Headline
Threat Roundup for May 13 to May 20
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between May 13 and May 20. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics,…
[[ This is only the beginning! Please visit the blog for the complete entry ]]
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between May 13 and May 20. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.
The most prevalent threats highlighted in this roundup are:
Threat Name
Type
Description
Win.Ransomware.Cerber-9950163-0
Ransomware
Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension “.cerber,” although in more recent campaigns other file extensions are used.
Win.Dropper.Tofsee-9950166-0
Dropper
Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and send large volumes of spam messages to infect additional systems and increase the size of the botnet under the operator’s control.
Win.Ransomware.TeslaCrypt-9950169-0
Ransomware
TeslaCrypt is a well-known ransomware family that encrypts a user’s files with strong encryption and demands Bitcoin in exchange for a file decryption service. A flaw in the encryption algorithm was discovered that allowed files to be decrypted without paying the ransomware, and eventually, the malware developers released the master key allowing all encrypted files to be recovered easily.
Win.Dropper.Zegost-9950175-0
Dropper
Zegost is a remote access trojan designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. Zegost appears to be derived from Gh0stRAT, which is a well-known remote access trojan that had its source code leaked, thus significantly lowering the barrier to entry for actors looking to modify and reuse the code in new attacks.
Win.Dropper.TrickBot-9950187-1
Dropper
TrickBot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns, many of which rely on downloaders for distribution, such as VB scripts.
Win.Dropper.Dridex-9950227-0
Dropper
Dridex is a well-known banking trojan that steals credentials and other sensitive information from an infected machine.
Win.Dropper.Ursu-9950236-0
Dropper
Ursu is a generic malware that has numerous functions. It contacts a C2 server and performs code injection in the address space of legitimate processes. It can persist on the targeted machine while collecting confidential data and spreads via email.
Win.Dropper.Zusy-9950260-0
Dropper
Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as “explorer.exe” and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
Threat Breakdown****Win.Ransomware.Cerber-9950163-0****Indicators of Compromise
- IOCs collected from dynamic analysis of 18 samples
Mutexes
Occurrences
Global<random guid>
17
shell.{381828AA-8B28-3374-1B67-35680555C5EF}
1
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
20[.]189[.]173[.]22
6
104[.]208[.]16[.]94
4
20[.]42[.]65[.]92
3
20[.]189[.]173[.]20
2
65[.]55[.]50[.]0/27
1
192[.]42[.]118[.]0/27
1
194[.]165[.]16[.]0/22
1
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
computer[.]example[.]org
16
wpad[.]example[.]org
16
clientconfig[.]passport[.]net
15
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com
7
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com
6
onedsblobprdwus17[.]westus[.]cloudapp[.]azure[.]com
6
windowsupdatebg[.]s[.]llnwi[.]net
6
onedsblobprdcus16[.]centralus[.]cloudapp[.]azure[.]com
4
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com
3
onedsblobprdeus17[.]eastus[.]cloudapp[.]azure[.]com
3
onedsblobprdwus15[.]westus[.]cloudapp[.]azure[.]com
2
Files and or directories created
Occurrences
%TEMP%\d19ab989\4710.tmp
1
%TEMP%\d19ab989\a35f.tmp
1
\Users\user\AppData\Local\Temp\24e2b309\4436.tmp
1
\Users\user\AppData\Local\Temp\WAXA44B.tmp
1
\Users\user\AppData\Local\Temp\WAX9CC5.tmp
1
File Hashes
097bab110d14c71480d7e3ace073a043b9c60cf442557d0cdeb438ef5019e93f
13e37ac660c60a1c788db8e1f4b64175b598fdb82382263a3406af1ededb46ca
1b97e3b2e8debc617bb89a002c5991cac51988c4864511b14832fb37b9c8f1bd
2a6f74d550c4e116f55ea73d9e752e9c2351e3042891dda914e22f68772dbcf5
2c0595bb1e93372bd6695f9a3b77b4166d3fa85bdb6acb427c1f327ce6c4f968
2f19a95adff3dc7c1c4cd23d277088b682d480c116f4ca9be90ef350a0705791
3f8ad607849adc67a227334dd99a31bd94a91d433b7266f0c816d8783a7e6c6d
4898229c51886c6a14330244e65f1f68780e971c1213a06590d649876e729dff
496e1641958d82aed327436ae39910507f81145f6faa1b260bf8e8b39bf8a24b
500e5534d73659779300c88cf8d479dab0cb434037eec277ea6cefdabde44053
593ecbd1773f20df0bc13d604006e0feb1a576cf3170c66807ae1f8459db1345
7e92f39c54eb42fdb0d5983d08f2bb1047e53dfc0a823f223a06cd5e3f9e51ff
835ce5de87d80ab9a7be0449236dd1efa73a7f1dd770150224694c486257cd60
8bdc1fceb0f0525c568940a07fda504ae6d8e9e2fb4a29dbb0be172d3fa2d228
9066a9ef24b43a9a7fc64b47315972b2048c6ec643717522e56632327775d800
9a69d4802add64156ce6a7fb089f106d34f5b559398caa12bc2fe223e4ea4411
e48197d5206ffba045e0fbd77d64bb8fb6b3a515515ce4fa3f4ee89c9aa7faf5
fd43f3c4b33d5294c4f342fc63a0dd50449e436c3674e18ea6cfb3a3df766df3
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
N/A
WSA
N/A
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.Tofsee-9950166-0****Indicators of Compromise
- IOCs collected from dynamic analysis of 23 samples
Registry Keys
Occurrences
<HKU>.DEFAULT\CONTROL PANEL\BUSES
6
<HKU>.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config2
6
<HKU>.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config0
6
<HKU>.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config1
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES<random, matching '[A-Z0-9]{8}’>
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES<random, matching '[A-Z0-9]{8}’>
Value Name: Type
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES<random, matching '[A-Z0-9]{8}’>
Value Name: Start
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES<random, matching '[A-Z0-9]{8}’>
Value Name: ErrorControl
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES<random, matching '[A-Z0-9]{8}’>
Value Name: DisplayName
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES<random, matching '[A-Z0-9]{8}’>
Value Name: WOW64
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES<random, matching '[A-Z0-9]{8}’>
Value Name: ObjectName
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES<random, matching '[A-Z0-9]{8}’>
Value Name: Description
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES<random, matching '[A-Z0-9]{8}’>
Value Name: ImagePath
5
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\vexvpfkl
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\ajcaukpq
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\nwpnhxcd
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\tcvtndij
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\pyrpjzef
1
Mutexes
Occurrences
Global<random guid>
8
eZkOWkQUpHINngy
2
3749282D282E1E80C56CAE5A
1
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
142[.]250[.]80[.]100
6
213[.]91[.]128[.]133
6
91[.]243[.]33[.]5
6
45[.]8[.]229[.]39
6
91[.]243[.]33[.]254
6
31[.]41[.]244[.]81
6
31[.]41[.]244[.]82/31
6
31[.]41[.]244[.]84/31
6
31[.]13[.]64[.]174
5
157[.]240[.]2[.]174
4
31[.]13[.]65[.]174
4
142[.]251[.]16[.]94
4
144[.]76[.]136[.]153
4
185[.]28[.]21[.]161
4
185[.]237[.]206[.]60
4
45[.]61[.]139[.]224
4
94[.]228[.]125[.]39
4
157[.]240[.]21[.]63
3
13[.]107[.]42[.]14
3
40[.]93[.]207[.]0/31
3
142[.]250[.]65[.]206
3
172[.]253[.]63[.]100/31
3
20[.]81[.]111[.]85
3
13[.]107[.]21[.]200
2
104[.]47[.]54[.]36
2
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
wpad[.]example[.]org
22
computer[.]example[.]org
20
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com
8
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com
7
249[.]5[.]55[.]69[.]bl[.]spamcop[.]net
6
249[.]5[.]55[.]69[.]cbl[.]abuseat[.]org
6
249[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net
6
249[.]5[.]55[.]69[.]in-addr[.]arpa
6
249[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org
6
249[.]5[.]55[.]69[.]zen[.]spamhaus[.]org
6
microsoft-com[.]mail[.]protection[.]outlook[.]com
6
microsoft[.]com
6
www[.]google[.]com
6
fastpool[.]xyz
6
z-p42-instagram[.]c10r[.]instagram[.]com
6
niflheimr[.]cn
6
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com
5
www[.]instagram[.]com
4
monsutiur4[.]com
4
moroitomo4[.]net
4
cucumbetuturel4[.]com
4
nusurionuy5ff[.]at
4
susuerulianita1[.]net
4
nunuslushau[.]com
4
linislominyt11[.]at
4
*See JSON for more IOCs
Files and or directories created
Occurrences
%SystemRoot%\SysWOW64\config\systemprofile
6
%SystemRoot%\SysWOW64\config\systemprofile:.repos
6
%System32%\config\systemprofile:.repos
6
%SystemRoot%\SysWOW64<random, matching '[a-z]{8}’>
6
%TEMP%<random, matching '[a-z]{8}’>.exe
5
%LOCALAPPDATA%\Yandex
2
%LOCALAPPDATA%\Yandex\YaAddon
2
%APPDATA%\D282E1
1
%APPDATA%\D282E1\1E80C5.lck
1
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5
1
\Users\user\AppData\Roaming\7C7955\5D4644.lck
1
%TEMP%\lpirrbt.exe
1
\Users\user\AppData\Local\Temp\chsdcrzz.exe
1
\Users\user\AppData\Local\Temp\hvpzjxig.exe
1
\Users\user\AppData\Local\Temp\ryjmawye.exe
1
\Users\user\AppData\Local\Temp\suabilhj.exe
1
\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\518498962.exe.log
1
\Users\user\AppData\Local\Temp\uunshlaq.exe
1
\Users\user\AppData\Roaming\seefbbw
1
\Users\user\AppData\Roaming\seefbbw:Zone.Identifier
1
\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\518498972.exe.log
1
\Users\user\AppData\Local\Temp\kytvupuy.exe
1
File Hashes
0128d3cd5e43f6c3b0cd02071b65e9cb890e0d46e39dfa692b5757fceef6de52
09142589a0d5714b93156097b04b4b9b0b4f3fdd562a9a936b82952e86bd7eac
09d2706b754c07905f8dcfc8497d2cbcbbf1e2b51166b239a8f9861a5eb5898f
0ec1a04906159d42df0e3c952329b732fa758a24c064ef248055bca3a9d75779
293b7655279232c282a3e7e14a6cf1b5ff1c84773df337d00dd2c140b32a4574
3df7d9ca51264ebdbc270c89cb4c17ed00ba6426422e238e8c4301e3a0bb8435
40ac8ee866c7c98fdb53a46358ea0f4593f22f3fffaf7dda5496d55988949913
47bef109565da06b2c0e833ca715e09dab49cc58f00e02c3e1142cab98460b3a
4b5f4d97a4f13acd4f01191e0c34b370b707ce9c6b02283856b533aedbe9b988
4bdb55e73d8d688509059548da8fa1eb44a1719162fc8827695be6328b804121
5c673d6ad74a8948bea00e8d2e5e81f22a85e2ba26a04ed94a48d68a7d263fd5
60b8c692bf90e9d7ab729fee8c0a15fdfee61f130e787c194201f9c1abcbb787
754f5f353698ca45eceabc1a45de34de02c420155ffa7a0ccddbd04847c90882
8217573107ca562e7357b8347ad0ac44ecbbf70590ebca3f620aeed5ab051210
93320251dbc76cad5a48f60782e92516732eb806e516cd8dab43c81987419b90
a20c4b8fdca84480e1217d4339528cbf5b25785a22f39934e49256d92e37249c
a8e48126fb0c74db25aa1a68ad0e2a24b356cb92fa3d16e55decc9580a264b76
ad32fffc0d98178964b5a55300f870125ad6f40dbdfe724e4f6043ae7d4945fc
bbd91da105ea52d6251c733f6d1ed8ea2819f29091e5f50c6a1fc54d2d0fc4c5
c61c4c3ae816c6e9d9632e472bf58cf388569144390049651c438df9e8f6d792
c8b077322778bc87119ce0bce5f1db70bf6596260bc8c2f6ffd0f301fcaa2123
dc8f108a2030ecbbf5be79df305d02839fc1192d262e20faec834a0ac9ac05f3
ef78da2e9386931b44c99e0136e0ae13ff3d158434dd1a0288e09119ab9d9274
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
WSA
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Ransomware.TeslaCrypt-9950169-0****Indicators of Compromise
- IOCs collected from dynamic analysis of 15 samples
Registry Keys
Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLinkedConnections
15
<HKCU>\SOFTWARE\ZSYS
15
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159
15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0
Value Name: CheckSetting
15
<HKCU>\SOFTWARE\ZSYS
Value Name: ID
15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Acrndtd
15
<HKCU>\Software<random, matching '[A-Z0-9]{14,16}’>
15
<HKCU>\Software<random, matching '[A-Z0-9]{14,16}’>
Value Name: data
15
\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\7C\52C64B7E
1
Mutexes
Occurrences
2134-1234-1324-2134-1324-2134
15
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
198[.]185[.]159[.]144
15
213[.]185[.]87[.]28
15
35[.]195[.]98[.]220
15
34[.]117[.]59[.]81
15
23[.]218[.]119[.]73
10
99[.]83[.]153[.]108
9
75[.]2[.]26[.]18
6
96[.]6[.]30[.]95
5
20[.]189[.]173[.]22
5
20[.]42[.]65[.]92
2
104[.]208[.]16[.]94
2
20[.]189[.]173[.]20
2
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
myexternalip[.]com
15
garrityasphalt[.]com
15
gjesdalbrass[.]no
15
grassitup[.]com
15
www[.]garrityasphalt[.]com
15
www[.]godaddy[.]com
15
kochstudiomaashof[.]de
15
testadiseno[.]com
15
diskeeper-asia[.]com
15
wpad[.]example[.]org
13
clientconfig[.]passport[.]net
13
computer[.]example[.]org
12
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com
6
onedsblobprdwus17[.]westus[.]cloudapp[.]azure[.]com
5
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com
3
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com
3
onedsblobprdeus17[.]eastus[.]cloudapp[.]azure[.]com
2
onedsblobprdcus17[.]centralus[.]cloudapp[.]azure[.]com
2
onedsblobprdcus16[.]centralus[.]cloudapp[.]azure[.]com
2
onedsblobprdwus15[.]westus[.]cloudapp[.]azure[.]com
2
Files and or directories created
Occurrences
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500$I08BO8F.xlsx
15
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500$I11KHR4.doc
15
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500$I5QKHLN.doc
15
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500$I62TWBD.ppt
15
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500$I6FZORX.doc
15
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500$IABMX83.pdf
15
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500$IAJ2Y6R.pdf
15
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500$IALGTCS.xlsx
15
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500$IGTBBSA.accdb
15
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500$IH49RPF.ppt
15
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500$IH71GGR.ppt
15
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500$IJKODPH.pdf
15
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500$IJP965K.accdb
15
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500$IKY5R3M.pdf
15
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500$IMYCSIT.pdf
15
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500$ISLP722.doc
15
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500$IXLC77A.pdf
15
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500$IXUL2U1.doc
15
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500$IYSR1FU.ppt
15
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500$IZ2GMJW.XLSX
15
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500$R08BO8F.xlsx
15
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500$R11KHR4.doc
15
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500$R5QKHLN.doc
15
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500$R62TWBD.ppt
15
$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500$R6FZORX.doc
15
*See JSON for more IOCs
File Hashes
10cb592686b6d293baaeb9258dbc9d026024dcadbb89fbe0966a8456b5011408
181a39b9477057e050e6b88583ffb21bc4b94a8783030735ee8ee677a9986e2a
235e75a04e4622be8e18ab647a77a87a65a0b33dd0a9edf07e5ada784dc32bb5
282e1666932d8debcc4ab86746e6791d49fd972582b2778062616d52a8866a96
291aab875adf6ae867713b06cd7e7456e395324d5de067a9e578441a39a7af3b
7192125799cce7c0f89dbcdaf9617d3884664f474e9e101458dd53bbefa20427
77f8d351f3f9b27c42ddd98965269e809e0b864571013240bc3f1e6c7cd51ddd
8fcafc56c480b5b6492aa5b4882f7b4351e0113b5c20fa69f73db0b2d9dbc82a
a536cc094459b15044b7030ae665be94f01b9ce5467ff254af170d742e935be1
ad80dffea369021f6234c5f95daf448972bbcfa28faeaba5ae7edb34e2e11486
b261d6b8833f07990a69c4f88cdd54f703f465d162a6b1c3acf95561a17890b2
b57ca40eab68c52c47e979fae218dcb91cb833caeadd53538695b12f5f70c51c
b89b656a2ce0c5f6f1a37f39b86096551eb04551bb352a651c03732d2b2b501f
c8748a99549d45eff46cc2cd6687d257478ecad14a5a8a0436e96d48315267cf
db24a3909701a11d90c3655edf5b4fffc2e73b4938f21ea705036b1446fe7440
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
N/A
WSA
N/A
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
Umbrella
MITRE ATT&CK
Win.Dropper.Zegost-9950175-0****Indicators of Compromise
- IOCs collected from dynamic analysis of 18 samples
Registry Keys
Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSSQKG RCQYYDRO
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSSQKG RCQYYDRO
Value Name: ConnectGroup
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSSQKG RCQYYDRO
Value Name: MarkTime
7
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Wseguk cwuesiso
4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SUPERPROSERVER
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SUPERPROSERVER
Value Name: ConnectGroup
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SUPERPROSERVER
Value Name: MarkTime
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSIZJB RKWHKRGW
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSIZJB RKWHKRGW
Value Name: ConnectGroup
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSIZJB RKWHKRGW
Value Name: MarkTime
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Mocyoq mcsggysa
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SUPERPROSERVER
Value Name: Type
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SUPERPROSERVER
Value Name: Start
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SUPERPROSERVER
Value Name: ErrorControl
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SUPERPROSERVER
Value Name: DisplayName
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SUPERPROSERVER
Value Name: WOW64
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SUPERPROSERVER
Value Name: ObjectName
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SUPERPROSERVER
Value Name: ImagePath
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SUPERPROSERVER
Value Name: FailureActions
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SUPERPROSERVER
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSSQKG RCQYYDRO
Value Name: Type
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSSQKG RCQYYDRO
Value Name: Start
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSSQKG RCQYYDRO
Value Name: ErrorControl
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSSQKG RCQYYDRO
Value Name: ImagePath
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSSQKG RCQYYDRO
Value Name: DisplayName
1
Mutexes
Occurrences
Global\208c2121-d2ec-11ec-b5f8-00501e3ae7b6
1
Global\1ffd1021-d2ec-11ec-b5f8-00501e3ae7b6
1
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
60[.]191[.]97[.]139
1
118[.]193[.]164[.]207
1
122[.]114[.]57[.]137
1
183[.]26[.]161[.]58
1
121[.]41[.]227[.]197
1
221[.]199[.]59[.]161
1
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
gunnima[.]f3322[.]net
3
yxt1[.]f3322[.]net
1
ykykvip[.]6655[.]la
1
luoyewuhenscf[.]oicp[.]net
1
mahluk[.]f3322[.]org
1
Files and or directories created
Occurrences
%ProgramFiles(x86)%\Microsoft <random, matching [A-Z][a-z]{5}>
13
%ProgramFiles(x86)%\Microsoft Nofhor\Oueo.exe
7
<random, matching '[0-9]{4}’>.vbs
7
%ProgramFiles(x86)%\Microsoft Paqbot\aaccamq.exe
2
%SystemRoot%\Terms.EXE
1
%ProgramFiles(x86)%\Microsoft Gtdnht\Njzunsj.exe
1
%ProgramFiles(x86)%\Microsoft Fangyu\zhudongfangyu.exe
1
%ProgramFiles(x86)%\Microsoft Ynxqoq\Kiawggg.exe
1
%ProgramFiles(x86)%\Microsoft Ooscua\Wuyqmsa.exe
1
File Hashes
0e8d746ad396f3858e609b2a0cbfd41676c01ff7283bfcb9fb5e644b0c393874
144808022fa3f37b6532831390a8ebb11fd20ac239f0e468c6d8556957a0a32e
1632b7601eccb92cafe93b2ee1970f55c4305311165ef5088e55988aad2cf8a8
2ff02aef8a9ac75bed7e7bed931dac733cd2f310d50f1596eb6eb7de0b3d5628
3aa1e8a0cd1c08cf7ef80494693362083b6fe90d51feab94fd14dd3f003cd035
58d989e1903389b8fc0de808ead8343ac127a95daa4131776a518ad287526c30
64fac0ae2ed8c9e6c646a81ef171dcd078d1dbe43a55f66fa5676323b694ebe1
66db7cb8cd374153e5c534bfd1afe7f5e590960dcc37d3602e0620452812d456
70019a9e401cb30d30e82a7c4da4464ea826fb5ad7a673008874557ea1932809
732a581bbd232a5eed7034c898cb0c834af01e5dbdd79cd7a241151c8d7debeb
745dbcda3f3e84c1eed438ceafd129726864db1a39a33eddbc92f41bd7e5c5de
83c10e8e26234eb9657cc1d3d498723dfc4ad1f26161a622acbaf008b0b794fc
84c14436a6aa2dfd9b779c188d67d2b83d06e217f1f9756493367e1954cb4f91
8d2f20364ec1950e904d23c689a1984842cce89c4fe341395ae50f68237042fd
b18fea368891dc8969a304c6b00bcd952f10295ef7cb69a3ac8981848415612c
c6f7a82efbd4a77f830b527f892fb1ee5bcfe6e611143c7ab0a2e1632437ce05
c92c7bf31bca7ff667a24e34911b94bcbe40e931b056740f010961c1bd4c6933
d5008f73d6e0a70f7e5b20848d3bcced444f8900041d9f85fda0194fa2e008c0
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
N/A
WSA
N/A
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.TrickBot-9950187-1****Indicators of Compromise
- IOCs collected from dynamic analysis of 33 samples
Registry Keys
Occurrences
<HKCU>\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS
33
<HKCU>\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS\CODEWIZARD VERSION 1.0
33
<HKCU>\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS\CODEWIZARD VERSION 1.0\RECENT FILE LIST
33
<HKCU>\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS\CODEWIZARD VERSION 1.0\SETTINGS
33
<HKU>.DEFAULT\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS
14
<HKU>.DEFAULT\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS\CODEWIZARD VERSION 1.0
14
<HKU>.DEFAULT\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS\CODEWIZARD VERSION 1.0\RECENT FILE LIST
14
<HKU>.DEFAULT\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS\CODEWIZARD VERSION 1.0\SETTINGS
14
Mutexes
Occurrences
GLOBAL{<random GUID>}
33
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
51[.]254[.]164[.]244/31
18
185[.]14[.]30[.]134
13
172[.]245[.]156[.]138
10
200[.]21[.]51[.]38
9
5[.]255[.]96[.]218
9
178[.]156[.]202[.]228
8
185[.]17[.]123[.]90
8
185[.]14[.]30[.]152
8
185[.]20[.]185[.]76
7
181[.]140[.]173[.]186
7
45[.]148[.]120[.]153
7
5[.]182[.]210[.]226
6
181[.]112[.]157[.]42
6
23[.]62[.]6[.]170
6
5[.]255[.]96[.]217
6
190[.]214[.]13[.]2
5
23[.]62[.]6[.]161
5
92[.]38[.]171[.]11
5
200[.]127[.]121[.]99
4
181[.]113[.]28[.]146
4
194[.]5[.]250[.]175
4
170[.]84[.]78[.]224
3
36[.]89[.]85[.]103
3
121[.]100[.]19[.]18
3
171[.]100[.]142[.]238
3
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
wpad[.]example[.]org
33
computer[.]example[.]org
31
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com
16
windowsupdatebg[.]s[.]llnwi[.]net
15
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com
11
apps[.]identrust[.]com
11
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com
4
Files and or directories created
Occurrences
%APPDATA%\maininf
33
%APPDATA%\maininf\data
33
%System32%\Tasks\WinInfo
33
%TEMP%<random, matching '[a-z]{3}[A-F0-9]{3,4}’>.tmp
33
%APPDATA%\MAININF<original file name>.exe
33
\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
26
\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
26
\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
21
\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A
21
%APPDATA%\maininf\profiles.ini
11
%TEMP%\log2085.tmp
11
%APPDATA%\maininf\urlclassifierkey3.txt
8
%APPDATA%\maininf\extensions.ini
7
%APPDATA%\maininf\compatibility.ini
7
\Users\user\AppData\Roaming\maininf\TRRBlacklist.txt
6
\Users\user\AppData\Roaming\maininf\ShareFont.ini
6
\Users\user\AppData\Roaming\maininf\ConsoleHost_history.txt
5
%TEMP%\log2095.tmp
5
\Users\user\AppData\Roaming\maininf\SiteSecurityServiceState.txt
4
\Users\user\AppData\Roaming\maininf\profiles.ini
3
\Users\user\AppData\Roaming\maininf\cacheSize.txt
3
\Users\user\AppData\Roaming\maininf\compatibility.ini
2
\Users\user\AppData\Roaming\maininf\AlternateServices.txt
2
%SystemRoot%\TEMP\log6081.tmp
2
%SystemRoot%\TEMP\log87C0.tmp
2
*See JSON for more IOCs
File Hashes
089b366e8793cbc83d91a234bd8f50fb8dfcd8e1c9d4ec12a557a5087654cb09
12b485f8bb93df3ef543ac9c2df5a6c881ad8d80e7a0500acf5d5ff7a8350454
13edd954aa2cb6615acce1a1f169366f6d12554012d185b22150b4ac3b1e2b5c
148d77d752a0f883a10231c4b082a5faf76df3fae754e7d4d50f78194532b9b2
16ffb81083c9c988e526a1fd6fd8143dc21ea2f4876833ba43b64ead08ca9aee
259ba57d1ce1868c12144dc3fec87c8f882e201f3093048f7e933f53346b0afd
2c08d65f8d68f44346ec045c62374246c7eddcb1a1c5f3b3854b0ade90539aa9
3c62ba077f17b25160bd01df9ce8ecdd730eacece2a7947a62981cec829fb894
3f0e21c9807bcbe3081e0dfc1a28f15b483efe760afa382d891a97de6876f8aa
464bc95d917d9ec52420bf440a55f4099396d2af4af43d41694f30a70d00761b
4970c1befe8ed3cab71cd9d43317b9f311d10b49ffc18e1a71f6685cdce05c5c
4d4ad9bd0b51be44878ad59d1d9e3fa110a629ea52305cfc2ba3e9106698ca71
57f6bba7f29a365466af5dd3cd9a9f61e57543f4d83d76bef81640b3048e2cdd
5a260230cafe0229937d77eea28779f134ae0fd2d2b17bde92942b5a11073ec4
6463c1b28ff09bfd3895b958249ce7e3220ec35b5a49422219407ee5f51cd47d
704f3472d96b7a5ca6a31e7608ad29d5c0c331516367a6eca0ccd5ada61afdf6
7131c68df5ded52136e0dd93456da13dd3cef68f5222157d20fd61b04a86f038
72cb744b57f3183e15da3780cbfd4411dc77b36411c1fcca65ec59e2d15713f0
8266bd94da8a881040beec0e10ee3a15a146fd8f4e0772a2fbe8903d9c8f07b5
88e3c9743f423655a60801b44e4d8783c1a444f27748a7f00e827421eb7fd6c0
901cdae9018e02b8e9fe37f6f96f6bd88d07b95f10fd6db5e506d9e1dbf3eb94
904df9175e7c173fa0d09bd57f4c038ecfa0bd438aa233807dfdc973f6f08679
956446e6fce0d16ad5ad2dfe21d6fcaa52fcda2baa7b96695d47d948bf07adcb
96d60053f8d2be82d6fee5348e6ceff040525c149ec6d7642edce54d0251e0a3
9d1112135eee205ea776c78acd0c965d9ca00f904798f70451e6158fb14cbeac
*See JSON for more IOCs
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
N/A
WSA
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.Dridex-9950227-0****Indicators of Compromise
- IOCs collected from dynamic analysis of 25 samples
Registry Keys
Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{690D1BD7-EA98-1004-3AC9-E87553700E95}
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{690D1BD7-EA98-1004-3AC9-E87553700E95}\SHELLFOLDER
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{63FC4996-AFD5-E391-06A7-EFB6E2702561}
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{63FC4996-AFD5-E391-06A7-EFB6E2702561}\SHELLFOLDER
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{10CDDA71-B745-777B-1AF7-51696DB9BB93}
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{10CDDA71-B745-777B-1AF7-51696DB9BB93}\SHELLFOLDER
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{CFD6D5E6-02FB-7433-9261-E8E1B87CAC69}
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{CFD6D5E6-02FB-7433-9261-E8E1B87CAC69}\SHELLFOLDER
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{8BAB5812-9D02-8F14-74B1-BEDE393F8C1F}
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{8BAB5812-9D02-8F14-74B1-BEDE393F8C1F}\SHELLFOLDER
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{10DF83AD-199B-9C18-3FEF-E4ECD6A42F66}
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{10DF83AD-199B-9C18-3FEF-E4ECD6A42F66}\SHELLFOLDER
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{1AD90FE5-CE2F-E8B8-CF09-E0B1912E9542}
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{1AD90FE5-CE2F-E8B8-CF09-E0B1912E9542}\SHELLFOLDER
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{05ED06D6-F422-71CC-26B3-C9964D56F645}
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{05ED06D6-F422-71CC-26B3-C9964D56F645}\SHELLFOLDER
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{98B09642-2764-54AE-3333-D8C6CA536428}
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{98B09642-2764-54AE-3333-D8C6CA536428}\SHELLFOLDER
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{63D99860-AA40-CA79-F681-9DECBEF55447}
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{63D99860-AA40-CA79-F681-9DECBEF55447}\SHELLFOLDER
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{D4B277A3-C25E-BCDE-A054-D41AAC36394B}
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{D4B277A3-C25E-BCDE-A054-D41AAC36394B}\SHELLFOLDER
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{FE9DE6BC-A4CF-8285-E73C-DFE7A08197FE}
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{FE9DE6BC-A4CF-8285-E73C-DFE7A08197FE}\SHELLFOLDER
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{B11CF2E2-C0C2-7860-F12E-428101DCB963}
25
Mutexes
Occurrences
{24d07012-9955-711c-e323-1079ebcbe1f4}
25
{bf18992f-6351-a1bd-1f80-485116c997cd}
25
{ed099f6b-73d9-00a3-4493-daef482dc5ca}
25
{a2c9c140-d256-a4d5-6465-f62a6660f79e}
25
{a8af557b-6de9-c774-28f4-5c293f1b1769}
25
{b570fe85-587a-a133-ffc9-73821a57c0c1}
25
{ac5b642b-c225-7367-a847-11bdf3a5e67c}
25
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
wpad[.]example[.]org
25
computer[.]example[.]org
24
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com
11
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com
7
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com
6
Files and or directories created
Occurrences
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5
25
%System32%\Tasks\Ryddmbivo
25
%APPDATA%\Microsoft\Templates\LiveContent\User\SmartArt Graphics\1033\PfaWGXk
1
%APPDATA%\Microsoft\Windows\Libraries\lBSo
1
%APPDATA%\Microsoft\MSDN\Ef
1
%APPDATA%\Microsoft\Internet Explorer\UserData\N03JH1M1\wgRwZjXl
1
%APPDATA%\Microsoft\Templates\LiveContent\Managed\SmartArt Graphics\1033\cLdKFEXDRff
1
%APPDATA%\Microsoft\HTML Help\b1e48
1
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\LkMlc
1
%APPDATA%\Adobe\9vMiNCNa0Wd
1
%APPDATA%\Microsoft\SystemCertificates\My\CTLs\FioSZeGC
1
%APPDATA%\Microsoft\Windows\DNTException\AoEub
1
%APPDATA%\Microsoft\MSDN\8.0\m3
1
%APPDATA%\Microsoft\Internet Explorer\UserData\KKRPCQ2X\I5G0NmIx0u
1
%APPDATA%\Microsoft\Internet Explorer\UserData\KKRPCQ2X\K1Jog
1
%APPDATA%\Microsoft\Templates\LiveContent\Qpt746lHyiU
1
%APPDATA%\Microsoft\Templates\LiveContent\User\swjDCObV4dK
1
%APPDATA%\Microsoft\Templates\LiveContent\Managed\Document Themes\n84
1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Maintenance\2F
1
%APPDATA%\Microsoft\Windows\Libraries\iagm
1
%APPDATA%\Macromedia\Flash Player\macromedia.com\support\flashplayer\BVTsWphI
1
%APPDATA%\Microsoft\Templates\LiveContent\User\Word Document Building Blocks\1033\jaTH0NO
1
%APPDATA%\Microsoft\Office\YYTa0NJd1
1
%APPDATA%\Microsoft\Windows\Recent\0qGY
1
%APPDATA%\Adobe\Acrobat\9.0\Forms\CnQXdAEJP
1
*See JSON for more IOCs
File Hashes
1434bdd62d628a25829701c54d20f7ba778b3c63d93f6e5764931d1091ef83e3
14b6e67caf8ff987486978a07e5e177c89a9afe87326d930438b5cc1194e7533
15576d21edf15e69d6615168d5d63b72b44142e0c0af7b5ad0fe4d04ae0a935e
2ad3eedfd800d2c4746d7f7d78cce4e25bd97e5c638e6501afe8eda66e0be654
2caef31bc4acc28a419a2cc7658ea24461a442935bc63b9f90c217583a228c8c
2e99b07981ecf6945415b98085afdf88bd5e5a0ca74ed5021cd6ad5226cc2883
314a9d45233b60c2a0c6e6043332cae53687b3cefbc4754db3a77e1e4bfccbb0
3b682518b8aebea0550ac3a6f7cd39425d0d44ad220e1ada46e79a40b0d848a6
4cb0e3d4d7cf1a91f16370be66adee9084b2936d43826ba61a50789edd4021ac
5b0d9bc969fdc4d0530bbc7ce0f6dc1093e15702df5c44d1d9db982604362bef
5cb238a26bd971c6de9cb98e0132f3054ae23c2c760a3eb0ca7318f25d8d4780
5e3c0eac1f74586b973f6f09b0e160312d51c2f8557f0f61718fd60d368edafd
601e0547b844f9990b7f246e825051543a7e1bd69a47329785ee8d500b0832d5
60d81b8e4b16f86c121cc54d8a6e0303800266ae1e2abf9b2b70dce9cc6da8c8
6527e098cb2588b6ba84757886c0f740d46cf31db0c804072f7b7728f4ede080
668cb63fce74a7c9e705b8e7ad81c6b3d91d8325b92aee083f203a3f75e57610
6ba48ecadd6daa7296e3d1aab5c6f9bad8d97996b6bcb2b5dfaac404bf9c8f47
6f5284407cb0f4b7e2fe875294a4dbc27d7e9f7ac141285f5ab09a8102ff7dce
73da1601aa1fabd87a6fd5c945c4927dd68284ede0d343fed299fd2b484fbf65
785d71a9493e5e84cabaf43661912da7267a0ddd438cac6661538cf9d01cd276
80e087b28afb0be8ec3a0f0b35aec8ef06e7d806aa7e576a4282e394244a2bc1
860db4a765cb642a13888257692f65d600389c88d9573daffa5f0905f2bf018d
950e59486286f7e526a33e5ee60151e09b9c6fc3091cbc354fdf9940371ee37b
a0faf0b9b2d332b765cc0e7d18e63e19b2465d4356a9c5008200c36f6d912474
a8ef9cf1ff529a1ef9237cc04e4e12a602669e35e07a65878f073e9067236140
*See JSON for more IOCs
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
N/A
WSA
N/A
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.Ursu-9950236-0****Indicators of Compromise
- IOCs collected from dynamic analysis of 25 samples
Mutexes
Occurrences
VEOVFseK
5
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
154[.]16[.]220[.]209
5
127[.]0[.]0[.]2
5
67[.]214[.]175[.]69
1
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
wpad[.]example[.]org
25
computer[.]example[.]org
24
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com
11
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com
9
wallou[.]publicvm[.]com
5
www[.]wallou[.]publicvm[.]com
5
mediafire[.]chickenkiller[.]com
5
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com
4
Files and or directories created
Occurrences
\TEMP\Dsl32.txt
25
\Users\user\Desktop\Dsl32.txt
25
%System32%\Dsl32.txt
24
%ProgramData%\path.exe
20
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\path.com.url
20
\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\path.com.url
20
\TEMP.Identifier
5
%ProgramData%\sqlwrit.exe
5
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\sqlwrit.com.url
5
\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sqlwrit.com.url
5
\Users\user\Desktop.Identifier
5
%SystemRoot%\Dsl32.txt
1
File Hashes
058f5c5fd0fb2cf3657e5d5911218a094c03e49c27ef55ffabbf5a4143b27d44
188e0c455ac511f976e8b8a86655fb2522c79f11a25372819edadecf52aa6720
1fab85fafa3c6415b069f4221d771202da98755ae9f7a3b2f34c570d7b01b12b
25cf983f69aef35f1acf0b1555002c5877f925b03df7c312f8f904eadfbe39b8
27b46b7de14445b26f4a8689caee861b824aeae7ea27e466a6292965043519f3
2db980f99457336e1f78bf6d7e78336756e0748f5acb1ca1fbaea0fc83c21d05
3a2b6918caafba046e10f58340ea7dee490e0ac150fbf306dc2546a909593407
3bbc5d12b36fe4f9e14f10dabeaa4bd594f228d457100dbf503f9c84f7616ce1
3e8ea5324c39dbcb1b0ee0e2fb18f7d928e4998f53381a798955dc906e916da5
4afd06a5768b10729aebe3020c980c9775c30355aac961fd9da155a56f1022d5
6004fc0133f36df0cabccdf5e17c6691514e94b57135cf626fdc9fb2ea845c8b
6994d069182e0e4e9a3336a7d0f8ccea5390938313f5585425803fd9b9f8636d
6cf4513e19fa3ceed13d7916a127c302ac4e004b549044788adbabfb5005da51
6e8229828586a2901269588bbc709cc09ad9a09342efdcac208ac636b01daf85
793e180a71f1a7744e655755ba0e3baac38875396421bec9469f904fbcab835e
8408e4515b34e24cbfff7d9f52bae3abaee2d60c9c48d59dfeb85055cb8d02c9
870cb7fd5ab94188bca9004a1a72028d5f227a11db0bea762c304c39dcf3a67a
8780788906312ede39dea623a3c9711d744bfacbb2410c66eae316daf150b361
89d221b63d6790ebba1959667c4f47a9e563e35507b254dd6af703ee2a11f04c
a0f6abe5b1ccc020446ba72ce4b3fe4119c9967ba59f32a33251c0aa428647a8
a61894ebd208ba8c54e51912ec6405560931a9864aa3fd431f7df4a57eddd635
a795b3d767d5c8fa911a904d54a031f9a4d1eb4a21aa53de5b51e2a4bd101689
a991e025d962160b815f69feb32e75d917ee45927924440c5161cce44965e699
b74590a3e336341984fc38fea2ea801236796b6a610e5fa2f1d411f7159ec169
bf09b7d1aff22a5bc8e29bb7321a2cae0df270b109f216d1b63966ed0fc015a2
*See JSON for more IOCs
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
N/A
WSA
N/A
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Dropper.Zusy-9950260-0****Indicators of Compromise
- IOCs collected from dynamic analysis of 11 samples
Registry Keys
Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159
11
<HKLM>\SYSTEM\SELECT
Value Name: MarkTime
11
<HKU>.DEFAULT\SOFTWARE\MICROSOFT\ACTIVEMOVIE\DEVENUM
Value Name: Version
7
<HKU>.DEFAULT\SOFTWARE\MICROSOFT\ACTIVEMOVIE
7
<HKU>.DEFAULT\SOFTWARE\MICROSOFT\ACTIVEMOVIE\DEVENUM
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GSKCSKB TLCTL
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GSKCSKB TLCTL
Value Name: Type
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GSKCSKB TLCTL
Value Name: Start
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GSKCSKB TLCTL
Value Name: ErrorControl
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GSKCSKB TLCTL
Value Name: ImagePath
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GSKCSKB TLCTL
Value Name: DisplayName
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GSKCSKB TLCTL
Value Name: WOW64
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GSKCSKB TLCTL
Value Name: ObjectName
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GSKCSKB TLCTL
Value Name: Description
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GDVNFVNF WOFWO
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GDVNFVNF WOFWO
Value Name: Type
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GDVNFVNF WOFWO
Value Name: Start
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GDVNFVNF WOFWO
Value Name: ErrorControl
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GDVNFVNF WOFWO
Value Name: ImagePath
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GDVNFVNF WOFWO
Value Name: DisplayName
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GDVNFVNF WOFWO
Value Name: WOW64
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GDVNFVNF WOFWO
Value Name: ObjectName
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GDVNFVNF WOFWO
Value Name: Description
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GDTLDTL DUMDU
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GDTLDTL DUMDU
Value Name: Type
2
Mutexes
Occurrences
eed3bd3a-a1ad-4e99-987b-d7cb3fcfa7f0 - S-1-5-18
7
Global\C:\Windows\SysWOW64\ASkcsk.exe -auto
5
Global\C:\Windows\SysWOW64\ASkcsk.exe -acsi
5
Global\C:\Windows\SysWOW64\HFVnfvn.exe -auto
3
Global\C:\Windows\SysWOW64\HFVnfvn.exe -acsi
3
Global\C:\Windows\SysWOW64\KDtldt.exe -auto
2
Global\C:\Windows\SysWOW64\KDtldt.exe -acsi
2
Global\C:\TEMP674654654.exe
1
Global\C:\TEMP546584.exe
1
Global\C:\TEMP3546546574.exe
1
Global\C:\Windows\SysWOW64\SSkcsk.exe -auto
1
Global\C:\TEMP54657468468.exe
1
Global\C:\Windows\SysWOW64\SSkcsk.exe -acsi
1
Global\C:\TEMP5465457.exe
1
Global\C:\TEMP55468746.exe
1
Global\C:\TEMP55465754.exe
1
Global\C:\TEMP54654564.exe
1
Global\C:\TEMP65754547.exe
1
Global\C:\TEMP465468754.exe
1
Global\C:\TEMP53486484.exe
1
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
143[.]92[.]56[.]63
2
156[.]240[.]106[.]162
1
121[.]127[.]248[.]96
1
180[.]215[.]255[.]141
1
156[.]240[.]107[.]214
1
156[.]240[.]106[.]129
1
206[.]119[.]82[.]57
1
134[.]122[.]177[.]77
1
156[.]240[.]108[.]219
1
27[.]124[.]17[.]228
1
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
www[.]msftncsi[.]com
11
isatap[.]example[.]org
11
wpad[.]example[.]org
11
computer[.]example[.]org
10
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com
10
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com
5
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com
1
Files and or directories created
Occurrences
%SystemRoot%\SysWOW64\Delete00.bat
11
%SystemRoot%\SysWOW64\ASkcsk.exe
5
%SystemRoot%\SysWOW64\HFVnfvn.exe
3
%SystemRoot%\SysWOW64\KDtldt.exe
2
\TEMP674654654.exe
1
%SystemRoot%\SysWOW64\SSkcsk.exe
1
\TEMP546584.exe
1
\TEMP3546546574.exe
1
\TEMP54657468468.exe
1
\TEMP5465457.exe
1
\TEMP55468746.exe
1
\TEMP55465754.exe
1
\TEMP54654564.exe
1
\TEMP65754547.exe
1
\TEMP53486484.exe
1
\TEMP465468754.exe
1
File Hashes
69f5d0f6de8d57bd374bbb702ba0e1363fcf7282168eeb3a3705e420229f68de
767fc2d320a39ac2a24fbc9f4deb13172776b4338561e820efea9865f33f8f8c
7f95ea485ab69f136ebb6e7e4ae9d0522ce60cc525ee7cd634484d53ff31fdb4
8a26a3adf738b1a2b3e84f323ca47928dfe93d1b635eb3a549a7d630c2871251
8fb5f16416475bbcd2005098dd10d52662b870e0b3787544bb60fc2775d54f7e
910b5935f42190d68f1a9462620f7a60eac839253267277000d61ec444766e59
ad45540821a86dae47bf35d1cad6d78ac5bb12fb68cd0135e180a29346bce66b
bb598eedb28c42b011be6f27b0b3740cad173777c501e0fbe83306c37da6e87a
ca5b8a90bad279bcbbcbdf19403aafd6cc99fe9f19bc46cbae7f9b54295b41ff
caad99117625442cbea84fc9040033aecdf2981834634de7b2943adddc5ef4ea
f395d12b196d3a6480d5056725cb834e9d2cb3aa07a15e77180225b67991709d
Coverage
Product
Protection
Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
N/A
WSA
N/A
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK