPDATA%MicrosoftWindowsWERERCstatecache.lock` | 25
`%System32%Authias.exe` | 25

#### File Hashes

` 04deccd24c8ba2a38462b2fbe8bbdfc70484892cbc0acdb28345de60b381f17c 07f1a829b39eb8df6754b4dbed45a71d4aac24c073702254b867113661423831 10bbe562791a00906cfcf42ce12046233438aedd689b92081c546f038fd23194 12981607682dab89979727d0ec582315b1565bf94a54cb5a08a876345c8c4dd7 17692c251e7257d3ab0db70615d9b30eeaddaf6958dcbd949bbaef0ded9e5d1e 23349c88ef430438af6b527e241074c7b2d6809337879da50b098c1a809cf814 25e0618244af804051450a99c664772473615c351714ce5a3d8912573ba964df 28b34665550780af293c665483967e1ba6be39b50bf1dd5d89c716990b67df4a 292139a3d2e6ac70015b05a225072c3f9d9d0b8ac39448e12733e33dbcb8add0 3662025e620ac8a337cb2e4a53d8953de01a92ee1439c2bac9b72de592dca969 3dca218d2bb5c419d0f92c5c5b8e9a891c817bc4c52f465fc89980f9c55551e6 4a2e7161239b8f9f3f9a3fcf868aa0fca6ca4890eceb629886062b6ff729385a 5535c54c6922219bf1ed1049b5e00c5a838f632b618b80eef36ccb10852f3de2 587713ec906ea8c3e5fee650abace23a1396ca69dd183253b8a6244bdfa3d5df 5e9f652ff2720dec825edb85e2abe9466e944287b35db49ac80e9adf95df165c 66196b18fcce2381b23c5575822a79542d009f039ec872eeaa199dbe97bbb26f 67f172a5505a404b8817a9f6dabb11a7d5c0bb4cc22d60e13a38d9a70a4d8e97 855033ed08a2ab3e8e157ba89696d9d9eab207a98fde70a60752f88607394b98 8cc1dcb771e5d781e5fa805cbfc349b768996cb363ee311b97a56b7a485c50c3 8e2761a959dbf166a680e0865438238f3f857a25466fc497bb5c25c1ce7f31c6 957881f71c8988d70b6d9aef095a70bae4256adefc160374ef4db1a09cf526b7 965e0adee6460a5bf1724e9b9c37542cff44abc50a7c8cf1a7b027bd0a3c8885 99584a5853ee407a4924921589e995dbbc135014c2f7a09e0887f45dfb0ce1c4 9b6b29ddd0789e95a73c9ea48d7335555dbf20064b8459549729332044c341c2 a917ac90f8a680731d543c6f93cdb7968d750fda8a36e8f531c01b5849150cb2 `

*See JSON for more IOCs

#### Coverage

Product | Protection
---|---
Secure Endpoint | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg)
Cloudlock | N/A
CWS | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg)
Email Security | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg)
Network Security | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg)
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg)
Umbrella | N/A
WSA | N/A

#### Screenshots of Detection

#### Secure Endpoint

[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFuqfIdr59pUM45eN1Shlvsxd1KoITfgiJytIxzezBCvFG3Yxhx6PPlj1WOOPdO0CcWEPj03OnnlwF68sjYTZ8dk3sFOiv8uwyZ9hUujzKr55JZ4YyA_k0eFZR5BxNDbR1OXUHkIUA4cJO22qinkDO3vc7zQiejbZGPuxavaCNKtaTtrj-Q3a1ETRb/w400-h274/amp_67f172a5505a404b8817a9f6dabb11a7d5c0bb4cc22d60e13a38d9a70a4d8e97_20220921.png)]()

#### Secure Malware Analytics

[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgi0u4tWjCUK2t5rB5pUfcFifZmovuZG_1ZDoHNFXNFAmJciwmENyy9FlBzYWvbHTBJHriwTNoDwJA4svYuqhfaWXz1pstVyaFfCPpi_qAkvdxrYIc30U8IPGm3IDcTyWyZiZaUurSeDLia3CZfPHmMyLafwGID5jllxBCv5LTK1uUKFThQn13jIWSd/w640-h532/tg_3dca218d2bb5c419d0f92c5c5b8e9a891c817bc4c52f465fc89980f9c55551e6_20220921.png)]()

#### MITRE ATT&CK

[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqzS719LWUfl722i41zfiyJuNWFwaxCfI2tA1mVZT8RkOZUL2hSzOBAXa05PcSvqeiWR2IR9PNQhlahq_9L6xKXgOp6it5Pmo4cTY23HOCNIQC2_gLowomG-DxBAe-WEpTCEfNDqzQWupJW2JHgjJ6XMYa_C6CiYm9nmqsEKm0PyiOkxSlcfRwLdHp/w640-h398/mitre_attack_30922.png)]()

* * *

### Win.Packed.Nanocore-9970631-0

#### Indicators of Compromise

* IOCs collected from dynamic analysis of 16 samples

Registry Keys | Occurrences
---|---
`SOFTWAREWOW6432NODEMICROSOFTWINDOWSCURRENTVERSIONRUN Value Name: AGP Manager` | 16

Mutexes | Occurrences
---|---
`Global{5f88600c-86da-4b30-b45c-8e6d9614baec}` | 16

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`176[.]136[.]210[.]152` | 16

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`foobosmy[.]duckdns[.]org` | 16

Files and or directories created | Occurrences
---|---
`%ProgramFiles(x86)%AGP Manager` | 16
`%ProgramFiles(x86)%AGP Manageragpmgr.exe` | 16
`%APPDATA%D19AB989-A35F-4710-83DF-7B2DB7EFE7C5` | 16
`%APPDATA%D19AB989-A35F-4710-83DF-7B2DB7EFE7C5Logs` | 16
`%APPDATA%D19AB989-A35F-4710-83DF-7B2DB7EFE7C5LogsAdministrator` | 16
`%APPDATA%D19AB989-A35F-4710-83DF-7B2DB7EFE7C5run.dat` | 16
`%APPDATA%D19AB989-A35F-4710-83DF-7B2DB7EFE7C5task.dat` | 16
`%System32%TasksAGP Manager` | 16
`%System32%TasksAGP Manager Task` | 16
`%APPDATA%MicrosoftWindowsStart MenuProgramsStartupvftwrxguvulmqhj.eu.url` | 16
`%APPDATA%zvgrxunhzg` | 16
`%APPDATA%zvgrxunhzgvftwrxguvulmqhj.exe` | 16
`%TEMP%tmp.tmp` | 16

#### File Hashes

` 134e0430e528508da28d81b2b4ece6c9273fb568a561dd507f26d666a9eb06b3 168455cbc98ae29cafcd0dc1587c449e208e5c4f8ca59420b3667c9f698a7c51 18d834d0819c859ca179e182dfb1cdedac88857124024bfce1d0368b414f50c0 3974f625f1fb08a2174021705db11ae31aa326357728ae0b1cdf102b80eb5763 3a7b0af05b1e41786cc3ff6d99d723418b89340df9ae67837001c6a31cafb4e5 6ffff5899e1086659ba7b24a72212c8531c334643757c46d4c837460c5380693 82defa5374685563056b630ef12a46f21408cace520e72af239b47afea32e8f8 8eb183d70b6842a68d17c3950b22fabbc4f2e6de8129afddcd2fb25d03fc7df9 8fe07daa7730dc17d3fdf7134e85da268a10ce447b4c3d810d433285a35cc9e6 9b46ecd089a55744c52ac2df7882a507dd1f97a3fd40805d9eccbdbbb6aed463 9dcfa90e87d3e281a4f42d3253b1ae3386930985c0ae5f9fb29e32284d7924ce aa4adb36cd79f611579e74bc562fb5f6282bce4d9cc5699e1db2aeb7a92151de b2eb77614315a5d51d44911016d2a235324af0d403de6a55262c9b1e3e74130f dc6284d0afde4a6fb81efdb496149c6b708af0f3497e96a63162131a839879c1 dff727df396c8c954148fa078980de5e7d35a2fc000bb75905b94e6a2b7f5ff0 fd70c1b68017c46b3050ee7932d3494bca6216151ddb7fcabc36f1a0649112d3 `

#### Coverage

Product | Protection
---|---
Secure Endpoint | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg)
Cloudlock | N/A
CWS | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg)
Email Security | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg)
Network Security | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg)
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg)
Umbrella | N/A
WSA | N/A

#### Screenshots of Detection

#### Secure Endpoint

[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguQmRj0fn1FpkDdTz2dHybdfQY6iZ2IcmSXcQSF1P_5GqT2y-1lwRIWe9MxE1no_smJLVFCnYQqWiBPgQp5OnIW9701Y0XZFsnhYkVCk2HNzdNS1UiJvqU9bSoEBgaGukCWqLJTixOKfL1vn79vIG16jEo0ZxXwY1bqSdJ47N9OlipsZwRt-5mysAb/w400-h274/amp_dc6284d0afde4a6fb81efdb496149c6b708af0f3497e96a63162131a839879c1_20220921.png)]()

#### Secure Malware Analytics

[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHT8d7eBe5EfRJ4d7SMruIdMYT-dxFuXH8FlNh1bGBHF7D40bPiMuiLySKJKii1uOqaYjiRCk97-hgUSokASizh2XDIBwltGDePnVnSAzpruW3F_b45gPwLltRbshyGGRKLvEGYBt31sfTD4KRTgb3cLM12VpyUUZIgENc9gwlpkAoqz5PwdaXBOw0/w640-h532/tg_dc6284d0afde4a6fb81efdb496149c6b708af0f3497e96a63162131a839879c1_20220921.png)]()

#### MITRE ATT&CK

[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfc9yWIPymLqIfuluz3dvTaYqaZIVkBTzkSg9qn15ijxB_Jq-H-b2X_MuzAM9wJ8_cA07Pvz2sRzsxCAJ_9ZLHff2lOIOZHyQP4vLwNqSdOOzAys2BbQpaJoiTigicNCFLtP_gFtFqcvwYxCA13ViM4rVaEkhZgMqRnmqCCglhVDyKpOjuyBE_gznH/w640-h398/mitre_attack_30916.png)]()

* * *

### Win.Dropper.Formbook-9970817-0

#### Indicators of Compromise

* IOCs collected from dynamic analysis of 15 samples

Registry Keys | Occurrences
---|---
`LOCAL SETTINGSMUICACHE8252C64B7E Value Name: LanguageList` | 4
`SOFTWAREMICROSOFTWINDOWSCURRENTVERSIONRUN Value Name: QWbqZbz` | 1

Mutexes | Occurrences
---|---
`8-3503835SZBFHHZ` | 1
`S-1-5-21-2580483-12441345692046` | 1
`KP30NU33–DvY01Z` | 1
`Global5292ba81-3a39-11ed-9660-001517e40972` | 1
`aenDyAN` | 1
`Global46b1a361-3a9e-11ed-9660-001517a459ad` | 1

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`132[.]226[.]247[.]73` | 2
`198[.]185[.]159[.]145` | 1
`149[.]154[.]167[.]220` | 1
`34[.]102[.]136[.]180` | 1
`193[.]122[.]6[.]168` | 1
`193[.]122[.]130[.]0` | 1
`34[.]194[.]149[.]67` | 1
`104[.]18[.]115[.]97` | 1
`199[.]59[.]243[.]222` | 1
`8[.]130[.]101[.]174` | 1
`154[.]86[.]16[.]11` | 1
`5[.]2[.]84[.]51` | 1

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`checkip[.]dyndns[.]org` | 4
`icanhazip[.]com` | 1
`api[.]telegram[.]org` | 1
`www[.]locallywhitstable[.]co[.]uk` | 1
`www[.]fftblogs[.]com` | 1
`www[.]lanyuelou[.]com` | 1
`www[.]icishopping[.]com` | 1
`www[.]mooreandsonsak[.]net` | 1
`www[.]junaidsubhani[.]tech` | 1
`mail[.]boyyem[.]com[.]tr` | 1

Files and or directories created | Occurrences
---|---
`%System32%TasksUpdates` | 3
`%APPDATA%QWbqZbz` | 1
`%APPDATA%QWbqZbzQWbqZbz.exe` | 1
`%TEMP%tmp67A.tmp` | 1
`%APPDATA%Hmcuym.exe` | 1
`%System32%TasksUpdatesHmcuym` | 1
`%TEMP%tmpBA86.tmp` | 1
`%APPDATA%hmlkDX.exe` | 1
`%System32%TasksUpdateshmlkDX` | 1
`%TEMP%tmpA204.tmp` | 1
`%APPDATA%idnepTZUXvdc.exe` | 1
`%System32%TasksUpdatesidnepTZUXvdc` | 1

#### File Hashes

` 23ed86473177a66d71540c3d3ac737aa5a4d30644af5710a54ebbb5e348fa2ee 2f2e0f257103ce5edb8051b532f00204bf882cbdec68de38c6fe8ea18390f9d2 33f83dffcd247e3fefedefb2b591598eda89c7a47892d45d3051df760b60a74a 39dd36743f55ee7885cd4033e9705a0bdf2dea44416bbdc6ec6d8384c3d4e20d 53a95222b2d47e3b44240183d0eafbc7f64bcbd88bbe61af3580ab00c5f0ff85 75ce7e84cc5c6682354ceb8edc7f0b77be3ecdda500d1b0178accd0c6158f980 9da14f5b4c27946dc53283a1773e0de7246b170e11b06be9fd8c27d095054d5b a8b84e503c11cce5530fb019cd43a0306656dd22e78eac4279a332b00430ed8d a933028fe3b25879543cc98653b7cf66d5b2ef8dfbae539bb8d284a5f9cd4c9e c1226a8fab28514368ebf700c5bb48e993c05e019e86a6db8c7ccc6105696a21 ca3afdd3df6970f8026481a1d7800d86ba9852aa6a12325330a91f05aa60fb32 da67541015af6ddee5bad1432ecc3efbf85cde69c494fd1635edbae606c4a628 e7612d60681cabff03ff3bbcb0a3985a94430375e941fd8dc58e1df8151930b1 e7cbf5001db95b997003f00bcac7ca10231130e2127470ead43f6563ebcda5fc f46e6b0438003a0daeec5461f9f01dd676b39243be432365a9c59116dc6613b5 `

#### Coverage

Product | Protection
---|---
Secure Endpoint | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg)
Cloudlock | N/A
CWS | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg)
Email Security | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg)
Network Security | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg)
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg)
Umbrella | N/A
WSA | N/A

#### Screenshots of Detection

#### Secure Endpoint

[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGXizWrErilIKyn6mN622Z6KB-zC_s2ezxb5vZgb2sq6bwSGb7AwjYPXqNqWJ8sCMSbpg1oZtZJkx2uNgGpBqp9hxAKjpD_BcXOA-Yp4uJorSUE06M6w9CKFhS2YvBCPTgFLMI7_KxgCseOFr6Q_D-CmnruFky3SeHQia9NJ9rYHPNRWLmSQPNn2SM/w400-h274/amp_e7cbf5001db95b997003f00bcac7ca10231130e2127470ead43f6563ebcda5fc_20220922.png)]()

#### Secure Malware Analytics

[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiL86YB6ODpeiX5YXHFk-XK0EQnP0NDVXzPIvU-0VEu8ti-2LgfOqiyOIKTOE_3bHG6mriiyekyFmqz9obKYzuHngiJhmW4BYtqWJRc9t7ZOVOqaJHBxwoVQQ7FaznzvMANLtDyL05TYb4TcI6xhneGrQ7ZutxhC_d6zXpjtbyWj6yb3KTyVLPbnwSn/w640-h532/tg_e7cbf5001db95b997003f00bcac7ca10231130e2127470ead43f6563ebcda5fc_20220922.png)]()

#### MITRE ATT&CK

[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggNQ2dfkCdmDgMoo7qZHlwkSzxIOsweX7mcYdYZ_78lp-1BvBeKU95BdfJEAH3YEnwFgaM0HMiriHhB33Joel1mhfsG5QGBhtufnpbfzhADAjanJG4gYby1JoD2G-QWgo74EbmqA_cnvSqJynZTde3mNFqWC9Oq775O3Jj-QeyuGD0awCJGUmvsFdP/w640-h398/mitre_attack_30910.png)]()

* * *

### Win.Ransomware.BlackMatter-9970818-0

#### Indicators of Compromise

* IOCs collected from dynamic analysis of 18 samples

Registry Keys | Occurrences
---|---
`LOCAL SETTINGSMUICACHE8252C64B7E`, Value Name: `LanguageList` | 18
`SOFTWAREWOW6432NODEMICROSOFTWINDOWSCURRENTVERSIONEXPLORER`, Value Name: `GlobalAssocChangedCounter` | 17
`SYSTEMCONTROLSET001SERVICESVSS`, Value Name: `DeleteFlag` | 16
`SYSTEMCONTROLSET001SERVICESVSS`, Value Name: `Start` | 16
`SOFTWARECLASSESISTTBGKAFDEFAULTICON` | 1
`SOFTWARECLASSES.YYBUFJ3PN` | 1
`SOFTWARECLASSESYYBUFJ3PN` | 1
`SOFTWARECLASSESYYBUFJ3PNDEFAULTICON` | 1
`SOFTWARECLASSES.YYBUFJ3PN` | 1
`SOFTWARECLASSESYYBUFJ3PNDEFAULTICON` | 1
`SOFTWARECLASSES.WQCENFTHJ` | 1
`SOFTWARECLASSESWQCENFTHJ` | 1
`SOFTWARECLASSESWQCENFTHJDEFAULTICON` | 1
`SOFTWARECLASSES.EL7OOPHD2` | 1
`SOFTWARECLASSES.WQCENFTHJ` | 1
`SOFTWARECLASSESEL7OOPHD2` | 1
`SOFTWARECLASSESWQCENFTHJDEFAULTICON` | 1
`SOFTWARECLASSESEL7OOPHD2DEFAULTICON` | 1
`SOFTWARECLASSES.EL7OOPHD2` | 1
`SOFTWARECLASSESEL7OOPHD2DEFAULTICON` | 1
`SOFTWARECLASSES.PF4SBMUII` | 1
`SOFTWARECLASSESPF4SBMUII` | 1
`SOFTWARECLASSESPF4SBMUIIDEFAULTICON` | 1
`SOFTWARECLASSES.PF4SBMUII` | 1
`SOFTWARECLASSESPF4SBMUIIDEFAULTICON` | 1
Mutexes | Occurrences
---|---
`Global{649F4E29-16CB-DD42-8922-9FFF0592856B}` | 1
`Globaldc0d7207879493a1bb8d21571501a3c6` | 1
`Global3b84b750e7b0c183e81917fcc29ae2b` | 1
`Global68d784f599b693adb48d474d1722e8e9` | 1
`Global10b5e1850ed6703d7665a1adf3e368f4` | 1
`Globalb36e0b827c995460aa570434a5517221` | 1
`Global2f26f3d09ccaf40de88c7029b61a3701` | 1
`Global9edc1729071cfeb8f9fe5f019ce0054a` | 1
`Global459bf63110ce888f28d3fd21adc5b730` | 1
`Global391396896a2cb3a40a83c4fbbe4675f3` | 1
`Global4c3e3cb8c6ed0804dcd51ba2638722cd` | 1
`Globalb32ca9dec339d33dd1bd5908acf4ce2` | 1
`Global4fe0268a70e4d52b0350071e277b194f` | 1
`Globalee7e1dcdc809584b5f8189eb071d9f66` | 1
`Globaldfd07220109cd1dfb3c5268b025a72f3` | 1
`Globalaa1f32bc8faeb8bbba36c0d7ccb5c0a0` | 1
`Global2c43957a37f865be08b53665ca3386d7` | 1
`Globald40e39e3314b8106bbc67d7dd3c2c4f4` | 1
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`test[.]white-datasheet[.]com` | 1
Files and or directories created | Occurrences
---|---
`$Recycle.BinS-1-5-21-2580483871-590521980-3826313501-1002desktop.ini` | 18
`$Recycle.BinS-1-5-21-2580483871-590521980-3826313501-500$I08BO8F.xlsx` | 18
`$Recycle.BinS-1-5-21-2580483871-590521980-3826313501-500$I11KHR4.doc` | 18
`$Recycle.BinS-1-5-21-2580483871-590521980-3826313501-500$I5QKHLN.doc` | 18
`$Recycle.BinS-1-5-21-2580483871-590521980-3826313501-500$I62TWBD.ppt` | 18
`$Recycle.BinS-1-5-21-2580483871-590521980-3826313501-500$I6FZORX.doc` | 18
`$Recycle.BinS-1-5-21-2580483871-590521980-3826313501-500$IABMX83.pdf` | 18
`$Recycle.BinS-1-5-21-2580483871-590521980-3826313501-500$IAJ2Y6R.pdf` | 18
`$Recycle.BinS-1-5-21-2580483871-590521980-3826313501-500$IALGTCS.xlsx` | 18
`$Recycle.BinS-1-5-21-2580483871-590521980-3826313501-500$IAPSNOM.tsv` | 18
`$Recycle.BinS-1-5-21-2580483871-590521980-3826313501-500$IGORSF7.xsn` | 18
`$Recycle.BinS-1-5-21-2580483871-590521980-3826313501-500$IGTBBSA.accdb` | 18
`$Recycle.BinS-1-5-21-2580483871-590521980-3826313501-500$IH49RPF.ppt` | 18
`$Recycle.BinS-1-5-21-2580483871-590521980-3826313501-500$IH71GGR.ppt` | 18
`$Recycle.BinS-1-5-21-2580483871-590521980-3826313501-500$IJKODPH.pdf` | 18
`$Recycle.BinS-1-5-21-2580483871-590521980-3826313501-500$IJP965K.accdb` | 18
`$Recycle.BinS-1-5-21-2580483871-590521980-3826313501-500$IKY5R3M.pdf` | 18
`$Recycle.BinS-1-5-21-2580483871-590521980-3826313501-500$IMYCSIT.pdf` | 18
`$Recycle.BinS-1-5-21-2580483871-590521980-3826313501-500$ISLP722.doc` | 18
`$Recycle.BinS-1-5-21-2580483871-590521980-3826313501-500$IXLC77A.pdf` | 18
`$Recycle.BinS-1-5-21-2580483871-590521980-3826313501-500$IXUL2U1.doc` | 18
`$Recycle.BinS-1-5-21-2580483871-590521980-3826313501-500$IYSR1FU.ppt` | 18
`$Recycle.BinS-1-5-21-2580483871-590521980-3826313501-500$IZ2GMJW.XLSX` | 18
`$Recycle.BinS-1-5-21-2580483871-590521980-3826313501-500$R08BO8F.xlsx` | 18
`$Recycle.BinS-1-5-21-2580483871-590521980-3826313501-500$R11KHR4.doc` | 18

*See JSON for more IOCs

#### File Hashes


#### Coverage

Product | Protection
---|---
Secure Endpoint | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg)
Cloudlock | N/A
CWS | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg)
Email Security | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg)
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg)
Umbrella | N/A
WSA | N/A

#### Screenshots of Detection

#### Secure Endpoint

[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyUmsOgd_UEqgvKZbmnoP4O7QS7PmW9k8rOFdjgUW5sJ9i0LBtKOu1En4xThC52lXSYPxUhpUdZi6_ztdOUt4fv3UlF7YClew2744uh7Rgb8Vn8nwDq_GDF_Ql7NziLOPIaMwWoYFcMFQ0ouspiG0xFrKrOBql90FreDxwk2mkr7wUb2zu30JPZkWf/w400-h274/amp_f1ecb57988caf26216683b1314607f06f8bf051632ff7ba73f17c2dc9b3aafcc_20220922.png)]()

#### Secure Malware Analytics

[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYQLJ51KacsDvE2RMu7XtIG35GXYIIeAgoybL65xzXqqbIrG8wd3o2say6HwDiL4x7v5vQOgLPow4kf_ZnloiCT3Kz3Zqqnx-yCHqxF7b3SoFqJ5Nh1ltKCALSo8Mg6__EVSMpMkimoPpdz9KTUygJKaEa7L3IzE7TBl0a5NrUR7GYQfoNrZrAIopH/w640-h532/tg_f1ecb57988caf26216683b1314607f06f8bf051632ff7ba73f17c2dc9b3aafcc_20220922.png)]()

#### MITRE ATT&CK

[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDlJeV-Er0ZnR3JKwUggtWd2I5Mj7rIW4klQBWiDP9w-ZuuB91MYxPmMgKWU0I02KErSP7j0JiLuXJKU5wjYKwffK_LgGhAZFd5NsxVrj4BlVRioID-HzpabIEHcSqK4Oja9dFv1rwJtlWiy08NMDaM-TFcnDvpPGSoePmRzLuIUlV5CP0nM39QZHR/w640-h398/mitre_attack_30908.png)]()

* * *

### Win.Dropper.DarkKomet-9970824-0

#### Indicators of Compromise

* IOCs collected from dynamic analysis of 269 samples

Registry Keys | Occurrences
---|---
`SYSTEMCONTROLSET001SERVICESWINDOWSDRIVER` | 268
`SYSTEMCONTROLSET001SERVICESWINDOWSDRIVER`, Value Name: `Type` | 268
`SYSTEMCONTROLSET001SERVICESWINDOWSDRIVER`, Value Name: `Start` | 268
`SYSTEMCONTROLSET001SERVICESWINDOWSDRIVER`, Value Name: `ErrorControl` | 268
`SYSTEMCONTROLSET001SERVICESWINDOWSDRIVER`, Value Name: `ImagePath` | 268
`SYSTEMCONTROLSET001SERVICESWINDOWSDRIVER`, Value Name: `DisplayName` | 268
`SYSTEMCONTROLSET001SERVICESWINDOWSDRIVER`, Value Name: `WOW64` | 268
`SYSTEMCONTROLSET001SERVICESWINDOWSDRIVER`, Value Name: `ObjectName` | 268
`SYSTEMCONTROLSET001SERVICESWINDOWSDRIVERPARAMETERS` | 268
`SOFTWAREWOW6432NODEMICROSOFTWINDOWS NTCURRENTVERSIONSVCHOST`, Value Name: `WindowsDriver` | 268
`SYSTEMCONTROLSET001SERVICESWINDOWSDRIVERPARAMETERS`, Value Name: `ServiceDll` | 268
`LOCAL SETTINGSMUICACHE8252C64B7E`, Value Name: `LanguageList` | 19
`LOCAL SETTINGSMUICACHE8252C64B7E`, Value Name: `@explorer.exe,-7001` | 10
`LOCAL SETTINGSMUICACHE8252C64B7E`, Value Name: `@C:Windowssystem32DeviceCenter.dll,-2000` | 5
`.DEFAULTSOFTWAREMICROSOFTWINDOWSCURRENTVERSIONINTERNET SETTINGS\CACHECONTENT`, Value Name: `CachePrefix` | 2
`.DEFAULTSOFTWAREMICROSOFTWINDOWSCURRENTVERSIONINTERNET SETTINGS\CACHECOOKIES`, Value Name: `CachePrefix` | 2
`.DEFAULTSOFTWAREMICROSOFTWINDOWSCURRENTVERSIONINTERNET SETTINGS\CACHEHISTORY`, Value Name: `CachePrefix` | 2
Mutexes | Occurrences
---|---
`IEo.txt` | 268
`quansg` | 265
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`183[.]110[.]225[.]61` | 265
`112[.]175[.]100[.]207` | 265
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`kanmay[.]cafe24[.]com` | 265
Files and or directories created | Occurrences
---|---
`%SystemRoot%SysWOW64IEn.txt` | 268
`%SystemRoot%SysWOW64WindowsDriver.dll` | 268

#### File Hashes


*See JSON for more IOCs

#### Coverage

Product | Protection
---|---
Secure Endpoint | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg)
Cloudlock | N/A
CWS | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg)
Email Security | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg)
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | ![This has coverage](https://www.talosintelligence.com/assets/icon_check_white.svg)
Umbrella | N/A
WSA | N/A

#### Screenshots of Detection

#### Secure Endpoint

[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMIeQCy8pt0zYfIrTFBa26UhiDTEjISRgGQXZjw1MQu7W_i20OYFXyGmPBWRwkdtEfOV8FFg3fZED6OXQ5XRj7MhodpL-gQIAArh8oJGuNyuXTqLgMHQgl-ixsfkaRwxk0eR599YtCw2zeJjC-6LS35MPyxVUvyaeRaABFoGreCfzyZD9UsKIwTR5Q/w400-h274/amp_0ca9110869dd63e0118be5c519c9e143010f4cf0ba2b1101aba59249f1285b52_20220922.png)]()

#### Secure Malware Analytics

[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3kHbimWcg_QWko8SsRIHsc4y6qVxTZBMd_2C5Tb7-C1HQlVrx9K1m6mDM4OgijFkYC0RFnRSZBI0v1SRhxxplTvK7oAF8lH6bCBME7vDkVJf18muIC5tkobRLSu24eDR_C5WM78BS1RqMhjLhmwRkcW8v9uCW7mTAmIBwp26xz9qE0XQIT-ufdDwQ/w640-h532/tg_3851f2b61fd7871b922f00bf56c531546f044a678afac424a3026af10fd665e5_20220922.png)]()

#### MITRE ATT&CK

[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfu0nTFmEdnYDQeLNv62gU9znDXYMeIq6Pf07_6wKxpkg4AHewQ_61uRMUcJqJ-q8mL9gNy1upSaKWg0taAZomBQSS3rfGWOUQi7xSlsdigglfATBfJje-ghrptcqpq6BooarbHsnBRg3wqvJkbnD5y-ggaLTOWi9ZTKlTJq0VQN2OYh0siF4q2hyw/w640-h398/mitre_attack_30902.png)]()

* * *