Threat Roundup for April 29 to May 6


TALOS

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between April 29 and May 6. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.
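As an added example (not part of the Talos post), the Python below parses indicator entries in the roundup's flattened layout (a defanged value followed by its occurrence count), refangs the `[.]` notation, and checks constructed dnsmasq-style DNS log lines against the domain indicators while setting aside names the roundup itself marks as not indicating maliciousness. The indicator values, the log lines and the list of background suffixes are constructed assumptions, not values from this roundup.

```python
"""Parse a Talos-style roundup's defanged indicators and check DNS logs against them."""
import ipaddress
import re
from dataclasses import dataclass

# Names the roundup headers already mark as "does not indicate maliciousness"
# because every sandboxed sample resolves them (lab domain, cloud telemetry).
# Treating these suffixes as background noise is this example's assumption.
BACKGROUND_SUFFIXES = (".example.org", ".cloudapp.azure.com")

# Constructed sample in the roundup's flattened layout: indicator, blank line, count.
# The values are documentation-range addresses and reserved names, not real IOCs.
ROUNDUP_DOMAINS = """
wpad[.]example[.]org

21

c2-placeholder[.]example

21

vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com

10
"""
ROUNDUP_IPS = """
198[.]51[.]100[.]7

21

203[.]0[.]113[.]9

3
"""

# Constructed dnsmasq-style query log; two clients resolve the placeholder C2 name.
DNS_LOG = [
    "May  3 10:14:02 dnsmasq[311]: query[A] wpad.example.org from 10.0.0.5",
    "May  3 10:14:09 dnsmasq[311]: query[A] c2-placeholder.example from 10.0.0.5",
    "May  3 10:15:41 dnsmasq[311]: query[A] c2-placeholder.example from 10.0.0.8",
    "May  3 10:16:00 dnsmasq[311]: query[A] updates.vendor.example from 10.0.0.8",
]
DNS_LOG_RE = re.compile(r"query\[A\]\s+(?P<qname>\S+)\s+from\s+(?P<client>\S+)")


@dataclass(frozen=True)
class Indicator:
    value: str         # refanged, lower-cased value, e.g. "198.51.100.7"
    kind: str          # "ipv4" or "domain"
    occurrences: int   # number of samples in the roundup that contacted it
    background: bool   # True when the value ends with a BACKGROUND_SUFFIXES entry


def refang(text: str) -> str:
    """Undo the roundup's [.] defanging so the value can be compared with log data."""
    return text.replace("[.]", ".")


def parse_roundup_block(block: str) -> list[Indicator]:
    """Parse entry rows in the flattened two-column layout (header lines removed).

    Non-empty lines alternate between an indicator and its occurrence count.
    """
    lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("indicator without an occurrence count at end of block")
    indicators = []
    for name, count in zip(lines[0::2], lines[1::2]):
        if not count.isdigit():
            raise ValueError(f"expected a count after {name!r}, got {count!r}")
        value = refang(name).lower()
        try:
            ipaddress.IPv4Address(value)
            kind = "ipv4"
        except ipaddress.AddressValueError:
            kind = "domain"
        background = kind == "domain" and value.endswith(BACKGROUND_SUFFIXES)
        indicators.append(Indicator(value, kind, int(count), background))
    return indicators


def match_dns_log(indicators: list[Indicator], log_lines: list[str]) -> dict[str, set[str]]:
    """Map each client to the non-background domain indicators it queried.

    Background names are excluded so a match means the client resolved a name
    that only the malware samples resolved; one match is still a lead to
    corroborate, not proof of infection.
    """
    watch = {i.value for i in indicators if i.kind == "domain" and not i.background}
    hits: dict[str, set[str]] = {}
    for line in log_lines:
        m = DNS_LOG_RE.search(line)
        if m is None:
            continue
        qname = m.group("qname").rstrip(".").lower()
        if qname in watch:
            hits.setdefault(m.group("client"), set()).add(qname)
    return hits


if __name__ == "__main__":
    iocs = parse_roundup_block(ROUNDUP_DOMAINS) + parse_roundup_block(ROUNDUP_IPS)
    for ioc in iocs:
        print(f"{ioc.kind:6} {ioc.value:55} n={ioc.occurrences:<3} background={ioc.background}")
    for client, names in sorted(match_dns_log(iocs, DNS_LOG).items()):
        print(f"{client}: {', '.join(sorted(names))}")
```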

The most prevalent threats highlighted in this roundup are:

  • Win.Dropper.XtremeRAT-9949237-0 (Dropper): XtremeRAT is a remote access trojan active since 2010 that allows the attacker to eavesdrop on users and modify the running system. The source code for XtremeRAT, written in Delphi, was leaked online and has since been used by similar RATs.

  • Win.Malware.Qbot-9949117-0 (Malware): Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.

  • Win.Packed.Zusy-9949055-0 (Packed): Zusy is a trojan that uses Man-in-the-Middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information.

  • Win.Dropper.LokiBot-9948968-0 (Dropper): Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents attached to spam emails.

  • Win.Malware.Upatre-9948887-0 (Malware): Upatre is a malicious downloader often used by exploit kits and phishing campaigns. This malware downloads and executes malicious executables, often banking trojans.

  • Win.Malware.Ursnif-9948883-0 (Malware): Ursnif is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits.

  • Win.Trojan.Fareit-9948716-0 (Trojan): The Fareit trojan is primarily an information stealer with functionality to download and install other malware.

  • Win.Ransomware.Gandcrab-9948809-0 (Ransomware): GandCrab is ransomware that encrypts documents, photos, databases and other important files, typically using the file extension ".GDCB", ".CRAB" or ".KRAB". GandCrab is spread through both traditional spam campaigns and multiple exploit kits, including Rig and GrandSoft.

  • Win.Packed.Dridex-9948874-0 (Packed): Dridex is a well-known banking trojan that aims to steal credentials and other sensitive information from an infected machine.

Threat Breakdown

Win.Dropper.XtremeRAT-9949237-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 21 samples

Registry Keys

Mutexes

*See JSON for more IOCs

IP Addresses contacted by malware. Does not indicate maliciousness

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness

Files and/or directories created

*See JSON for more IOCs

File Hashes

Coverage

Product: Protection
Secure Endpoint: [image]
Cloudlock: N/A
CWS: [image]
Email Security: [image]
Network Security: [image]
Stealthwatch: N/A
Stealthwatch Cloud: N/A
Secure Malware Analytics: [image]
Umbrella: [image]
WSA: [image]

Screenshots of Detection

[Secure Endpoint screenshot]

[Secure Malware Analytics screenshot]

[MITRE ATT&CK technique map]

Win.Malware.Qbot-9949117-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 18 samples

Registry Keys

Mutexes

Domain Names contacted by malware. Does not indicate maliciousness

Files and/or directories created

File Hashes

Coverage

Product: Protection
Secure Endpoint: [image]
Cloudlock: N/A
CWS: [image]
Email Security: [image]
Network Security: N/A
Stealthwatch: N/A
Stealthwatch Cloud: N/A
Secure Malware Analytics: [image]
Umbrella: N/A
WSA: N/A

Screenshots of Detection

[Secure Endpoint screenshot]

[Secure Malware Analytics screenshot]

[MITRE ATT&CK technique map]

Win.Packed.Zusy-9949055-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples

Registry Keys
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 (25 occurrences)

Mutexes
Weight F (25 occurrences)

IP Addresses contacted by malware. Does not indicate maliciousness

Domain Names contacted by malware. Does not indicate maliciousness

Files and/or directories created

*See JSON for more IOCs

File Hashes

*See JSON for more IOCs

Coverage

Product: Protection
Secure Endpoint: [image]
Cloudlock: N/A
CWS: [image]
Email Security: [image]
Network Security: [image]
Stealthwatch: N/A
Stealthwatch Cloud: N/A
Secure Malware Analytics: [image]
Umbrella: N/A
WSA: N/A

Screenshots of Detection

[Secure Endpoint screenshot]

[Secure Malware Analytics screenshot]

[MITRE ATT&CK technique map]

Win.Dropper.LokiBot-9948968-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 11 samples

Registry Keys

Mutexes
3749282D282E1E80C56CAE5A (2 occurrences)
Global\b414b2a1-cab7-11ec-b5f8-00501e3ae7b6 (1 occurrence)
Global\ace37341-cab7-11ec-b5f8-00501e3ae7b6 (1 occurrence)

IP Addresses contacted by malware. Does not indicate maliciousness

Domain Names contacted by malware. Does not indicate maliciousness

Files and/or directories created

File Hashes

Coverage

Product: Protection
Secure Endpoint: [image]
Cloudlock: N/A
CWS: [image]
Email Security: [image]
Network Security: N/A
Stealthwatch: N/A
Stealthwatch Cloud: N/A
Secure Malware Analytics: [image]
Umbrella: N/A
WSA: N/A

Screenshots of Detection

[Secure Endpoint screenshot]

[Secure Malware Analytics screenshot]

[MITRE ATT&CK technique map]

Win.Malware.Upatre-9948887-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 125 samples

Domain Names contacted by malware. Does not indicate maliciousness

Files and/or directories created
%TEMP%\lsemc.exe (125 occurrences)
\Users\user\AppData\Local\Temp\lsemc.exe (125 occurrences)

File Hashes

*See JSON for more IOCs

Coverage

Product: Protection
Secure Endpoint: [image]
Cloudlock: N/A
CWS: [image]
Email Security: [image]
Network Security: N/A
Stealthwatch: N/A
Stealthwatch Cloud: N/A
Secure Malware Analytics: [image]
Umbrella: N/A
WSA: N/A

Screenshots of Detection

[Secure Endpoint screenshot]

[Secure Malware Analytics screenshot]

[MITRE ATT&CK technique map]

Win.Malware.Ursnif-9948883-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 32 samples

Registry Keys

IP Addresses contacted by malware. Does not indicate maliciousness

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness

*See JSON for more IOCs
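Most of the hosts in the domain table above are CDN, telemetry, advertising and sandbox-configuration endpoints (wpad[.]example[.]org is the detonation VM probing for its own proxy auto-config), which is why the caption says that contact alone does not indicate maliciousness. The following is an added example, not Talos code: it refangs indicators copied from the post and splits them into a "noise" set and a "hunt" set before anyone searches proxy logs for them. The sample indicators are a constructed subset of the lists above, and the suffix allowlist is this example's own assumption, not a Talos classification.

```python
import ipaddress
import re

# Constructed sample: a handful of the defanged indicators from the Ursnif lists above.
SAMPLE_IOCS = [
    "96[.]6[.]27[.]90",
    "146[.]75[.]30[.]133",
    "avast[.]com",
    "wcpstatic[.]microsoft[.]com",
    "wpad[.]example[.]org",
    "tm90daron[.]club",
    "cdn[.]polyfill[.]io",
]

# Assumed "sandbox noise" suffixes for this example (not a Talos list): hosts the detonation
# VM and the browser it launched contact regardless of the sample (WPAD probes for the
# sandbox's own domain, Windows telemetry, Microsoft/Akamai CDNs, the AV site that was loaded).
NOISE_SUFFIXES = (
    ".example.org",
    ".cloudapp.azure.com",
    ".microsoft.com",
    ".bing.com",
    ".akamaized.net",
    ".digicert.com",
    ".aspnetcdn.com",
    ".avast.com",
)


def refang(ioc):
    """Turn a defanged indicator back into its live form, e.g. '1[.]2[.]3[.]4' -> '1.2.3.4'."""
    s = ioc.strip()
    for token in ("[.]", "(.)", "[dot]", "{.}"):
        s = s.replace(token, ".")
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)  # hxxp(s):// -> http(s)://
    return s


def classify(ioc):
    """Return (kind, live value, triage), where triage is 'noise' or 'hunt'."""
    value = refang(ioc)
    try:
        ipaddress.ip_address(value)
        # An IP cannot be dismissed by name alone; it needs ASN / rDNS context, so hunt it.
        return "ip", value, "hunt"
    except ValueError:
        pass
    host = "." + value.lower()  # leading dot so 'avast.com' itself matches '.avast.com'
    triage = "noise" if host.endswith(NOISE_SUFFIXES) else "hunt"
    return "domain", value, triage


def triage(iocs):
    """Map each defanged indicator to its classification; callers search logs for the 'hunt' set only."""
    return {ioc: classify(ioc) for ioc in iocs}


if __name__ == "__main__":
    for ioc, (kind, value, verdict) in triage(SAMPLE_IOCS).items():
        print(f"{verdict:5} {kind:6} {value}")
```

Run on the constructed sample, only the two IP addresses, tm90daron[.]club and cdn[.]polyfill[.]io survive as hunt candidates; the allowlist is deliberately suffix-based so that a lookalike such as microsoft[.]com[.]evil[.]tld still falls through to the hunt set.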

Files and or directories created

| Path | Occurrences |
|---|---|
| \Users\user\AppData\Local\Temp\JavaDeployReg.log | 24 |
| \Users\user\AppData\Local\Microsoft\Windows\INetCache\SQM\iesqmdata7.sqm | 24 |
| \Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A | 22 |
| \Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A | 22 |
| \Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | 21 |
| \Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | 21 |
| \Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\7M9XJRXV\www.avast[1].xml | 21 |
| \Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OSZC6DKG\ef-a24652[1].css | 21 |
| \Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\ey2kpcq\imagestore.dat | 19 |
| \Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OSZC6DKG\37-8473b9[1].js | 18 |
| \Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PCALSGUV\wcp-consent[1].js | 17 |
| \Users\user\AppData\Local\Microsoft\Windows\INetCache\SQM\iesqmdata8.sqm | 14 |
| \Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OSZC6DKG\OtAutoBlock[1].js | 13 |
| \Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PCALSGUV\jquery-1.9.1.min[1].js | 13 |
| \Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml | 12 |
| \Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml | 12 |
| \Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml | 12 |
| \Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml | 12 |
| \Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml | 12 |
| \Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml | 12 |
| \Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml | 12 |
| \Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml | 12 |
| \Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml | 12 |
| \Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FNF9BE4O\MWFMDL2[1].ttf | 12 |
| \Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OSZC6DKG\MWFMDL2[1].woff | 12 |

*See JSON for more IOCs

File Hashes

    03a31fd7e1d5bbf46a84ba87babfdff2ff23c43b69a69b5b19e215ee32dd1d0d

    03e96d96194af38848547c45de19db6f439524c003f7c83e461cc0bf6276ffc7

    063cdd22b200da576812c2c5354b5c20ea26112316e1868e08885372049f19e5

    0713b704ce6d86868fb2390d27d2a771a656f1547ca0ebc69fa64265280b2ba8

    10c548782a72ef94b5bbd1a1390973bcddc320ff005f59209a3b743ff9832ec7

    123f9b4adb41684fae16d70ea8e26ac58a03dc11bdd93107194dab6e0332401d

    12468f5e5a56d82cebd66080837498fd3defcb81c7867f4c6152367b39b6f1f0

    174f74feff875c33dc4c916ce8fb3403206b5ed0e9e9e2264a63883d4f582abb

    1b551b7c49c4b523052557582c47b0575d9ccb08966f4fb48d696c016ba33640

    1db441d814b8838a68380059482931ae38863dc207a4fd27ac968343fa9237fa

    1f35ec4242403b8b474034d47af970fb566a1b7072e0faddf4829bd074fb4c0c

    228e64c296db4c06050a0a1091194a128f1772a5460481b332762b1ad4b9f8fb

    28ea6a27de26636bd7c1b244144bdd8514a65180624a08bf134b7162d5069598

    299a00d138511e0acb7fcc8eae8e7569f4d80d16d0b170df9f916ccf15cfeee0

    2f4f95ae418915dd2a4e5bf1c144be9ecae39be644fa86053932f28ac4d3963b

    3060327e7c855ad6d4f41bcfb95dfd8e81017b561ce0f335a41585bbebff001b

    31b13d2de9dcf71c9825a8dcfcf71de2476e0e0283fd20ac5844af0ed3363831

    3a6772ac9e9df79787ab3d2b35a9e20ed1803ba21d8c1ab4701c53d61624c066

    3aa3fdc6f92768fb5b305bf2b45db42e4d1308529de46596b183cbee423642c0

    3d95a9c5a04b8f99a4e14904afa8da5462960939f117b31ce04102c5158a2bfb

    423d8fcd5143705938d88b778888bf73df023afb32492810943249ed5ea4e490

    44a36274e72a19a5e08253a26bb749e474ef039067f89347e871a9028909451b

    45c21df10683f463b13f3142cbadef492cde65fbcdafae4db83774d5c3a207cc

    49cd125706f9ce847193cae0666e1923ce874a5c5a66e5a788a1b04fd7f3f1d3

    4a3ba70488ae6188c59c73a612207e9cbc2c1805baa4029b4107d462d5925de7

*See JSON for more IOCs

Coverage

| Product | Protection |
|---|---|
| Secure Endpoint | |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Secure Malware Analytics | |
| Umbrella | N/A |
| WSA | |

Screenshots of Detection

[Images: Secure Endpoint, Secure Malware Analytics and MITRE ATT&CK detection screenshots]

Win.Trojan.Fareit-9948716-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 15 samples

Registry Keys

| Key | Value Name | Occurrences |
|---|---|---|
| <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | SonyAgent | 13 |

Mutexes

| Mutex | Occurrences |
|---|---|
| Global\a3eccf81-c9ee-11ec-b5f8-00501e3ae7b6 | 1 |
| Global\a3e34a01-c9ee-11ec-b5f8-00501e3ae7b6 | 1 |

IP Addresses contacted by malware. Does not indicate maliciousness

| IP Address | Occurrences |
|---|---|
| 46[.]37[.]195[.]5 | 13 |
| 82[.]193[.]121[.]16 | 10 |
| 178[.]151[.]133[.]25 | 10 |
| 37[.]57[.]15[.]7 | 9 |
| 77[.]123[.]39[.]4 | 9 |
| 188[.]190[.]44[.]19 | 9 |
| 46[.]211[.]74[.]79 | 8 |
| 178[.]151[.]67[.]6 | 8 |
| 219[.]68[.]182[.]18 | 8 |
| 109[.]87[.]58[.]1 | 7 |
| 178[.]165[.]79[.]59 | 7 |
| 93[.]79[.]190[.]27 | 7 |
| 46[.]216[.]100[.]4 | 6 |
| 84[.]237[.]168[.]99 | 6 |
| 188[.]231[.]248[.]54 | 6 |
| 109[.]162[.]7[.]90 | 6 |
| 178[.]150[.]115[.]39 | 5 |
| 77[.]123[.]32[.]24 | 5 |
| 141[.]170[.]255[.]5 | 5 |
| 176[.]8[.]68[.]194 | 5 |
| 176[.]100[.]2[.]29 | 5 |
| 178[.]165[.]45[.]54 | 5 |
| 46[.]118[.]147[.]54 | 5 |
| 82[.]139[.]25[.]34 | 5 |
| 46[.]250[.]3[.]88 | 5 |

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness

| Domain | Occurrences |
|---|---|
| computer[.]example[.]org | 15 |
| wpad[.]example[.]org | 15 |
| clientconfig[.]passport[.]net | 15 |
| vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com | 8 |
| vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com | 4 |
| vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com | 3 |
| onedsblobprdwus17[.]westus[.]cloudapp[.]azure[.]com | 3 |
| onedsblobprdeus17[.]eastus[.]cloudapp[.]azure[.]com | 3 |
| windowsupdatebg[.]s[.]llnwi[.]net | 3 |
| onedsblobprdcus15[.]centralus[.]cloudapp[.]azure[.]com | 2 |
| onedsblobprdcus17[.]centralus[.]cloudapp[.]azure[.]com | 2 |
| onedsblobprdcus16[.]centralus[.]cloudapp[.]azure[.]com | 2 |
| onedsblobprdwus15[.]westus[.]cloudapp[.]azure[.]com | 2 |
| onedsblobprdeus15[.]eastus[.]cloudapp[.]azure[.]com | 1 |

Files and or directories created

| Path | Occurrences |
|---|---|
| \TEMP\tmp.exe | 13 |

File Hashes

    075fe84b876dfe387e43638d39a957d343fc84cb8f95ad0212deffb349084dc2

    1986488e034fe9b711a770394302a8fd3ed1a76ff0303da9e9e93419997ddada

    1dd48d9dfedfc02efc61774828a4fc4dbceb5c9cafe354c3fc25c2ecee1fded5

    22abe85594dc9fd914da4e8be757caa3c63e865d870113afdc06cde9c47c8df6

    345e36fdb40e4ab56efeb59e71e9da7abb26dcaf32c0241074519a83b8f646a3

    4790c54349eb3b996d6a0fb05d74fe119d49a3352f8c35dc4ebf1f80a825cfd1

    51377238e811a2719b6d0539068b51c6f04a8fa7039b11af8b0a19546dfda74e

    65f8af48ca1004cc12fc0b32144bc59503a874edaf853cfd00c48aa9b600a263

    97535f5811049c5599ddcd1b94d17d879d51184eb57421193f90097665dd05e0

    9ff89eae03cb938fc07d4f407b01ca2c5aa4477ff55d96d751e176c754e27ba5

    b2b174f51ba7957d898d80346bbf6d47b75c9cab1401128dee3fb3fa93b6b361

    c63c6a7678c4ce46edc09ee880772d6336b7892563c71f446e326e3874fa88d1

    d308b19c74fe1aae7141da28eb4227708d40e47968b027f2daa89823550fbc50

    d6a223421785838218067c12d6fdb2fef847e54d678edc766e3b96d408008848

    ff647015da5a96f40e2c2a66b4b47cdb97a76fd536da4b33be37ade0a906388d

Coverage

| Product | Protection |
|---|---|
| Secure Endpoint | |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Secure Malware Analytics | |
| Umbrella | N/A |
| WSA | N/A |

Screenshots of Detection

[Images: Secure Endpoint, Secure Malware Analytics and MITRE ATT&CK detection screenshots]

Win.Ransomware.Gandcrab-9948809-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 22 samples

Mutexes

| Mutex | Occurrences |
|---|---|
| Global\<random guid> | 18 |

IP Addresses contacted by malware. Does not indicate maliciousness

| IP Address | Occurrences |
|---|---|
| 52[.]182[.]143[.]212 | 2 |
| 20[.]42[.]65[.]92 | 2 |
| 104[.]208[.]16[.]94 | 2 |
| 72[.]21[.]81[.]240 | 1 |
| 77[.]75[.]249[.]22 | 1 |
| 20[.]42[.]73[.]29 | 1 |
| 52[.]168[.]117[.]173 | 1 |
| 20[.]189[.]173[.]20 | 1 |
| 23[.]205[.]105[.]157 | 1 |

Domain Names contacted by malware. Does not indicate maliciousness

| Domain | Occurrences |
|---|---|
| wpad[.]example[.]org | 19 |
| computer[.]example[.]org | 18 |
| vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com | 11 |
| clientconfig[.]passport[.]net | 9 |
| www[.]2mmotorsport[.]biz | 6 |
| vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com | 6 |
| www[.]haargenau[.]biz | 2 |
| onedsblobprdeus17[.]eastus[.]cloudapp[.]azure[.]com | 2 |
| onedsblobprdcus15[.]centralus[.]cloudapp[.]azure[.]com | 2 |
| onedsblobprdcus16[.]centralus[.]cloudapp[.]azure[.]com | 2 |
| www[.]bizziniinfissi[.]com | 1 |
| vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com | 1 |
| onedsblobprdeus16[.]eastus[.]cloudapp[.]azure[.]com | 1 |
| onedsblobprdeus15[.]eastus[.]cloudapp[.]azure[.]com | 1 |
| onedsblobprdwus15[.]westus[.]cloudapp[.]azure[.]com | 1 |
| windowsupdatebg[.]s[.]llnwi[.]net | 1 |

Files and or directories created

| Path | Occurrences |
|---|---|
| \Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\6818.528.0.0_0\cast_setup\index.html | 9 |
| \Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\6818.528.0.0_0\cast_setup\offers.html | 9 |
| \Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\6818.528.0.0_0\cast_setup\setup.html | 9 |
| \Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\6818.528.0.0_0\common.js | 9 |
| \Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\6818.528.0.0_0\feedback.css | 9 |
| \Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\6818.528.0.0_0\feedback.html | 9 |
| \Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\6818.528.0.0_0\feedback_script.js | 9 |
| \Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\6818.528.0.0_0\manifest.json | 9 |
| \Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\6818.528.0.0_0\material_css_min.css | 9 |
| \Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\6818.528.0.0_0\mirroring_cast_streaming.js | 9 |
| \Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\6818.528.0.0_0\mirroring_common.js | 9 |
| \Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\6818.528.0.0_0\mirroring_hangouts.js | 9 |
| \Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\6818.528.0.0_0\mirroring_webrtc.js | 9 |
| \Users\user\AppData\Local\Google\Chrome\User Data\Default\Favicons | 9 |
| \Users\user\AppData\Local\Google\Chrome\User Data\Default\History | 9 |
| \Users\user\AppData\Local\Google\Chrome\User Data\Default\History Provider Cache | 9 |
| \Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.google.com_0.indexeddb.leveldb\000003.log | 9 |
| \Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.google.com_0.indexeddb.leveldb\CURRENT | 9 |
| \Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.google.com_0.indexeddb.leveldb\LOG | 9 |
| \Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.google.com_0.indexeddb.leveldb\LOG.old | 9 |
| \Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.google.com_0.indexeddb.leveldb\MANIFEST-000001 | 9 |
| \Users\user\AppData\Local\Google\Chrome\User Data\Default\Last Session | 9 |
| \Users\user\AppData\Local\Google\Chrome\User Data\Default\Last Tabs | 9 |
| \Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\000003.log | 9 |
| \Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT | 9 |

*See JSON for more IOCs

File Hashes

    077fa281b59fb5aa0977144553ed93316302df6fc67b19aff84a2429a18d58b2

    09ccef9524dfee402e934939beaf9450a5747818c8ccdbcbc4432c1fd296990d

    0e34036e3922435ffff6f6602870d15b9bb5875fe9ff698d55a005dbd480ab24

    0eae5bbc1a12cf430d1914cce44615002a9680793ec7e03a561edae47952c944

    3933a130afd0c7b73922b7e4e821397cb574bd8c4d51d38221f47a02d93c9e11

    413904ebf132af3738cac425e344100427b9adb923725b1095c34ca8da84339d

    46d1b2cc47786c2d3904f22940eebe9f36eda9bf894d7c9ffe89289ca98f8634

    68461c95968986b1ebbf8a0be9d97785a52d2510dd89e3c0eb76a299ae27d730

    699d94da45e4c203506a92be689e104bc4dc65be7ec36c46f8a67425bc92901f

    7de208a6bb7bedeee59ea8ca4350edaba431af071a32095bf1788a073d41d1d5

    7e0cec2672fe4bcf8d94370d8181255a65502715126e74705ec3b64980ce1597

    7e4770e63b2505c42a7c910affe3c724f813e3815647e31abb766e790082ef2d

    9ad015eac4136678c7bfc20ea8376934e2da8c61afa1fe5fe7e79109ffc86c53

    9ce6273e9e43567e19188088f4c7a3885c279955665c061c5451ef38e9d7cfdc

    a353ef44948c935c7d4f198fe624147dd890339690b8e32e52f22855865f988a

    b494089bd496c61d632529f3e60e5f16fd85b8201915d7857a9ff8bbacdd16b9

    b54bb9d0be06af4117750df7fed4ce49cdff87973d4956fb47de1867d154eca8

    c7dde16cbd4bc05edde892ae4a96516a3d6078d6ccde511453a401d929fe08a7

    c906be0d9e91b715a1b4bc0b0cab4b5a237eff820e06402d3769b9be605f9224

    d2292c28d1e7a744b3663f7b9427f8b1c9aaadae08ed16176126b5cd9e6ede71

    d5042c7c2a1dccb91967a23a978213b26fa76d80d315f75e0e474b06dcb8ef59

    f03591ddd7f5f82ee03b9ba93b58d9c1716aeaca5a576860fc107c7933d92d97

Coverage

| Product | Protection |
|---|---|
| Secure Endpoint | |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | N/A |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Secure Malware Analytics | |
| Umbrella | |
| WSA | |

Screenshots of Detection

[Images: Secure Endpoint, Secure Malware Analytics and MITRE ATT&CK detection screenshots]

Win.Packed.Dridex-9948874-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 11 samples

Registry Keys

| Key | Occurrences |
|---|---|
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{26A899CD-F987-34AB-F4F2-73315FA3D780} | 11 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{26A899CD-F987-34AB-F4F2-73315FA3D780}\SHELLFOLDER | 11 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{96F3089D-9E34-6CE4-92A3-DF5F50118028} | 11 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{96F3089D-9E34-6CE4-92A3-DF5F50118028}\SHELLFOLDER | 11 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{9113AD42-32F0-3682-1420-9D5F3A7EE72F} | 11 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{9113AD42-32F0-3682-1420-9D5F3A7EE72F}\SHELLFOLDER | 11 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{74AA392D-80A9-310F-0EF9-3C32750B19EE} | 11 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{74AA392D-80A9-310F-0EF9-3C32750B19EE}\SHELLFOLDER | 11 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{03D08175-B48A-4379-3C87-E511E4A107B1} | 11 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{03D08175-B48A-4379-3C87-E511E4A107B1}\SHELLFOLDER | 11 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{3D3CC27C-8C03-9FBF-83B7-AAF28BAF56A0} | 11 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{3D3CC27C-8C03-9FBF-83B7-AAF28BAF56A0}\SHELLFOLDER | 11 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{340DF574-EFFC-1F92-6519-37F879D2A325} | 11 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{340DF574-EFFC-1F92-6519-37F879D2A325}\SHELLFOLDER | 11 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{8E533690-D98A-A2F1-3C5E-FA6CE8898067} | 11 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{8E533690-D98A-A2F1-3C5E-FA6CE8898067}\SHELLFOLDER | 11 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{BFD0B0CA-F12B-2A79-A56C-5737D056DEC3} | 11 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{BFD0B0CA-F12B-2A79-A56C-5737D056DEC3}\SHELLFOLDER | 11 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{BC894FE3-634C-E885-D2AC-A013E878CE40} | 11 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{BC894FE3-634C-E885-D2AC-A013E878CE40}\SHELLFOLDER | 11 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{AC6D5DC7-C1D4-D745-B280-FCF589E17581} | 11 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{AC6D5DC7-C1D4-D745-B280-FCF589E17581}\SHELLFOLDER | 11 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{773A15F5-5507-AB69-7992-97A12B3143E2} | 11 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{773A15F5-5507-AB69-7992-97A12B3143E2}\SHELLFOLDER | 11 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{77FA3E8C-33A2-53CC-55BE-2D3777C6E99C} | 11 |

Mutexes

| Mutex | Occurrences |
|---|---|
| {655c7ed4-095a-878f-8a02-ccacb7724214} | 11 |
| {5a782dc2-0b94-357d-17af-73fbf368d549} | 11 |
| {a475d6c7-ab44-b118-e226-b84c7b8a352e} | 11 |
| {b95be61f-9779-aade-adb0-6d2f1081e6fc} | 11 |
| {3917e8e1-2ef8-14b9-d7e1-c05624d1cf39} | 11 |
| {582b256f-1b03-c642-c0bf-3f7f79237ad4} | 11 |
| {a5fd46be-4986-255f-560e-84dc77259aa5} | 11 |
| {711a8c95-ccf5-5e8a-ad9e-72d3d94bac81} | 11 |
| {<random GUID>} | 11 |

Domain Names contacted by malware. Does not indicate maliciousness

| Domain | Occurrences |
|---|---|
| wpad[.]example[.]org | 10 |
| vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com | 2 |
| computer[.]example[.]org | 1 |

Files and or directories created

| Path | Occurrences |
|---|---|
| %System32%\Tasks\User_Feed_Synchronization-{c6287966-c2f9-fe60-ca20-2632d2784c3f} | 11 |
| %HOMEPATH%\AppData\LocalLow\mzi2D59.tmp | 1 |
| %HOMEPATH%\AppData\LocalLow\bzx36CB.tmp | 1 |
| %HOMEPATH%\AppData\LocalLow\bzx3313.tmp | 1 |
| %HOMEPATH%\AppData\LocalLow\bzx2E33.tmp | 1 |
| %HOMEPATH%\AppData\LocalLow\bzx33CF.tmp | 1 |
| %HOMEPATH%\AppData\LocalLow\bzx3851.tmp | 1 |
| %HOMEPATH%\AppData\LocalLow\bzx3709.tmp | 1 |
| %HOMEPATH%\AppData\LocalLow\bzx3777.tmp | 1 |
| %HOMEPATH%\AppData\LocalLow\zcj3C28.tmp | 1 |
| %HOMEPATH%\AppData\LocalLow\gav30A3.tmp | 1 |
| %HOMEPATH%\AppData\LocalLow\jxv2F9A.tmp | 1 |
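The host-side indicators in this roundup that are specific enough to alert on are the Fareit autorun value SonyAgent under the WOW6432Node Run key and its \TEMP\tmp.exe drop (Win.Trojan.Fareit section above), and the batch of per-user EXPLORER\CLSID\{GUID}\SHELLFOLDER keys listed for Dridex in this section. The following is an added example, not Talos code or a Talos rule set: it turns those indicators into matching rules and runs them over constructed Sysmon-style events. The event shape, the assumption that the TEMP directory sits at the drive root, and the choice to ignore explorer.exe writing its own CLSID keys are this example's own. The User_Feed_Synchronization task file is deliberately not a rule: that task name is also created by the Windows RSS feed platform, so on its own it is a weak indicator.

```python
import re

# Constructed Sysmon-style events for this example (not from the Talos post). Field names
# follow Sysmon: EventID 11 = FileCreate, 12 = registry key create, 13 = registry value set.
SAMPLE_EVENTS = [
    {"id": 13, "image": "C:\\TEMP\\tmp.exe",
     "target": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\SonyAgent"},
    {"id": 11, "image": "C:\\Users\\user\\Downloads\\invoice.exe",
     "target": "C:\\TEMP\\tmp.exe"},
    {"id": 12, "image": "C:\\Windows\\System32\\rundll32.exe",
     "target": "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\"
               "{26A899CD-F987-34AB-F4F2-73315FA3D780}\\ShellFolder"},
    # Constructed benign-looking event: Explorer itself touching a well-known shell CLSID.
    {"id": 12, "image": "C:\\Windows\\explorer.exe",
     "target": "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\"
               "{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder"},
    # Same file name in a different directory: must not match the drive-root \TEMP rule.
    {"id": 11, "image": "C:\\Windows\\explorer.exe",
     "target": "C:\\Windows\\Temp\\tmp.exe"},
]

RULES = [
    # Win.Trojan.Fareit: Run value "SonyAgent" (13 of 15 samples) under the WOW6432Node hive path.
    {"name": "fareit_run_sonyagent", "ids": {13},
     "target": re.compile(r"\\CurrentVersion\\Run\\SonyAgent$", re.IGNORECASE)},
    # Win.Trojan.Fareit: dropped binary \TEMP\tmp.exe; this example assumes TEMP at the drive root.
    {"name": "fareit_drop_tmp_exe", "ids": {11},
     "target": re.compile(r"^[A-Z]:\\TEMP\\tmp\.exe$", re.IGNORECASE)},
    # Win.Packed.Dridex: per-user Explorer\CLSID\{GUID}\ShellFolder keys. Ignoring explorer.exe
    # as the writer is this example's assumption to keep the rule quiet on a normal desktop.
    {"name": "dridex_hkcu_clsid_shellfolder", "ids": {12, 13},
     "target": re.compile(
         r"^HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\"
         r"\{[0-9A-F-]{36}\}\\ShellFolder$", re.IGNORECASE),
     "ignore_image": re.compile(r"\\explorer\.exe$", re.IGNORECASE)},
]


def match(event):
    """Return the names of every rule the event satisfies (event ID, target pattern, writer filter)."""
    hits = []
    for rule in RULES:
        if event["id"] not in rule["ids"]:
            continue
        if not rule["target"].search(event["target"]):
            continue
        ignore = rule.get("ignore_image")
        if ignore and ignore.search(event["image"]):
            continue
        hits.append(rule["name"])
    return hits


def scan(events):
    """Run every rule over every event; returns (event index, rule name) pairs for the alerts."""
    return [(i, name) for i, event in enumerate(events) for name in match(event)]


if __name__ == "__main__":
    for index, name in scan(SAMPLE_EVENTS):
        event = SAMPLE_EVENTS[index]
        print(f"{name}: {event['image']} -> {event['target']}")
```

On the constructed events the three Fareit/Dridex indicators each fire exactly once, while the Explorer-written CLSID key and the tmp.exe under C:\Windows\Temp stay quiet; the value in writing the rules this way is that each one is tied to the event type it belongs to, so a registry pattern is never tested against a file path and vice versa.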

File Hashes

    1022409ef384934d2c2193cfe3fcd3c119a5985b3878b310af34541966614d59

    46d82bcd3dcecca3879d51c04e3e1517b1bd700771067b2508ef64bec8f78b57

    4fcd45010b421dfc09ba2d4e8431870ba6292cd0d278bc0578f2d8ffe73af163

    9294df749ddc6830174e34bd915ab554fc3038cdc942afaac5564c6cf21c2824

    a0fd69deccc51ac5a201cbe35bae7007cfbf776a4a294996485f324776c4f7fa

    a31f283fd22e109844f03c4a0ce307af8cb248fa639a954fe759e66e29048868

    c289032f31865bb81e7fd30a2739faf404dafb9c2ed067b6bc3f54aba6b81423

    c4bfeb31ccd25178e7cfa87b0cd3cfe3612c677aed1cbfaba57bd517df7c78b2

    d4936255aaad6b161805cf911f7b487aca82b7f21888181e8f76fbe48a202f72

    f4a22a0aeccfe721ae539b5b952397b101699a875e15dc407771be9b1d4c00dc

    f931a15f013b01fa1886d303c9c1cdd9dab166f2975854fe06bb6f29da4f528b

Coverage

| Product | Protection |
|---|---|
| Secure Endpoint | |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | N/A |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Secure Malware Analytics | |
| Umbrella | N/A |
| WSA | N/A |

Screenshots of Detection

[Images: Secure Endpoint, Secure Malware Analytics and MITRE ATT&CK detection screenshots]
