Threat Roundup for April 14 to April 21

![Threat Roundup for April 14 to April 21](https://blog.talosintelligence.com/content/images/2023/04/threat-roundup-3.jpg)

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between April 21 and April 28. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.
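One way to consume the IOC tables below, written as an added example (not Talos code): it refangs the `[.]`-defanged domains, normalizes registry keys the way the roundup prints them (hive stripped, upper-cased), suppresses the benign infrastructure the network tables mark as not indicating maliciousness, and only grades a host as a likely match when hits span more than one IOC category, in line with the caveat above. The Bifrost indicators are copied from this post; the telemetry lines, event names and the two-category threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Indicators copied from the Bifrost section of this roundup. Domains stay
# defanged exactly as printed. Registry entries are written with the
# backslashes the printed keys lost (assumed layout), key and value name
# joined by a backslash; a bare key matches any value set under it.
BIFROST_IOCS = {
    "mutex": {"Spy-Net", "Spy-Net_Sair", "Bif1234"},
    "domain": {"mola1986[.]no-ip[.]org"},
    "registry": {
        r"SOFTWARE\FORUM SERVER",
        r"SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\bbbt",
    },
    "file": {r"%TEMP%\Decrypted.exe"},
}

# Infrastructure the roundup's network tables list but explicitly mark as
# not indicating maliciousness; a lookup of these alone is not a hit.
BENIGN_DOMAINS = {"cacerts.digicert.com", "download.microsoft.com", "google.com"}

# Constructed endpoint telemetry (not from the roundup): "<host> <event> k=v ...".
SAMPLE_TELEMETRY = r"""
ws01 mutex_create name=Spy-Net
ws01 dns_query name=mola1986.no-ip.org
ws01 reg_set key=HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value=bbbt
ws01 file_create path=C:\Users\alice\AppData\Local\Temp\Decrypted.exe
ws02 dns_query name=download.microsoft.com
ws03 mutex_create name=Bif1234
ws03 reg_set key=HKLM\SOFTWARE\Vendor\Product value=Version
"""

HIVE_RE = re.compile(r"^(HKLM|HKCU|HKEY_[A-Z_]+)\\", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Turn the roundup's defanged form (a[.]b[.]c) back into a resolvable name."""
    return ioc.replace("[.]", ".")


def norm_reg(path: str) -> str:
    """Drop the hive prefix and upper-case, matching how the roundup prints keys."""
    return HIVE_RE.sub("", path).upper()


def file_matches(path: str, ioc: str) -> bool:
    """Match a %VAR%-prefixed IOC on the path tail that follows the variable."""
    m = re.match(r"^%[^%]+%(.*)$", ioc)
    tail = m.group(1) if m else ioc
    return path.lower().endswith(tail.lower())


def parse_line(line: str):
    """Split '<host> <event> k=v k=v' into its parts (values contain no spaces)."""
    parts = line.split(" ", 2)
    rest = parts[2] if len(parts) > 2 else ""
    return parts[0], parts[1], dict(re.findall(r"(\w+)=(\S*)", rest))


def match_event(event: str, fields: dict, iocs=BIFROST_IOCS):
    """Return the IOC category an event hits, or None."""
    if event == "mutex_create" and fields.get("name") in iocs["mutex"]:
        return "mutex"
    if event == "dns_query":
        name = fields.get("name", "").lower()
        if name not in BENIGN_DOMAINS and name in {refang(d) for d in iocs["domain"]}:
            return "domain"
    if event == "reg_set":
        key = norm_reg(fields.get("key", ""))
        targets = {t.upper() for t in iocs["registry"]}
        if key in targets or key + "\\" + fields.get("value", "").upper() in targets:
            return "registry"
    if event == "file_create" and any(
        file_matches(fields.get("path", ""), f) for f in iocs["file"]
    ):
        return "file"
    return None


def assess(telemetry: str, iocs=BIFROST_IOCS):
    """Grade each host: 'none', 'weak' (one category) or 'likely' (two or more).
    The two-category threshold is this example's choice, not a Talos rule."""
    lines = telemetry.strip().splitlines()
    hits = defaultdict(set)
    for line in lines:
        host, event, fields = parse_line(line)
        cat = match_event(event, fields, iocs)
        if cat:
            hits[host].add(cat)
    verdicts = {}
    for host in sorted({l.split(" ", 1)[0] for l in lines}):
        cats = sorted(hits.get(host, ()))
        verdicts[host] = ("likely" if len(cats) > 1 else "weak" if cats else "none", cats)
    return verdicts


if __name__ == "__main__":
    for host, (verdict, cats) in assess(SAMPLE_TELEMETRY).items():
        print(f"{host}: {verdict} {cats}")
```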

The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
---|---|---
Win.Dropper.Bifrost-9998862-0 | Dropper | Bifrost is a backdoor with more than 10 variants. Bifrost uses the typical server, server builder, and client backdoor program configuration to allow a remote attacker, who uses the client, to execute arbitrary code on the compromised machine. Bifrost contains standard RAT features including a file manager, screen capture utility, keylogging, video recording, microphone and camera monitoring, and a process manager. In order to mark its presence in the system, Bifrost uses a mutex that may be named "Bif1234," or "Tr0gBot."
Win.Dropper.Tofsee-9997698-0 | Dropper | Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator's control.
Win.Virus.Ramnit-9997699-0 | Virus | Ramnit is a banking trojan that monitors web browser activity on an infected machine and collects login information from financial websites. It also has the ability to steal browser cookies and attempts to hide from popular antivirus software.
Win.Dropper.Remcos-9998831-1 | Dropper | Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, and capture screenshots. This malware is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Dropper.DarkComet-9998118-1 | Dropper | DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.
Win.Virus.Xpiro-9998650-1 | Virus | Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.
Win.Dropper.LokiBot-9997784-0 | Dropper | Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.
Win.Downloader.Upatre-9998551-0 | Downloader | Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.
Win.Ransomware.Cerber-9998102-0 | Ransomware | Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension ".cerber," although in more recent campaigns other file extensions are used.

* * *

## Threat Breakdown

### Win.Dropper.Bifrost-9998862-0

#### Indicators of Compromise

* IOCs collected from dynamic analysis of 36 samples

Registry Keys | Occurrences
---|---
`SOFTWARE\FORUM SERVER` | 6
`SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{OY2O4VXC-P514-O36S-5W0B-V135334Y4PE5}` | 6
`SOFTWARE\WOW6432NODE\FORUM SERVER` | 6
`SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{OY2O4VXC-P514-O36S-5W0B-V135334Y4PE5}`<br>Value Name: `StubPath` | 6
`SOFTWARE\FORUM SERVER`<br>Value Name: `FirstExecution` | 6
`SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN`<br>Value Name: `tbtrb` | 6
`SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN`<br>Value Name: `bbbt` | 6
`SOFTWARE\FORUM SERVER`<br>Value Name: `FileNameAtual` | 6
`SOFTWARE\FORUM SERVER`<br>Value Name: `ByPersist` | 6
`SOFTWARE\FORUM SERVER`<br>Value Name: `FileName` | 6
`SOFTWARE\WOW6432NODE\FORUM SERVER`<br>Value Name: `HKLM` | 6
`SOFTWARE\FORUM SERVER`<br>Value Name: `HKCU` | 6

Mutexes | Occurrences
---|---
`Spy-Net` | 6
`Spy-Net_Sair` | 6
`Bif1234` | 4
`stb` | 1
`Global\71b0ff21-e3cc-11ed-9660-001517619ccc` | 1
`Global\a08a09e1-e3cc-11ed-9660-0015178afdb9` | 1
`Global\6bc18981-e3cd-11ed-9660-0015170e0b8c` | 1
`Global\1dc44421-e3cd-11ed-9660-0015177d9b69` | 1

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`mola1986[.]no-ip[.]org` | 6

Files and/or directories created | Occurrences
---|---
`%TEMP%\Decrypted.exe` | 13
`%SystemRoot%\SysWOW64\btbrtb` | 6
`%SystemRoot%\SysWOW64\btbrtb\btrbbtr.exe` | 6

#### File Hashes

*See JSON for more IOCs

#### Coverage

Product | Protection
---|---
Secure Endpoint | ![check](https://www.talosintelligence.com/assets/icon_check_white.svg)
Cloudlock | N/A
CWS | ![check](https://www.talosintelligence.com/assets/icon_check_white.svg)
Email Security | ![check](https://www.talosintelligence.com/assets/icon_check_white.svg)
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | ![check](https://www.talosintelligence.com/assets/icon_check_white.svg)
Umbrella | N/A
WSA | N/A

#### Screenshots of Detection

#### Secure Endpoint

![Threat Roundup for April 14 to April 21](https://blog.talosintelligence.com/content/images/2023/04/amp_8049d025952335eeed26b713bd4d0e94e21270e503be8551d6a93c6a861554dd_20230426.png)

#### Secure Malware Analytics

![Threat Roundup for April 14 to April 21](https://blog.talosintelligence.com/content/images/2023/04/tg_8049d025952335eeed26b713bd4d0e94e21270e503be8551d6a93c6a861554dd_20230426.png)

#### MITRE ATT&CK

![Threat Roundup for April 14 to April 21](https://blog.talosintelligence.com/content/images/2023/04/mitre_attack_33306.png)

* * *

### Win.Dropper.Tofsee-9997698-0

#### Indicators of Compromise

* IOCs collected from dynamic analysis of 245 samples

Registry Keys | Occurrences
---|---
`SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER`<br>Value Name: `DisableAntiSpyware` | 111
`SYSTEM\CONTROLSET001\SERVICES\WINDEFEND`<br>Value Name: `Start` | 111
`SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\AU` | 111
`SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\AU`<br>Value Name: `NoAutoRebootWithLoggedOnUsers` | 111
`SYSTEM\CONTROLSET001\SERVICES\WUAUSERV`<br>Value Name: `Start` | 111
`SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\AU`<br>Value Name: `NoAutoUpdate` | 111
`SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION`<br>Value Name: `DisableBehaviorMonitoring` | 111
`SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION`<br>Value Name: `DisableOnAccessProtection` | 111
`SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION`<br>Value Name: `DisableScanOnRealtimeEnable` | 111
`SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION`<br>Value Name: `DisableIOAVProtection` | 111
`SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER` | 111
`SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION` | 111
`SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE` | 111
`SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS DEFENDER\FEATURES` | 111
`SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS DEFENDER\FEATURES`<br>Value Name: `TamperProtection` | 111
`SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\REAL-TIME PROTECTION`<br>Value Name: `DisableRealtimeMonitoring` | 111
`SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER SECURITY CENTER` | 111
`SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\AU`<br>Value Name: `AUOptions` | 111
`SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\AU`<br>Value Name: `AutoInstallMinorUpdates` | 111
`SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER SECURITY CENTER\NOTIFICATIONS` | 111
`SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER SECURITY CENTER\NOTIFICATIONS`<br>Value Name: `DisableNotifications` | 111
`SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\AU`<br>Value Name: `UseWUServer` | 111
`SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE`<br>Value Name: `DoNotConnectToWindowsUpdateInternetLocations` | 111

Mutexes | Occurrences
---|---
`Random name` | 3
`MSCTF.Asm.{00000009-4fb3f26-9d18-66b568-627b8a85e4b6}` | 3
`Global\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620}` | 3
`Session\1\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620}` | 3
`Session\2\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620}` | 3
`Session\3\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620}` | 3
`Session\4\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620}` | 3
`Session\5\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620}` | 3
`Session\6\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620}` | 3
`Session\7\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620}` | 3
`Session\8\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620}` | 3

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`176[.]113[.]115[.]145` | 124
`185[.]11[.]61[.]125` | 5
`179[.]43[.]154[.]216` | 3
`192[.]229[.]211[.]108` | 2
`69[.]192[.]209[.]23` | 2

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`cacerts[.]digicert[.]com` | 2
`download[.]microsoft[.]com` | 2

Files and/or directories created | Occurrences
---|---
`%LOCALAPPDATA%\Yandex` | 89
`%LOCALAPPDATA%\Yandex\YaAddon` | 89
`x5cx55x73x65x72x73x5cx41x64x6dx69x6ex69x73x74x72x61x74x6fx72x5cx41x70x70x44x61x74x61x5cx4cx6fx63x61x6cx5cx4dx69x63x72x6fx73x6fx66x74x5cx57x69x6ex64x43ex77x73` | 4

#### File Hashes

*See JSON for more IOCs

#### Coverage

Product | Protection
---|---
Secure Endpoint | ![check](https://www.talosintelligence.com/assets/icon_check_white.svg)
Cloudlock | N/A
CWS | ![check](https://www.talosintelligence.com/assets/icon_check_white.svg)
Email Security | ![check](https://www.talosintelligence.com/assets/icon_check_white.svg)
Network Security | ![check](https://www.talosintelligence.com/assets/icon_check_white.svg)
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | ![check](https://www.talosintelligence.com/assets/icon_check_white.svg)
Umbrella | N/A
WSA | N/A

#### Screenshots of Detection

#### Secure Endpoint

![Threat Roundup for April 14 to April 21](https://blog.talosintelligence.com/content/images/2023/04/amp_1682a7f8f229e62c379fca3c6c989c748aef985e51fc6bcf76d06bde9b0484cf_20230420.png)

#### Secure Malware Analytics

![Threat Roundup for April 14 to April 21](https://blog.talosintelligence.com/content/images/2023/04/tg_1f823a8e6b0754daa9a4ee7cd3d1dcd74b7272472fa6b7f558d6e56a43177158_20230420.png)

#### MITRE ATT&CK

![Threat Roundup for April 14 to April 21](https://blog.talosintelligence.com/content/images/2023/04/mitre_attack_33308.png)

* * *

### Win.Virus.Ramnit-9997699-0

#### Indicators of Compromise

* IOCs collected from dynamic analysis of 12 samples

Registry Keys | Occurrences
---|---
`SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER`<br>Value Name: `AntiVirusOverride` | 12
`SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER`<br>Value Name: `AntiVirusDisableNotify` | 12
`SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER`<br>Value Name: `FirewallDisableNotify` | 12
`SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER`<br>Value Name: `FirewallOverride` | 12
`SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER`<br>Value Name: `UpdatesDisableNotify` | 12
`SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER`<br>Value Name: `UacDisableNotify` | 12
`SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM`<br>Value Name: `EnableLUA` | 12
`SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE`<br>Value Name: `EnableFirewall` | 12
`SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE`<br>Value Name: `DoNotAllowExceptions` | 12
`SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE`<br>Value Name: `DisableNotifications` | 12
`SYSTEM\CONTROLSET001\SERVICES\WSCSVC`<br>Value Name: `Start` | 12
`SYSTEM\CONTROLSET001\SERVICES\WINDEFEND`<br>Value Name: `Start` | 12
`SYSTEM\CONTROLSET001\SERVICES\MPSSVC`<br>Value Name: `Start` | 12
`SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION`<br>Value Name: `jfghdug_ooetvtgk` | 12
`SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN`<br>Value Name: `JudCsgdy` | 12
`SYSTEM\CONTROLSET001\SERVICES\WUAUSERV`<br>Value Name: `Start` | 12
`SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN`<br>Value Name: `Windows Defender` | 12
`SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON`<br>Value Name: `Userinit` | 12
`SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON`<br>Value Name: `Userinit` | 12

Mutexes | Occurrences
---|---
`{7930D12C-1D38-EB63-89CF-4C8161B79ED4}` | 12
`{79345B6A-421F-2958-EA08-07396ADB9E27}` | 12

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`35[.]205[.]61[.]67` | 12
`142[.]250[.]80[.]46` | 12
`103[.]224[.]182[.]246` | 11
`46[.]165[.]254[.]201` | 11
`72[.]26[.]218[.]70` | 11
`195[.]201[.]179[.]207` | 11
`208[.]100[.]26[.]245` | 11
`206[.]191[.]152[.]58` | 11
`72[.]251[.]233[.]245` | 11

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`google[.]com` | 12
`testetst[.]ru` | 12
`mtsoexdphaqliva[.]com` | 11
`uulwwmawqjujuuprpp[.]com` | 11
`twuybywnrlqcf[.]com` | 11
`wcqqjiixqutt[.]com` | 11
`ubgjsqkad[.]com` | 11
`iihsmkek[.]com` | 11
`tlmmcvqvearpxq[.]com` | 11
`flkheyxtcedehipox[.]com` | 11
`edirhtuawurxlobk[.]com` | 11
`tfjcwlxcjoviuvtr[.]com` | 11

Files and/or directories created | Occurrences
---|---
`%LOCALAPPDATA%\bolpidti` | 12
`%LOCALAPPDATA%\bolpidti\judcsgdy.exe` | 12
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\judcsgdy.exe` | 12
`TEMPnr3othpeM` | 12

#### File Hashes


#### Coverage

Product | Protection
---|---
Secure Endpoint | ![check](https://www.talosintelligence.com/assets/icon_check_white.svg)
Cloudlock | N/A
CWS | ![check](https://www.talosintelligence.com/assets/icon_check_white.svg)
Email Security | ![check](https://www.talosintelligence.com/assets/icon_check_white.svg)
Network Security | ![check](https://www.talosintelligence.com/assets/icon_check_white.svg)
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | ![check](https://www.talosintelligence.com/assets/icon_check_white.svg)
Umbrella | ![check](https://www.talosintelligence.com/assets/icon_check_white.svg)
WSA | ![check](https://www.talosintelligence.com/assets/icon_check_white.svg)

#### Screenshots of Detection

#### Secure Endpoint

![Threat Roundup for April 14 to April 21](https://blog.talosintelligence.com/content/images/2023/04/amp_d77f35323b96c301ea307d7858b5e795e13868b1a02a7f180ef44ade0e80a049_20230420-1.png)

#### Secure Malware Analytics

![Threat Roundup for April 14 to April 21](https://blog.talosintelligence.com/content/images/2023/04/tg_d77f35323b96c301ea307d7858b5e795e13868b1a02a7f180ef44ade0e80a049_20230420.png)

#### MITRE ATT&CK

![Threat Roundup for April 14 to April 21](https://blog.talosintelligence.com/content/images/2023/04/mitre_attack_33312.png)

* * *

### Win.Dropper.Remcos-9998831-1

#### Indicators of Compromise

* IOCs collected from dynamic analysis of 10 samples

Registry Keys | Occurrences
---|---
`SOFTWARE\MSWORDOFFICESVC-QHO80M` | 10
`SOFTWARE\MSWORDOFFICESVC-QHO80M`<br>Value Name: `EXEpath` | 10
`SOFTWARE\MSWORDOFFICESVC-QHO80M`<br>Value Name: `WD` | 10

Mutexes | Occurrences
---|---
`Remcos_Mutex_Inj` | 10
`Mutex_RemWatchdog` | 10
`mswordofficesvc-QHO80M` | 10

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`kelikjoinset[.]freedynamicdns[.]org` | 10
`noblegas[.]myftp[.]org` | 10

Files and/or directories created | Occurrences
---|---
`%APPDATA%\remcos` | 10
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\mswordsvc.vbe` | 10
`%APPDATA%\mswordsvc.exe` | 10

#### File Hashes


#### Coverage

Product | Protection
---|---
Secure Endpoint | ![check](https://www.talosintelligence.com/assets/icon_check_white.svg)
Cloudlock | N/A
CWS | ![check](https://www.talosintelligence.com/assets/icon_check_white.svg)
Email Security | ![check](https://www.talosintelligence.com/assets/icon_check_white.svg)
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | ![check](https://www.talosintelligence.com/assets/icon_check_white.svg)
Umbrella | N/A
WSA | N/A

#### Screenshots of Detection

#### Secure Endpoint

![Threat Roundup for April 14 to April 21](https://blog.talosintelligence.com/content/images/2023/04/amp_1068d5259b58c67b37559c2c5aaaffaa524cd38f05c99625b5b1bc97667388df_20230425.png)

#### Secure Malware Analytics

![Threat Roundup for April 14 to April 21](https://blog.talosintelligence.com/content/images/2023/04/tg_1068d5259b58c67b37559c2c5aaaffaa524cd38f05c99625b5b1bc97667388df_20230425.png)

#### MITRE ATT&CK

![Threat Roundup for April 14 to April 21](https://blog.talosintelligence.com/content/images/2023/04/mitre_attack_33316.png)

* * *

### Win.Dropper.DarkComet-9998118-1

#### Indicators of Compromise

* IOCs collected from dynamic analysis of 23 samples

Registry Keys | Occurrences
---|---
`SOFTWARE\DC3_FEXEC` | 23
`SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN`<br>Value Name: `kb2456.exe` | 23

Mutexes | Occurrences
---|---
`DC_MUTEX-13F3AYC` | 23

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`162[.]125[.]4[.]15` | 23

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`dl[.]dropbox[.]com` | 23
`zoukiny[.]no-ip[.]biz` | 23

Files and/or directories created | Occurrences
---|---
`%APPDATA%\dclogs` | 23
`%TEMP%\tmp.tmp` | 23
`%TEMP%\tmpBD03.tmp.exe` | 3
`%TEMP%\temp_GujQurApmI` | 2
`%TEMP%\temp_GujQurApmI\svchost.exe` | 2
`%TEMP%\temp_AoPXtxyscR` | 2
`%TEMP%\temp_AoPXtxyscR\svchost.exe` | 2
`%TEMP%\tmpC06C.tmp.exe` | 2
`%TEMP%\temp_MhOpOytNAS\svchost.exe` | 1
`%TEMP%\tmpBF9C.tmp.exe` | 1
`%TEMP%\temp_dgFaHSHFIP\svchost.exe` | 1
`%TEMP%\tmpBAF0.tmp.exe` | 1
`%TEMP%\temp_XbxDBxrtQM\svchost.exe` | 1
`%TEMP%\temp_hYMuQAMQTy\svchost.exe` | 1
`%TEMP%\tmpBF44.tmp.exe` | 1
`%TEMP%\temp_AChkJWUFGO\svchost.exe` | 1
`%TEMP%\tmpC28E.tmp.exe` | 1
`%TEMP%\temp_ktuFuZaySw\svchost.exe` | 1
`%TEMP%\tmpCC7D.tmp.exe` | 1
`%TEMP%\temp_jTWgKpaNic\svchost.exe` | 1
`%TEMP%\tmpC453.tmp.exe` | 1
`%TEMP%\temp_gwLGQvZjwn\svchost.exe` | 1
`%TEMP%\tmpFFFB.tmp.exe` | 1
`%TEMP%\temp_gFRVVtvPLv\svchost.exe` | 1
`%TEMP%\tmpC0BA.tmp.exe` | 1

*See JSON for more IOCs

#### File Hashes


#### Coverage

Product | Protection
---|---
Secure Endpoint | ![check](https://www.talosintelligence.com/assets/icon_check_white.svg)
Cloudlock | N/A
CWS | ![check](https://www.talosintelligence.com/assets/icon_check_white.svg)
Email Security | ![check](https://www.talosintelligence.com/assets/icon_check_white.svg)
Network Security | ![check](https://www.talosintelligence.com/assets/icon_check_white.svg)
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | ![check](https://www.talosintelligence.com/assets/icon_check_white.svg)
Umbrella | N/A
WSA | N/A

#### Screenshots of Detection

#### Secure Endpoint

![Threat Roundup for April 14 to April 21](https://blog.talosintelligence.com/content/images/2023/04/amp_786be271e7f3f8249203417bd8547b42e3dceb9440e228d844a78c85f2dc7822_20230421.png)

#### Secure Malware Analytics

![Threat Roundup for April 14 to April 21](https://blog.talosintelligence.com/content/images/2023/04/tg_786be271e7f3f8249203417bd8547b42e3dceb9440e228d844a78c85f2dc7822_20230421.png)

#### MITRE ATT&CK

![Threat Roundup for April 14 to April 21](https://blog.talosintelligence.com/content/images/2023/04/mitre_attack_33318.png)

* * *

### Win.Virus.Xpiro-9998650-1

#### Indicators of Compromise

* IOCs collected from dynamic analysis of 18 samples

Registry Keys | Occurrences
---|---
`SYSTEM\CONTROLSET001\SERVICES\WSCSVC`<br>Value Name: `Start` | 18
`SYSTEM\CONTROLSET001\SERVICES\WINDEFEND`<br>Value Name: `Start` | 18
`SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32`<br>Value Name: `Type` | 18
`SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64`<br>Value Name: `Type` | 18
`SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32`<br>Value Name: `Type` | 18
`SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32`<br>Value Name: `Start` | 18
`SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_64`<br>Value Name: `Type` | 18
`SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_64`<br>Value Name: `Start` | 18
`SYSTEM\CONTROLSET001\SERVICES\COMSYSAPP`<br>Value Name: `Type` | 18
`SYSTEM\CONTROLSET001\SERVICES\COMSYSAPP`<br>Value Name: `Start` | 18
`SYSTEM\CONTROLSET001\SERVICES\MOZILLAMAINTENANCE`<br>Value Name: `Type` | 18
`SYSTEM\CONTROLSET001\SERVICES\MOZILLAMAINTENANCE`<br>Value Name: `Start` | 18
`SYSTEM\CONTROLSET001\SERVICES\MSISERVER`<br>Value Name: `Type` | 18
`SYSTEM\CONTROLSET001\SERVICES\MSISERVER`<br>Value Name: `Start` | 18
`SYSTEM\CONTROLSET001\SERVICES\OSE`<br>Value Name: `Type` | 18
`SYSTEM\CONTROLSET001\SERVICES\OSE`<br>Value Name: `Start` | 18
`SYSTEM\CONTROLSET001\SERVICES\UI0DETECT`<br>Value Name: `Type` | 18
`SYSTEM\CONTROLSET001\SERVICES\UI0DETECT`<br>Value Name: `Start` | 18
`SYSTEM\CONTROLSET001\SERVICES\VDS`<br>Value Name: `Type` | 18
`SYSTEM\CONTROLSET001\SERVICES\VDS`<br>Value Name: `Start` | 18
`SYSTEM\CONTROLSET001\SERVICES\VSS`<br>Value Name: `Type` | 18
`SYSTEM\CONTROLSET001\SERVICES\VSS`<br>Value Name: `Start` | 18
`SYSTEM\CONTROLSET001\SERVICES\WBENGINE`<br>Value Name: `Type` | 18
`SYSTEM\CONTROLSET001\SERVICES\WBENGINE`<br>Value Name: `Start` | 18
`SYSTEM\CONTROLSET001\SERVICES\WMIAPSRV`<br>Value Name: `Type` | 18

Mutexes | Occurrences
---|---
`kkq-vx_mtx64` | 18
`kkq-vx_mtx65` | 18
`kkq-vx_mtx66` | 18
`kkq-vx_mtx67` | 18
`kkq-vx_mtx68` | 18
`kkq-vx_mtx69` | 18
`kkq-vx_mtx70` | 18
`kkq-vx_mtx71` | 18
`kkq-vx_mtx72` | 18
`kkq-vx_mtx73` | 18
`kkq-vx_mtx74` | 18
`kkq-vx_mtx75` | 18
`kkq-vx_mtx76` | 18
`kkq-vx_mtx77` | 18
`kkq-vx_mtx78` | 18
`kkq-vx_mtx79` | 18
`kkq-vx_mtx80` | 18
`kkq-vx_mtx81` | 18
`kkq-vx_mtx82` | 18
`kkq-vx_mtx83` | 18
`kkq-vx_mtx84` | 18
`kkq-vx_mtx85` | 18
`kkq-vx_mtx86` | 18
`kkq-vx_mtx87` | 18
`kkq-vx_mtx88` | 18

*See JSON for more IOCs

Files and/or directories created | Occurrences
---|---
`%ProgramFiles(x86)%\Microsoft Office\Office14\GROOVE.EXE` | 18
`%ProgramFiles(x86)%\Mozilla Maintenance Service\maintenanceservice.exe` | 18
`%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe` | 18
`%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe` | 18
`%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe` | 18
`%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe` | 18
`%System32%\FXSSVC.exe` | 18
`%System32%\UI0Detect.exe` | 18
`%System32%\VSSVC.exe` | 18
`%System32%\alg.exe` | 18
`%System32%\dllhost.exe` | 18
`%System32%\msdtc.exe` | 18
`%System32%\msiexec.exe` | 18
`%System32%\snmptrap.exe` | 18
`%System32%\sppsvc.exe` | 18
`%System32%\wbem\WmiApSrv.exe` | 18
`%System32%\wbengine.exe` | 18
`%SystemRoot%\ehome\ehsched.exe` | 18
`%SystemRoot%\SysWOW64\dllhost.exe` | 18
`%SystemRoot%\SysWOW64\svchost.exe` | 18
`%SystemRoot%\SysWOW64\dllhost.vir` | 18
`%SystemRoot%\SysWOW64\msiexec.vir` | 18
`%SystemRoot%\SysWOW64\svchost.vir` | 18
`%ProgramFiles%\Internet Explorer\iexplore.vir` | 18
`%CommonProgramFiles(x86)%\microsoft shared\source engine\ose.vir` | 18

*See JSON for more IOCs

#### File Hashes


#### Coverage

Product| Protection
—|—
Secure Endpoint| ![Threat Roundup for April 14 to April 21](https://www.talosintelligence.com/assets/icon_check_white.svg)
Cloudlock| N/A
CWS| ![Threat Roundup for April 14 to April 21](https://www.talosintelligence.com/assets/icon_check_white.svg)
Email Security| ![Threat Roundup for April 14 to April 21](https://www.talosintelligence.com/assets/icon_check_white.svg)
Network Security| N/A
Stealthwatch| N/A
Stealthwatch Cloud| N/A
Secure Malware Analytics| ![Threat Roundup for April 14 to April 21](https://www.talosintelligence.com/assets/icon_check_white.svg)
Umbrella| N/A
WSA| N/A

#### Screenshots of Detection

#### Secure Endpoint

![Threat Roundup for April 14 to April 21](https://blog.talosintelligence.com/content/images/2023/04/amp_0a5eeac82828f8027cd544105cc76ba2d4d4eb2bbe409d1ef27835ce22a0ef06_20230423.png)

#### Secure Malware Analytics

![Threat Roundup for April 14 to April 21](https://blog.talosintelligence.com/content/images/2023/04/tg_75416463a1bd3c9d771a4cbcc092d6d13c5979659b47da3c45640a716fe9ada0_20230423.png)

#### MITRE ATT&CK

![Threat Roundup for April 14 to April 21](https://blog.talosintelligence.com/content/images/2023/04/mitre_attack_33328.png)

* * *

### Win.Dropper.LokiBot-9997784-0

#### Indicators of Compromise

* IOCs collected from dynamic analysis of 46 samples

Registry Keys| Occurrences
—|—
`SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS`, Value Name: `Path`| 2
`SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS`, Value Name: `Hash`| 2
`SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS`, Value Name: `Triggers`| 2
`SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS`, Value Name: `DynamicInfo`| 2

Mutexes| Occurrences
—|—
`hGaolUAEhBhpUPhRKOMCEdZwRZtiMG`| 20
`jXKhDsqpdQybVuPEmbAKwiHxLWIux`| 18
`CbrYMlytSPCzlXpbEHuxopJkpncgG`| 4
`3749282D282E1E80C56CAE5A`| 1
`ATdPKSSVGkktNJiqkeIrKymIi`| 1

IP Addresses contacted by malware. Does not indicate maliciousness| Occurrences
—|—
`34[.]229[.]94[.]227`| 43

Domain Names contacted by malware. Does not indicate maliciousness| Occurrences
—|—
`lancetasks[.]com`| 43
`poyrezbunker[.]xyz`| 1

Files and or directories created| Occurrences
—|—
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\windrive.exe`| 43
`%APPDATA%\windrive.exe`| 43
`%System32%\Tasks\windrive`| 43
`%APPDATA%\Setupexe.exe`| 42
`%APPDATA%\D282E1`| 1
`%APPDATA%\D282E1\1E80C5.lck`| 1
`%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5`| 1

#### File Hashes

`05c8ba64b02dc62aba0fb1455ec15e121b172acbba66e1954643a580ce310d57`
`0861738aaef9328d136bb3d07a3d64259ed5123ed9c473cb69d08357e2c0a57a`
`09403799c317cc67d029f6fbc01c8917e407cd9f26465f1580fa7607487e0d2c`
`0dab311d96dac557c4504b2879e33ba995f12e739b16b094a52e0839a9606c24`
`1142c0e37678c3940d80bc05bf0b2428774c24fe99256d265db84f3983fe0a95`
`1ee30c4b53bd334c22d4ae24ae5b9253f657ecfc15c9d85075ab21b71547b315`
`22272de4964a9f99e5eebf0f92c1c2a3a2ea7c858aa4f01aa274e100ef0f0474`
`2b1c6b2249d2c0a49e168341381431f8407b1871e3f1aa655cefd1f0e1e2d2ef`
`2e846d46ddb277cc24e6a5ee4147397d16ce4421d034860e504217511e7207fd`
`33f0e7d51bbef09378a752b47dffee4f6bb83c0042fecdf35e48323468b431e5`
`3409d8d2d1184a67cb56ef327383d00d8c749ece7732e952a78946e9925fad21`
`3d1dd0b1af801f27cb5639af28ed17f30900eaf4ceee050e2972303f92081960`
`470b8bd5cdec3257b91ef325a77521b4ab804d6827284ad5a6d3c0a6c1a96451`
`49566f476a01164aeee4f96a5321423eb718f19d97e04911e83b476a978432b8`
`4a1a9ee3a218ad5742a1f6fc58a14fedc56bb9fc35488ddfbf5a9ac660af7b98`
`4a3a2d78ca9cd193d984a2c511ee13afd818fa3b6df5b59a958c9b39d16838cb`
`4adae5139b791d9beb9c9ec8d852e763986b90cffd4fe3df5c3e8436a67623fd`
`50aa7ea0d282f6dfe7dd9ff774f254aa4375d50d0136460af8d15e571a0be797`
`5fb7d55abc605e56218b2593cc2ec3769500132a106ac13a0e62232c9e76a044`
`64b9769376d71aecd1383a5fe10fb8a3a95808dd9be96d02a5ce12b915c1795f`
`653e8125e67e0a9b845617e4bdbf5ee8fa3e36e2f01b5b663e43186d3fd31f0c`
`6b02d15580f3569d85f7514009d1619679571d23b25a6c0fea1947f4b8dd8544`
`802e1e558d1d054640db04009dbe3aa746e15b960765458870228c4553fe5095`
`85510cf15298da5d428c191cce0e5baecfaa37fe754fbd6be307b7b47645886b`
`88edc65514e9981fb2550061cccfad1e95fb642311fed93de4cfe854ec0d618a`

*See JSON for more IOCs

#### Coverage

Product| Protection
—|—
Secure Endpoint| ![Threat Roundup for April 14 to April 21](https://www.talosintelligence.com/assets/icon_check_white.svg)
Cloudlock| N/A
CWS| ![Threat Roundup for April 14 to April 21](https://www.talosintelligence.com/assets/icon_check_white.svg)
Email Security| ![Threat Roundup for April 14 to April 21](https://www.talosintelligence.com/assets/icon_check_white.svg)
Network Security| N/A
Stealthwatch| N/A
Stealthwatch Cloud| N/A
Secure Malware Analytics| ![Threat Roundup for April 14 to April 21](https://www.talosintelligence.com/assets/icon_check_white.svg)
Umbrella| N/A
WSA| N/A

#### Screenshots of Detection

#### Secure Endpoint

![Threat Roundup for April 14 to April 21](https://blog.talosintelligence.com/content/images/2023/04/amp_802e1e558d1d054640db04009dbe3aa746e15b960765458870228c4553fe5095_20230420.png)

#### Secure Malware Analytics

![Threat Roundup for April 14 to April 21](https://blog.talosintelligence.com/content/images/2023/04/tg_f278642d599cdeb7f26f152205b6fd5fb4dd025f1138a096f61b0f8fe1183220_20230420.png)

#### MITRE ATT&CK

![Threat Roundup for April 14 to April 21](https://blog.talosintelligence.com/content/images/2023/04/mitre_attack_33338.png)

* * *

### Win.Downloader.Upatre-9998551-0

#### Indicators of Compromise

* IOCs collected from dynamic analysis of 25 samples

IP Addresses contacted by malware. Does not indicate maliciousness| Occurrences
—|—
`51[.]222[.]30[.]164`| 25

Domain Names contacted by malware. Does not indicate maliciousness| Occurrences
—|—
`groupesorepco[.]com`| 25
`bulkbacklinks[.]com`| 25

Files and or directories created| Occurrences
—|—
`%TEMP%\hummy.exe`| 25

#### File Hashes

`022151901a9b9625c6e127c544e70a9b3fa199914bf85163abbf70002e4a4009`
`060f1a46303116655092db2863f1d3ecb84ec380e3d803ea6b337538fe0f4a3b`
`07a178595827a67016935658a6d367039aa83ba93b499f06d16732d7895403b4`
`08d692463f8a2faa215615bca8d468610861cff2ca6fca6b0b890ea5194818d0`
`0a49e94fe253fd7dd6e9320b741c89bd994ecdbcba78b4e7eaf7fffba21951dd`
`1225163fabc0b349956dd6967d665ab1fd2c8ce54766f55961292b3d62365dd1`
`264c2c7b692c6dc0c577837c0c88b06408e538edb3fb2b7b2079df1dc9fa15b8`
`2e887c52e98a43a06e5673d2dd960fcae7e1b769f02256972351e2b3304e7821`
`41c69fd6c43ddf1dd7a8334667709dd03782ed4b6f392032726cc0dd3bdf8cc8`
`44b445cc2e1ccf169d3630cdda3d6bdc1e72d949e38756410fc36116582774ce`
`49b33b88e96ce51cfbfb7fa518dcc312d8e018eed3b34a6d843de5c9e0797332`
`4af862559a2d8414ceab6bb806f20cb6a99de083c5d0f7a53ebe3f1d7a7914b9`
`4beda3336e7de2cb11541b84d0eb36f5347a2b15c8237c8ee07f6bac2ecfab1a`
`4fd5becb2403b41d495b6008ddf37353271def2fd941855a4914b48d3ca14807`
`5913746a050b223ed031f12e9726cf37a70bc38cd0799ac6d495223b6e19e722`
`64e01754390befb75a46a7ae6e4ab44945879826c53a5c72d747aacff513e3a9`
`6970374e466577dc8e6bc0251673d8bc148019febaf65adb8af01a1b2449a8d0`
`7131b420a9cfb3d58b0aa4010994cea8db6062ca4c58f8da2a1adf83572945d9`
`797e11c3221d0724b2f08121872f794d7fff9507305797610d99773f7cee1fcb`
`8018abd70eac615031bc1af69f0cda4b33a46bf8d8a0578614efcb43003dded7`
`8e19065c5857c931ff51fb58f697b256deb5cdfef8275c6c6cf66fd0a9b6a892`
`a0c1a6b20042c3640808263720c71219d096a43a9dd5668d05828b6c55ef6579`
`a3d887cc44c266383ac3ad501a5d85d6ddb5fb627e93f611ad216e5d9cf4a6ea`
`a4ce1f1428a91c501661ae4711fd08fbb63a2682424b09190858a41fe72ce90b`
`a58b24e3083bacf2f1d4918247415a91b7e420f52ed5ef7b32a9f929632eafd8`

*See JSON for more IOCs

#### Coverage

Product| Protection
—|—
Secure Endpoint| ![Threat Roundup for April 14 to April 21](https://www.talosintelligence.com/assets/icon_check_white.svg)
Cloudlock| N/A
CWS| ![Threat Roundup for April 14 to April 21](https://www.talosintelligence.com/assets/icon_check_white.svg)
Email Security| ![Threat Roundup for April 14 to April 21](https://www.talosintelligence.com/assets/icon_check_white.svg)
Network Security| N/A
Stealthwatch| N/A
Stealthwatch Cloud| N/A
Secure Malware Analytics| ![Threat Roundup for April 14 to April 21](https://www.talosintelligence.com/assets/icon_check_white.svg)
Umbrella| N/A
WSA| N/A

#### Screenshots of Detection

#### Secure Endpoint

![Threat Roundup for April 14 to April 21](https://blog.talosintelligence.com/content/images/2023/04/amp_a58b24e3083bacf2f1d4918247415a91b7e420f52ed5ef7b32a9f929632eafd8_20230422.png)

#### Secure Malware Analytics

![Threat Roundup for April 14 to April 21](https://blog.talosintelligence.com/content/images/2023/04/tg_a58b24e3083bacf2f1d4918247415a91b7e420f52ed5ef7b32a9f929632eafd8_20230422.png)

#### MITRE ATT&CK

![Threat Roundup for April 14 to April 21](https://blog.talosintelligence.com/content/images/2023/04/mitre_attack_33354.png)

* * *

### Win.Ransomware.Cerber-9998102-0

#### Indicators of Compromise

* IOCs collected from dynamic analysis of 98 samples

Mutexes| Occurrences
—|—
`ipc.{8067AF37-05F3-E0A7-F91D-CF35012EB051}`| 96
`itbeoinopoc`| 96

IP Addresses contacted by malware. Does not indicate maliciousness| Occurrences
—|—
`19[.]48[.]17[.]0/27`| 96
`77[.]12[.]57[.]0/27`| 96
`87[.]98[.]176[.]0/22`| 96
`178[.]128[.]255[.]179`| 58
`104[.]20[.]20[.]251`| 33
`104[.]20[.]21[.]251`| 32
`172[.]67[.]2[.]88`| 31
`104[.]26[.]8[.]86`| 22
`172[.]67[.]74[.]49`| 21
`104[.]26[.]9[.]86`| 15

Domain Names contacted by malware. Does not indicate maliciousness| Occurrences
—|—
`api[.]blockcypher[.]com`| 96
`bitaps[.]com`| 58
`chain[.]so`| 58
`btc[.]blockr[.]io`| 58
`qfjhpgbefuhenjp7[.]1bxzyr[.]top`| 38

Files and or directories created| Occurrences
—|—
`%TEMP%\d19ab989`| 96
`%TEMP%\d19ab989\4710.tmp`| 96
`%TEMP%\d19ab989\a35f.tmp`| 96
`%LOCALAPPDATA%\Microsoft\Office\Groove1\System\CSMIPC.dat`| 96
`%TEMP%\tmp.tmp`| 96
`%TEMP%\tmp.bmp`| 96
`_R_E_A_D___T_H_I_S____.txt`| 96
`_R_E_A_D___T_H_I_S____.hta`| 96
`pcuserspublicrecorded tvsample mediawin7_scenic-demoshort_raw.wtv`| 69

#### File Hashes

`002d43089d0c4ef3f41fda3ebffe0e392bd4115d91eb3964c459937d2972ccea`
`06fbbf4aa44810136e505633664deb2ff4e69e738b0c8f1cffe7ecbe452fba58`
`0fb57fbf3813e474e366359b9bbc5bec917ad5aeec20f7257948a58b9e9cbb52`
`10a4d53ec40c1458401eab89abdd5d03f4f95752d3f3acc714b0a156bc1c7ea6`
`1414ae8cf2ff8cd18b13fc9e982ee5e47afdd01ce2410bf14439bd21e574cd44`
`149a4a692b40f85e1f99c4a1f631c0bb992af72ac8eff6c08a6df80179dfbabb`
`1ada8fd30118dcc7fae7041c77b2dc77a4f844a4ca8daa146c1a436b4bf21855`
`1c28c2b98c6ab6b847913389ea8717e937edb24cd15302a37560d96ba2d2f02d`
`22d6fc92916deb2d4477c2ecaff01d67253e2f743f265b9848caef3b43a463ae`
`23ae4d7d6b10a77eb3b9a3899dd29292e866ffbea4623917e08374d1780223f1`
`256137af5a5461431c81be000cf5c2cf6643be5f87366e330e3ee3f2876847e9`
`2a943c6f4117f3dab6e00135c93de17ae26e4e5e62ffe5587534267535868641`
`361d0422b5b5e47076e0f0e4fa476649d3073e31b097572649e60d484fcfc31b`
`3c8bf29f6c52f87c6e08d72a28551b5569ef7951eb96b16b63411c8a3f132368`
`3d5349995dafd20c20632181b23fa5c12d63e3e086ffc2594ecf0373ac0d0ab5`
`3da3f20dc7ed83797ce0752b7f31c4008e5a08d3a27ce8a55d5a78ba5093fb51`
`3e541d44a3212fcb8c051aecdb6107814753bdd7644f7b982a098719eefe48db`
`3ebbfd0af3a85e6911f525726a80ebfc85aab7b1b7500d6fc102b13c16b1deb3`
`3feb42368dc1cefc4646912317a9eb3ce5d6e05c5ea0f123613c38e15d02d726`
`438b78222723877653f1fb18066a802f58374d5841cc1df518d83f1293052e5e`
`4965fd6dab40b061bfe2ca234e23b43a60de765958f59b327d3aec29077a13b7`
`4c41f045065a4fca849d0b189024c9aa734cc7e0a7805e5df8c9be222edaccb2`
`4dea0603c4c2148572b523417470fe7669cf671b9ea21ae8ffbff58ce21f23bd`
`4efd982fec1d05668ca457726e915887e1cc4ab6e1c735e8e11b9fd2b8530faa`
`524c3ef042a214e02c846d09cb3e394ce811638ba6d4000df3320f63aaf29a8b`

*See JSON for more IOCs

#### Coverage

Product| Protection
—|—
Secure Endpoint| ![Threat Roundup for April 14 to April 21](https://www.talosintelligence.com/assets/icon_check_white.svg)
Cloudlock| N/A
CWS| ![Threat Roundup for April 14 to April 21](https://www.talosintelligence.com/assets/icon_check_white.svg)
Email Security| ![Threat Roundup for April 14 to April 21](https://www.talosintelligence.com/assets/icon_check_white.svg)
Network Security| ![Threat Roundup for April 14 to April 21](https://www.talosintelligence.com/assets/icon_check_white.svg)
Stealthwatch| N/A
Stealthwatch Cloud| N/A
Secure Malware Analytics| ![Threat Roundup for April 14 to April 21](https://www.talosintelligence.com/assets/icon_check_white.svg)
Umbrella| N/A
WSA| N/A

#### Screenshots of Detection

#### Secure Endpoint

![Threat Roundup for April 14 to April 21](https://blog.talosintelligence.com/content/images/2023/04/amp_4efd982fec1d05668ca457726e915887e1cc4ab6e1c735e8e11b9fd2b8530faa_20230420.png)

#### Secure Malware Analytics

![Threat Roundup for April 14 to April 21](https://blog.talosintelligence.com/content/images/2023/04/tg_bf1095cb9808a7dbc75f6b769a48284f767e7090dd6a56a4ac3a30c059a9f593_20230420.png)

#### MITRE ATT&CK

![Threat Roundup for April 14 to April 21](https://blog.talosintelligence.com/content/images/2023/04/mitre_attack_33360.png)

* * *