Threat Roundup for May 27 to June 3


TALOS

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between May 27 and June 3. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.
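The indicators in the threat breakdown below are printed defanged (`[.]` in place of `.`), and the post's own caveat is that one IOC hit is weak evidence. The following Python is an added example, not code from the Talos post: it refangs a constructed subset of this roundup's network IOCs, scans constructed DNS/proxy log lines in an assumed `<timestamp> <host> <key=value ...>` layout, drops the IANA-reserved `example.org` names that appear in every family's list (treated here as analysis-environment noise, which is an assumption), and only reports a host once two distinct indicators of the same family have been seen on it. Host names and timestamps are made up.

```python
import re
from collections import defaultdict

# Constructed subset of the defanged network IOCs printed in this roundup,
# keyed by the Talos family name. The complete lists are in the post and its JSON.
ROUNDUP_IOCS = {
    "Win.Packed.Zusy-9951045-0": [
        "20[.]150[.]87[.]132", "clownmice123[.]com", "wpad[.]example[.]org",
    ],
    "Win.Malware.Upatre-9950530-0": [
        "204[.]93[.]178[.]227", "35[.]208[.]217[.]200",
        "bizaroob[.]com", "faneema[.]com", "computer[.]example[.]org",
    ],
    "Win.Dropper.Lokibot-9951022-1": [
        "185[.]6[.]242[.]251", "lidgeys[.]ru", "dunysaki[.]ru",
    ],
}

# Assumption: the reserved example.org names listed under every family are
# analysis-environment noise, so they never contribute to a host's score.
NOISE_SUFFIXES = (".example.org",)


def refang(indicator: str) -> str:
    """Reverse the '[.]' defanging used in the roundup and normalise case."""
    return indicator.replace("[.]", ".").strip().lower()


def build_index(iocs: dict) -> dict:
    """Map each refanged indicator to the set of families that listed it."""
    index = defaultdict(set)
    for family, entries in iocs.items():
        for entry in entries:
            clean = refang(entry)
            if not clean.endswith(NOISE_SUFFIXES):
                index[clean].add(family)
    return index


# Anything that looks like a hostname or dotted IPv4 address inside a log field.
TOKEN_RE = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def scan_logs(lines, index: dict) -> dict:
    """Return {host: {family: {indicator, ...}}} for lines touching an indexed IOC.

    Assumed (constructed) log layout: '<timestamp> <host> <key=value ...>'.
    """
    hits = defaultdict(lambda: defaultdict(set))
    for line in lines:
        parts = line.split(maxsplit=2)
        if len(parts) < 3:
            continue  # malformed or truncated line: skip rather than guess
        _, host, rest = parts
        for token in TOKEN_RE.findall(rest):
            token = token.lower()
            for family in index.get(token, ()):
                hits[host][family].add(token)
    return hits


def corroborate(hits: dict, min_distinct: int = 2) -> list:
    """Keep (host, family, n) only where n distinct indicators of one family were seen.

    A single match is weak evidence (shared hosting ranges, sinkholes, researcher
    traffic); requiring several from the same family is a cheap first filter.
    """
    flagged = [
        (host, family, len(indicators))
        for host, families in hits.items()
        for family, indicators in families.items()
        if len(indicators) >= min_distinct
    ]
    return sorted(flagged)


# Constructed DNS/proxy log excerpt in the assumed layout.
SAMPLE_LOG = """\
2022-06-01T09:58:12Z ws-17 query=wpad.example.org
2022-06-01T09:58:40Z ws-17 query=clownmice123.com
2022-06-01T09:58:41Z ws-17 connect=20.150.87.132:443 proto=tls
2022-06-01T10:02:05Z ws-22 query=wpad.example.org
2022-06-01T10:03:19Z ws-22 query=faneema.com
2022-06-01T10:15:00Z ws-31 query=lidgeys.ru
2022-06-01T10:15:03Z ws-31 query=dunysaki.ru
""".splitlines()

if __name__ == "__main__":
    index = build_index(ROUNDUP_IOCS)
    for host, family, n in corroborate(scan_logs(SAMPLE_LOG, index)):
        print(f"{host}: {n} distinct {family} indicators, review")
```

With the sample log, `ws-22` touches only one Upatre indicator and is left out of the default report, while `ws-17` and `ws-31` each match two indicators of one family and are surfaced; lowering `min_distinct` to 1 turns the filter into a plain IOC match.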

The most prevalent threats highlighted in this roundup are:

Win.Packed.Zusy-9951045-0 (Packed)
Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information.

Win.Malware.Upatre-9950530-0 (Malware)
Upatre is a malicious downloader often used by exploit kits and phishing campaigns. It downloads and executes malicious executables, such as banking malware.

Win.Malware.Zegost-9950579-0 (Malware)
Zegost is a remote access trojan designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. Zegost appears to be derived from Gh0stRAT, which is a well-known remote access trojan that had its source code leaked, significantly lowering the barrier to entry for actors looking to modify and reuse the code in new attacks.

Win.Trojan.Qakbot-9950589-1 (Trojan)
Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can steal FTP credentials and spread across a network using SMB.

Win.Malware.Razy-9950612-0 (Malware)
Razy is oftentimes a generic detection name for a Windows trojan. It collects sensitive information from the infected host and encrypts the data, eventually sending it to a command and control (C2) server. Information collected may include screenshots. The samples modify auto-execute functionality by setting and creating a value in the registry for persistence.

Win.Dropper.Lokibot-9951022-1 (Dropper)
Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.

Win.Dropper.Dridex-9951129-0 (Dropper)
Dridex is a well-known banking trojan that steals credentials and other sensitive information from an infected machine.

Win.Virus.Xpiro-9951191-1 (Virus)
Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.

Win.Packed.Ursnif-9951199-0 (Packed)
Ursnif steals sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits.

Threat Breakdown

Win.Packed.Zusy-9951045-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples (each line below gives the occurrence count, then the indicator)

Mutexes
25  Local\OfficeSharedLocks_BootMutex_00_S-1-5-18
25  Local\OfficeSharedLocks_Heap_00_S-1-5-18

IP addresses contacted by malware (does not indicate maliciousness)
25  20[.]150[.]87[.]132

Domain names contacted by malware (does not indicate maliciousness)
25  wpad[.]example[.]org
25  blob[.]mwh05prdstr03a[.]store[.]core[.]windows[.]net
25  weus2watcab02[.]blob[.]core[.]windows[.]net
25  clownmice123[.]com
22  computer[.]example[.]org
 9  vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com
 8  vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com
 5  vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com

Files and/or directories created
25  \Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml
25  \Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml
25  \Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml
25  \Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml
25  \Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml
25  \Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml
25  \Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml
25  \Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml
25  \Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml
25  \Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PCALSGUV\ErrorPageTemplate[1]
25  \Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FNF9BE4O\green_shield[1]
25  \Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OSZC6DKG\red_shield[1]
25  \Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OSZC6DKG\securityatrisk[1]
25  \Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PCALSGUV\background_gradient_red[1]
25  \Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\XN0IX3V7\shield[1]
 9  %TEMP%\s1d8.0
 5  %TEMP%\s1jk.0
 5  %TEMP%\s1dk.0
 2  %TEMP%\s1cw.0
 1  %TEMP%\sx8.0
 1  %TEMP%\s15c.0
 1  %TEMP%\s1gg.0
 1  %TEMP%\s18g.0
 1  \Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active{076CB9D8-E089-11EC-93F9-00007D696902}.dat
 1  \Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active{FA0F00E5-E088-11EC-93F9-00007D696902}.dat

*See JSON for more IOCs

File Hashes

    09f837fdd4b94fe073068fafc6dda1117ded51da14eb558e42ab00ac499b3852

    0a39ac2693d97eae1a36b40c5bbe2890a7bfa8f24c7ec3d3aeafd6dc56afc449

    0f7c036336e5023cfb49bb0578b63fc609ae2d35576a8bd32820d49d0374c6c7

    1358cfe0b9770735a1d221c3e3dd30015e8ac96f05eb55e671b845525e444eb0

    19ac6fec527601c97b48a84d636ea1ceadcc8e277898d3c30d253d20c1315a8d

    2397d5a63b8d78c13c8cfd7febc4b98220f4cc96c816ca5b0699342c89a5f190

    335cd07e80ec349d4ad84f3eaa3ab32a8c5df4a72c8a6cb347357dbfb41c54fa

    389dedb4668a19e93439f9a8fe5950fa5c74488115b0a257149b6243a8f10ef0

    3e47920c3427f11686bcea406222427107b56a0c8e04b66f22a460c5f03f7336

    424ecc4b8717d559456d474511cb805bd898fb6e076687fe2e521fd4fd7b43fd

    476019ef64dfb9acc990a1e6bd8975832908e4cdad12032c9cbc826f246aae4c

    4b86b261068f81622e6e809614314ebc248dec183a8f373e66b9484439d15555

    4bd5fda13773e691dcbb1819dd27abbef752bac0164aa25539b74c8ab2bf7ae4

    4ef8a540d6394834f5d377000c01d2b9ae07ede132b34d7a78668f09b5cf087b

    580784734bee7e55913126031d46ac78a087cfef16ff1b15b8873de74246b12a

    5d841247c20999e35ba5fadfe8dd9fca0df7b9d264fd7661b80e8406c6de41b0

    5f9b7f5cb73b34968a671769bf720c1d927ed941679c9ef2f2ccace59d4c1ef3

    8a4c11aeb28eb0f20c2d499f666fb06e8f80aaae7f5f33ea8c4660ae164b940b

    8adfbbce8615b78dbc416237c03ffe1e38f49c970e1a4aee53d454ad0f324ec3

    9077ba2ebf2ba354ddc0a35117ac9c54f02182883d3b6a45390d3c9c6eafc355

    9272b8a1289215309b3b96c1a787e3313fafa464118a6db2497a0e5efc96a0ef

    95b4211beb95423c2099a8f170154ba0421e10ee0adc1d7db01d9ef8d93b9456

    99347125d01ac5faa7b89d8d5f610d7f169c406d2ded14ae4ee3ac6cda6a24dd

    99e05c1b998d887ddd5be263ccaf76b25dd70eb9df17abd2e62c6a9ad2591ce0

    a0755494fca017a84428b71b39e79ba6037edd47f625301d25ab35b60c9f841d

*See JSON for more IOCs

Coverage (product: protection)
Secure Endpoint
Cloudlock: N/A
CWS
Email Security
Network Security: N/A
Stealthwatch: N/A
Stealthwatch Cloud: N/A
Secure Malware Analytics
Umbrella
WSA

Screenshots of Detection (images not reproduced): Secure Endpoint, Secure Malware Analytics, MITRE ATT&CK

Win.Malware.Upatre-9950530-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples (each line below gives the occurrence count, then the indicator)

IP addresses contacted by malware (does not indicate maliciousness)
26  204[.]93[.]178[.]227
26  35[.]208[.]217[.]200
25  23[.]196[.]74[.]222
14  23[.]221[.]72[.]27
11  23[.]221[.]72[.]10
 1  23[.]62[.]6[.]161
 1  23[.]10[.]206[.]162

Domain names contacted by malware (does not indicate maliciousness)
26  x1[.]i[.]lencr[.]org
26  apps[.]identrust[.]com
26  bizaroob[.]com
26  faneema[.]com
25  computer[.]example[.]org
25  wpad[.]example[.]org
 9  vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com
 8  vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com
 8  vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com
 5  windowsupdatebg[.]s[.]llnwi[.]net

Files and/or directories created
26  %TEMP%\realupdater.exe
25  \Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
25  \Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
25  \Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
25  \Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A
25  \Users\user\AppData\Local\Temp\realupdater.exe

File Hashes

    029a2c26e8a494af8982e6d6f01d952fb302b4328f5f927995518e74825e4f87

    04d01ea4e7604dded32b049f50d5314a16d2aeb248a57de86957a2bab3de9389

    0b2a5415bbe037ea8d6a8412a44cb9cc68a20b200cdbfe9a981f679bf767cdbf

    1618bd12a4cba0d704a6678402ee2e6b2d8efbac491f1ff8e560bb80ae59b28d

    1edb49c5fb38734124d41ac12bc25aaa2c707fa77f19a10c344aaf715bd35004

    299bc3f3c7fe16907258e4861b8a22069ae5ec057e7176fa544b1fe7f7826c85

    2b4addd319606f4ff523e188fe8757122c481880b70398da5fa0fa134f1629d5

    30f949b66be8d832cd184db555be5856549db60ffca7a7d0bc52a46866148bf3

    35c9f59e462aad4c8248bf7834d6830b7ecdaf6ddbb71ad46f69192ce1798b97

    40fd0fac6a9234b5cd257d2516ffa3b1003012a679ea0d0a0cd130d9fc45c61f

    42d80eb6517f896cd62911fcf15fe6cadb20645bc0396fea64e5704d70cf8780

    44df587d898240cb988e365217cd1c40efe05adcb3484486e717e684905c4c74

    459b54203f04b1280eb99b79989ec1e2162d1fdd0420cbca94eb405093e93fc2

    46bd9f2b560ef69aa47ebbf9c76c296db7ac004c4756df53960b124f93b520c1

    496c189704b5bb066a72c43404547563c05a0671147f3574f7ad33ffed800adc

    4a88d31de016793ca2f91ff255f2963578c1e06f0c33d9543124d96b78c98c4f

    59621f2d0cbb1cf1cfefa69c353063b2d4da5dfa69e860f5b2dcd3992e109863

    5b99b65774fe012120702dd3e18e6de7c9f5021f3b92890e9d174f8746572718

    5c60644c9c30cd1063e955215c0c3c2e2642cd0edd533a9f4f44af558536eb5f

    6aaaab9f02fef41f059e9f960124b2c93c47891933487bcb0c716fd118588c53

    6ee0bb83af8152b855200abe6abb9c90a995a1f4729eaa89a7fcba19a4ae9138

    72a37e39b5ab069d7a4421daac99908b66e0cadd177b6b030f3929c3d4e1ac22

    748312c452f206e375e5a7c87788aceaeefc87ae2d87ac1d47838a294270fff0

    74a5f590693972a24b71c839e93fae44bc2669761885532b4ef56d1c5413d800

    794a40ed486f9e594cc93e21181490843270d3be95d3c205470270ac53b9818e

*See JSON for more IOCs

Coverage (product: protection)
Secure Endpoint
Cloudlock: N/A
CWS
Email Security
Network Security
Stealthwatch: N/A
Stealthwatch Cloud: N/A
Secure Malware Analytics
Umbrella: N/A
WSA: N/A

Screenshots of Detection (images not reproduced): Secure Endpoint, Secure Malware Analytics, MITRE ATT&CK

Win.Malware.Zegost-9950579-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 24 samples (each line below gives the occurrence count, then the indicator)

Registry keys
24  <HKLM>\SYSTEM\CONTROLSET001\SERVICES (Value Name: MarkTime)
 8  <HKLM>\SYSTEM\CONTROLSET001\SERVICES.NET CLR (Value Name: Start)
 8  <HKLM>\SYSTEM\CONTROLSET001\SERVICES.NET CLR (Value Name: WOW64)
 8  <HKLM>\SYSTEM\CONTROLSET001\SERVICES.NET CLR (Value Name: ObjectName)
 8  <HKLM>\SYSTEM\CONTROLSET001\SERVICES.NET CLR (Value Name: Type)
 8  <HKLM>\SYSTEM\CONTROLSET001\SERVICES.NET CLR (Value Name: ErrorControl)
 8  <HKLM>\SYSTEM\CONTROLSET001\SERVICES.NET CLR (Value Name: FailureActions)
 8  <HKLM>\SYSTEM\CONTROLSET001\SERVICES.NET CLR
 8  <HKLM>\SYSTEM\CONTROLSET001\SERVICES.NET CLR (Value Name: ImagePath)
 3  <HKLM>\SYSTEM\CONTROLSET001\SERVICES\GHIJKL NOPQRSTU WXY (Value Name: Description)
 3  <HKLM>\SYSTEM\CONTROLSET001\SERVICES\GHIJKL NOPQRSTU WXY (Value Name: Start)
 3  <HKLM>\SYSTEM\CONTROLSET001\SERVICES\GHIJKL NOPQRSTU WXY (Value Name: DisplayName)
 3  <HKLM>\SYSTEM\CONTROLSET001\SERVICES\GHIJKL NOPQRSTU WXY (Value Name: WOW64)
 3  <HKLM>\SYSTEM\CONTROLSET001\SERVICES\GHIJKL NOPQRSTU WXY (Value Name: ObjectName)
 3  <HKLM>\SYSTEM\CONTROLSET001\SERVICES\GHIJKL NOPQRSTU WXY (Value Name: FailureActions)
 3  <HKLM>\SYSTEM\CONTROLSET001\SERVICES\GHIJKL NOPQRSTU WXY (Value Name: Type)
 3  <HKLM>\SYSTEM\CONTROLSET001\SERVICES\GHIJKL NOPQRSTU WXY (Value Name: ErrorControl)
 3  <HKLM>\SYSTEM\CONTROLSET001\SERVICES\GHIJKL NOPQRSTU WXY
 3  <HKLM>\SYSTEM\CONTROLSET001\SERVICES\GHIJKL NOPQRSTU WXY (Value Name: ImagePath)
 3  <HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.52896_64
 3  <HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.52896_64 (Value Name: Type)
 3  <HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.52896_64 (Value Name: Start)
 3  <HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.52896_64 (Value Name: ErrorControl)
 3  <HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.52896_64 (Value Name: ImagePath)
 3  <HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.52896_64 (Value Name: DisplayName)

Mutexes
15  APPEAL
 1  jjl
 1  Fzsxaa qhxipelt
 1  Youqoa kmkyygug
 1  Qgwuog aomyqkaa
 1  Pdbanw qhvhjvxh
 1  APPEAL1
 1  Uigeky qukkgyss
 1  Xaexdh aaxdgkiw
 1  Egsycs equwaaqa

IP addresses contacted by malware (does not indicate maliciousness)
 3  61[.]158[.]162[.]80
 2  113[.]4[.]133[.]2
 1  167[.]88[.]178[.]121
 1  108[.]166[.]210[.]197
 1  58[.]221[.]72[.]157
 1  142[.]91[.]147[.]25

Domain names contacted by malware (does not indicate maliciousness)
24  computer[.]example[.]org
24  wpad[.]example[.]org
11  vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com
10  vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com
 7  bronya[.]vip
 5  wk[.]hmxoo[.]com
 3  vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com
 3  apms[.]3322[.]org
 2  www[.]lfwll[.]com
 1  dos2[.]f3322[.]net
 1  www[.]mq8[.]top
 1  crgolf[.]cn

Files and/or directories created
23  %SystemRoot%\svchost.exe
23  %SystemRoot%\svchost.exe:Zone.Identifier
23  <random, matching '[0-9]{4}'>.vbs
 1  \0.vbs
 1  \728.vbs
 1  \604.vbs
 1  \32.vbs
 1  \592.vbs

File Hashes

    01d94202beb849a511ac054079bdbc806a703c775fcc357faeddcb088774aca7

    1166de11f2fa5ddd2342c71f65079476fa9973319892120496cbed384934cc7b

    28a9c684da50492969439147d5e8d171367228d70cf1a03bdb5959e592dcb9d6

    339c202dbd7c460cf60aa905c53e46166734ba9d778733645ce5999ad0c8eb42

    36562f62c98c617e708333586794ae2c829cac82f7b4d3ce84250e56e9e249f6

    36810270669372223e6e5b4996bd1e4585391e9b5804cfda6c22005da3a5378d

    3737e263a43a2d7a2e61067aaa129449f0968677501879a722fb1cf279b936d9

    430cdbbf7ce0ebb3a4106b4e911e8c8b84bea6ba30481737b236e669a06e4267

    5c33e0d47ad1499922d93572f49ee9052042522903969091761e01e553b296f2

    707d2335293fc7c2afc44150bf213829a3f6fa80e5501bf1067655b018ceed64

    70bddc44d2b439fa05ba8aaa5a9d376a89faa5977409a8dc7b384bac2d3f3f5d

    869888d5caff229ea4832499517c92afce0faa7d1c82fe86b6e4358bcc8ce5e8

    a0ec2e8bef49b70620b50aec3497d6b76748199b2c296b81a0d82bae4f8db9ca

    acd690f1a26faff8cc97c366c53140ba72a02d98e445010abbb956db14ddcaaf

    ad2b2195bced66b830c0b7f699e5655bae935b497c2a999259c4b4d8f5fa6886

    aef0c16eede2d7a420ca254634b8244438ea6819edfbc975891fbe1520e5058d

    c5b3155493d6eae7301cf98c41936997a6eef800808a7d1581116af7d76aa3ac

    e6959aebca28427c85da15b768a632556737d8a5f969b20175e2c03953d1c688

    e70e321bf76901adf114e3ff24d984a45df45a0497b81c544019fbb12a4fcdb5

    ee6db04f19d15ceadee81616bfa36f107addb0e198e1a5b42d8c510d6bdaa361

    ef8aefc7790f573b02775544dbe2c3f21412b8cb9148057700dfeb6f8dad23f1

    eff2282385d05bc0ebd2a50b2427934f2affe624418d6e24cb09c0cd7861ad3d

    f01fb0ffba87061033ac600b46514a3c44dfa82fef8aa2b0a9dfb2ca9045c2a2

    f20df3689096bf2097b709f962a81ca341528a86bc47751fbc27bef53fa40317

Coverage (product: protection)
Secure Endpoint
Cloudlock: N/A
CWS
Email Security
Network Security
Stealthwatch: N/A
Stealthwatch Cloud: N/A
Secure Malware Analytics
Umbrella: N/A
WSA: N/A

Screenshots of Detection (images not reproduced): Secure Endpoint, Secure Malware Analytics, MITRE ATT&CK

Win.Trojan.Qakbot-9950589-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples (each line below gives the occurrence count, then the indicator)

Registry keys
24  <HKCU>\SOFTWARE\MICROSOFT\DFWOFIK
24  <HKCU>\SOFTWARE\MICROSOFT\DFWOFIK (Value Name: bd63ad6b)
24  <HKCU>\SOFTWARE\MICROSOFT\DFWOFIK (Value Name: bf228d17)
24  <HKU>.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO
24  <HKU>.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO (Value Name: ff0b3567)
24  <HKU>.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO (Value Name: fd4a151b)
24  <HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\ProgramData\Microsoft\Ecrirfryzd)
24  <HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Users\Administrator\AppData\Roaming\Microsoft\Xtuou)
24  <HKU>.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO (Value Name: b5dd8adf)
24  <HKCU>\SOFTWARE\MICROSOFT\DFWOFIK (Value Name: f7b512d3)
24  <HKCU>\SOFTWARE\MICROSOFT\DFWOFIK (Value Name: 5dfca0e)
24  <HKCU>\SOFTWARE\MICROSOFT\DFWOFIK (Value Name: 88fc7d25)
24  <HKU>.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO (Value Name: 80425a91)
24  <HKU>.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO (Value Name: ca94e529)
24  <HKU>.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO (Value Name: 47b75202)
24  <HKCU>\SOFTWARE\MICROSOFT\DFWOFIK (Value Name: 79eea72)
24  <HKCU>\SOFTWARE\MICROSOFT\DFWOFIK (Value Name: 7a96a5f8)
24  <HKU>.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO (Value Name: 45f6727e)
24  <HKU>.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO (Value Name: 38fe3df4)
24  <HKCU>\SOFTWARE\MICROSOFT\DFWOFIK (Value Name: c22ac29d)

Mutexes
24  Global{06253ADC-953E-436E-8695-87FADA31FDFB}
24  {06253ADC-953E-436E-8695-87FADA31FDFB}
24  {357206BB-1CE6-4313-A3FA-D21258CBCDE6}
24  Global{280C5EDE-5A47-4F1C-97D3-B8CFE4CF258D}
24  {280C5EDE-5A47-4F1C-97D3-B8CFE4CF258D}

Domain names contacted by malware (does not indicate maliciousness)
25  wpad[.]example[.]org
22  computer[.]example[.]org
11  vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com
 6  vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com
 5  vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com

Files and/or directories created
24  %APPDATA%\Microsoft\Xtuou
24  %ProgramData%\Microsoft\Ecrirfryzd
 2  %System32%\Tasks\jrtvkqgfdp
 1  %System32%\Tasks\tzkuzukhs
 1  %System32%\Tasks\fznlifpu
 1  %System32%\Tasks\rurzcnma
 1  %System32%\Tasks\nhlrugtge
 1  %System32%\Tasks\dmshoolefk
 1  %System32%\Tasks\jriutcew
 1  %System32%\Tasks\usxxlulebb
 1  %System32%\Tasks\hyzyvsuv
 1  %System32%\Tasks\bodtdpu
 1  %System32%\Tasks\jizczmt
 1  %System32%\Tasks\iofajkh
 1  %System32%\Tasks\onvnwjekc
 1  %System32%\Tasks\gfapescmb
 1  %System32%\Tasks\kbepgqszn
 1  %System32%\Tasks\fxipsncza
 1  %System32%\Tasks\yytabed
 1  %System32%\Tasks\liwbmon
 1  %System32%\Tasks\pyiamen
 1  %System32%\Tasks\myvrcsdw
 1  %System32%\Tasks\ruivnzy
 1  %System32%\Tasks\tubdxfvau
 1  %System32%\Tasks\evfzyhv

File Hashes

    080d33d769ff2c3d103174031d146d606bb0cb57a8fffaa18b4818b512e15c46

    09cb67546950ba43047a6f5b905a86c5c69227f47f20ed1f0813b43263c3785c

    0ba375c981e7c4c77a4acbac918f3fad9de61faae59905258aa051777be2c046

    12408009ac27b79c45fbab67e7db0b59b4bb83da75957d7d62b796d2c67e4975

    127be625c27c9744b4cb42986fcf44000f7e80a3287047b6bf86eca37bd2dbac

    151c33f7cc6970eb9d6cf8d1bc6f3c34899aea570381712a1059688478097693

    19b39a1b4c58ccac0452f3d6df742e6fccd597c2d0c88fd0c3b427e10166fab5

    3478d293fa3ecd86461ffd74e37c579f678d7df8bee270b020a987572a50b1d0

    6a72e49b7fb08cb91c8023a0a0d228f5dfca22a14f2a8ece1fdd82c510f389f4

    6c9ac84b13412ef8bed642d1efa2a6d249ce68b13aa7127a5e03b1ebd47f4efb

    6f521101d25678de9ff7444efca2c45b2fe198e37332322fb696a3fb7a916823

    70d18ef177da17c393fcc62c398a52ba808f849786a0faf24985066122b10d68

    7c8320812c0c1c634d9c6a425e057fc045d0bccccd0165712348cbe757db653b

    976aeff3a8234476c9757b3ad85be23a1d453e5d3960652d53e0c8c1ba3a531f

    9826e849283d91ed226ba5ca9175795344352a8e26db24e68e22b39d303f2424

    9a3686674c39ed0fd41b8f833aa9aa53a72451f4cf3def546643112b6aac97a3

    a0da59ba26601ffbc5d04527c6cc7a8beed97ea97c52df7fb498e429618a3bd3

    a0e9c9bbd5717e2510416977201c65868f73c805f7e4c38495fa766bef4ece9b

    a1686f0c5c2a8e3abd68cc2aaadc5a37456458089738c3775a8edb4ec76fe958

    a3ec040f43b7374bb1f00c32700119847dae3763c191c174d48e5e26c2d9ef49

    a96ff0b409b0155e9c0aeb2a7a1c4416e8e836dec3a4aa09d88f4f5f2f9a59bb

    c02f6c468924b34ade33d3e940ead79be5a68fce12ea7a227e2a4bba300f02a5

    c14031bddf471d354211f9f9341c716e5a5860e7ecc128de82afc37bbd2a96af

    c572d59193ce0a3c286c80a74490d240c8f6fd130b387f7dd9553f419dc56b2f

    d5a6e983c273a9a052574325259822d49512da45f9ada076ed53015c80d1e1d4

*See JSON for more IOCs

Coverage (product: protection)
Secure Endpoint
Cloudlock: N/A
CWS
Email Security
Network Security: N/A
Stealthwatch: N/A
Stealthwatch Cloud: N/A
Secure Malware Analytics
Umbrella: N/A
WSA: N/A

Screenshots of Detection (images not reproduced): Secure Endpoint, Secure Malware Analytics, MITRE ATT&CK

Win.Malware.Razy-9950612-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples (each line below gives the occurrence count, then the indicator)

Registry keys
25  <HKLM>\SYSTEM\CONTROLSET001\SERVICES\VSS\DIAG\VSSAPIPUBLISHER
25  <HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\USERDS
25  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS (Value Name: 2d17e6)
25  <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: IntelPowerAgent13)
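The registry tables in this post mix high-value entries (the Razy `CURRENTVERSION\RUN` value above, the Qakbot Windows Defender exclusion paths, the Zegost service definitions) with per-sample random key names that mean little on their own. The following Python is an added example, not code from the Talos post: it parses the "Registry Keys" block in the exact layout printed in this roundup (key line, optional indented `Value Name:` line, bare occurrence count), tags each entry with a persistence or defense-evasion label using regular expressions chosen here (an assumption, not Talos' classification), and pulls out Defender exclusion paths so they can be hunted as file paths, since for the `EXCLUSIONS\PATHS` key the value name is the excluded path. The sample block is copied from the Razy, Qakbot and Zegost tables on this page.

```python
import re
from typing import NamedTuple, Optional


class RegistryIoc(NamedTuple):
    key: str
    value_name: Optional[str]
    occurrences: int


def parse_registry_iocs(text: str) -> list:
    """Parse a 'Registry Keys' block as printed in the roundup.

    Each entry is a key line starting with '<HK', an optional indented
    'Value Name: ...' line, and a bare integer occurrence count.
    """
    entries, key, value = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("<HK"):
            key, value = line, None
        elif line.startswith("Value Name:"):
            value = line[len("Value Name:"):].strip()
        elif line.isdigit() and key is not None:
            entries.append(RegistryIoc(key, value, int(line)))
            key, value = None, None
        # any other line (a section header, for instance) is ignored
    return entries


# Classification rules chosen for this example; checked in order, first match wins.
RULES = (
    (re.compile(r"\\WINDOWS DEFENDER\\EXCLUSIONS\\", re.I),
     "defense evasion: Windows Defender exclusion"),
    (re.compile(r"\\CURRENTVERSION\\RUN(ONCE)?$", re.I),
     "persistence: Run key autostart"),
    (re.compile(r"\\SERVICES\\[^\\]+$", re.I),
     "persistence: service definition"),
)


def classify(entry: RegistryIoc) -> str:
    """Label an entry by its key path; random per-sample keys stay unclassified."""
    for pattern, label in RULES:
        if pattern.search(entry.key):
            return label
    return "unclassified"


def exclusion_paths(entries) -> list:
    """Excluded paths written under Defender's EXCLUSIONS key (the value name is the path)."""
    return [e.value_name for e in entries
            if classify(e).startswith("defense evasion") and e.value_name]


def triage(text: str) -> list:
    """(label, occurrences, key, value_name) rows, classified entries first, most frequent first."""
    rows = [(classify(e), e.occurrences, e.key, e.value_name)
            for e in parse_registry_iocs(text)]
    return sorted(rows, key=lambda r: (r[0] == "unclassified", -r[1], r[2]))


# Constructed excerpt copied from the Razy, Qakbot and Zegost tables in this post.
SAMPLE_REGISTRY_IOCS = r"""
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: IntelPowerAgent13

25

<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS

        Value Name: C:\ProgramData\Microsoft\Ecrirfryzd

24

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.52896_64

        Value Name: ImagePath

3

<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK

        Value Name: bd63ad6b

24
"""

if __name__ == "__main__":
    for label, n, key, value in triage(SAMPLE_REGISTRY_IOCS):
        print(f"[{label}] x{n} {key}" + (f" -> {value}" if value else ""))
    print("Defender exclusions to hunt as paths:", exclusion_paths(SAMPLE_REGISTRY_IOCS and parse_registry_iocs(SAMPLE_REGISTRY_IOCS)))
```

The excluded path returned here, `C:\ProgramData\Microsoft\Ecrirfryzd`, is the same directory that appears in Qakbot's "Files and/or directories created" table, which is the kind of cross-table link worth checking before treating a single indicator as meaningful.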

Mutexes
25  2d17e659d346
 8  98b59d04000007a0
 8  98b59d0b000007a0
 6  98b59d0b00000760
 6  98b59d0400000760
 4  98b59d0b000005ac
 4  98b59d04000005ac
 2  98b59d0b000007bc
 2  98b59d04000007bc
 2  98b59d0400000234
 2  98b59d0b00000234
 1  98b59d0b000006b0
 1  98b59d0b000004ec
 1  98b59d0b0000079c
 1  98b59d040000079c
 1  98b59d04000006b0
 1  98b59d04000004ec

IP addresses contacted by malware (does not indicate maliciousness)
25  31[.]13[.]65[.]36
25  157[.]240[.]2[.]35
25  157[.]240[.]2[.]174
25  31[.]13[.]65[.]174
25  162[.]125[.]248[.]18
25  12[.]153[.]224[.]22
25  17[.]253[.]144[.]10
25  138[.]197[.]63[.]241
11  104[.]244[.]42[.]1
11  140[.]82[.]113[.]4
10  140[.]82[.]112[.]3
 9  172[.]67[.]141[.]102
 8  104[.]21[.]41[.]17
 7  13[.]107[.]4[.]50
 7  20[.]103[.]85[.]33
 7  20[.]53[.]203[.]50
 6  72[.]21[.]81[.]240
 6  140[.]82[.]113[.]3
 6  20[.]84[.]181[.]62
 5  140[.]82[.]114[.]4
 5  23[.]221[.]72[.]41
 4  140[.]82[.]114[.]3
 3  209[.]197[.]3[.]8
 3  20[.]81[.]111[.]85
 2  20[.]112[.]52[.]29
*See JSON for more IOCs

Domain names contacted by malware (does not indicate maliciousness)
25  github[.]com
25  microsoft[.]com
25  twitter[.]com
25  instagram[.]com
25  facebook[.]com
25  download[.]windowsupdate[.]com
25  dropbox[.]com
25  etrade[.]com
25  icloud[.]com
25  python[.]org
25  sendspace[.]com
25  wpad[.]example[.]org
21  computer[.]example[.]org
21  cdn[.]digicertcdn[.]com
10  vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com
 8  vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com
 5  vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com
 3  windowsupdatebg[.]s[.]llnwi[.]net

Files and/or directories created
25  \Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
25  \Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
25  \Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
25  \Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A
25  %TEMP%\2d17e659d34601689591
25  \Users\user\AppData\Local\Temp\65a7ba9885b9ed5d98fb
25  \Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\74FBF93595CFC8459196065CE54AD928
25  \Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\74FBF93595CFC8459196065CE54AD928
21  \Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
21  \Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
 1  %TEMP%\rrg8FCA.tmp.bat
 1  %ProgramData%\2d82d0406b.exe
 1  %TEMP%\mbt5069.tmp.bat
 1  %ProgramData%\bf6jjj2bj6.exe
 1  %TEMP%\sxx11F7.tmp.bat
 1  %TEMP%\ektD62.tmp.bat
 1  %ProgramData%\40dfh6hbd0.exe
 1  %TEMP%\kks2075.tmp.bat
 1  %ProgramData%\h04fjf0f4.exe
 1  %TEMP%\wbe2FC3.tmp.bat
 1  %ProgramData%\dd24b22f68.exe
 1  %TEMP%\tii127D.tmp.bat
 1  %ProgramData%\6dfh26hdb.exe
 1  %TEMP%\ldt7B80.tmp.bat
 1  %ProgramData%\bbfj4fhj80.exe

*See JSON for more IOCs

File Hashes

    18ee3f1aa87930381c08be6b1265fa6ce96802528c319a9421d6836eb0eaf6b6

    256d2a981895d7571e7a8487dcdb22a15ac4da676156cfd998a003b15a0b9ef8

    27d33499047b98a15fa6bea859f83308e1b7c2f4d08330dcaaa050d6f11ed81b

    283977145a129fabde4321fd2551e1837e8e3e11e1b6ee7b6f52ab486875356f

    2881007599ebd28af75ae82cd8a908dba72fe55451718a0ee6fba55aa871e6d5

    28daa8d1fe18bbd9ac7565bbc0cf64480ce5ce5241564f1571299eaa4bd3f192

    362e58c8a3f41f656de671ce9ec0aab32e0f551a244744aff53388c58fc4a6e2

    399f262d92079f2ffecf0fcb16829620c05deab661bf5c6783b5ba3ae362f448

    41b11c06a7b8fb5d150b000be312d14192c3bbed2f5223e8f8100004ef7d3769

    41c32d860c96e3ed10747ae31b44c923037d1285ed59555c6056cd5d945bc835

    5448e82c3d4e1b46d6f0f77762d1ee2ff2aebd10333475e2b95e269f37a0c74b

    5489417e8b65281a8c91c86bbeee1d0730e30db31ade1453d9b75e8eb74ae0e7

    57e55994a83b9dfaadd43d8e4b0bd64b5af7d9d89b4d911ba8abdae6259f049f

    5acc61f6ce684068fe6f07ce1e0636ac82498a816058083c44601f26ccb7e850

    63f0cee4f9bc1e9186a85684bd57b9b74ccdac7031ccb9d58b064b960b1a227d

    71957a63cf8a7387d640ef4f29b1285db34432c053b56048a660912ad5c868f2

    79e1510f7caeeb6249bc2d2064f2b9c5aebb438ebf97e4d24791c090258112c0

    7c4f0c7a3f02b3f3dc335e5f4bcab2b1902696ce749498dc9e4681ff1ae8b574

    883fcb50f17c3e54e7f04aa8b38894119ba6baace124426030119b580fed33a9

    8a4d8ba8bcf91642892e946437a3471848b6dad25d80f7a6f6d4f4cf05b24b00

    9d6ce349ae7a92237eafbbd66687e784e78f50c5cc92a22afe09a2971f9724d6

    a9bc9070ba0b1f3cc6ca78e24ea830524cc5a9821c857f2ebc98bc74fabe7b4e

    ae5233f7947ccc7339a4d3beee2ab2d82d82ee445df4010b87a9e30585f0a73d

    bc873e9989a8343cd09b3b15c76a9c863c10489023c1340ac00db4df23ed50e1

    bfafe7f6c07945cb86bb8f0c340745a723c54cbe7eb841e7a2261f46e65e28cc

*See JSON for more IOCs

Coverage (product: protection)
Secure Endpoint
Cloudlock: N/A
CWS
Email Security
Network Security
Stealthwatch: N/A
Stealthwatch Cloud: N/A
Secure Malware Analytics
Umbrella: N/A
WSA: N/A

Screenshots of Detection (images not reproduced): Secure Endpoint, Secure Malware Analytics, MITRE ATT&CK

Win.Dropper.Lokibot-9951022-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 22 samples (each line below gives the occurrence count, then the indicator)

Mutexes
16  3749282D282E1E80C56CAE5A
 7  3BA87BBD1CC40F3583D46680
 2  Global\2acec4a1-e064-11ec-b5f8-00501e3ae7b6
 1  Global\2a3af0e1-e064-11ec-b5f8-00501e3ae7b6
 1  Global\2ac2ddc1-e064-11ec-b5f8-00501e3ae7b6
 1  Global\2a33ccc1-e064-11ec-b5f8-00501e3ae7b6

IP addresses contacted by malware (does not indicate maliciousness)
 7  185[.]6[.]242[.]251
 4  20[.]189[.]173[.]20
 1  52[.]168[.]117[.]173

Domain names contacted by malware (does not indicate maliciousness)
15  wpad[.]example[.]org
14  computer[.]example[.]org
 7  vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com
 5  clientconfig[.]passport[.]net
 5  lidgeys[.]ru
 4  vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com
 4  onedsblobprdwus15[.]westus[.]cloudapp[.]azure[.]com
 3  vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com
 3  dunysaki[.]ru
 3  joanread[.]ru
 2  windowsupdatebg[.]s[.]llnwi[.]net
 2  papgon10[.]ru
 1  onedsblobprdeus16[.]eastus[.]cloudapp[.]azure[.]com
 1  kkeyvenus[.]ru
 1  finelets[.]ru
 1  topreadz[.]ru

Files and/or directories created
16  %APPDATA%\D282E1
16  %APPDATA%\D282E1\1E80C5.lck
16  %APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5
15  %APPDATA%\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP<original file name>.exe
 9  \Users\user\AppData\Roaming\7C7955\5D4644.lck
 9  \Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1160359183-2529320614-3255788068-500\a18ca4003deb042bbee7a40f15e1970b_24e2b309-1719-4436-b195-573e7cb0f5b1
 7  %APPDATA%\D1CC40\0F3583.hdb
 7  %APPDATA%\D1CC40\0F3583.lck
 7  %APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-1258710499-2222286471-4214075941-500\a18ca4003deb042bbee7a40f15e1970b_8f793a96-da80-4751-83f9-b23d8b735fb1
 6  %APPDATA%\D1CC40\0F3583.exe (copy)
 6  %HOMEPATH%\Start Menu\Programs\Startup\runme.exe
 1  %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\e9bcad9e3ac008d92f850aba4e1a3766.exe
 1  %HOMEPATH%\Start Menu\Programs\Startup\310159487.exe
 1  \Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\518892792.exe
 1  \Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\518892788.exe
 1  \Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\518892792.exe:Zone.Identifier
 1  \Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\518892788.exe:Zone.Identifier
 1  \Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\518892796.exe
 1  \Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\518892796.exe:Zone.Identifier
 1  \Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\518892798.exe
 1  \Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\518892798.exe:Zone.Identifier
 1  \Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\518892808.exe
 1  \Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\518892808.exe:Zone.Identifier
 1  \Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\518892828.exe
 1  \Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\518892828.exe:Zone.Identifier

*See JSON for more IOCs

File Hashes
    09ea5b984463b26a7add02ad67824c07941bbc239bc2f0e71e5c142a34c18807
    137faab254c696beb4df6ae048df1aa357f99c8b971165976f5e6607860208c7
    145b991f227a3acea6c5477c254d60777509a6dcde022ca64a00af8cd02fa94f
    18789ef5ed7b260c3690efc855172a471f2a131f2e02b51a5d4b9e602028e792
    1c239c93412dde6819df95cec672c700b90ebcaed3d25d9488013fdb6f356fa4
    205d242fd827be9f0166d7ead7848415c20b444efdd9215c8b06d76eafe9a42e
    21a7eaf27631ab8812694f9d5ff503c67209e2ce3647e94390d3ac5645294fd8
    3abf86fa62e846b483801d7a1d0ab4e87d52aba252e51b7abc3da0637a7eac86
    424609c7866fdabf02755893989974e265f748978151d4c44b8e1925466441bf
    5da51e8697445e0bbccd8d0352b0b14d8119a600210a04d35031e02b673baade
    6dbdda86125dbb2bfda34eb9d7d3bf1b870f3b3dd9892f66540e88842c6338cb
    6de68b1f1d7a5bdbf2d4fa20cb951bccfcb42d48cabc6b4892392319241a465d
    74a860b98c643e4472e85899e51ff0f7fe61eee086348028f9cc084b6980b7f9
    74d5bea6ee23c98a3eeeaa5355614b60c737c0b48f90a1511110c8634edfc047
    92bba937071cf7de59ab3a55f5eddcdcaec0bebebebcf98695c26772eb40b590
    93ccee7943d0a8765a9a3c6404781a287eb871b7ea1cea87fd567ae6980be070
    b87d1649548cad5a6374f3c7eb9baa1f222ac875ddf14bebc435436aa8ff4cf5
    bb50fbdf8e758f6101641a08096354c729e7d8939841af2645f1148d6020bac0
    e37da90176eb325abf9ae936087c6978a2da144ceed8032a7cd899f4055ce47f
    ed7d5047b5e87c6885aadf452b40c0e22cd13e5428a2cfa18c90089e680d4173
    f220311b5486b038905be7785c28a9a908a0d085e4ae71efe81ffc54e47bb32e
    ff401215413c59bc54a00e6f8981f70a2a34ffdbe25a652690f6002b4c0fd9bc

Coverage

Product    Protection ((icon) = coverage indicator image in the original table)
Secure Endpoint    (icon)
Cloudlock    N/A
CWS    (icon)
Email Security    (icon)
Network Security    N/A
Stealthwatch    N/A
Stealthwatch Cloud    N/A
Secure Malware Analytics    (icon)
Umbrella    (icon)
WSA    (icon)

Screenshots of Detection
[image: Secure Endpoint]
[image: Secure Malware Analytics]

MITRE ATT&CK
[image: ATT&CK technique map]

Win.Dropper.Dridex-9951129-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 21 samples

Registry Keys    Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{690D1BD7-EA98-1004-3AC9-E87553700E95}    21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{690D1BD7-EA98-1004-3AC9-E87553700E95}\SHELLFOLDER    21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{63FC4996-AFD5-E391-06A7-EFB6E2702561}    21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{63FC4996-AFD5-E391-06A7-EFB6E2702561}\SHELLFOLDER    21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10CDDA71-B745-777B-1AF7-51696DB9BB93}    21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10CDDA71-B745-777B-1AF7-51696DB9BB93}\SHELLFOLDER    21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{CFD6D5E6-02FB-7433-9261-E8E1B87CAC69}    21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{CFD6D5E6-02FB-7433-9261-E8E1B87CAC69}\SHELLFOLDER    21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{8BAB5812-9D02-8F14-74B1-BEDE393F8C1F}    21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{8BAB5812-9D02-8F14-74B1-BEDE393F8C1F}\SHELLFOLDER    21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10DF83AD-199B-9C18-3FEF-E4ECD6A42F66}    21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10DF83AD-199B-9C18-3FEF-E4ECD6A42F66}\SHELLFOLDER    21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{1AD90FE5-CE2F-E8B8-CF09-E0B1912E9542}    21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{1AD90FE5-CE2F-E8B8-CF09-E0B1912E9542}\SHELLFOLDER    21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{05ED06D6-F422-71CC-26B3-C9964D56F645}    21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{05ED06D6-F422-71CC-26B3-C9964D56F645}\SHELLFOLDER    21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{98B09642-2764-54AE-3333-D8C6CA536428}    21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{98B09642-2764-54AE-3333-D8C6CA536428}\SHELLFOLDER    21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{63D99860-AA40-CA79-F681-9DECBEF55447}    21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{63D99860-AA40-CA79-F681-9DECBEF55447}\SHELLFOLDER    21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{D4B277A3-C25E-BCDE-A054-D41AAC36394B}    21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{D4B277A3-C25E-BCDE-A054-D41AAC36394B}\SHELLFOLDER    21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{FE9DE6BC-A4CF-8285-E73C-DFE7A08197FE}    21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{FE9DE6BC-A4CF-8285-E73C-DFE7A08197FE}\SHELLFOLDER    21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{B11CF2E2-C0C2-7860-F12E-428101DCB963}    21

Mutexes    Occurrences
{ac5b642b-c225-7367-a847-11bdf3a5e67c}    21
{24d07012-9955-711c-e323-1079ebcbe1f4}    21
{a2c9c140-d256-a4d5-6465-f62a6660f79e}    21
{a8af557b-6de9-c774-28f4-5c293f1b1769}    21
{b570fe85-587a-a133-ffc9-73821a57c0c1}    21
{<random GUID>}    5

Domain Names contacted by malware (does not indicate maliciousness)    Occurrences
computer[.]example[.]org    21
wpad[.]example[.]org    21
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com    12
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com    6
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com    3

Files and/or directories created    Occurrences
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5    21
%System32%\Tasks\Ryddmbivo    21
%APPDATA%\Microsoft\Document Building Blocks\fuZP4    1
%APPDATA%\Adobe\Acrobat\9.0\JavaScripts\je70TvwCCP    1
%APPDATA%\Microsoft\Outlook\OND    1
%APPDATA%\Microsoft\Windows\Templates\w1KDXJGwsH    1
%APPDATA%\Microsoft\Access\GbpgKJG    1
%APPDATA%\Microsoft\Templates\LiveContent\Managed\Document Themes\Ho0UjJdx    1
%APPDATA%\Microsoft\Office\ibjy    1
%APPDATA%\Microsoft\Templates\LiveContent\Managed\Document Themes\tp0XaAdg    1
%APPDATA%\Microsoft\Windows\Recent\CustomDestinations\Z3apT9BqiI    1
%APPDATA%\Microsoft\SystemCertificates\My\CTLs\vvgivIKnG    1
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\KL    1
%APPDATA%\Microsoft\Templates\LiveContent\Managed\Word Document Building Blocks\PStcp    1
%APPDATA%\Macromedia\Flash Player\#SharedObjects\kYo    1
%APPDATA%\Macromedia\Flash Player\oZb    1
%APPDATA%\Microsoft\AddIns\hsl    1
%APPDATA%\Adobe\Acrobat\4uI    1
%APPDATA%\Microsoft\Office\zNM    1
%APPDATA%\Microsoft\Credentials\tcv    1
%APPDATA%\Media Center Programs\Eokg    1
%APPDATA%\Microsoft\Internet Explorer\dEZwfLqKSa4    1
%APPDATA%\Identities\yV3hWM    1

File Hashes
    0b48278ff7a8ddb1294db87b6012a292ab7b56ff42ed37d6456e879f4aedce05
    1c8912deebb6a9b8f083f1f52d7aef831d0a9b5e8f5c1f7996252b30c638772d
    2c525f8506900d650c0afb99e98c4761a78eaf059698a1a94f7b597edc4c10cf
    35851fc0b01a976fa6f133a8e8646f8414deca9800906538eb3ca06e35b69727
    3f9fbb09401cf4d1b336e6474c998ca05c9bd5f9593048a91efb9b7dca5d185b
    46b8c52581aef3a919238de483810142f02e25a09e655282674ee4efb16c3687
    47c97178aba658ed6b9ed796e10cec832545ce3f8f58b47db79029bf0a1cf0fd
    4fb7f7c01c1e7db94a72dbbc5c73456332187364ea289b36f24436b67ee05410
    6ca85bb4acd17833dd44c64c98463fef474b513c3a262a8a8d0a1e66e088e6da
    7f29f5afe87b2f4aef7ba228d88d9f9e12c249710474d1703e1d4688c8a9bec9
    84203f6000f9888a61221c51e8b9443b9fc4acd05b8c95305d8e4907d4e52e82
    84fdd91182e470a3d49388cebf51a5e7ea88a7bd69e684e0e897285878b0d761
    8ebd98981f96b82af89d9c26cc0ffc3406f74f2b1cbe2a8f7d0aaa1701918e3b
    a4dd3d62927b557f1076711b8675f094458b33d4c95178df2d6465abb0b48cac
    ae265ec250881fdd46908355506bb1ba775cfebf619869b7409d49c1e03e96e4
    af2c1487508f61ea4eba94322c7e164d0befc80d5858d157ed8621e7620d6271
    c2af14dd3cfa398630d3107841bec33b511330a6a5a0439e5fe4cd16ad202da6
    cfeedf481b6f95c8af9007d8eec015444c6245725856876f6dc972f1dc56ae92
    d8cb4ee5018b9845ebf4de71f318d7f415ad4369ffac89ce306f48cf6a0665b3
    df1bb863633dcbe6ce9cd7ce99b3c0267896a44c3b31921767ad4b4525f13cdd
    fb66b9a97ed668bcc58f0540be9881109f142b867947d7f2e3213d9775967d2e

Coverage

Product    Protection ((icon) = coverage indicator image in the original table)
Secure Endpoint    (icon)
Cloudlock    N/A
CWS    (icon)
Email Security    (icon)
Network Security    N/A
Stealthwatch    N/A
Stealthwatch Cloud    N/A
Secure Malware Analytics    (icon)
Umbrella    N/A
WSA    N/A

Screenshots of Detection
[image: Secure Endpoint]
[image: Secure Malware Analytics]

MITRE ATT&CK
[image: ATT&CK technique map]

Win.Virus.Xpiro-9951191-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 15 samples

Registry Keys    Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC (Value Name: Start)    15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND (Value Name: Start)    15
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER (Value Name: HideSCAHealth)    15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV (Value Name: Start)    15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32 (Value Name: Type)    15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64 (Value Name: Type)    15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32 (Value Name: Type)    15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32 (Value Name: Start)    15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MOZILLAMAINTENANCE (Value Name: Type)    15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MOZILLAMAINTENANCE (Value Name: Start)    15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\OSE (Value Name: Type)    15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\OSE (Value Name: Start)    15
<HKLM>\SOFTWARE\MICROSOFT\SECURITY CENTER\SVC\S-1-5-21-2580483871-590521980-3826313501-500    15
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SYSTEM (Value Name: EnableSmartScreen)    15
<HKLM>\SOFTWARE\MICROSOFT\SECURITY CENTER\SVC\S-1-5-21-2580483871-590521980-3826313501-500 (Value Name: EnableNotifications)    15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32 (Value Name: Start)    15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ALG (Value Name: Start)    15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MICROSOFT SHAREPOINT WORKSPACE AUDIT SERVICE (Value Name: Start)    15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELL FOLDERS (Value Name: Startup)    15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\USER SHELL FOLDERS (Value Name: Startup)    15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64 (Value Name: Start)    15
<HKLM>\SOFTWARE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\STATE (Value Name: AccumulatedWaitIdleTime)    15
<HKLM>\SOFTWARE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\LISTENEDSTATE (Value Name: RootstoreDirty)    15
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\STATE (Value Name: AccumulatedWaitIdleTime)    15
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\LISTENEDSTATE (Value Name: RootstoreDirty)    15

Mutexes    Occurrences
Global\mlbjlegc    15

IP Addresses contacted by malware (does not indicate maliciousness)    Occurrences
64[.]70[.]19[.]203    3
35[.]205[.]61[.]67    3
69[.]16[.]231[.]59    3

Domain Names contacted by malware (does not indicate maliciousness)    Occurrences
computer[.]example[.]org    15
wpad[.]example[.]org    15
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com    9
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com    6
xezlifewvupazah[.]ws    3
amonuwezed-picriv[.]ws    3
r8decub-ydyg[.]ru    3
juwlewrifithal[.]in    3
r8gefa-bugin[.]com    3
ytocmoxjedkiciten[.]biz    2
upojawnixly-muro[.]cc    2
cakydofytipi[.]biz    2
aremumhumydoc[.]in    2
r8kegy-bikav[.]com    2
r8myjo-boneb[.]com    2
r8pykyb-aquh[.]ru    2
aninamilixif[.]ws    1
cemalykda-miw[.]biz    1
ujylyvpi-ziboj[.]in    1
cekhupovoxijyr[.]com    1
r8symi-betop[.]com    1
ynurefhynxavdu[.]net    1
ybatihowvusxuwlu[.]ws    1
libhitzumiwahod[.]com    1
otoqovacutebo[.]ws    1
*See JSON for more IOCs

Files and/or directories created    Occurrences
%CommonProgramFiles(x86)%\microsoft shared\Source Engine\OSE.EXE    15
%ProgramFiles(x86)%\Microsoft Office\Office14\GROOVE.EXE    15
%ProgramFiles(x86)%\Mozilla Maintenance Service\maintenanceservice.exe    15
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe    15
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe    15
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe    15
%System32%\alg.exe    15
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.log    15
%SystemRoot%\SysWOW64\svchost.exe    15
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock    15
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat    15
%LOCALAPPDATA%\rqboqelc    15
%LOCALAPPDATA%\rqboqelc\cmd.exe    15
%System32%\<random, matching '[a-z]{8}'>.tmp    15
%SystemRoot%\microsoft.net\framework\v2.0.50727\<random, matching '[a-z]{8}'>.tmp    15
%SystemRoot%\microsoft.net\framework64\v2.0.50727\<random, matching '[a-z]{8}'>.tmp    15
%SystemRoot%\microsoft.net\framework\v4.0.30319\<random, matching '[a-z]{8}'>.tmp    15
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe    13
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log    13
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock    13
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat    13
%SystemRoot%\microsoft.net\framework64\v4.0.30319\<random, matching '[a-z]{8}'>.tmp    13
%SystemRoot%\Microsoft.NET\ngenservice_pri1_lock.dat    7
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log    6
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat    6
*See JSON for more IOCs
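The host artefacts in this section are what an endpoint detection would key on: the Xpiro samples write the Start value of the wscsvc, WinDefend and wuauserv services and the EnableSmartScreen and HideSCAHealth policy values (ATT&CK T1562.001), Dridex drops a scheduled task definition under %System32%\Tasks (T1053.005), and the first family in this section copies itself into the Startup folder, Zone.Identifier stream included (T1547.001). The following Python triage routine is an added example, not Talos code or output from the post. It runs over constructed Sysmon-style records (EventID 11 file creates, EventID 13 registry value sets) whose target paths mirror the artefacts listed above; the writing process names and the DWORD data (Start=4, which is SERVICE_DISABLED, EnableSmartScreen=0, HideSCAHealth=1) are assumptions, since the post lists only key and value names, not the data written.

```python
import re
from typing import List, Optional, Tuple

# Constructed Sysmon-style events for this example (EventID 11 = FileCreate,
# EventID 13 = RegistryValueSet). Target paths mirror artefacts from the roundup;
# the "image" processes and the DWORD data are assumptions, not from the post.
SAMPLE_EVENTS: List[dict] = [
    {"id": 13, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "target": r"HKLM\SYSTEM\ControlSet001\Services\wscsvc\Start", "details": "DWORD (0x00000004)"},
    {"id": 13, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "target": r"HKLM\SYSTEM\ControlSet001\Services\WinDefend\Start", "details": "DWORD (0x00000004)"},
    {"id": 13, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\System\EnableSmartScreen", "details": "DWORD (0x00000000)"},
    {"id": 13, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth", "details": "DWORD (0x00000001)"},
    # Start=2 (SERVICE_AUTO_START) written by services.exe: recorded, but low severity
    {"id": 13, "image": r"C:\Windows\System32\services.exe",
     "target": r"HKLM\SYSTEM\ControlSet001\Services\wuauserv\Start", "details": "DWORD (0x00000002)"},
    {"id": 11, "image": r"C:\Users\user\Desktop\invoice.exe",
     "target": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\518892792.exe"},
    {"id": 11, "image": r"C:\Users\user\Desktop\invoice.exe",
     "target": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\518892792.exe:Zone.Identifier"},
    {"id": 11, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\System32\Tasks\Ryddmbivo"},
    {"id": 11, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "target": r"C:\Users\user\AppData\Local\rqboqelc\cmd.exe"},
    # Benign noise seen in the Ursnif runs: must produce no finding
    {"id": 11, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Users\user\AppData\Local\Temp\JavaDeployReg.log"},
]

# Patterns derived from the artefact names in the roundup (case-insensitive).
SERVICE_START = re.compile(r"\\services\\(wscsvc|windefend|wuauserv)\\start$", re.I)
SMARTSCREEN = re.compile(r"\\policies\\microsoft\\windows\\system\\enablesmartscreen$", re.I)
HIDE_SCA = re.compile(r"\\policies\\explorer\\hidescahealth$", re.I)
STARTUP_EXE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.exe$", re.I)
STARTUP_ADS = re.compile(r"\\start menu\\programs\\startup\\[^\\]+:zone\.identifier$", re.I)
TASK_FILE = re.compile(r"\\system32\\tasks\\[^\\]+$", re.I)
STAGED_CMD = re.compile(r"\\appdata\\local\\[a-z]{8}\\cmd\.exe$", re.I)
SERVICE_DISABLED = 4  # Start value meaning the service never starts


def reg_dword(details: Optional[str]) -> Optional[int]:
    """Parse the number out of Sysmon's 'DWORD (0x00000004)' Details field."""
    m = re.search(r"0x([0-9a-f]+)", details or "", re.I)
    return int(m.group(1), 16) if m else None


def classify_event(ev: dict) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) when an event matches a roundup artefact, else None."""
    target = ev["target"]
    if ev["id"] == 13:
        val = reg_dword(ev.get("details"))
        m = SERVICE_START.search(target)
        if m:
            sev = "high" if val == SERVICE_DISABLED else "low"
            return sev, f"T1562.001 service {m.group(1)} Start set to {val}"
        if SMARTSCREEN.search(target) and val == 0:
            return "high", "T1562.001 SmartScreen disabled through policy key"
        if HIDE_SCA.search(target) and val == 1:
            return "medium", "T1562.001 Security Center warnings hidden (HideSCAHealth=1)"
    elif ev["id"] == 11:
        if STARTUP_EXE.search(target):
            return "high", "T1547.001 executable dropped in Startup folder"
        if STARTUP_ADS.search(target):
            return "low", "Zone.Identifier written with Startup drop (file kept mark-of-the-web)"
        if TASK_FILE.search(target):
            return "medium", "T1053.005 scheduled task definition written"
        if STAGED_CMD.search(target):
            return "high", "cmd.exe copy staged under random 8-letter %LOCALAPPDATA% directory"
    return None


def triage(events: List[dict]) -> List[dict]:
    """Keep only the events that produced a finding, with the originating process attached."""
    findings = []
    for ev in events:
        hit = classify_event(ev)
        if hit:
            findings.append({"severity": hit[0], "reason": hit[1],
                             "image": ev["image"], "target": ev["target"]})
    return findings


def severity_counts(findings: List[dict]) -> dict:
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] {f['reason']}\n         {f['image']} -> {f['target']}")
```

The service-Start rule fires on any write, because a change from disabled back to automatic is also worth seeing in an incident timeline; only Start=4 is rated high. Real Sysmon events carry the same three fields used here (Image, TargetObject, Details), so the patterns transfer directly to a SIEM query.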

File Hashes
    08192d725e7bd147063a0c7135e0b6f05cd98a951b1566ca0a9dfe15add6e885
    100442c45e98fc7dc4ed219220b686b91c768e201a034cf68a70bb97bf86919b
    1660136631e8abdfadee79379a06b0720dd9406785ce790fe16e9d61a64de490
    1e3d7338b17bd0bd74889181b26b5217b0ec2e5dec3bfafe1fc9856425f6932e
    3e6e28303a08a0bf5816bffdcd67efffc97d99dee17dc76ed428e1064c2a0d08
    5bf7645e7d1285b2a31b3a407671b8900633dd508fff1ec245f6c9d641a92729
    5d27b7f281b030e61928622f354492e9f4371bc0b6927f9c5cdd13dcc1492a11
    5dc7add9b95734aaa42a145808b33788c5c2d5fdcf5d9ee17f14c94e61e4717a
    6be768dbf71c9296d49b33b49b8ee06a64f99f7df066fea73df276d9fb223869
    7374ed5366c8ebcf453f7462c2d7e465ad027b439dbfeb1fa8b19dd67988e48d
    74071fb7e226d6da8bf89ccdd30b09360dbc3b07895266a0aaf681907ae4aabb
    921e3a9001d2d238ac63abde0087e87a683df6fa37368bb6b3c66167aaf53e9e
    9da1250112f5c782a21b2974780ed44dfd82bdb71eb4e588a9faab7e5a30a40a
    d50589a7a29bdd8448c0fc9a18106ce84550bb568b8179158918ed862833c3f8
    db4f220570c51012b0c86069b7d7dda7d7ca7e52ae5583efdbe52d3bff7b0119

Coverage

Product    Protection ((icon) = coverage indicator image in the original table)
Secure Endpoint    (icon)
Cloudlock    N/A
CWS    (icon)
Email Security    (icon)
Network Security    N/A
Stealthwatch    N/A
Stealthwatch Cloud    N/A
Secure Malware Analytics    (icon)
Umbrella    N/A
WSA    N/A

Screenshots of Detection
[image: Secure Endpoint]
[image: Secure Malware Analytics]

MITRE ATT&CK
[image: ATT&CK technique map]

Win.Packed.Ursnif-9951199-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples

Registry Keys    Occurrences
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A} (Value Name: FaviconPath)    25
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A} (Value Name: Deleted)    25
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES (Value Name: DefaultScope)    25
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159    25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\STARTPAGE (Value Name: StartMenu_Balloon_Time)    1

IP Addresses contacted by malware (does not indicate maliciousness)    Occurrences
142[.]251[.]35[.]174    25
142[.]251[.]40[.]164    23
13[.]107[.]21[.]200    13
13[.]107[.]22[.]200    4
172[.]253[.]122[.]105    1
172[.]253[.]122[.]106    1
131[.]253[.]33[.]200    1

Domain Names contacted by malware (does not indicate maliciousness)    Occurrences
www[.]bing[.]com    25
www[.]google[.]com    25
google[.]com    25
majavontehm[.]com    25
wpad[.]example[.]org    22
bstacyr79ea[.]com    22
scandace79yy[.]com    22
computer[.]example[.]org    21
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com    11
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com    7
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com    3
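Every family in this roundup resolves the same analysis-environment names (computer and wpad under example[.]org, the vmss-prod-* Azure hostnames) and, in the Ursnif runs, search-engine front ends, alongside its real callbacks, which is why the tables carry the caveat that a contacted name does not by itself indicate maliciousness. The following Python helper is an added example and not part of the Talos post. It refangs the post's `[.]` notation, separates sandbox and public-service names from candidate command-and-control domains, validates SHA256 strings before they go into a hash blocklist, and counts hits for the candidates against a constructed BIND-style DNS query log. Which names count as noise is analyst judgement encoded in the SANDBOX_NOISE and PUBLIC_SERVICES lists, and the log lines are constructed; both are assumptions rather than data from the post.

```python
import re
from collections import Counter
from typing import Iterable, List

# Subset of the domain IOCs listed in this roundup, in the post's defanged form.
ROUNDUP_DOMAINS = [
    "majavontehm[.]com", "bstacyr79ea[.]com", "scandace79yy[.]com",      # Ursnif
    "xezlifewvupazah[.]ws", "r8decub-ydyg[.]ru", "juwlewrifithal[.]in",   # Xpiro
    "joanread[.]ru", "papgon10[.]ru", "windowsupdatebg[.]s[.]llnwi[.]net",
    "www[.]google[.]com", "wpad[.]example[.]org", "computer[.]example[.]org",
    "vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com",
    "onedsblobprdeus16[.]eastus[.]cloudapp[.]azure[.]com",
]

# Analyst judgement (assumption, not from the post): names every sample resolves
# because of the analysis environment or ordinary Windows/browser behaviour.
SANDBOX_NOISE = (
    re.compile(r"(^|\.)example\.org$"),                                # RFC 2606 reserved; WPAD lookups from the sandbox domain
    re.compile(r"^vmss-prod-[a-z]+\.[a-z]+\.cloudapp\.azure\.com$"),  # analysis infrastructure
)
PUBLIC_SERVICES = (
    re.compile(r"(^|\.)google\.com$"),
    re.compile(r"(^|\.)bing\.com$"),
    re.compile(r"\.llnwi\.net$"),                        # Limelight CDN hostname used by Windows Update
    re.compile(r"^onedsblob.*\.cloudapp\.azure\.com$"),  # Microsoft telemetry endpoint
)


def refang(s: str) -> str:
    """Turn the post's defanged 'x[.]y' notation back into a resolvable name."""
    return s.replace("[.]", ".").strip().lower()


def classify_domain(domain: str) -> str:
    d = refang(domain)
    if any(p.search(d) for p in SANDBOX_NOISE):
        return "sandbox-noise"
    if any(p.search(d) for p in PUBLIC_SERVICES):
        return "public-service"
    return "candidate"


def candidate_domains(iocs: Iterable[str]) -> List[str]:
    """Refanged, de-duplicated names that survive the noise filters."""
    return sorted({refang(d) for d in iocs if classify_domain(d) == "candidate"})


def valid_sha256(h: str) -> bool:
    """Reject anything that is not 64 hex characters before it reaches a blocklist."""
    return re.fullmatch(r"[0-9a-f]{64}", h.strip().lower()) is not None


# Constructed BIND-style query log lines for the example; not real traffic.
SAMPLE_DNS_LOG = """\
03-Jun-2022 10:01:12.001 queries: info: client 10.0.4.21#51234: query: majavontehm.com IN A + (10.0.0.53)
03-Jun-2022 10:01:12.530 queries: info: client 10.0.4.21#51235: query: www.google.com IN A + (10.0.0.53)
03-Jun-2022 10:01:13.002 queries: info: client 10.0.4.21#51236: query: wpad.example.org IN A + (10.0.0.53)
03-Jun-2022 10:03:44.118 queries: info: client 10.0.7.9#50001: query: r8decub-ydyg.ru IN A + (10.0.0.53)
03-Jun-2022 10:03:45.900 queries: info: client 10.0.7.9#50002: query: mail.corp.example IN A + (10.0.0.53)
03-Jun-2022 10:09:01.220 queries: info: client 10.0.4.21#51300: query: majavontehm.com IN A + (10.0.0.53)
"""

QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN ")


def match_dns_log(log_text: str, iocs: Iterable[str]) -> Counter:
    """Count (client, qname) pairs whose qname is a candidate IOC or a subdomain of one."""
    wanted = candidate_domains(iocs)
    hits: Counter = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        q = m.group("qname").lower().rstrip(".")
        if any(q == w or q.endswith("." + w) for w in wanted):
            hits[(m.group("client"), q)] += 1
    return hits


if __name__ == "__main__":
    for d in ROUNDUP_DOMAINS:
        print(f"{classify_domain(d):15} {refang(d)}")
    for (client, qname), n in match_dns_log(SAMPLE_DNS_LOG, ROUNDUP_DOMAINS).items():
        print(f"{client} queried {qname} {n}x")
    print(valid_sha256("02026a0800d9250cc1ab7800e5fe1cbe52d314aa343bfc501db631caf244e45b"))
```

The sandbox and CDN names are kept in the output as labelled classes rather than dropped, so an analyst can still see them when reconciling a hit against the occurrence counts; only the candidate class feeds the log match.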

Files and/or directories created    Occurrences
\Users\user\AppData\Local\Temp\JavaDeployReg.log    22
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml    22
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml    22
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml    22
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml    22
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml    22
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml    22
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml    22
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml    22
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml    22
\Users\user\AppData\Local\Microsoft\Windows\INetCache\SQM\iesqmdata0.sqm    22
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FNF9BE4O\errorPageStrings[1]    22
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FNF9BE4O\httpErrorPagesScripts[1]    22
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OSZC6DKG\httpErrorPagesScripts[1]    22
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\XN0IX3V7\NewErrorPageTemplate[1]    22
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\XN0IX3V7\errorPageStrings[1]    22
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PCALSGUV\dnserror[1]    22
\Users\user\AppData\Local\Microsoft\Windows\INetCache\SQM\iesqmdata7.sqm    22
\Users\user\AppData\Local\Microsoft\Windows\INetCache\SQM\iesqmdata8.sqm    22
\Users\user\AppData\Local\Microsoft\Windows\INetCache\SQM\iesqmdata9.sqm    22
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PCALSGUV\errorPageStrings[1]    20
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\XN0IX3V7\httpErrorPagesScripts[1]    20
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PCALSGUV\NewErrorPageTemplate[1]    20
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PCALSGUV\NewErrorPageTemplate[2]    20
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OSZC6DKG\dnserror[1]    20
*See JSON for more IOCs

File Hashes
    02026a0800d9250cc1ab7800e5fe1cbe52d314aa343bfc501db631caf244e45b
    08312dc7fff85efa7353c7e487192baf668e2f92c7f9ac9ff0c1247ad3090a8b
    09491e3d33e2e33cfb98444540303515ef53f9a696c4d3414fa536fca9ada520
    0de4389b1f30a43527c774f29678d631142024f8d6ef122f984b552a3c3317fd
    2f8a551307ace49fccc081af6bbaf8967096288315ead6943d08e0921f66d839
    2fe90d9f1e04c6f69e2a9eb799d819edcfb91d6d02628b40266c58cf87ddfb69
    325675f49ae2106619e40bc186ee5c9ff9768b5f906a128ef1d8a4ca29b9d2fb
    40ace2f85fad0bfff2053b91f0b0a43311fd96ae36087d66d00674c999c578da
    50036f51b9f83d505f9a734965869ae9baf9a35cc4883dc54815a72d2e47b0aa
    59c0b810474716b15ae32d0f437136229c549dedd3a3175cf1cf67273227bec2
    5da11a64cbcb1c42c573c2a384dc3dba8d7fd0c55ecc5c2149bea70c1ac48625
    63a8b12243ce334d510fd3c895f6f823ef69bfb948509b6ff61c29a8a20af7b6
    64a06175a39350faa6fd4d66a043c4800827cfc4538c86ecbe4f8cf5ab74939c
    8ebade300f795e27af297f9b1b0283ed16e6cf636a144e011fffd6443df5b964
    908a4dd5c64e85fcc981c27aaf6d5185aa3c48d8e580fff7ea09017bc6f79e93
    9332743a0d5727ddd4ef4331b1adb50af56fd981f31a186eed102b9b0a408ab9
    97f9a61ea2208931a4256942fbfc2da6ce296b432e3718b433fd28ab5f731e93
    98c43e05b8c023cc7cf034e0e1d4e58ee8865970d5e274e655f16cc4fdd0e9bc
    a8a960c81c5a7c89693ea0a5716234154f7c0202a405d732992d6318699d8739
    ad240b34d5007bea85c4e68df6c973f5ad9f2ac09837d0db807d22ee62ed0309
    ae74f6872fd170050faed34966314d27a7daef9182090590672bef41ad6f7b97
    b46ba86c660d468294c8dfab1649e2b4d6f132b332ac8b89a3e8ae65ae525ce1
    b5da6bb3a84da8b8c029025448c744f4bb78ba0731cf4c46339f9dab09695488
    b94c8ffcd81ae2fd3d9f9c6e5ce6b1c87b39837a2bfa2ba33568e44609ba3f26
    caa6aa3ebf655fb0ef444780e0a8a36812cfef09f1bf2185052a6404157a913f
*See JSON for more IOCs

Coverage

Product    Protection ((icon) = coverage indicator image in the original table)
Secure Endpoint    (icon)
Cloudlock    N/A
CWS    (icon)
Email Security    (icon)
Network Security    (icon)
Stealthwatch    N/A
Stealthwatch Cloud    N/A
Secure Malware Analytics    (icon)
Umbrella    (icon)
WSA    (icon)

Screenshots of Detection
[image: Secure Endpoint]
[image: Secure Malware Analytics]

MITRE ATT&CK
[image: ATT&CK technique map]
