Threat Roundup for May 13 to May 20


TALOS

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between May 13 and May 20. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.
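The IOC tables that follow use defanged notation (`[.]` for dots) and list some addresses as CIDR blocks (for example `65[.]55[.]50[.]0/27`). The Python below is an added example for this page, not part of the Talos post or its JSON tooling: it refangs indicators, expands CIDR entries, matches IPs and hostnames pulled from log lines, and, following the caveat above, only reports a hit for review rather than declaring a host compromised. The sample indicators are a small subset copied from the tables further down; the `NOISE_SUFFIXES` list (the `example.org`, `clientconfig.passport.net` and `cloudapp.azure.com` names that appear in nearly every sandbox run in this roundup) and the log line format are assumptions made for the example.

```python
import ipaddress
import re

# Constructed subset of the defanged indicators listed in this roundup.
DEFANGED_IPS = [
    "20[.]189[.]173[.]22",      # Cerber table, single address
    "65[.]55[.]50[.]0/27",      # Cerber table, CIDR block
    "31[.]41[.]244[.]82/31",    # Tofsee table, CIDR block
]
DEFANGED_DOMAINS = ["fastpool[.]xyz", "niflheimr[.]cn", "gunnima[.]f3322[.]net"]

# Assumption: these names show up in almost every sandbox run in the roundup and are
# environment/telemetry noise, so they are skipped rather than matched.
NOISE_SUFFIXES = ("example.org", "clientconfig.passport.net", "cloudapp.azure.com")


def refang(ioc):
    """Reverse report-style defanging: [.] -> . , [:] -> : , hxxp -> http."""
    ioc = ioc.strip().replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", ioc, flags=re.I)


def load_networks(defanged):
    """Parse single IPs and CIDR blocks alike; a bare IP becomes a /32 network."""
    return [ipaddress.ip_network(refang(e), strict=False) for e in defanged]


def match_ip(ip, networks):
    """Return the matching indicator as 'a.b.c.d/len', or None."""
    addr = ipaddress.ip_address(ip)
    for net in networks:
        if addr in net:
            return str(net)
    return None


def match_domain(host, defanged_domains):
    """Exact or subdomain match against the refanged domain indicators."""
    host = host.lower().rstrip(".")
    for d in defanged_domains:
        d = refang(d).lower()
        if host == d or host.endswith("." + d):
            return d
    return None


def is_sandbox_noise(host):
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in NOISE_SUFFIXES)


# Assumed log shape: "<timestamp> DNS|CONNECT <client> <target>[:port]"
LOG_RE = re.compile(r"(?P<kind>DNS|CONNECT)\s+(?P<client>\S+)\s+(?P<target>[^\s:]+)")


def scan_log(lines, networks, defanged_domains):
    """Return (line, matched indicator, note) for every line whose target hits an IOC."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        try:
            ioc = match_ip(target, networks)
        except ValueError:                      # not an IP literal: treat as a hostname
            if is_sandbox_noise(target):
                continue
            ioc = match_domain(target, defanged_domains)
        if ioc:
            hits.append((line, ioc, "review: a single IOC hit is not proof of compromise"))
    return hits


SAMPLE_LOG = [  # constructed for this example, not sandbox output
    "2022-05-17T10:01:02Z DNS host01 fastpool.xyz",
    "2022-05-17T10:01:05Z CONNECT host01 31.41.244.83:443",
    "2022-05-17T10:02:10Z DNS host02 wpad.example.org",
    "2022-05-17T10:03:11Z CONNECT host02 8.8.8.8:53",
    "2022-05-17T10:04:00Z DNS host03 mail.niflheimr.cn",
]

if __name__ == "__main__":
    for line, ioc, note in scan_log(SAMPLE_LOG, load_networks(DEFANGED_IPS), DEFANGED_DOMAINS):
        print(f"{ioc:<22} {note}\n    {line}")
```

Because `ip_network` is used for every entry, the `/27`, `/22` and `/31` blocks in the tables are handled with the same comparison as single addresses, and the refanged form is what ends up in any blocklist or SIEM lookup you export.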

The most prevalent threats highlighted in this roundup are:

| Threat Name | Type | Description |
|---|---|---|
| Win.Ransomware.Cerber-9950163-0 | Ransomware | Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension ".cerber," although in more recent campaigns other file extensions are used. |
| Win.Dropper.Tofsee-9950166-0 | Dropper | Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and send large volumes of spam messages to infect additional systems and increase the size of the botnet under the operator's control. |
| Win.Ransomware.TeslaCrypt-9950169-0 | Ransomware | TeslaCrypt is a well-known ransomware family that encrypts a user's files with strong encryption and demands Bitcoin in exchange for a file decryption service. A flaw in the encryption algorithm was discovered that allowed files to be decrypted without paying the ransom, and eventually the malware developers released the master key, allowing all encrypted files to be recovered easily. |
| Win.Dropper.Zegost-9950175-0 | Dropper | Zegost is a remote access trojan designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. Zegost appears to be derived from Gh0stRAT, a well-known remote access trojan whose source code was leaked, significantly lowering the barrier to entry for actors looking to modify and reuse the code in new attacks. |
| Win.Dropper.TrickBot-9950187-1 | Dropper | TrickBot is a banking trojan that targets sensitive information for certain financial institutions. It is frequently distributed through malicious spam campaigns, many of which rely on downloaders such as VB scripts. |
| Win.Dropper.Dridex-9950227-0 | Dropper | Dridex is a well-known banking trojan that steals credentials and other sensitive information from an infected machine. |
| Win.Dropper.Ursu-9950236-0 | Dropper | Ursu is generic malware with numerous functions. It contacts a C2 server and injects code into the address space of legitimate processes. It can persist on the targeted machine while collecting confidential data, and it spreads via email. |
| Win.Dropper.Zusy-9950260-0 | Dropper | Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-browser attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information. |

Threat Breakdown

Win.Ransomware.Cerber-9950163-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 18 samples

Mutexes

| Mutex | Occurrences |
|---|---|
| Global\<random guid> | 17 |
| shell.{381828AA-8B28-3374-1B67-35680555C5EF} | 1 |

IP Addresses contacted by malware. Does not indicate maliciousness

| IP Address | Occurrences |
|---|---|
| 20[.]189[.]173[.]22 | 6 |
| 104[.]208[.]16[.]94 | 4 |
| 20[.]42[.]65[.]92 | 3 |
| 20[.]189[.]173[.]20 | 2 |
| 65[.]55[.]50[.]0/27 | 1 |
| 192[.]42[.]118[.]0/27 | 1 |
| 194[.]165[.]16[.]0/22 | 1 |

Domain Names contacted by malware. Does not indicate maliciousness

| Domain Name | Occurrences |
|---|---|
| computer[.]example[.]org | 16 |
| wpad[.]example[.]org | 16 |
| clientconfig[.]passport[.]net | 15 |
| vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com | 7 |
| vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com | 6 |
| onedsblobprdwus17[.]westus[.]cloudapp[.]azure[.]com | 6 |
| windowsupdatebg[.]s[.]llnwi[.]net | 6 |
| onedsblobprdcus16[.]centralus[.]cloudapp[.]azure[.]com | 4 |
| vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com | 3 |
| onedsblobprdeus17[.]eastus[.]cloudapp[.]azure[.]com | 3 |
| onedsblobprdwus15[.]westus[.]cloudapp[.]azure[.]com | 2 |

Files and or directories created

| File or Directory | Occurrences |
|---|---|
| %TEMP%\d19ab989\4710.tmp | 1 |
| %TEMP%\d19ab989\a35f.tmp | 1 |
| \Users\user\AppData\Local\Temp\24e2b309\4436.tmp | 1 |
| \Users\user\AppData\Local\Temp\WAXA44B.tmp | 1 |
| \Users\user\AppData\Local\Temp\WAX9CC5.tmp | 1 |

File Hashes

    097bab110d14c71480d7e3ace073a043b9c60cf442557d0cdeb438ef5019e93f

    13e37ac660c60a1c788db8e1f4b64175b598fdb82382263a3406af1ededb46ca

    1b97e3b2e8debc617bb89a002c5991cac51988c4864511b14832fb37b9c8f1bd

    2a6f74d550c4e116f55ea73d9e752e9c2351e3042891dda914e22f68772dbcf5

    2c0595bb1e93372bd6695f9a3b77b4166d3fa85bdb6acb427c1f327ce6c4f968

    2f19a95adff3dc7c1c4cd23d277088b682d480c116f4ca9be90ef350a0705791

    3f8ad607849adc67a227334dd99a31bd94a91d433b7266f0c816d8783a7e6c6d

    4898229c51886c6a14330244e65f1f68780e971c1213a06590d649876e729dff

    496e1641958d82aed327436ae39910507f81145f6faa1b260bf8e8b39bf8a24b

    500e5534d73659779300c88cf8d479dab0cb434037eec277ea6cefdabde44053

    593ecbd1773f20df0bc13d604006e0feb1a576cf3170c66807ae1f8459db1345

    7e92f39c54eb42fdb0d5983d08f2bb1047e53dfc0a823f223a06cd5e3f9e51ff

    835ce5de87d80ab9a7be0449236dd1efa73a7f1dd770150224694c486257cd60

    8bdc1fceb0f0525c568940a07fda504ae6d8e9e2fb4a29dbb0be172d3fa2d228

    9066a9ef24b43a9a7fc64b47315972b2048c6ec643717522e56632327775d800

    9a69d4802add64156ce6a7fb089f106d34f5b559398caa12bc2fe223e4ea4411

    e48197d5206ffba045e0fbd77d64bb8fb6b3a515515ce4fa3f4ee89c9aa7faf5

    fd43f3c4b33d5294c4f342fc63a0dd50449e436c3674e18ea6cfb3a3df766df3

Coverage

| Product | Protection |
|---|---|
| Secure Endpoint | |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | N/A |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Secure Malware Analytics | |
| Umbrella | N/A |
| WSA | N/A |

Screenshots of Detection: Secure Endpoint; Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Tofsee-9950166-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 23 samples

Registry Keys

| Registry Key | Value Name | Occurrences |
|---|---|---|
| <HKU>\.DEFAULT\CONTROL PANEL\BUSES | | 6 |
| <HKU>\.DEFAULT\CONTROL PANEL\BUSES | Config2 | 6 |
| <HKU>\.DEFAULT\CONTROL PANEL\BUSES | Config0 | 6 |
| <HKU>\.DEFAULT\CONTROL PANEL\BUSES | Config1 | 6 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> | | 6 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> | Type | 6 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> | Start | 6 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> | ErrorControl | 6 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> | DisplayName | 6 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> | WOW64 | 6 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> | ObjectName | 6 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> | Description | 6 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> | ImagePath | 5 |
| <HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS | C:\Windows\SysWOW64\vexvpfkl | 2 |
| <HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS | C:\Windows\SysWOW64\ajcaukpq | 1 |
| <HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS | C:\Windows\SysWOW64\nwpnhxcd | 1 |
| <HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS | C:\Windows\SysWOW64\tcvtndij | 1 |
| <HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS | C:\Windows\SysWOW64\pyrpjzef | 1 |

Mutexes

| Mutex | Occurrences |
|---|---|
| Global\<random guid> | 8 |
| eZkOWkQUpHINngy | 2 |
| 3749282D282E1E80C56CAE5A | 1 |

IP Addresses contacted by malware. Does not indicate maliciousness

| IP Address | Occurrences |
|---|---|
| 142[.]250[.]80[.]100 | 6 |
| 213[.]91[.]128[.]133 | 6 |
| 91[.]243[.]33[.]5 | 6 |
| 45[.]8[.]229[.]39 | 6 |
| 91[.]243[.]33[.]254 | 6 |
| 31[.]41[.]244[.]81 | 6 |
| 31[.]41[.]244[.]82/31 | 6 |
| 31[.]41[.]244[.]84/31 | 6 |
| 31[.]13[.]64[.]174 | 5 |
| 157[.]240[.]2[.]174 | 4 |
| 31[.]13[.]65[.]174 | 4 |
| 142[.]251[.]16[.]94 | 4 |
| 144[.]76[.]136[.]153 | 4 |
| 185[.]28[.]21[.]161 | 4 |
| 185[.]237[.]206[.]60 | 4 |
| 45[.]61[.]139[.]224 | 4 |
| 94[.]228[.]125[.]39 | 4 |
| 157[.]240[.]21[.]63 | 3 |
| 13[.]107[.]42[.]14 | 3 |
| 40[.]93[.]207[.]0/31 | 3 |
| 142[.]250[.]65[.]206 | 3 |
| 172[.]253[.]63[.]100/31 | 3 |
| 20[.]81[.]111[.]85 | 3 |
| 13[.]107[.]21[.]200 | 2 |
| 104[.]47[.]54[.]36 | 2 |

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness

| Domain Name | Occurrences |
|---|---|
| wpad[.]example[.]org | 22 |
| computer[.]example[.]org | 20 |
| vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com | 8 |
| vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com | 7 |
| 249[.]5[.]55[.]69[.]bl[.]spamcop[.]net | 6 |
| 249[.]5[.]55[.]69[.]cbl[.]abuseat[.]org | 6 |
| 249[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net | 6 |
| 249[.]5[.]55[.]69[.]in-addr[.]arpa | 6 |
| 249[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org | 6 |
| 249[.]5[.]55[.]69[.]zen[.]spamhaus[.]org | 6 |
| microsoft-com[.]mail[.]protection[.]outlook[.]com | 6 |
| microsoft[.]com | 6 |
| www[.]google[.]com | 6 |
| fastpool[.]xyz | 6 |
| z-p42-instagram[.]c10r[.]instagram[.]com | 6 |
| niflheimr[.]cn | 6 |
| vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com | 5 |
| www[.]instagram[.]com | 4 |
| monsutiur4[.]com | 4 |
| moroitomo4[.]net | 4 |
| cucumbetuturel4[.]com | 4 |
| nusurionuy5ff[.]at | 4 |
| susuerulianita1[.]net | 4 |
| nunuslushau[.]com | 4 |
| linislominyt11[.]at | 4 |

*See JSON for more IOCs

Files and or directories created

| File or Directory | Occurrences |
|---|---|
| %SystemRoot%\SysWOW64\config\systemprofile | 6 |
| %SystemRoot%\SysWOW64\config\systemprofile:.repos | 6 |
| %System32%\config\systemprofile:.repos | 6 |
| %SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> | 6 |
| %TEMP%\<random, matching '[a-z]{8}'>.exe | 5 |
| %LOCALAPPDATA%\Yandex | 2 |
| %LOCALAPPDATA%\Yandex\YaAddon | 2 |
| %APPDATA%\D282E1 | 1 |
| %APPDATA%\D282E1\1E80C5.lck | 1 |
| %APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5 | 1 |
| \Users\user\AppData\Roaming\7C7955\5D4644.lck | 1 |
| %TEMP%\lpirrbt.exe | 1 |
| \Users\user\AppData\Local\Temp\chsdcrzz.exe | 1 |
| \Users\user\AppData\Local\Temp\hvpzjxig.exe | 1 |
| \Users\user\AppData\Local\Temp\ryjmawye.exe | 1 |
| \Users\user\AppData\Local\Temp\suabilhj.exe | 1 |
| \Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\518498962.exe.log | 1 |
| \Users\user\AppData\Local\Temp\uunshlaq.exe | 1 |
| \Users\user\AppData\Roaming\seefbbw | 1 |
| \Users\user\AppData\Roaming\seefbbw:Zone.Identifier | 1 |
| \Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\518498972.exe.log | 1 |
| \Users\user\AppData\Local\Temp\kytvupuy.exe | 1 |

File Hashes

    0128d3cd5e43f6c3b0cd02071b65e9cb890e0d46e39dfa692b5757fceef6de52

    09142589a0d5714b93156097b04b4b9b0b4f3fdd562a9a936b82952e86bd7eac

    09d2706b754c07905f8dcfc8497d2cbcbbf1e2b51166b239a8f9861a5eb5898f

    0ec1a04906159d42df0e3c952329b732fa758a24c064ef248055bca3a9d75779

    293b7655279232c282a3e7e14a6cf1b5ff1c84773df337d00dd2c140b32a4574

    3df7d9ca51264ebdbc270c89cb4c17ed00ba6426422e238e8c4301e3a0bb8435

    40ac8ee866c7c98fdb53a46358ea0f4593f22f3fffaf7dda5496d55988949913

    47bef109565da06b2c0e833ca715e09dab49cc58f00e02c3e1142cab98460b3a

    4b5f4d97a4f13acd4f01191e0c34b370b707ce9c6b02283856b533aedbe9b988

    4bdb55e73d8d688509059548da8fa1eb44a1719162fc8827695be6328b804121

    5c673d6ad74a8948bea00e8d2e5e81f22a85e2ba26a04ed94a48d68a7d263fd5

    60b8c692bf90e9d7ab729fee8c0a15fdfee61f130e787c194201f9c1abcbb787

    754f5f353698ca45eceabc1a45de34de02c420155ffa7a0ccddbd04847c90882

    8217573107ca562e7357b8347ad0ac44ecbbf70590ebca3f620aeed5ab051210

    93320251dbc76cad5a48f60782e92516732eb806e516cd8dab43c81987419b90

    a20c4b8fdca84480e1217d4339528cbf5b25785a22f39934e49256d92e37249c

    a8e48126fb0c74db25aa1a68ad0e2a24b356cb92fa3d16e55decc9580a264b76

    ad32fffc0d98178964b5a55300f870125ad6f40dbdfe724e4f6043ae7d4945fc

    bbd91da105ea52d6251c733f6d1ed8ea2819f29091e5f50c6a1fc54d2d0fc4c5

    c61c4c3ae816c6e9d9632e472bf58cf388569144390049651c438df9e8f6d792

    c8b077322778bc87119ce0bce5f1db70bf6596260bc8c2f6ffd0f301fcaa2123

    dc8f108a2030ecbbf5be79df305d02839fc1192d262e20faec834a0ac9ac05f3

    ef78da2e9386931b44c99e0136e0ae13ff3d158434dd1a0288e09119ab9d9274

Coverage

| Product | Protection |
|---|---|
| Secure Endpoint | |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Secure Malware Analytics | |
| Umbrella | |
| WSA | |

Screenshots of Detection: Secure Endpoint; Secure Malware Analytics

MITRE ATT&CK

Win.Ransomware.TeslaCrypt-9950169-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 15 samples

Registry Keys

| Registry Key | Value Name | Occurrences |
|---|---|---|
| <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM | EnableLinkedConnections | 15 |
| <HKCU>\SOFTWARE\ZSYS | | 15 |
| <HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 | | 15 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0 | CheckSetting | 15 |
| <HKCU>\SOFTWARE\ZSYS | ID | 15 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | Acrndtd | 15 |
| <HKCU>\Software\<random, matching '[A-Z0-9]{14,16}'> | | 15 |
| <HKCU>\Software\<random, matching '[A-Z0-9]{14,16}'> | data | 15 |
| \S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\7C\52C64B7E | | 1 |

Mutexes

| Mutex | Occurrences |
|---|---|
| 2134-1234-1324-2134-1324-2134 | 15 |

IP Addresses contacted by malware. Does not indicate maliciousness

| IP Address | Occurrences |
|---|---|
| 198[.]185[.]159[.]144 | 15 |
| 213[.]185[.]87[.]28 | 15 |
| 35[.]195[.]98[.]220 | 15 |
| 34[.]117[.]59[.]81 | 15 |
| 23[.]218[.]119[.]73 | 10 |
| 99[.]83[.]153[.]108 | 9 |
| 75[.]2[.]26[.]18 | 6 |
| 96[.]6[.]30[.]95 | 5 |
| 20[.]189[.]173[.]22 | 5 |
| 20[.]42[.]65[.]92 | 2 |
| 104[.]208[.]16[.]94 | 2 |
| 20[.]189[.]173[.]20 | 2 |

Domain Names contacted by malware. Does not indicate maliciousness

| Domain Name | Occurrences |
|---|---|
| myexternalip[.]com | 15 |
| garrityasphalt[.]com | 15 |
| gjesdalbrass[.]no | 15 |
| grassitup[.]com | 15 |
| www[.]garrityasphalt[.]com | 15 |
| www[.]godaddy[.]com | 15 |
| kochstudiomaashof[.]de | 15 |
| testadiseno[.]com | 15 |
| diskeeper-asia[.]com | 15 |
| wpad[.]example[.]org | 13 |
| clientconfig[.]passport[.]net | 13 |
| computer[.]example[.]org | 12 |
| vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com | 6 |
| onedsblobprdwus17[.]westus[.]cloudapp[.]azure[.]com | 5 |
| vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com | 3 |
| vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com | 3 |
| onedsblobprdeus17[.]eastus[.]cloudapp[.]azure[.]com | 2 |
| onedsblobprdcus17[.]centralus[.]cloudapp[.]azure[.]com | 2 |
| onedsblobprdcus16[.]centralus[.]cloudapp[.]azure[.]com | 2 |
| onedsblobprdwus15[.]westus[.]cloudapp[.]azure[.]com | 2 |

Files and or directories created

| File or Directory | Occurrences |
|---|---|
| $Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I08BO8F.xlsx | 15 |
| $Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I11KHR4.doc | 15 |
| $Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I5QKHLN.doc | 15 |
| $Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I62TWBD.ppt | 15 |
| $Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I6FZORX.doc | 15 |
| $Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IABMX83.pdf | 15 |
| $Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IAJ2Y6R.pdf | 15 |
| $Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IALGTCS.xlsx | 15 |
| $Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IGTBBSA.accdb | 15 |
| $Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IH49RPF.ppt | 15 |
| $Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IH71GGR.ppt | 15 |
| $Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IJKODPH.pdf | 15 |
| $Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IJP965K.accdb | 15 |
| $Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IKY5R3M.pdf | 15 |
| $Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IMYCSIT.pdf | 15 |
| $Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$ISLP722.doc | 15 |
| $Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IXLC77A.pdf | 15 |
| $Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IXUL2U1.doc | 15 |
| $Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IYSR1FU.ppt | 15 |
| $Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IZ2GMJW.XLSX | 15 |
| $Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$R08BO8F.xlsx | 15 |
| $Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$R11KHR4.doc | 15 |
| $Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$R5QKHLN.doc | 15 |
| $Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$R62TWBD.ppt | 15 |
| $Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$R6FZORX.doc | 15 |

*See JSON for more IOCs
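The `$I…`/`$R…` entries above are Windows Recycle Bin records: every one of the 15 samples produced them, which indicates the documents were deleted to the Recycle Bin rather than overwritten in place. For each pair, the `$I` file holds the metadata (original path, original size, deletion time) and the `$R` file with the same random suffix holds the content, so the `$I` record is what tells a responder which user document a given `$R` payload used to be. The parser below is an added example written for this roundup, not Talos code. It decodes both `$I` layouts (the Windows 10 version-2 header with a path length, and the older fixed 520-byte version-1 path field); the record it parses is constructed in the block with a made-up path, since no real `$I` content is reproduced on this page.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH_FILETIME = 116444736000000000     # 1970-01-01T00:00:00Z as a FILETIME


def filetime_to_datetime(ft):
    """FILETIME is a count of 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Integer arithmetic only, so large values do not lose precision in a float."""
    delta = dt - EPOCH_1601
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def parse_dollar_i(data):
    """Decode a $I record into version, original size, deletion time and original path."""
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:        # Vista through 8.1: fixed 520-byte UTF-16LE path field
        path = data[24:24 + 520].decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:      # Windows 10 and later: 4-byte character count, then the path
        (nchars,) = struct.unpack_from("<I", data, 24)
        path = data[28:28 + nchars * 2].decode("utf-16-le").split("\x00", 1)[0]
    else:
        raise ValueError("unknown $I header version %d" % version)
    return {"version": version, "size": size,
            "deleted": filetime_to_datetime(ft), "path": path}


def build_dollar_i(path, size, deleted, version=2):
    """Construct a $I record for testing; not a file recovered from any sandbox run."""
    encoded = (path + "\x00").encode("utf-16-le")
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    return header + struct.pack("<I", len(path) + 1) + encoded


def recycle_pair_name(name):
    """$Ixxxxxx.ext (metadata) and $Rxxxxxx.ext (content) share the same random suffix."""
    if name.startswith("$I"):
        return "$R" + name[2:]
    if name.startswith("$R"):
        return "$I" + name[2:]
    raise ValueError("not a Recycle Bin entry name: " + name)


if __name__ == "__main__":
    # Constructed record: original path and timestamp are made up for the example.
    when = datetime(2022, 5, 17, 12, 0, 0, tzinfo=timezone.utc)
    record = build_dollar_i("C:\\Users\\user\\Documents\\q2.xlsx", 4096, when)
    print(parse_dollar_i(record))
    print(recycle_pair_name("$I08BO8F.xlsx"))   # -> $R08BO8F.xlsx
```

When working a live image, read the `$I` file from `$Recycle.Bin\<SID>\` with the name of interest and pair it with the `$R` file of the same suffix; a ransomware-encrypted `$R` payload will not match the original size recorded in the `$I` header, which is itself a useful triage signal.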

File Hashes

    10cb592686b6d293baaeb9258dbc9d026024dcadbb89fbe0966a8456b5011408

    181a39b9477057e050e6b88583ffb21bc4b94a8783030735ee8ee677a9986e2a

    235e75a04e4622be8e18ab647a77a87a65a0b33dd0a9edf07e5ada784dc32bb5

    282e1666932d8debcc4ab86746e6791d49fd972582b2778062616d52a8866a96

    291aab875adf6ae867713b06cd7e7456e395324d5de067a9e578441a39a7af3b

    7192125799cce7c0f89dbcdaf9617d3884664f474e9e101458dd53bbefa20427

    77f8d351f3f9b27c42ddd98965269e809e0b864571013240bc3f1e6c7cd51ddd

    8fcafc56c480b5b6492aa5b4882f7b4351e0113b5c20fa69f73db0b2d9dbc82a

    a536cc094459b15044b7030ae665be94f01b9ce5467ff254af170d742e935be1

    ad80dffea369021f6234c5f95daf448972bbcfa28faeaba5ae7edb34e2e11486

    b261d6b8833f07990a69c4f88cdd54f703f465d162a6b1c3acf95561a17890b2

    b57ca40eab68c52c47e979fae218dcb91cb833caeadd53538695b12f5f70c51c

    b89b656a2ce0c5f6f1a37f39b86096551eb04551bb352a651c03732d2b2b501f

    c8748a99549d45eff46cc2cd6687d257478ecad14a5a8a0436e96d48315267cf

    db24a3909701a11d90c3655edf5b4fffc2e73b4938f21ea705036b1446fe7440

Coverage

| Product | Protection |
|---|---|
| Secure Endpoint | |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Secure Malware Analytics | |
| Umbrella | N/A |
| WSA | N/A |

Screenshots of Detection: Secure Endpoint; Secure Malware Analytics; Umbrella

MITRE ATT&CK

Win.Dropper.Zegost-9950175-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 18 samples

Registry Keys

| Registry Key | Value Name | Occurrences |
|---|---|---|
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSSQKG RCQYYDRO | | 7 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSSQKG RCQYYDRO | ConnectGroup | 7 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSSQKG RCQYYDRO | MarkTime | 7 |
| <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | Wseguk cwuesiso | 4 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SUPERPROSERVER | | 3 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SUPERPROSERVER | ConnectGroup | 3 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SUPERPROSERVER | MarkTime | 3 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSIZJB RKWHKRGW | | 2 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSIZJB RKWHKRGW | ConnectGroup | 2 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSIZJB RKWHKRGW | MarkTime | 2 |
| <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | Mocyoq mcsggysa | 2 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SUPERPROSERVER | Type | 1 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SUPERPROSERVER | Start | 1 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SUPERPROSERVER | ErrorControl | 1 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SUPERPROSERVER | DisplayName | 1 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SUPERPROSERVER | WOW64 | 1 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SUPERPROSERVER | ObjectName | 1 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SUPERPROSERVER | ImagePath | 1 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SUPERPROSERVER | FailureActions | 1 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SUPERPROSERVER | Description | 1 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSSQKG RCQYYDRO | Type | 1 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSSQKG RCQYYDRO | Start | 1 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSSQKG RCQYYDRO | ErrorControl | 1 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSSQKG RCQYYDRO | ImagePath | 1 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSSQKG RCQYYDRO | DisplayName | 1 |

Mutexes

| Mutex | Occurrences |
|---|---|
| Global\208c2121-d2ec-11ec-b5f8-00501e3ae7b6 | 1 |
| Global\1ffd1021-d2ec-11ec-b5f8-00501e3ae7b6 | 1 |

IP Addresses contacted by malware. Does not indicate maliciousness

| IP Address | Occurrences |
|---|---|
| 60[.]191[.]97[.]139 | 1 |
| 118[.]193[.]164[.]207 | 1 |
| 122[.]114[.]57[.]137 | 1 |
| 183[.]26[.]161[.]58 | 1 |
| 121[.]41[.]227[.]197 | 1 |
| 221[.]199[.]59[.]161 | 1 |

Domain Names contacted by malware. Does not indicate maliciousness

| Domain Name | Occurrences |
|---|---|
| gunnima[.]f3322[.]net | 3 |
| yxt1[.]f3322[.]net | 1 |
| ykykvip[.]6655[.]la | 1 |
| luoyewuhenscf[.]oicp[.]net | 1 |
| mahluk[.]f3322[.]org | 1 |

Files and or directories created

| File or Directory | Occurrences |
|---|---|
| %ProgramFiles(x86)%\Microsoft <random, matching [A-Z][a-z]{5}> | 13 |
| %ProgramFiles(x86)%\Microsoft Nofhor\Oueo.exe | 7 |
| <random, matching '[0-9]{4}'>.vbs | 7 |
| %ProgramFiles(x86)%\Microsoft Paqbot\aaccamq.exe | 2 |
| %SystemRoot%\Terms.EXE | 1 |
| %ProgramFiles(x86)%\Microsoft Gtdnht\Njzunsj.exe | 1 |
| %ProgramFiles(x86)%\Microsoft Fangyu\zhudongfangyu.exe | 1 |
| %ProgramFiles(x86)%\Microsoft Ynxqoq\Kiawggg.exe | 1 |
| %ProgramFiles(x86)%\Microsoft Ooscua\Wuyqmsa.exe | 1 |

File Hashes

    0e8d746ad396f3858e609b2a0cbfd41676c01ff7283bfcb9fb5e644b0c393874

    144808022fa3f37b6532831390a8ebb11fd20ac239f0e468c6d8556957a0a32e

    1632b7601eccb92cafe93b2ee1970f55c4305311165ef5088e55988aad2cf8a8

    2ff02aef8a9ac75bed7e7bed931dac733cd2f310d50f1596eb6eb7de0b3d5628

    3aa1e8a0cd1c08cf7ef80494693362083b6fe90d51feab94fd14dd3f003cd035

    58d989e1903389b8fc0de808ead8343ac127a95daa4131776a518ad287526c30

    64fac0ae2ed8c9e6c646a81ef171dcd078d1dbe43a55f66fa5676323b694ebe1

    66db7cb8cd374153e5c534bfd1afe7f5e590960dcc37d3602e0620452812d456

    70019a9e401cb30d30e82a7c4da4464ea826fb5ad7a673008874557ea1932809

    732a581bbd232a5eed7034c898cb0c834af01e5dbdd79cd7a241151c8d7debeb

    745dbcda3f3e84c1eed438ceafd129726864db1a39a33eddbc92f41bd7e5c5de

    83c10e8e26234eb9657cc1d3d498723dfc4ad1f26161a622acbaf008b0b794fc

    84c14436a6aa2dfd9b779c188d67d2b83d06e217f1f9756493367e1954cb4f91

    8d2f20364ec1950e904d23c689a1984842cce89c4fe341395ae50f68237042fd

    b18fea368891dc8969a304c6b00bcd952f10295ef7cb69a3ac8981848415612c

    c6f7a82efbd4a77f830b527f892fb1ee5bcfe6e611143c7ab0a2e1632437ce05

    c92c7bf31bca7ff667a24e34911b94bcbe40e931b056740f010961c1bd4c6933

    d5008f73d6e0a70f7e5b20848d3bcced444f8900041d9f85fda0194fa2e008c0

Coverage

| Product | Protection |
|---|---|
| Secure Endpoint | |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Secure Malware Analytics | |
| Umbrella | N/A |
| WSA | N/A |

Screenshots of Detection: Secure Endpoint; Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.TrickBot-9950187-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 33 samples

Registry Keys

| Registry Key | Value Name | Occurrences |
|---|---|---|
| <HKCU>\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS | | 33 |
| <HKCU>\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS\CODEWIZARD VERSION 1.0 | | 33 |
| <HKCU>\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS\CODEWIZARD VERSION 1.0\RECENT FILE LIST | | 33 |
| <HKCU>\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS\CODEWIZARD VERSION 1.0\SETTINGS | | 33 |
| <HKU>\.DEFAULT\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS | | 14 |
| <HKU>\.DEFAULT\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS\CODEWIZARD VERSION 1.0 | | 14 |
| <HKU>\.DEFAULT\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS\CODEWIZARD VERSION 1.0\RECENT FILE LIST | | 14 |
| <HKU>\.DEFAULT\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS\CODEWIZARD VERSION 1.0\SETTINGS | | 14 |

Mutexes

| Mutex | Occurrences |
|---|---|
| GLOBAL\{<random GUID>} | 33 |

IP Addresses contacted by malware. Does not indicate maliciousness

| IP Address | Occurrences |
|---|---|
| 51[.]254[.]164[.]244/31 | 18 |
| 185[.]14[.]30[.]134 | 13 |
| 172[.]245[.]156[.]138 | 10 |
| 200[.]21[.]51[.]38 | 9 |
| 5[.]255[.]96[.]218 | 9 |
| 178[.]156[.]202[.]228 | 8 |
| 185[.]17[.]123[.]90 | 8 |
| 185[.]14[.]30[.]152 | 8 |
| 185[.]20[.]185[.]76 | 7 |
| 181[.]140[.]173[.]186 | 7 |
| 45[.]148[.]120[.]153 | 7 |
| 5[.]182[.]210[.]226 | 6 |
| 181[.]112[.]157[.]42 | 6 |
| 23[.]62[.]6[.]170 | 6 |
| 5[.]255[.]96[.]217 | 6 |
| 190[.]214[.]13[.]2 | 5 |
| 23[.]62[.]6[.]161 | 5 |
| 92[.]38[.]171[.]11 | 5 |
| 200[.]127[.]121[.]99 | 4 |
| 181[.]113[.]28[.]146 | 4 |
| 194[.]5[.]250[.]175 | 4 |
| 170[.]84[.]78[.]224 | 3 |
| 36[.]89[.]85[.]103 | 3 |
| 121[.]100[.]19[.]18 | 3 |
| 171[.]100[.]142[.]238 | 3 |

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness

| Domain Name | Occurrences |
|---|---|
| wpad[.]example[.]org | 33 |
| computer[.]example[.]org | 31 |
| vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com | 16 |
| windowsupdatebg[.]s[.]llnwi[.]net | 15 |
| vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com | 11 |
| apps[.]identrust[.]com | 11 |
| vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com | 4 |

Files and or directories created

| File or Directory | Occurrences |
|---|---|
| %APPDATA%\maininf | 33 |
| %APPDATA%\maininf\data | 33 |
| %System32%\Tasks\WinInfo | 33 |
| %TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp | 33 |
| %APPDATA%\MAININF\<original file name>.exe | 33 |
| \Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | 26 |
| \Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | 26 |
| \Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A | 21 |
| \Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A | 21 |
| %APPDATA%\maininf\profiles.ini | 11 |
| %TEMP%\log2085.tmp | 11 |
| %APPDATA%\maininf\urlclassifierkey3.txt | 8 |
| %APPDATA%\maininf\extensions.ini | 7 |
| %APPDATA%\maininf\compatibility.ini | 7 |
| \Users\user\AppData\Roaming\maininf\TRRBlacklist.txt | 6 |
| \Users\user\AppData\Roaming\maininf\ShareFont.ini | 6 |
| \Users\user\AppData\Roaming\maininf\ConsoleHost_history.txt | 5 |
| %TEMP%\log2095.tmp | 5 |
| \Users\user\AppData\Roaming\maininf\SiteSecurityServiceState.txt | 4 |
| \Users\user\AppData\Roaming\maininf\profiles.ini | 3 |
| \Users\user\AppData\Roaming\maininf\cacheSize.txt | 3 |
| \Users\user\AppData\Roaming\maininf\compatibility.ini | 2 |
| \Users\user\AppData\Roaming\maininf\AlternateServices.txt | 2 |
| %SystemRoot%\TEMP\log6081.tmp | 2 |
| %SystemRoot%\TEMP\log87C0.tmp | 2 |

*See JSON for more IOCs

File Hashes

    089b366e8793cbc83d91a234bd8f50fb8dfcd8e1c9d4ec12a557a5087654cb09

    12b485f8bb93df3ef543ac9c2df5a6c881ad8d80e7a0500acf5d5ff7a8350454

    13edd954aa2cb6615acce1a1f169366f6d12554012d185b22150b4ac3b1e2b5c

    148d77d752a0f883a10231c4b082a5faf76df3fae754e7d4d50f78194532b9b2

    16ffb81083c9c988e526a1fd6fd8143dc21ea2f4876833ba43b64ead08ca9aee

    259ba57d1ce1868c12144dc3fec87c8f882e201f3093048f7e933f53346b0afd

    2c08d65f8d68f44346ec045c62374246c7eddcb1a1c5f3b3854b0ade90539aa9

    3c62ba077f17b25160bd01df9ce8ecdd730eacece2a7947a62981cec829fb894

    3f0e21c9807bcbe3081e0dfc1a28f15b483efe760afa382d891a97de6876f8aa

    464bc95d917d9ec52420bf440a55f4099396d2af4af43d41694f30a70d00761b

    4970c1befe8ed3cab71cd9d43317b9f311d10b49ffc18e1a71f6685cdce05c5c

    4d4ad9bd0b51be44878ad59d1d9e3fa110a629ea52305cfc2ba3e9106698ca71

    57f6bba7f29a365466af5dd3cd9a9f61e57543f4d83d76bef81640b3048e2cdd

    5a260230cafe0229937d77eea28779f134ae0fd2d2b17bde92942b5a11073ec4

    6463c1b28ff09bfd3895b958249ce7e3220ec35b5a49422219407ee5f51cd47d

    704f3472d96b7a5ca6a31e7608ad29d5c0c331516367a6eca0ccd5ada61afdf6

    7131c68df5ded52136e0dd93456da13dd3cef68f5222157d20fd61b04a86f038

    72cb744b57f3183e15da3780cbfd4411dc77b36411c1fcca65ec59e2d15713f0

    8266bd94da8a881040beec0e10ee3a15a146fd8f4e0772a2fbe8903d9c8f07b5

    88e3c9743f423655a60801b44e4d8783c1a444f27748a7f00e827421eb7fd6c0

    901cdae9018e02b8e9fe37f6f96f6bd88d07b95f10fd6db5e506d9e1dbf3eb94

    904df9175e7c173fa0d09bd57f4c038ecfa0bd438aa233807dfdc973f6f08679

    956446e6fce0d16ad5ad2dfe21d6fcaa52fcda2baa7b96695d47d948bf07adcb

    96d60053f8d2be82d6fee5348e6ceff040525c149ec6d7642edce54d0251e0a3

    9d1112135eee205ea776c78acd0c965d9ca00f904798f70451e6158fb14cbeac

*See JSON for more IOCs

Coverage

| Product | Protection |
|---|---|
| Secure Endpoint | |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Secure Malware Analytics | |
| Umbrella | N/A |
| WSA | |

Screenshots of Detection: Secure Endpoint; Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Dridex-9950227-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples

Registry Keys

| Registry Key | Value Name | Occurrences |
|---|---|---|
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{690D1BD7-EA98-1004-3AC9-E87553700E95} | | 25 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{690D1BD7-EA98-1004-3AC9-E87553700E95}\SHELLFOLDER | | 25 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{63FC4996-AFD5-E391-06A7-EFB6E2702561} | | 25 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{63FC4996-AFD5-E391-06A7-EFB6E2702561}\SHELLFOLDER | | 25 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10CDDA71-B745-777B-1AF7-51696DB9BB93} | | 25 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10CDDA71-B745-777B-1AF7-51696DB9BB93}\SHELLFOLDER | | 25 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{CFD6D5E6-02FB-7433-9261-E8E1B87CAC69} | | 25 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{CFD6D5E6-02FB-7433-9261-E8E1B87CAC69}\SHELLFOLDER | | 25 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{8BAB5812-9D02-8F14-74B1-BEDE393F8C1F} | | 25 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{8BAB5812-9D02-8F14-74B1-BEDE393F8C1F}\SHELLFOLDER | | 25 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10DF83AD-199B-9C18-3FEF-E4ECD6A42F66} | | 25 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10DF83AD-199B-9C18-3FEF-E4ECD6A42F66}\SHELLFOLDER | | 25 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{1AD90FE5-CE2F-E8B8-CF09-E0B1912E9542} | | 25 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{1AD90FE5-CE2F-E8B8-CF09-E0B1912E9542}\SHELLFOLDER | | 25 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{05ED06D6-F422-71CC-26B3-C9964D56F645} | | 25 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{05ED06D6-F422-71CC-26B3-C9964D56F645}\SHELLFOLDER | | 25 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{98B09642-2764-54AE-3333-D8C6CA536428} | | 25 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{98B09642-2764-54AE-3333-D8C6CA536428}\SHELLFOLDER | | 25 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{63D99860-AA40-CA79-F681-9DECBEF55447} | | 25 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{63D99860-AA40-CA79-F681-9DECBEF55447}\SHELLFOLDER | | 25 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{D4B277A3-C25E-BCDE-A054-D41AAC36394B} | | 25 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{D4B277A3-C25E-BCDE-A054-D41AAC36394B}\SHELLFOLDER | | 25 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{FE9DE6BC-A4CF-8285-E73C-DFE7A08197FE} | | 25 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{FE9DE6BC-A4CF-8285-E73C-DFE7A08197FE}\SHELLFOLDER | | 25 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{B11CF2E2-C0C2-7860-F12E-428101DCB963} | | 25 |

Mutexes

Occurrences

{24d07012-9955-711c-e323-1079ebcbe1f4}

25

{bf18992f-6351-a1bd-1f80-485116c997cd}

25

{ed099f6b-73d9-00a3-4493-daef482dc5ca}

25

{a2c9c140-d256-a4d5-6465-f62a6660f79e}

25

{a8af557b-6de9-c774-28f4-5c293f1b1769}

25

{b570fe85-587a-a133-ffc9-73821a57c0c1}

25

{ac5b642b-c225-7367-a847-11bdf3a5e67c}

25

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

wpad[.]example[.]org

25

computer[.]example[.]org

24

vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com

11

vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com

7

vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com

6

Files and or directories created

Occurrences

%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5

25

%System32%\Tasks\Ryddmbivo

25

%APPDATA%\Microsoft\Templates\LiveContent\User\SmartArt Graphics\1033\PfaWGXk

1

%APPDATA%\Microsoft\Windows\Libraries\lBSo

1

%APPDATA%\Microsoft\MSDN\Ef

1

%APPDATA%\Microsoft\Internet Explorer\UserData\N03JH1M1\wgRwZjXl

1

%APPDATA%\Microsoft\Templates\LiveContent\Managed\SmartArt Graphics\1033\cLdKFEXDRff

1

%APPDATA%\Microsoft\HTML Help\b1e48

1

%APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\LkMlc

1

%APPDATA%\Adobe\9vMiNCNa0Wd

1

%APPDATA%\Microsoft\SystemCertificates\My\CTLs\FioSZeGC

1

%APPDATA%\Microsoft\Windows\DNTException\AoEub

1

%APPDATA%\Microsoft\MSDN\8.0\m3

1

%APPDATA%\Microsoft\Internet Explorer\UserData\KKRPCQ2X\I5G0NmIx0u

1

%APPDATA%\Microsoft\Internet Explorer\UserData\KKRPCQ2X\K1Jog

1

%APPDATA%\Microsoft\Templates\LiveContent\Qpt746lHyiU

1

%APPDATA%\Microsoft\Templates\LiveContent\User\swjDCObV4dK

1

%APPDATA%\Microsoft\Templates\LiveContent\Managed\Document Themes\n84

1

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Maintenance\2F

1

%APPDATA%\Microsoft\Windows\Libraries\iagm

1

%APPDATA%\Macromedia\Flash Player\macromedia.com\support\flashplayer\BVTsWphI

1

%APPDATA%\Microsoft\Templates\LiveContent\User\Word Document Building Blocks\1033\jaTH0NO

1

%APPDATA%\Microsoft\Office\YYTa0NJd1

1

%APPDATA%\Microsoft\Windows\Recent\0qGY

1

%APPDATA%\Adobe\Acrobat\9.0\Forms\CnQXdAEJP

1

*See JSON for more IOCs

File Hashes

    1434bdd62d628a25829701c54d20f7ba778b3c63d93f6e5764931d1091ef83e3

    14b6e67caf8ff987486978a07e5e177c89a9afe87326d930438b5cc1194e7533

    15576d21edf15e69d6615168d5d63b72b44142e0c0af7b5ad0fe4d04ae0a935e

    2ad3eedfd800d2c4746d7f7d78cce4e25bd97e5c638e6501afe8eda66e0be654

    2caef31bc4acc28a419a2cc7658ea24461a442935bc63b9f90c217583a228c8c

    2e99b07981ecf6945415b98085afdf88bd5e5a0ca74ed5021cd6ad5226cc2883

    314a9d45233b60c2a0c6e6043332cae53687b3cefbc4754db3a77e1e4bfccbb0

    3b682518b8aebea0550ac3a6f7cd39425d0d44ad220e1ada46e79a40b0d848a6

    4cb0e3d4d7cf1a91f16370be66adee9084b2936d43826ba61a50789edd4021ac

    5b0d9bc969fdc4d0530bbc7ce0f6dc1093e15702df5c44d1d9db982604362bef

    5cb238a26bd971c6de9cb98e0132f3054ae23c2c760a3eb0ca7318f25d8d4780

    5e3c0eac1f74586b973f6f09b0e160312d51c2f8557f0f61718fd60d368edafd

    601e0547b844f9990b7f246e825051543a7e1bd69a47329785ee8d500b0832d5

    60d81b8e4b16f86c121cc54d8a6e0303800266ae1e2abf9b2b70dce9cc6da8c8

    6527e098cb2588b6ba84757886c0f740d46cf31db0c804072f7b7728f4ede080

    668cb63fce74a7c9e705b8e7ad81c6b3d91d8325b92aee083f203a3f75e57610

    6ba48ecadd6daa7296e3d1aab5c6f9bad8d97996b6bcb2b5dfaac404bf9c8f47

    6f5284407cb0f4b7e2fe875294a4dbc27d7e9f7ac141285f5ab09a8102ff7dce

    73da1601aa1fabd87a6fd5c945c4927dd68284ede0d343fed299fd2b484fbf65

    785d71a9493e5e84cabaf43661912da7267a0ddd438cac6661538cf9d01cd276

    80e087b28afb0be8ec3a0f0b35aec8ef06e7d806aa7e576a4282e394244a2bc1

    860db4a765cb642a13888257692f65d600389c88d9573daffa5f0905f2bf018d

    950e59486286f7e526a33e5ee60151e09b9c6fc3091cbc354fdf9940371ee37b

    a0faf0b9b2d332b765cc0e7d18e63e19b2465d4356a9c5008200c36f6d912474

    a8ef9cf1ff529a1ef9237cc04e4e12a602669e35e07a65878f073e9067236140

*See JSON for more IOCs

Coverage

Product | Protection
Secure Endpoint | (icon, not extracted)
Cloudlock | N/A
CWS | (icon, not extracted)
Email Security | (icon, not extracted)
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | (icon, not extracted)
Umbrella | N/A
WSA | N/A

Screenshots of Detection (images not included in this extract): Secure Endpoint, Secure Malware Analytics

MITRE ATT&CK (technique heat map image not included in this extract)

Win.Dropper.Ursu-9950236-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples

Mutexes

Mutex | Occurrences
VEOVFseK | 5

IP Addresses contacted by malware. Does not indicate maliciousness

IP Address | Occurrences
154[.]16[.]220[.]209 | 5
127[.]0[.]0[.]2 | 5
67[.]214[.]175[.]69 | 1

Domain Names contacted by malware. Does not indicate maliciousness

Domain | Occurrences
wpad[.]example[.]org | 25
computer[.]example[.]org | 24
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com | 11
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com | 9
wallou[.]publicvm[.]com | 5
www[.]wallou[.]publicvm[.]com | 5
mediafire[.]chickenkiller[.]com | 5
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com | 4

Files and/or directories created

Path | Occurrences
\TEMP\Dsl32.txt | 25
\Users\user\Desktop\Dsl32.txt | 25
%System32%\Dsl32.txt | 24
%ProgramData%\path.exe | 20
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\path.com.url | 20
\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\path.com.url | 20
\TEMP.Identifier | 5
%ProgramData%\sqlwrit.exe | 5
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\sqlwrit.com.url | 5
\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sqlwrit.com.url | 5
\Users\user\Desktop.Identifier | 5
%SystemRoot%\Dsl32.txt | 1

File Hashes

    058f5c5fd0fb2cf3657e5d5911218a094c03e49c27ef55ffabbf5a4143b27d44

    188e0c455ac511f976e8b8a86655fb2522c79f11a25372819edadecf52aa6720

    1fab85fafa3c6415b069f4221d771202da98755ae9f7a3b2f34c570d7b01b12b

    25cf983f69aef35f1acf0b1555002c5877f925b03df7c312f8f904eadfbe39b8

    27b46b7de14445b26f4a8689caee861b824aeae7ea27e466a6292965043519f3

    2db980f99457336e1f78bf6d7e78336756e0748f5acb1ca1fbaea0fc83c21d05

    3a2b6918caafba046e10f58340ea7dee490e0ac150fbf306dc2546a909593407

    3bbc5d12b36fe4f9e14f10dabeaa4bd594f228d457100dbf503f9c84f7616ce1

    3e8ea5324c39dbcb1b0ee0e2fb18f7d928e4998f53381a798955dc906e916da5

    4afd06a5768b10729aebe3020c980c9775c30355aac961fd9da155a56f1022d5

    6004fc0133f36df0cabccdf5e17c6691514e94b57135cf626fdc9fb2ea845c8b

    6994d069182e0e4e9a3336a7d0f8ccea5390938313f5585425803fd9b9f8636d

    6cf4513e19fa3ceed13d7916a127c302ac4e004b549044788adbabfb5005da51

    6e8229828586a2901269588bbc709cc09ad9a09342efdcac208ac636b01daf85

    793e180a71f1a7744e655755ba0e3baac38875396421bec9469f904fbcab835e

    8408e4515b34e24cbfff7d9f52bae3abaee2d60c9c48d59dfeb85055cb8d02c9

    870cb7fd5ab94188bca9004a1a72028d5f227a11db0bea762c304c39dcf3a67a

    8780788906312ede39dea623a3c9711d744bfacbb2410c66eae316daf150b361

    89d221b63d6790ebba1959667c4f47a9e563e35507b254dd6af703ee2a11f04c

    a0f6abe5b1ccc020446ba72ce4b3fe4119c9967ba59f32a33251c0aa428647a8

    a61894ebd208ba8c54e51912ec6405560931a9864aa3fd431f7df4a57eddd635

    a795b3d767d5c8fa911a904d54a031f9a4d1eb4a21aa53de5b51e2a4bd101689

    a991e025d962160b815f69feb32e75d917ee45927924440c5161cce44965e699

    b74590a3e336341984fc38fea2ea801236796b6a610e5fa2f1d411f7159ec169

    bf09b7d1aff22a5bc8e29bb7321a2cae0df270b109f216d1b63966ed0fc015a2

*See JSON for more IOCs

Coverage

Product | Protection
Secure Endpoint | (icon, not extracted)
Cloudlock | N/A
CWS | (icon, not extracted)
Email Security | (icon, not extracted)
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | (icon, not extracted)
Umbrella | N/A
WSA | N/A

Screenshots of Detection (images not included in this extract): Secure Endpoint, Secure Malware Analytics

MITRE ATT&CK (technique heat map image not included in this extract)

Win.Dropper.Zusy-9950260-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 11 samples

Registry Keys

Registry Key | Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 | 11
<HKLM>\SYSTEM\SELECT (Value Name: MarkTime) | 11
<HKU>.DEFAULT\SOFTWARE\MICROSOFT\ACTIVEMOVIE\DEVENUM (Value Name: Version) | 7
<HKU>.DEFAULT\SOFTWARE\MICROSOFT\ACTIVEMOVIE | 7
<HKU>.DEFAULT\SOFTWARE\MICROSOFT\ACTIVEMOVIE\DEVENUM | 7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GSKCSKB TLCTL | 5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GSKCSKB TLCTL (Value Name: Type) | 5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GSKCSKB TLCTL (Value Name: Start) | 5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GSKCSKB TLCTL (Value Name: ErrorControl) | 5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GSKCSKB TLCTL (Value Name: ImagePath) | 5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GSKCSKB TLCTL (Value Name: DisplayName) | 5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GSKCSKB TLCTL (Value Name: WOW64) | 5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GSKCSKB TLCTL (Value Name: ObjectName) | 5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GSKCSKB TLCTL (Value Name: Description) | 5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GDVNFVNF WOFWO | 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GDVNFVNF WOFWO (Value Name: Type) | 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GDVNFVNF WOFWO (Value Name: Start) | 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GDVNFVNF WOFWO (Value Name: ErrorControl) | 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GDVNFVNF WOFWO (Value Name: ImagePath) | 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GDVNFVNF WOFWO (Value Name: DisplayName) | 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GDVNFVNF WOFWO (Value Name: WOW64) | 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GDVNFVNF WOFWO (Value Name: ObjectName) | 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GDVNFVNF WOFWO (Value Name: Description) | 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GDTLDTL DUMDU | 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GDTLDTL DUMDU (Value Name: Type) | 2

Mutexes

Mutex | Occurrences
eed3bd3a-a1ad-4e99-987b-d7cb3fcfa7f0 - S-1-5-18 | 7
Global\C:\Windows\SysWOW64\ASkcsk.exe -auto | 5
Global\C:\Windows\SysWOW64\ASkcsk.exe -acsi | 5
Global\C:\Windows\SysWOW64\HFVnfvn.exe -auto | 3
Global\C:\Windows\SysWOW64\HFVnfvn.exe -acsi | 3
Global\C:\Windows\SysWOW64\KDtldt.exe -auto | 2
Global\C:\Windows\SysWOW64\KDtldt.exe -acsi | 2
Global\C:\TEMP674654654.exe | 1
Global\C:\TEMP546584.exe | 1
Global\C:\TEMP3546546574.exe | 1
Global\C:\Windows\SysWOW64\SSkcsk.exe -auto | 1
Global\C:\TEMP54657468468.exe | 1
Global\C:\Windows\SysWOW64\SSkcsk.exe -acsi | 1
Global\C:\TEMP5465457.exe | 1
Global\C:\TEMP55468746.exe | 1
Global\C:\TEMP55465754.exe | 1
Global\C:\TEMP54654564.exe | 1
Global\C:\TEMP65754547.exe | 1
Global\C:\TEMP465468754.exe | 1
Global\C:\TEMP53486484.exe | 1

IP Addresses contacted by malware. Does not indicate maliciousness

IP Address | Occurrences
143[.]92[.]56[.]63 | 2
156[.]240[.]106[.]162 | 1
121[.]127[.]248[.]96 | 1
180[.]215[.]255[.]141 | 1
156[.]240[.]107[.]214 | 1
156[.]240[.]106[.]129 | 1
206[.]119[.]82[.]57 | 1
134[.]122[.]177[.]77 | 1
156[.]240[.]108[.]219 | 1
27[.]124[.]17[.]228 | 1

Domain Names contacted by malware. Does not indicate maliciousness

Domain | Occurrences
www[.]msftncsi[.]com | 11
isatap[.]example[.]org | 11
wpad[.]example[.]org | 11
computer[.]example[.]org | 10
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com | 10
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com | 5
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com | 1

Files and/or directories created

Path | Occurrences
%SystemRoot%\SysWOW64\Delete00.bat | 11
%SystemRoot%\SysWOW64\ASkcsk.exe | 5
%SystemRoot%\SysWOW64\HFVnfvn.exe | 3
%SystemRoot%\SysWOW64\KDtldt.exe | 2
\TEMP674654654.exe | 1
%SystemRoot%\SysWOW64\SSkcsk.exe | 1
\TEMP546584.exe | 1
\TEMP3546546574.exe | 1
\TEMP54657468468.exe | 1
\TEMP5465457.exe | 1
\TEMP55468746.exe | 1
\TEMP55465754.exe | 1
\TEMP54654564.exe | 1
\TEMP65754547.exe | 1
\TEMP53486484.exe | 1
\TEMP465468754.exe | 1

File Hashes

    69f5d0f6de8d57bd374bbb702ba0e1363fcf7282168eeb3a3705e420229f68de

    767fc2d320a39ac2a24fbc9f4deb13172776b4338561e820efea9865f33f8f8c

    7f95ea485ab69f136ebb6e7e4ae9d0522ce60cc525ee7cd634484d53ff31fdb4

    8a26a3adf738b1a2b3e84f323ca47928dfe93d1b635eb3a549a7d630c2871251

    8fb5f16416475bbcd2005098dd10d52662b870e0b3787544bb60fc2775d54f7e

    910b5935f42190d68f1a9462620f7a60eac839253267277000d61ec444766e59

    ad45540821a86dae47bf35d1cad6d78ac5bb12fb68cd0135e180a29346bce66b

    bb598eedb28c42b011be6f27b0b3740cad173777c501e0fbe83306c37da6e87a

    ca5b8a90bad279bcbbcbdf19403aafd6cc99fe9f19bc46cbae7f9b54295b41ff

    caad99117625442cbea84fc9040033aecdf2981834634de7b2943adddc5ef4ea

    f395d12b196d3a6480d5056725cb834e9d2cb3aa07a15e77180225b67991709d

Coverage

Product | Protection
Secure Endpoint | (icon, not extracted)
Cloudlock | N/A
CWS | (icon, not extracted)
Email Security | (icon, not extracted)
Network Security | (icon, not extracted)
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | (icon, not extracted)
Umbrella | N/A
WSA | N/A

Screenshots of Detection (images not included in this extract): Secure Endpoint, Secure Malware Analytics

MITRE ATT&CK (technique heat map image not included in this extract)
