Threat Roundup for May 20 to May 27

TALOS

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between May 20 and May 27. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. Five distinct shades are used, with the darkest indicating that no files exhibited the technique behavior and the brightest indicating that the technique behavior was observed in 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

| Threat Name | Type | Description |
| --- | --- | --- |
| Win.Dropper.Chthonic-9950427-1 | Dropper | Chthonic is a banking trojan derived from the Zeus family of banking malware. It is typically spread via phishing emails and attempts to steal sensitive information from an infected machine. Chthonic has also been observed downloading follow-on malware such as Azorult, another information stealer. |
| Win.Dropper.Emotet-9950400-0 | Dropper | Emotet is one of the most widely distributed and active malware families today. It is a modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. |
| Win.Dropper.Gh0stRAT-9950358-1 | Dropper | Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks. |
| Win.Dropper.Trickbot-9950352-0 | Dropper | Trickbot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts. |
| Win.Dropper.Zusy-9950333-0 | Dropper | Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information. |
| Win.Dropper.Ursnif-9950326-0 | Dropper | Ursnif is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits. |

Threat Breakdown

Win.Dropper.Chthonic-9950427-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples

Registry Keys

| Registry Key | Value Name | Occurrences |
| --- | --- | --- |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED | Hidden | 25 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED | ShowSuperHidden | 25 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS | Load | 25 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | 1081297374 | 25 |
| <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN | 1081297374 | 25 |
| <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN | | 25 |

IP Addresses contacted by malware. Does not indicate maliciousness

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness

| Domain Name | Occurrences |
| --- | --- |
| europe[.]pool[.]ntp[.]org | 25 |
| differentia[.]ru | 25 |
| disorderstatus[.]ru | 25 |

Files and/or directories created

| File or Directory | Occurrences |
| --- | --- |
| %ProgramData%\msodtyzm.exe | 25 |
| %ProgramData%~ | 25 |

File Hashes

*See JSON for more IOCs

Coverage

| Product | Protection |
| --- | --- |
| Secure Endpoint | |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Secure Malware Analytics | |
| Umbrella | N/A |
| WSA | |

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Emotet-9950400-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 22 samples

Registry Keys

| Registry Key | Value Name | Occurrences |
| --- | --- | --- |
| <HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 | | 15 |
| <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER | AntiVirusOverride | 7 |
| <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER | AntiVirusDisableNotify | 7 |
| <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER | FirewallDisableNotify | 7 |
| <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER | FirewallOverride | 7 |
| <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER | UpdatesDisableNotify | 7 |
| <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER | UacDisableNotify | 7 |
| <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM | EnableLUA | 7 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE | EnableFirewall | 7 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE | DoNotAllowExceptions | 7 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE | DisableNotifications | 7 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC | Start | 7 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND | Start | 7 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC | Start | 7 |
| <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION | jfghdug_ooetvtgk | 7 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | JudCsgdy | 7 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV | Start | 7 |
| <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | Windows Defender | 7 |
| <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON | Userinit | 7 |
| <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON | Userinit | 7 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPECSYSTEM | Type | 2 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPECSYSTEM | Start | 2 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPECSYSTEM | ErrorControl | 2 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPECSYSTEM | ImagePath | 2 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPECSYSTEM | DisplayName | 2 |

Mutexes

| Mutex | Occurrences |
| --- | --- |
| {<random GUID>} | 7 |
| Global\VLock | 4 |
| <random, matching [a-zA-Z0-9]{5,9}> | 4 |
| Global\I98B68E3C | 2 |
| Global\M98B68E3C | 2 |
| eGUiKSAmJi | 2 |
| A9MTX7ERFAMKLQ | 1 |
| A9ZLO3DAFRVH1WAE | 1 |
| B81XZCHO7OLPA | 1 |
| BSKLZ1RVAUON | 1 |
| GJLAAZGJI156R | 1 |
| I-103-139-900557 | 1 |
| I106865886KMTX | 1 |
| IGBIASAARMOAIZ | 1 |
| J8OSEXAZLIYSQ8J | 1 |
| LXCV0IMGIXS0RTA1 | 1 |
| MKS8IUMZ13NOZ | 1 |
| OPLXSDF19WRQ | 1 |
| PLAX7FASCI8AMNA | 1 |
| RGT70AXCNUUD3 | 1 |
| TEKL1AFHJ3 | 1 |
| TXA19EQZP13A6JTR | 1 |
| VSHBZL6SWAG0C | 1 |
| flowblink90x33 | 1 |
| GeneratingSchemaGlobalMapping | 1 |

*See JSON for more IOCs

IP Addresses contacted by malware. Does not indicate maliciousness

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness

*See JSON for more IOCs

Files and/or directories created

| File or Directory | Occurrences |
| --- | --- |
| %LOCALAPPDATA%\bolpidti | 7 |
| %LOCALAPPDATA%\bolpidti\judcsgdy.exe | 7 |
| %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\judcsgdy.exe | 7 |
| %TEMP%<random, matching '[a-z]{8}'>.exe | 5 |
| %HOMEPATH%\Local Settings\Application Data\hmqphkgx\pseqpmjy.exe | 4 |
| %HOMEPATH%\Local Settings\Application Data\jpnfmrvn.log | 4 |
| %HOMEPATH%\Start Menu\Programs\Startup\pseqpmjy.exe | 4 |
| %ProgramData%\wtvakgao.log | 4 |
| %APPDATA%\winapp\Modules | 4 |
| %System32%\Tasks\services update | 4 |
| %APPDATA%\winapp\client_id | 4 |
| %APPDATA%\winapp\group_tag | 4 |
| %APPDATA%\winapp | 4 |
| %APPDATA%\WINAPP<original file name>.exe | 4 |
| %PUBLIC%\Pictures\Sample Pictures\Chrysanthemum.jpg | 3 |
| %PUBLIC%\Pictures\Sample Pictures\Desert.jpg | 3 |
| %PUBLIC%\Pictures\Sample Pictures\Hydrangeas.jpg | 3 |
| %PUBLIC%\Pictures\Sample Pictures\Jellyfish.jpg | 3 |
| %PUBLIC%\Pictures\Sample Pictures\Koala.jpg | 3 |
| %PUBLIC%\Pictures\Sample Pictures\Lighthouse.jpg | 3 |
| %PUBLIC%\Pictures\Sample Pictures\Penguins.jpg | 3 |
| %PUBLIC%\Pictures\Sample Pictures\Tulips.jpg | 3 |
| $Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500$R08BO8F.xlsx | 3 |
| $Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500$R11KHR4.doc | 3 |
| $Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500$R5QKHLN.doc | 3 |

*See JSON for more IOCs

File Hashes

Coverage

| Product | Protection |
| --- | --- |
| Secure Endpoint | |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Secure Malware Analytics | |
| Umbrella | |
| WSA | |

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Gh0stRAT-9950358-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 24 samples

Registry Keys

| Registry Key | Value Name | Occurrences |
| --- | --- | --- |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\RS<random, matching '[A-Z]{4} [A-Z]{8}'> | | 6 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\RS<random, matching '[A-Z]{4} [A-Z]{8}'> | Type | 6 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\RS<random, matching '[A-Z]{4} [A-Z]{8}'> | Start | 6 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\RS<random, matching '[A-Z]{4} [A-Z]{8}'> | ErrorControl | 6 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\RS<random, matching '[A-Z]{4} [A-Z]{8}'> | ImagePath | 6 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\RS<random, matching '[A-Z]{4} [A-Z]{8}'> | DisplayName | 6 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\RS<random, matching '[A-Z]{4} [A-Z]{8}'> | WOW64 | 6 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\RS<random, matching '[A-Z]{4} [A-Z]{8}'> | ObjectName | 6 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\RS<random, matching '[A-Z]{4} [A-Z]{8}'> | Description | 6 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\RS<random, matching '[A-Z]{4} [A-Z]{8}'> | FailureActions | 6 |
| <HKU>.DEFAULT\SOFTWARE\MICROSOFT\ACTIVEMOVIE\DEVENUM | Version | 1 |
| <HKU>.DEFAULT\SOFTWARE\MICROSOFT\ACTIVEMOVIE | | 1 |
| <HKU>.DEFAULT\SOFTWARE\MICROSOFT\ACTIVEMOVIE\DEVENUM | | 1 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | Asuamsg | 1 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | Oujkwoq.bat | 1 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | Aooyyca | 1 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | Ozyfgdn | 1 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | svchost.exe | 1 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | Qmgoowc | 1 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | Qikwmis | 1 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | Kuqsggo | 1 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SSDKSRV DISCOVERY SERVICE | | 1 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SSDKSRV DISCOVERY SERVICE | Type | 1 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SSDKSRV DISCOVERY SERVICE | Start | 1 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SSDKSRV DISCOVERY SERVICE | ErrorControl | 1 |

Mutexes

| Mutex | Occurrences |
| --- | --- |
| 59.47.73.72 | 6 |
| 59.47.73.104 | 5 |
| yckz.5453.top | 3 |
| 127.0.0.1 | 2 |
| 43.226.152.24 | 2 |
| 103.52.152.134 | 1 |
| 45.66.164.37 | 1 |
| 173.0.49.35 | 1 |
| Rsfpdi isejfrav | 1 |
| 81.70.79.167 | 1 |
| Rsffwz rqzcfqlk | 1 |
| 27.102.112.125 | 1 |
| Rsnnfn hlbvbytu | 1 |
| Rsowcg wuqamwao | 1 |
| www.nianqing.xyz | 1 |
| Rsaaaa aaaaaaaa | 1 |
| SSDKSRV Discovery Service | 1 |
| Rsiaso ammqqcie | 1 |

IP Addresses contacted by malware. Does not indicate maliciousness

Domain Names contacted by malware. Does not indicate maliciousness

| Domain Name | Occurrences |
| --- | --- |
| www[.]taobao[.]com | 8 |
| yckz[.]5453[.]top | 3 |
| www[.]baidu[.]com | 2 |
| www[.]nianqing[.]xyz | 1 |

Files and/or directories created

| File or Directory | Occurrences |
| --- | --- |
| \TEMP\1.exe | 1 |
| %ProgramFiles(x86)%\NetMeeting | 1 |
| %ProgramFiles(x86)%\AppPatch | 1 |
| %ProgramData%\Wmizhad | 1 |
| %ProgramData%\Qaemmoc | 1 |
| %SystemRoot%\SysWOW64\sovhost.exe | 1 |
| %ProgramData%\Pogbfum | 1 |
| %ProgramFiles(x86)%\NetMeeting\ocr.bat | 1 |
| %ProgramFiles(x86)%\AppPatch\httpd.exe | 1 |
| %ProgramData%\Owmceii | 1 |

File Hashes

Coverage

| Product | Protection |
| --- | --- |
| Secure Endpoint | |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Secure Malware Analytics | |
| Umbrella | N/A |
| WSA | N/A |

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Trickbot-9950352-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 57 samples

Mutexes

| Mutex | Occurrences |
| --- | --- |
| GLOBAL{<random GUID>} | 56 |

IP Addresses contacted by malware. Does not indicate maliciousness

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness

| Domain Name | Occurrences |
| --- | --- |
| computer[.]example[.]org | 2 |
| wpad[.]example[.]org | 2 |
| vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com | 1 |
| vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com | 1 |

Files and/or directories created

| File or Directory | Occurrences |
| --- | --- |
| %ProgramData%\Microsoft\Windows\Start Menu\Programs\WinPwrSvs | 23 |
| %TEMP%<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp | 12 |
| \Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | 2 |
| \Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | 2 |
| %ProgramData%\Microsoft\Windows\Start Menu\Programs\WinPwrSvs\5844226300.exe | 1 |
| %ProgramData%\Microsoft\Windows\Start Menu\Programs\WinPwrSvs\0f87b8cb8991450b2c93e9704541bb3ae153c23cdfd3f10b35c808d4a82e7d18.exe | 1 |
| %ProgramData%\Microsoft\Windows\Start Menu\Programs\WinPwrSvs\10497a8baffd80652fa1f29b41ba8905a5435107ca8be0bce20e7105127b32fd.exe | 1 |
| %ProgramData%\Microsoft\Windows\Start Menu\Programs\WinPwrSvs\33909a3505ba7cda98e2dd85345d6d1e9d62f0efd8a7e5c6319f5ceb7d75573d.exe | 1 |
| %ProgramData%\Microsoft\Windows\Start Menu\Programs\WinPwrSvs\08ee9b5948caab0bce3c8a72f75db7a3464c2fb502db0d4e0711dfc2b2dbae7c.exe | 1 |
| %ProgramData%\Microsoft\Windows\Start Menu\Programs\WinPwrSvs\0410d127d5a416658d4a1da64f2b05eb04496a94514c1bc1475aa3fa896a52e7.exe | 1 |
| %ProgramData%\Microsoft\Windows\Start Menu\Programs\WinPwrSvs\00ec4cfe5f480835ea2e213dcbba211fdfbb840cd66e2acdd7b6b4f8f1a73edf.exe | 1 |
| %ProgramData%\Microsoft\Windows\Start Menu\Programs\WinPwrSvs\06f7dff552f3b975b7b2eb3a5b191e4f53e77cd7f6bef36d9fde9236ccbdaa60.exe | 1 |
| %ProgramData%\Microsoft\Windows\Start Menu\Programs\WinPwrSvs\042c37e5350c3fe9e173c6d9cd6489f043dd8764d9451bd9faf9a6f724faf9a6.exe | 1 |

File Hashes

*See JSON for more IOCs

Coverage

| Product | Protection |
| --- | --- |
| Secure Endpoint | |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Secure Malware Analytics | |
| Umbrella | N/A |
| WSA | |

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Zusy-9950333-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 16 samples

Registry Keys

| Registry Key | Value Name | Occurrences |
| --- | --- | --- |
| <HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 | | 16 |

Mutexes

| Mutex | Occurrences |
| --- | --- |
| Dmrc_mtx_409a9db1-a045-4296-8d2c-9d71016c846b | 1 |

IP Addresses contacted by malware. Does not indicate maliciousness

| IP Address | Occurrences |
| --- | --- |
| 104[.]21[.]40[.]196 | 8 |
| 172[.]67[.]188[.]70 | 8 |
| 23[.]62[.]6[.]192 | 8 |
| 23[.]62[.]6[.]161 | 6 |
| 23[.]62[.]6[.]170 | 2 |

Domain Names contacted by malware. Does not indicate maliciousness

Files and/or directories created

| File or Directory | Occurrences |
| --- | --- |
| \Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | 16 |
| \Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A | 16 |
| \Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | 16 |
| \Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A | 16 |
| \Users\user\AppData\Local\Temp\db.dat | 16 |
| \Users\user\AppData\Local\Temp\db.dll | 16 |

File Hashes

Coverage

| Product | Protection |
| --- | --- |
| Secure Endpoint | |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Secure Malware Analytics | |
| Umbrella | |
| WSA | |

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Ursnif-9950326-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 29 samples

Registry Keys

| Registry Key | Value Name | Occurrences |
| --- | --- | --- |
| <HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES{0633EE93-D776-472F-A0FF-E1416B8B2E3A} | FaviconPath | 20 |
| <HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES{0633EE93-D776-472F-A0FF-E1416B8B2E3A} | Deleted | 20 |
| <HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES | DefaultScope | 20 |

Mutexes

| Mutex | Occurrences |
| --- | --- |
| Global<random guid> | 5 |

IP Addresses contacted by malware. Does not indicate maliciousness

Domain Names contacted by malware. Does not indicate maliciousness

| Domain Name | Occurrences |
| --- | --- |
| www[.]bing[.]com | 20 |
| www[.]google[.]com | 20 |
| google[.]com | 20 |
| wngtdpablo[.]com | 12 |

File Hashes

*See JSON for more IOCs

Coverage

| Product | Protection |
| --- | --- |
| Secure Endpoint | |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Secure Malware Analytics | |
| Umbrella | N/A |
| WSA | N/A |

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK
