Threat Roundup for April 29 to May 6
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between April 29 and May 6. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.
The most prevalent threats highlighted in this roundup are:

| Threat Name | Type | Description |
|---|---|---|
| Win.Dropper.XtremeRAT-9949237-0 | Dropper | XtremeRAT is a remote access trojan active since 2010 that allows the attacker to eavesdrop on users and modify the running system. The source code for XtremeRAT, written in Delphi, was leaked online and has since been used by similar RATs. |
| Win.Malware.Qbot-9949117-0 | Malware | Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB. |
| Win.Packed.Zusy-9949055-0 | Packed | Zusy is a trojan that uses Man-in-the-Middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information. |
| Win.Dropper.LokiBot-9948968-0 | Dropper | Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents attached to spam emails. |
| Win.Malware.Upatre-9948887-0 | Malware | Upatre is a malicious downloader often used by exploit kits and phishing campaigns. This malware downloads and executes malicious executables, often banking trojans. |
| Win.Malware.Ursnif-9948883-0 | Malware | Ursnif is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits. |
| Win.Trojan.Fareit-9948716-0 | Trojan | The Fareit trojan is primarily an information stealer with functionality to download and install other malware. |
| Win.Ransomware.Gandcrab-9948809-0 | Ransomware | GandCrab is ransomware that encrypts documents, photos, databases and other important files, typically using the file extension ".GDCB", ".CRAB" or ".KRAB". GandCrab is spread through both traditional spam campaigns, as well as multiple exploit kits, including Rig and GrandSoft. |
| Win.Packed.Dridex-9948874-0 | Packed | Dridex is a well-known banking trojan that aims to steal credentials and other sensitive information from an infected machine. |
Threat Breakdown

Win.Dropper.XtremeRAT-9949237-0

Indicators of Compromise
- IOCs collected from dynamic analysis of 21 samples
| Registry Key | Value Name | Occurrences |
|---|---|---|
| <HKCU>\SOFTWARE\AASPPAPMMXKVS | A2_271 | 21 |
| <HKCU>\SOFTWARE\AASPPAPMMXKVS | A1_272 | 21 |
| <HKCU>\SOFTWARE\AASPPAPMMXKVS | A2_272 | 21 |
| <HKCU>\SOFTWARE\AASPPAPMMXKVS | A1_273 | 21 |
| <HKCU>\SOFTWARE\AASPPAPMMXKVS | A2_273 | 21 |
| <HKCU>\SOFTWARE\AASPPAPMMXKVS | A1_274 | 21 |
| <HKCU>\SOFTWARE\AASPPAPMMXKVS | A2_274 | 21 |
| <HKCU>\SOFTWARE\AASPPAPMMXKVS | A1_275 | 21 |
| <HKCU>\SOFTWARE\AASPPAPMMXKVS | A2_275 | 21 |
| <HKCU>\SOFTWARE\AASPPAPMMXKVS | A1_276 | 21 |
| <HKCU>\SOFTWARE\AASPPAPMMXKVS | A2_276 | 21 |
| <HKCU>\SOFTWARE\AASPPAPMMXKVS | A1_277 | 21 |
| <HKCU>\SOFTWARE\AASPPAPMMXKVS | A2_277 | 21 |
| <HKCU>\SOFTWARE\AASPPAPMMXKVS | A1_278 | 21 |
| <HKCU>\SOFTWARE\AASPPAPMMXKVS | A2_278 | 21 |
| <HKCU>\SOFTWARE\AASPPAPMMXKVS | A1_279 | 21 |
| <HKCU>\SOFTWARE\AASPPAPMMXKVS | A2_279 | 21 |
| <HKCU>\SOFTWARE\AASPPAPMMXKVS | A1_280 | 21 |
| <HKCU>\SOFTWARE\AASPPAPMMXKVS | A2_280 | 21 |
| <HKCU>\SOFTWARE\AASPPAPMMXKVS | A1_281 | 21 |
| <HKCU>\SOFTWARE\AASPPAPMMXKVS | A2_281 | 21 |
| <HKCU>\SOFTWARE\AASPPAPMMXKVS | A1_282 | 21 |
| <HKCU>\SOFTWARE\AASPPAPMMXKVS | A2_282 | 21 |
| <HKCU>\SOFTWARE\AASPPAPMMXKVS | A1_283 | 21 |
| <HKCU>\SOFTWARE\AASPPAPMMXKVS | A2_283 | 21 |
| Mutex | Occurrences |
|---|---|
| XTREMEUPDATE | 21 |
| smss.exeM_204_ | 21 |
| uxJLpe1m | 21 |
| spoolsv.exeM_1060_ | 21 |
| svchost.exeM_652_ | 21 |
| svchost.exeM_828_ | 21 |
| csrss.exeM_288_ | 21 |
| csrss.exeM_344_ | 21 |
| wininit.exeM_336_ | 21 |
| winlogon.exeM_372_ | 21 |
| dwm.exeM_224_ | 21 |
| explorer.exeM_908_ | 21 |
| lsass.exeM_440_ | 21 |
| lsm.exeM_448_ | 21 |
| services.exeM_432_ | 21 |
| svchost.exeM_1116_ | 21 |
| svchost.exeM_236_ | 21 |
| svchost.exeM_536_ | 21 |
| svchost.exeM_600_ | 21 |
| svchost.exeM_756_ | 21 |
| svchost.exeM_804_ | 21 |
| taskhost.exeM_1096_ | 21 |
| svchost.exeM_2036_ | 21 |
| okok | 21 |
| okokPERSIST | 21 |

*See JSON for more IOCs
| IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences |
|---|---|
| 206[.]189[.]61[.]126 | 21 |
| 85[.]17[.]167[.]196 | 21 |
| 85[.]14[.]86[.]35 | 21 |
| 118[.]137[.]42[.]114 | 21 |
| 81[.]181[.]112[.]247 | 21 |
| 62[.]90[.]21[.]54 | 21 |
| 76[.]104[.]215[.]8 | 21 |
| 89[.]230[.]213[.]141 | 21 |
| 89[.]120[.]233[.]17 | 21 |
| 89[.]46[.]234[.]189 | 21 |
| 72[.]218[.]137[.]25 | 21 |
| 71[.]226[.]96[.]253 | 21 |
| 87[.]121[.]209[.]81 | 21 |
| 212[.]12[.]166[.]36 | 21 |
| 80[.]54[.]102[.]172 | 21 |
| 78[.]96[.]105[.]81 | 21 |
| 84[.]114[.]219[.]90 | 21 |
| 71[.]95[.]133[.]164 | 21 |
| 164[.]125[.]131[.]62 | 21 |
| 129[.]74[.]157[.]231 | 21 |
| 81[.]180[.]234[.]176 | 21 |
| 211[.]106[.]155[.]59 | 21 |
| 220[.]121[.]134[.]142 | 21 |
| 77[.]77[.]35[.]67 | 21 |
| 64[.]29[.]151[.]221 | 21 |

*See JSON for more IOCs
| Domain Names contacted by malware (does not indicate maliciousness) | Occurrences |
|---|---|
| www[.]3pindia[.]in | 21 |
| abb[.]ind[.]in | 21 |
| gim8[.]pl | 21 |
| 1s2qvh91x[.]site[.]aplus[.]net | 21 |
| a-bring[.]com | 21 |
| tn69abi[.]com | 21 |
| www[.]akpartisariveliler[.]com | 21 |
| aclassalerts[.]com | 21 |
| acemoglusucuklari[.]com[.]tr | 21 |
| aci[.]gratix[.]com[.]br | 21 |
| wpad[.]example[.]org | 21 |
| spacehd[.]no-ip[.]org | 21 |
| computer[.]example[.]org | 20 |
| vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com | 10 |
| vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com | 7 |
| vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com | 4 |
| www[.]msftncsi[.]com | 1 |
| assets[.]msn[.]com | 1 |
| isatap[.]example[.]org | 1 |
| clientconfig[.]passport[.]net | 1 |
| onedsblobprdcus15[.]centralus[.]cloudapp[.]azure[.]com | 1 |
| cdn[.]content[.]prod[.]cms[.]msn[.]com | 1 |
| _ldap[.]_tcp[.]dc[.]_msdcs[.]ltkmybs[.]example[.]org | 1 |
| 376483[.]example[.]org | 1 |
| Files and/or directories created | Occurrences |
|---|---|
| %TEMP%\x.html | 21 |
| %SystemRoot%\SysWOW64\chrome.exe | 21 |
| %SystemRoot%\system.ini | 21 |
| \Users\user\AppData\Roaming\Microsoft\Windows\okok.cfg | 21 |
| %System32%\chrome.exe | 21 |
| %System32%\chrome.exe:Zone.Identifier | 21 |
| %APPDATA%\Microsoft\Windows\okok.cfg | 21 |
| %APPDATA%\Microsoft\Windows\okok.dat | 21 |
| \autorun.inf | 19 |
| \Users\user\AppData\Roaming\Microsoft\Windows\okok.dat | 16 |
| <random, matching '[a-z]{4,7}'>.exe | 10 |
| <random, matching '[a-z]{4,6}'>.pif | 9 |
| \Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.log | 3 |
| \Users\user\AppData\Local\Temp\winyojtmq.exe | 1 |
| \Users\user\AppData\Local\Microsoft\Windows\INetCookies\0U1K4OU6.txt | 1 |
| \Users\user\AppData\Local\Microsoft\Windows\INetCookies\1QLY7KNY.txt | 1 |
| \Users\user\AppData\Local\Temp\btfa.exe | 1 |
| \Users\user\AppData\Local\Temp\lrxui.exe | 1 |
| \Users\user\AppData\Local\Microsoft\Windows\INetCookies\1XR90U9A.txt | 1 |
| \Users\user\AppData\Local\Temp\scgy.exe | 1 |
| \Users\user\AppData\Local\Microsoft\Windows\INetCookies\2BQYK1DJ.txt | 1 |
| \Users\user\AppData\Local\Temp\tkyrh.exe | 1 |
| \Users\user\AppData\Local\Microsoft\Windows\INetCookies\6507HZIH.txt | 1 |
| \Users\user\AppData\Local\Temp\wininqd.exe | 1 |
| \Users\user\AppData\Local\Microsoft\Windows\INetCookies\8VGIOW4O.txt | 1 |

*See JSON for more IOCs
File Hashes (list not reproduced here)

Coverage

| Product | Protection |
|---|---|
| Secure Endpoint | |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Secure Malware Analytics | |
| Umbrella | |
| WSA | |

Screenshots of Detection (not reproduced here): Secure Endpoint, Secure Malware Analytics, MITRE ATT&CK
Win.Malware.Qbot-9949117-0

Indicators of Compromise
- IOCs collected from dynamic analysis of 18 samples
| Registry Key | Value Name | Occurrences |
|---|---|---|
| <HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 | | 18 |
| <HKCU>\SOFTWARE\MICROSOFT\DFWOFIK | | 17 |
| <HKCU>\SOFTWARE\MICROSOFT\DFWOFIK | bd63ad6b | 17 |
| <HKCU>\SOFTWARE\MICROSOFT\DFWOFIK | bf228d17 | 17 |
| <HKCU>\SOFTWARE\MICROSOFT\DFWOFIK | f7b512d3 | 17 |
| <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO | | 17 |
| <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO | ff0b3567 | 17 |
| <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO | fd4a151b | 17 |
| <HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS | C:\ProgramData\Microsoft\Ecrirfryzd | 17 |
| <HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS | C:\Users\Administrator\AppData\Roaming\Microsoft\Xtuou | 17 |
| <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO | b5dd8adf | 17 |
| <HKCU>\SOFTWARE\MICROSOFT\DFWOFIK | 79eea72 | 17 |
| <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO | 45f6727e | 17 |
| <HKCU>\SOFTWARE\MICROSOFT\DFWOFIK | c22ac29d | 17 |
| <HKCU>\SOFTWARE\MICROSOFT\DFWOFIK | 5dfca0e | 17 |
| <HKCU>\SOFTWARE\MICROSOFT\DFWOFIK | 88fc7d25 | 17 |
| <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO | 80425a91 | 17 |
| <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO | 47b75202 | 17 |
| <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO | ca94e529 | 17 |
| <HKCU>\SOFTWARE\MICROSOFT\DFWOFIK | 7a96a5f8 | 17 |
| <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO | 38fe3df4 | 17 |
| Mutex | Occurrences |
|---|---|
| Global\{06253ADC-953E-436E-8695-87FADA31FDFB} | 17 |
| {06253ADC-953E-436E-8695-87FADA31FDFB} | 17 |
| {357206BB-1CE6-4313-A3FA-D21258CBCDE6} | 17 |
| Global\{280C5EDE-5A47-4F1C-97D3-B8CFE4CF258D} | 17 |
| {280C5EDE-5A47-4F1C-97D3-B8CFE4CF258D} | 17 |
| Domain Names contacted by malware (does not indicate maliciousness) | Occurrences |
|---|---|
| wpad[.]example[.]org | 18 |
| computer[.]example[.]org | 17 |
| vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com | 8 |
| vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com | 6 |
| vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com | 4 |
| Files and/or directories created | Occurrences |
|---|---|
| %APPDATA%\Microsoft\Xtuou | 17 |
| %ProgramData%\Microsoft\Ecrirfryzd | 17 |
| %System32%\Tasks\qfnfkch | 1 |
| %System32%\Tasks\rygspicam | 1 |
| %System32%\Tasks\ewahlrzas | 1 |
| %System32%\Tasks\ppdrqbavsd | 1 |
| %System32%\Tasks\mvionunzwm | 1 |
| %System32%\Tasks\cpahvbj | 1 |
| %System32%\Tasks\annrbwjnqm | 1 |
| %System32%\Tasks\fwdgfsdqlb | 1 |
| %System32%\Tasks\yhrnwoy | 1 |
| %System32%\Tasks\fgmnsnrt | 1 |
| %System32%\Tasks\fdedsnfvq | 1 |
| %System32%\Tasks\mckozft | 1 |
| %System32%\Tasks\irhikebtsl | 1 |
| %System32%\Tasks\rfqhymiwqs | 1 |
| %System32%\Tasks\zycntsnwy | 1 |
| %System32%\Tasks\eiamjcoc | 1 |
| %System32%\Tasks\hgeezdi | 1 |
File Hashes (list not reproduced here)

Coverage

| Product | Protection |
|---|---|
| Secure Endpoint | |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | N/A |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Secure Malware Analytics | |
| Umbrella | N/A |
| WSA | N/A |

Screenshots of Detection (not reproduced here): Secure Endpoint, Secure Malware Analytics, MITRE ATT&CK
Win.Packed.Zusy-9949055-0

Indicators of Compromise
- IOCs collected from dynamic analysis of 25 samples
| Registry Key | Value Name | Occurrences |
|---|---|---|
| <HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 | | 25 |

| Mutex | Occurrences |
|---|---|
| Weight F | 25 |
| IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences |
|---|---|
| 184[.]87[.]164[.]111 | 19 |
| 23[.]192[.]58[.]247 | 19 |
| 52[.]182[.]143[.]212 | 10 |
| 184[.]28[.]206[.]15 | 10 |
| 104[.]244[.]42[.]131 | 6 |
| 104[.]208[.]16[.]94 | 6 |
| 104[.]244[.]42[.]3 | 5 |
| 20[.]42[.]73[.]29 | 5 |
| 23[.]192[.]43[.]213 | 5 |
| 104[.]81[.]240[.]111 | 4 |
| 20[.]189[.]173[.]20 | 4 |
| 23[.]3[.]112[.]28 | 3 |
| 104[.]244[.]42[.]195 | 2 |
| 104[.]244[.]42[.]67 | 1 |
| Domain Names contacted by malware (does not indicate maliciousness) | Occurrences |
|---|---|
| wpad[.]example[.]org | 25 |
| clientconfig[.]passport[.]net | 25 |
| computer[.]example[.]org | 23 |
| support[.]microsoft[.]com | 22 |
| support[.]oracle[.]com | 22 |
| ldrlucky[.]casa | 19 |
| help[.]twitter[.]com | 14 |
| www[.]intel[.]com | 10 |
| vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com | 10 |
| onedsblobprdcus15[.]centralus[.]cloudapp[.]azure[.]com | 10 |
| windowsupdatebg[.]s[.]llnwi[.]net | 9 |
| vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com | 8 |
| support[.]apple[.]com | 6 |
| onedsblobprdcus16[.]centralus[.]cloudapp[.]azure[.]com | 6 |
| vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com | 5 |
| onedsblobprdeus15[.]eastus[.]cloudapp[.]azure[.]com | 5 |
| onedsblobprdwus15[.]westus[.]cloudapp[.]azure[.]com | 4 |
| Files and/or directories created | Occurrences |
|---|---|
| \Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml | 25 |
| \Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml | 25 |
| \Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml | 25 |
| \Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml | 25 |
| \Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml | 25 |
| \Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml | 25 |
| \Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml | 25 |
| \Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml | 25 |
| \Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml | 25 |
| \Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PCALSGUV\ErrorPageTemplate[1] | 25 |
| \Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FNF9BE4O\green_shield[1] | 25 |
| \Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OSZC6DKG\red_shield[1] | 25 |
| \Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OSZC6DKG\securityatrisk[1] | 25 |
| \Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PCALSGUV\background_gradient_red[1] | 25 |
| \Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\XN0IX3V7\shield[1] | 25 |
| \Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F3A33D75-CB51-11EC-93F9-00007D868534}.dat | 1 |
| \Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{02606307-CB52-11EC-93F9-00007D868534}.dat | 1 |
| \Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F3A33D77-CB51-11EC-93F9-00007D868534}.dat | 1 |
| \Users\user\AppData\Local\Temp\WAX5846.tmp | 1 |
| \Users\user\AppData\Local\Temp\~DF00DA242FE99E703A.TMP | 1 |
| \Users\user\AppData\Local\Temp\~DF326B22235A805658.TMP | 1 |
| \Users\user\AppData\Local\Temp\~DFCF7D08D80801E7AC.TMP | 1 |
| \Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F8E8A1BE-CB51-11EC-93F9-00007D858534}.dat | 1 |
| \Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{05C62C99-CB52-11EC-93F9-00007D858534}.dat | 1 |
| \Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F8E8A1C0-CB51-11EC-93F9-00007D858534}.dat | 1 |

*See JSON for more IOCs
File Hashes
0196fa3b8a46c6b371ab2dd592e19b58985bddc98434b64256fed0b9bf767e7b
065d55d15a08cdcafac1f01dfe44da0b03815dfe107f4e90bb7f272bf3349d0f
0704c90958d842510f12af62d3875fb174706f0cea2d1bfbcb348a0b55d671a6
08f37dfb6f160302b96b48b5159bd1e81efedeef24110f93bfbbf3a2a37236c7
0902000e7ad08fbd165b8f9b4ac66fd02d974e47ac24cf16cadf573b28704602
0960d67344e570084f437cd28f462fa2237af7e5e2ff2c0e4fc77d91ed9f444a
09a127e780e9bbdb5064cda7b3ce991c9148506264e21945227372e29dfd2fc7
0c0f399a89f267e281082b1bc0cab65d404624cbb01dabf5dd6238ab6fe5c54a
0d35c67e35428074c11261e8182d1c41c0d346262b16ed0e2ad84d0a45ce0a68
112e640b5ad49f1301c7434596a2538d3a317c24560471fdad2f3ed1198b7d4a
116952c47611d1c0b925b245d47211842edcd3ddae8da643ff96934f40cfcf11
12f01fa7c9499ce7c94c0759620dde0f74b9b3e95471e490a9abf025dab3351d
14de84b6d2a9737a81ddf7c7881436edaccd3ec5ab1be030eeff1a96d1510f26
153ec432231551deee374b0a878d0c6090ffb97d089da73a6dccfce840ce9be1
1cc71866f655e4cef1822eb4b19688ada9542414c87c0d3eaeb2a6eb3c695aad
1ed2b9df8d1a520b0b4b3366e123abf69e02d330c23a991b16c93b2c27dca027
1f7970601705a505c55552cacd7cc1111dafe1ef359a1cd712050b24f98062c5
21c0b1cac5c4aec649e0ae731410494554c4bca0c59580e2288ee11ce1bd778f
24180e5ff8448fd74f4002bc8f753ef979e416d0cf8ba38280fd60ab305866f0
2516389bf8fb97bf14ec7714e2b779a5955cd2f30946b1cd9ae01ac5face8af1
2af4383ac7bb36395bb6fafc6f26f8e394d90dae507e096806741c9c249bcb42
2cd1260a8903e44d8a8e1523ca6088a6905d3ab4e558999c2f07975f27b186f7
2d0fe4f17c820ae57163c5403992cf882ffed9972dcea711c36dc43146bd76ee
30b99759cad7404fa5ca45bd7fb646988495d9d5e1d8b61c9456e3f9b7f63e82
31387e9493a5163200d232cafce7222606c4f50cc88911ca35689c2b442d74de
*See JSON for more IOCs
Coverage

| Product | Protection |
|---|---|
| Secure Endpoint | |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Secure Malware Analytics | |
| Umbrella | N/A |
| WSA | N/A |

Screenshots of Detection (not reproduced here): Secure Endpoint, Secure Malware Analytics, MITRE ATT&CK
Win.Dropper.LokiBot-9948968-0

Indicators of Compromise
- IOCs collected from dynamic analysis of 11 samples
| Registry Key | Value Name | Occurrences |
|---|---|---|
| <HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 | | 11 |
| <HKCU>\SOFTWARE\WINRAR | | 5 |
| <HKCU>\SOFTWARE\WINRAR | HWID | 5 |
| <HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003E9 | F | 5 |
| <HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000001F5 | F | 5 |
| <HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003EC | F | 5 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE | EnableFirewall | 2 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\PUBLICPROFILE | EnableFirewall | 2 |
| <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SSDPSRV | Start | 2 |
| <HKCU>\SOFTWARE\WIN7ZIP | | 2 |
| <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RSTRUI.EXE | | 2 |
| <HKCU>\SOFTWARE\WIN7ZIP | Uuid | 2 |
| <HKCR>\CLSID\{85FDE33D-583E-444B-99F8-141FFE5945FA}\0B4E02AC\CS1 | | 2 |
| <HKCR>\CLSID\{85FDE33D-583E-444B-99F8-141FFE5945FA}\0B4E02AC\CW1 | | 2 |
| <HKCR>\CLSID\{85FDE33D-583E-444B-99F8-141FFE5945FA}\0B4E02AC\CG1 | GLA | 2 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101 | CheckSetting | 2 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103 | CheckSetting | 2 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100 | CheckSetting | 2 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102 | CheckSetting | 2 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104 | CheckSetting | 2 |
| <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RSTRUI.EXE | Debugger | 2 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | 911k1e97 | 2 |
| <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | D282E1 | 1 |
| <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\XSYTZECRN.EXE | Debugger | 1 |
| <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\OMYLCQKSW.EXE | Debugger | 1 |
| Mutex | Occurrences |
|---|---|
| 3749282D282E1E80C56CAE5A | 2 |
| Global\b414b2a1-cab7-11ec-b5f8-00501e3ae7b6 | 1 |
| Global\ace37341-cab7-11ec-b5f8-00501e3ae7b6 | 1 |
| IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences |
|---|---|
| 178[.]32[.]1[.]43 | 2 |
| 195[.]22[.]127[.]233 | 1 |
| 52[.]182[.]143[.]212 | 1 |
| 20[.]42[.]65[.]92 | 1 |
| 20[.]72[.]235[.]82 | 1 |
| 20[.]112[.]52[.]29 | 1 |
| 43[.]255[.]154[.]37 | 1 |
| 27[.]121[.]64[.]133 | 1 |
| Domain Names contacted by malware (does not indicate maliciousness) | Occurrences |
|---|---|
| computer[.]example[.]org | 4 |
| wpad[.]example[.]org | 4 |
| clientconfig[.]passport[.]net | 3 |
| www5[.]cdljussarago[.]com[.]br | 2 |
| www5[.]tamareirashotelmg[.]com[.]br | 2 |
| vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com | 2 |
| microsoft[.]com | 1 |
| vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com | 1 |
| vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com | 1 |
| onedsblobprdeus17[.]eastus[.]cloudapp[.]azure[.]com | 1 |
| onedsblobprdcus15[.]centralus[.]cloudapp[.]azure[.]com | 1 |
| crestimportersltd[.]com | 1 |
| usaalkz[.]biz | 1 |
| movshopclub[.]ru | 1 |
| doasure[.]biz | 1 |
| ariandange[.]com | 1 |
| www[.]ariandange[.]com | 1 |
| Files and/or directories created | Occurrences |
|---|---|
| \out.bin | 2 |
| %APPDATA%\D282E1 | 2 |
| %APPDATA%\D282E1\1E80C5.lck | 2 |
| %ProgramData%\6b407430 | 2 |
| %ProgramData%\6b407430\desktop.ini | 2 |
| %System32%\Tasks\Windows Update Check - 0x0B4E02AC | 2 |
| %TEMP%\7734_appcompat.txt | 1 |
| %TEMP%\785859.bat | 1 |
| %TEMP%\762781.bat | 1 |
| %TEMP%\694281.bat | 1 |
| %TEMP%\1761586067.bat | 1 |
| %TEMP%\A73F6.dmp | 1 |
| %TEMP%\1761712023.bat | 1 |
| %TEMP%\1761721539.bat | 1 |
| %TEMP%\1761626269.bat | 1 |
| %TEMP%\1761774813.bat | 1 |
| %TEMP%\774906.bat | 1 |
| %TEMP%\9E032.dmp | 1 |
| %TEMP%\dbe6_appcompat.txt | 1 |
File Hashes (list not reproduced here)

Coverage

| Product | Protection |
|---|---|
| Secure Endpoint | |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | N/A |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Secure Malware Analytics | |
| Umbrella | N/A |
| WSA | N/A |

Screenshots of Detection (not reproduced here): Secure Endpoint, Secure Malware Analytics, MITRE ATT&CK
Win.Malware.Upatre-9948887-0

Indicators of Compromise
- IOCs collected from dynamic analysis of 125 samples
| Domain Names contacted by malware (does not indicate maliciousness) | Occurrences |
|---|---|
| directcanadaei[.]com | 101 |
| advancehomesbd[.]com | 101 |
| wpad[.]example[.]org | 95 |
| computer[.]example[.]org | 80 |
| vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com | 28 |
| vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com | 28 |
| vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com | 25 |

| Files and/or directories created | Occurrences |
|---|---|
| %TEMP%\lsemc.exe | 125 |
| \Users\user\AppData\Local\Temp\lsemc.exe | 125 |
File Hashes (list not reproduced here)

*See JSON for more IOCs

Coverage

| Product | Protection |
|---|---|
| Secure Endpoint | |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | N/A |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Secure Malware Analytics | |
| Umbrella | N/A |
| WSA | N/A |

Screenshots of Detection (not reproduced here): Secure Endpoint, Secure Malware Analytics, MITRE ATT&CK
Win.Malware.Ursnif-9948883-0

Indicators of Compromise
- IOCs collected from dynamic analysis of 32 samples
| Registry Key | Value Name | Occurrences |
|---|---|---|
| <HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES | DefaultScope | 25 |
| <HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 | | 25 |
| <HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A} | FaviconPath | 24 |
| <HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A} | Deleted | 24 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS | NewInstallPromptCount | 1 |
| <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS | CompatBlockPromptCount | 1 |
| <HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES | FaviconPath | 1 |
| <HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES | Deleted | 1 |
| IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences |
|---|---|
| 96[.]6[.]27[.]90 | 25 |
| 152[.]199[.]4[.]33 | 25 |
| 173[.]223[.]179[.]204 | 25 |
| 146[.]75[.]30[.]133 | 22 |
| 146[.]75[.]29[.]26 | 22 |
| 13[.]32[.]206[.]122 | 20 |
| 52[.]213[.]150[.]210 | 20 |
| 157[.]240[.]2[.]25 | 19 |
| 69[.]147[.]92[.]12 | 17 |
| 104[.]16[.]148[.]64 | 15 |
| 146[.]75[.]29[.]108 | 15 |
| 13[.]107[.]21[.]200 | 14 |
| 104[.]18[.]38[.]174 | 14 |
| 172[.]64[.]149[.]82 | 14 |
| 13[.]107[.]246[.]40 | 13 |
| 23[.]222[.]236[.]25 | 13 |
| 23[.]216[.]88[.]76 | 13 |
| 104[.]20[.]184[.]68 | 12 |
| 13[.]107[.]213[.]40 | 12 |
| 23[.]222[.]236[.]51 | 12 |
| 23[.]62[.]217[.]177 | 10 |
| 13[.]32[.]153[.]82 | 10 |
| 23[.]222[.]236[.]18 | 9 |
| 18[.]211[.]154[.]234 | 9 |
| 23[.]218[.]40[.]161 | 8 |

*See JSON for more IOCs
| Domain Names contacted by malware (does not indicate maliciousness) | Occurrences |
|---|---|
| avast[.]com | 31 |
| www[.]avast[.]com | 31 |
| static3[.]avast[.]com | 30 |
| wcpstatic[.]microsoft[.]com | 25 |
| www[.]bing[.]com | 25 |
| microsoft[.]com | 25 |
| assets[.]onestore[.]ms | 25 |
| c[.]s-microsoft[.]com | 25 |
| img-prod-cms-rt-microsoft-com[.]akamaized[.]net | 25 |
| cacerts[.]digicert[.]com | 25 |
| js[.]monitor[.]azure[.]com | 25 |
| ajax[.]aspnetcdn[.]com | 25 |
| wpad[.]example[.]org | 24 |
| tm90daron[.]club | 24 |
| scontent[.]xx[.]fbcdn[.]net | 22 |
| connect[.]facebook[.]net | 22 |
| edge[.]gycpi[.]b[.]yahoodns[.]net | 22 |
| s[.]yimg[.]com | 22 |
| cdn[.]cookielaw[.]org | 22 |
| widget[.]trustpilot[.]com | 22 |
| cdn[.]polyfill[.]io | 22 |
| ib[.]anycast[.]adnxs[.]com | 22 |
| secure[.]adnxs[.]com | 22 |
| script[.]hotjar[.]com | 22 |
| static-cdn[.]hotjar[.]com | 22 |

*See JSON for more IOCs
| Files and/or directories created | Occurrences |
|---|---|
| \Users\user\AppData\Local\Temp\JavaDeployReg.log | 24 |
| \Users\user\AppData\Local\Microsoft\Windows\INetCache\SQM\iesqmdata7.sqm | 24 |
| \Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A | 22 |
| \Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A | 22 |
| \Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | 21 |
| \Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | 21 |
| \Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\7M9XJRXV\www.avast[1].xml | 21 |
| \Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OSZC6DKG\ef-a24652[1].css | 21 |
| \Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\ey2kpcq\imagestore.dat | 19 |
| \Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OSZC6DKG\37-8473b9[1].js | 18 |
| \Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PCALSGUV\wcp-consent[1].js | 17 |
| \Users\user\AppData\Local\Microsoft\Windows\INetCache\SQM\iesqmdata8.sqm | 14 |
| \Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OSZC6DKG\OtAutoBlock[1].js | 13 |
| \Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PCALSGUV\jquery-1.9.1.min[1].js | 13 |
| \Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml | 12 |
| \Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml | 12 |
| \Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml | 12 |
| \Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml | 12 |
| \Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml | 12 |
| \Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml | 12 |
| \Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml | 12 |
| \Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml | 12 |
| \Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml | 12 |
| \Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FNF9BE4O\MWFMDL2[1].ttf | 12 |
| \Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OSZC6DKG\MWFMDL2[1].woff | 12 |

*See JSON for more IOCs
File Hashes
03a31fd7e1d5bbf46a84ba87babfdff2ff23c43b69a69b5b19e215ee32dd1d0d
03e96d96194af38848547c45de19db6f439524c003f7c83e461cc0bf6276ffc7
063cdd22b200da576812c2c5354b5c20ea26112316e1868e08885372049f19e5
0713b704ce6d86868fb2390d27d2a771a656f1547ca0ebc69fa64265280b2ba8
10c548782a72ef94b5bbd1a1390973bcddc320ff005f59209a3b743ff9832ec7
123f9b4adb41684fae16d70ea8e26ac58a03dc11bdd93107194dab6e0332401d
12468f5e5a56d82cebd66080837498fd3defcb81c7867f4c6152367b39b6f1f0
174f74feff875c33dc4c916ce8fb3403206b5ed0e9e9e2264a63883d4f582abb
1b551b7c49c4b523052557582c47b0575d9ccb08966f4fb48d696c016ba33640
1db441d814b8838a68380059482931ae38863dc207a4fd27ac968343fa9237fa
1f35ec4242403b8b474034d47af970fb566a1b7072e0faddf4829bd074fb4c0c
228e64c296db4c06050a0a1091194a128f1772a5460481b332762b1ad4b9f8fb
28ea6a27de26636bd7c1b244144bdd8514a65180624a08bf134b7162d5069598
299a00d138511e0acb7fcc8eae8e7569f4d80d16d0b170df9f916ccf15cfeee0
2f4f95ae418915dd2a4e5bf1c144be9ecae39be644fa86053932f28ac4d3963b
3060327e7c855ad6d4f41bcfb95dfd8e81017b561ce0f335a41585bbebff001b
31b13d2de9dcf71c9825a8dcfcf71de2476e0e0283fd20ac5844af0ed3363831
3a6772ac9e9df79787ab3d2b35a9e20ed1803ba21d8c1ab4701c53d61624c066
3aa3fdc6f92768fb5b305bf2b45db42e4d1308529de46596b183cbee423642c0
3d95a9c5a04b8f99a4e14904afa8da5462960939f117b31ce04102c5158a2bfb
423d8fcd5143705938d88b778888bf73df023afb32492810943249ed5ea4e490
44a36274e72a19a5e08253a26bb749e474ef039067f89347e871a9028909451b
45c21df10683f463b13f3142cbadef492cde65fbcdafae4db83774d5c3a207cc
49cd125706f9ce847193cae0666e1923ce874a5c5a66e5a788a1b04fd7f3f1d3
4a3ba70488ae6188c59c73a612207e9cbc2c1805baa4029b4107d462d5925de7
*See JSON for more IOCs
Coverage

| Product | Protection |
|---|---|
| Secure Endpoint | |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Secure Malware Analytics | |
| Umbrella | N/A |
| WSA | |

Screenshots of Detection (not reproduced here): Secure Endpoint, Secure Malware Analytics, MITRE ATT&CK
Win.Trojan.Fareit-9948716-0

Indicators of Compromise
- IOCs collected from dynamic analysis of 15 samples
| Registry Key | Value Name | Occurrences |
|---|---|---|
| <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | SonyAgent | 13 |

| Mutex | Occurrences |
|---|---|
| Global\a3eccf81-c9ee-11ec-b5f8-00501e3ae7b6 | 1 |
| Global\a3e34a01-c9ee-11ec-b5f8-00501e3ae7b6 | 1 |
| IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences |
|---|---|
| 46[.]37[.]195[.]5 | 13 |
| 82[.]193[.]121[.]16 | 10 |
| 178[.]151[.]133[.]25 | 10 |
| 37[.]57[.]15[.]7 | 9 |
| 77[.]123[.]39[.]4 | 9 |
| 188[.]190[.]44[.]19 | 9 |
| 46[.]211[.]74[.]79 | 8 |
| 178[.]151[.]67[.]6 | 8 |
| 219[.]68[.]182[.]18 | 8 |
| 109[.]87[.]58[.]1 | 7 |
| 178[.]165[.]79[.]59 | 7 |
| 93[.]79[.]190[.]27 | 7 |
| 46[.]216[.]100[.]4 | 6 |
| 84[.]237[.]168[.]99 | 6 |
| 188[.]231[.]248[.]54 | 6 |
| 109[.]162[.]7[.]90 | 6 |
| 178[.]150[.]115[.]39 | 5 |
| 77[.]123[.]32[.]24 | 5 |
| 141[.]170[.]255[.]5 | 5 |
| 176[.]8[.]68[.]194 | 5 |
| 176[.]100[.]2[.]29 | 5 |
| 178[.]165[.]45[.]54 | 5 |
| 46[.]118[.]147[.]54 | 5 |
| 82[.]139[.]25[.]34 | 5 |
| 46[.]250[.]3[.]88 | 5 |

*See JSON for more IOCs
| Domain Names contacted by malware (does not indicate maliciousness) | Occurrences |
|---|---|
| computer[.]example[.]org | 15 |
| wpad[.]example[.]org | 15 |
| clientconfig[.]passport[.]net | 15 |
| vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com | 8 |
| vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com | 4 |
| vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com | 3 |
| onedsblobprdwus17[.]westus[.]cloudapp[.]azure[.]com | 3 |
| onedsblobprdeus17[.]eastus[.]cloudapp[.]azure[.]com | 3 |
| windowsupdatebg[.]s[.]llnwi[.]net | 3 |
| onedsblobprdcus15[.]centralus[.]cloudapp[.]azure[.]com | 2 |
| onedsblobprdcus17[.]centralus[.]cloudapp[.]azure[.]com | 2 |
| onedsblobprdcus16[.]centralus[.]cloudapp[.]azure[.]com | 2 |
| onedsblobprdwus15[.]westus[.]cloudapp[.]azure[.]com | 2 |
| onedsblobprdeus15[.]eastus[.]cloudapp[.]azure[.]com | 1 |

| Files and/or directories created | Occurrences |
|---|---|
| \TEMP\tmp.exe | 13 |
File Hashes (list not reproduced here)

Coverage

| Product | Protection |
|---|---|
| Secure Endpoint | |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Secure Malware Analytics | |
| Umbrella | N/A |
| WSA | N/A |

Screenshots of Detection (not reproduced here): Secure Endpoint, Secure Malware Analytics, MITRE ATT&CK
Win.Ransomware.Gandcrab-9948809-0

Indicators of Compromise
- IOCs collected from dynamic analysis of 22 samples
Mutexes
Occurrences
Global<random guid>
18
IP Addresses contacted by malware. Does not indicate maliciousness
Domain Names contacted by malware. Does not indicate maliciousness
Files and or directories created
*See JSON for more IOCs
File Hashes
Coverage
Product | Protection
Secure Endpoint | Yes
Cloudlock | N/A
CWS | Yes
Email Security | Yes
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | Yes
Umbrella | Yes
WSA | Yes
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK
Win.Packed.Dridex-9948874-0
Indicators of Compromise
- IOCs collected from dynamic analysis of 11 samples
Registry Keys
Mutexes
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
wpad[.]example[.]org
10
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com
2
computer[.]example[.]org
1
Files and or directories created
File Hashes
Coverage
Product | Protection
Secure Endpoint | Yes
Cloudlock | N/A
CWS | Yes
Email Security | Yes
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | Yes
Umbrella | N/A
WSA | N/A
Screenshots of Detection
Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK