Friday, April 1, 2022

Threat Roundup for March 25 to April 1


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 25 and April 1. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name Type Description
Win.Trojan.Emotet-9942352-0 Trojan Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Attackers usually try to spread the botnet via malicious Microsoft Office documents with macros.
Win.Downloader.Upatre-9942329-0 Downloader Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.
Win.Dropper.DarkComet-9942502-1 Dropper DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.
Win.Dropper.Dridex-9942398-0 Dropper Dridex is a well-known banking trojan that aims to steal credentials and other sensitive information from an infected machine.
Win.Dropper.Zegost-9942458-0 Dropper Zegost is a remote access trojan designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. Zegost appears to be derived from Gh0stRAT, which is a well-known remote access trojan that had its source code leaked, thus significantly lowering the barrier to entry for actors looking to modify and reuse the code in new attacks.
Win.Dropper.Ursnif-9942533-0 Dropper Ursnif steals sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits.
Win.Trojan.Gh0stRAT-9942536-1 Trojan Gh0stRAT is a well-known family of remote access trojans that provides attackers with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.

Threat Breakdown

Win.Trojan.Emotet-9942352-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 168 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 167
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
51[.]91[.]76[.]89 25
70[.]36[.]102[.]35 25
92[.]240[.]254[.]110 25
217[.]182[.]25[.]250 2
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
wpad[.]example[.]org 25
computer[.]example[.]org 23
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com 10
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com 9
windowsupdatebg[.]s[.]llnwi[.]net 8
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com 4
Files and or directories created Occurrences
\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 25
\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 25
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml 25
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml 25
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml 25
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml 25
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml 25
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml 25
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml 25
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml 25
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml 25
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PCALSGUV\ErrorPageTemplate[1] 25
\Users\user\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\5f7b5f1e01b83767.automaticDestinations-ms 25
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FNF9BE4O\green_shield[1] 25
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OSZC6DKG\red_shield[1] 25
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OSZC6DKG\securityatrisk[1] 25
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PCALSGUV\background_gradient_red[1] 25
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\XN0IX3V7\shield[1] 25
\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F2A0D65B-AC4B-11EC-93F9-00007D858568}.dat 1
\Users\user\AppData\Local\Temp\~DF0565B2AC4BEC530A.TMP 1
\Users\user\AppData\Local\Temp\~DF19DB7E1FC43B6593.TMP 1
\Users\user\AppData\Local\Temp\~DFA2E3B117AC6E9AEA.TMP 1
\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F7BB52B1-AC4B-11EC-93F9-00007D868568}.dat 1
\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F7BB52B3-AC4B-11EC-93F9-00007D868568}.dat 1
\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F7BB52B4-AC4B-11EC-93F9-00007D868568}.dat 1
*See JSON for more IOCs

File Hashes

0045cbae1ac5bb4fe3d2fad17c528abd872aad965b8bb7c97b11b9b7d5b80b7b 030f9d80b445d1a56ed15a864d9c8d7a40fb3ae19e403286fb5cc0627dbe8c95 034a27996a46122852d9beefa91fdf84f91c727382d0790ce5db618837c491a1 03ba825a40bc061e8a983f257eaefaacde80f1be20c106dfe8d805a0285125ee 058d915cfe8f4e6040f270daf54a5af893f915ca656cf4a4bbe850849846cfc2 0640346a8f8f79fc46401bad0e7a9250a4aa90472d66ba780e410cc1bf9e7efa 072dff293c8d9229732bee9bc9532ca789c43b6639c128070df541a348aeea56 07b413fd76f8a25caba1663fc6c8395ff888dc3c78d0c4214805ca56958b1e6f 09243bd814e93a1827ad7ad959e9f990c9eca6600421b9dd802aaf489d3d19f2 09e57f8cd4688989fcac0a0b3d63f36d664ce335c6eb6495cfa5c5ff528e2123 0a1303779d811835b0480a37f8e15d4b4f621f6cc8c1a786aac95a70134a3d31 0ae7a96b28545e114d48c07c8aa10744cd582435f2bf833b95a7a59aea484344 0ed9dd5cdf933ea1801313630da8c1f13d539829107a15169f143f95a7b23a66 13c84a4f33c8fbed24e58f5e42e9db4017f7bd615c6b8703195b9ba1e31981c0 14324a87d1acb9dff2e7af3a8ac3b3a2fbfdb0904e83bfb73e76d4ad9ce769ef 153d12d5c6ed4c0c4274c4770303f68212609ebf6d5cab00e9d6bac126862c5a 1565f38ad55f7c9d9f70afb008cd03e6b7a4de0bdae0a14d8c3df92bdf47c124 16ecff3f4cc74590a1ea6d131cde9eb3654c976657dae22611acb9ba08eab8ca 17d038fb37108faf8032c982e0c51be10e3dd423dad0f8f240d66649eccd9eb3 1aa4fb5a68d5bcf825b877428eac96ed42333f74cde59f3c34f140d602b95a7c 1d0eb2bfe3ef66616a6f749fc7641dc19bed01e90f916ce6789517a87d35a5ec 20ad084a35fa1a4275050d5fdf9ca6afe3b043bdc3fa1f8702ef390247a056eb 21904f217df3a5ee3668469b2bcd0f79ce053aa3c7d8b11f3652a8275e9083af 22b7eb665d47c061de1854ef2615a7f6cba6e3c4838474a805a5bafa7740a459 2676bad349cb8f55aaf8a79a39495b264ac0a05361d54c88d1f841c3bd109c55
*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Downloader.Upatre-9942329-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 141 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 140
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
38[.]65[.]142[.]12 141
104[.]18[.]114[.]97 72
104[.]18[.]115[.]97 69
176[.]36[.]251[.]208 15
69[.]144[.]171[.]44 15
24[.]148[.]217[.]188 13
109[.]86[.]226[.]85 13
96[.]46[.]103[.]232 13
68[.]70[.]242[.]203 13
98[.]222[.]64[.]184 13
98[.]214[.]11[.]253 12
76[.]84[.]81[.]120 11
85[.]135[.]104[.]170 11
66[.]196[.]61[.]218 11
87[.]229[.]109[.]250 11
69[.]163[.]81[.]211 11
77[.]95[.]195[.]68 11
87[.]249[.]142[.]189 10
81[.]93[.]205[.]251 10
173[.]216[.]240[.]56 10
77[.]48[.]30[.]156 10
76[.]105[.]248[.]137 10
98[.]209[.]75[.]164 9
173[.]216[.]247[.]74 9
64[.]111[.]36[.]52 8
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
icanhazip[.]com 141
Files and or directories created Occurrences
%TEMP%\izilysa.exe 141

File Hashes

0518819726479c393a77183575e758c65689d61a51a2961b9f107581c15fdc92 0686f66f25cc1159f027f4fde0ea699c86fce0cd36be00bdb8eb57f7dd60085f 08d2884949d52b1fe84f79ad49fe037c432e1aa34a61f998cdf289ac38a28420 09929acd9ec143ca20b2d9a38a032bec1cb194d189d570692ea800d25e0a7a2a 0aa6732e69824536a3de8003d98f8708db6db253105a38de2dde43fd0a0ddca2 0b19e83d4c2d2a99366bed7e34b13670c545ac84e5e85a8c45a02b1fdfc9a7e5 0bcd9bdc8fffadd3ee620c7ac237b414e43101a2b1e16b98127af036e7c1f890 0bfb4865c10fd6940a1c3e9bb59df428821f89a1acd97bfefa3fa0bc460bec3e 0e29ef1894245b211224ef98a5cde2234ea17cda3ef7b6c103dee9c00b5cdfda 171c81646db92020cf097f45a3659e46478906f07496f2c264a4ece5cbc92ac2 17815f362cb6d94d2b395c1d5299fc7e4bee4131daebbc29b157e6539b753ebf 17f437729647e6b6eb1383eadd1494160b8a0b709d3fd4f81c3593f5ff99cd3f 18f4f0a02940589e4e04fc62d8fd92b0a4ae2b64420868a726dd658fb5b7cb7a 194d32b7f4f42e26e2e33077736d036bd9302f8c7e763635c1e8df2288d432e2 1a3bafcea5e8be02794676c707bab1e85107b96f6137b90a942d58991c1c46de 1a41a2145cbdd1c9cb3e7b945504df9047c612a2775436de2eeb8b500d4381fb 1c0f07b17f2f1e87464583fa3ca5584df0b0cd20ffc0a58b3c01a4c6994b933d 1d64bcccff18b5efd6006276bd530e9ba3e7adc2bb2d66edd1732ff3c3083107 1dfcd8dd25770ea402f30cfd2da0d09f1679b10031819afdfaf7db6af2553133 1e3ed5636ff9ca00b8692f59828b100bdda7b57f624426aecb9da600c9e2b476 1eda9963c173820ff105e507c82a7c21419a6c90a562ec7c593da7aed7ce9e36 1ef7ac29283e396b097373d963ba87b8ccfed4a84aa35415b722ed3f3fb6eee4 2018a8d26b2c6f9ff2b645a2fbfb950f539672cc24d7749c0383a6613e38d619 216a829ec3d780f3a6126867a9baeb3944249d8256fb3f509c99df9845b20f6f 23b23cbf7562a1bdbb311b4407339e9bb738be38ffd0e488657b99670f664650
*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Dropper.DarkComet-9942502-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 20 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 16
<HKCU>\SOFTWARE\DC3_FEXEC 14
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: UserInit
14
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: WinApp
9
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: EnableFirewall
4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DisableNotifications
4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusDisableNotify
4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start
4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM 4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesDisableNotify
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION\EXPLORERN
Value Name: NoControlPanel
3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION 3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION\EXPLORERN 3
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}
Value Name: FaviconPath
2
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}
Value Name: Deleted
2
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES
Value Name: DefaultScope
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Microsoft
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: MicroUpdate
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: System32
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: svchost.exe
1
Mutexes Occurrences
DCPERSFWBP 11
DC_MUTEX-BM9HF0R 9
DC_MUTEX-<random, matching [A-Z0-9]{7}> 5
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
23[.]67[.]200[.]172 4
104[.]105[.]89[.]53 4
13[.]107[.]21[.]200 3
201[.]22[.]167[.]245 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
www[.]msftncsi[.]com 20
wpad[.]example[.]org 20
computer[.]example[.]org 19
a1961[.]g2[.]akamai[.]net[.]0[.]1[.]cn[.]akamaitech[.]net 10
p34[.]no-ip[.]biz 9
docs[.]microsoft[.]com 4
go[.]microsoft[.]com 4
www[.]bing[.]com 4
exbi[.]no-ip[.]org 1
weath[.]ddns[.]net 1
morfeucarder[.]duckdns[.]org 1
trojan2015morfes[.]no-ip[.]org 1
crase11[.]ddns[.]net 1
barry21[.]no-ip[.]org 1
Files and or directories created Occurrences
%APPDATA%\dclogs 14
%SystemRoot%\SysWOW64\WINAPP 9
%SystemRoot%\SysWOW64\WINAPP\WinApp.exe 9
%System32%\WINAPP\WinApp.exe 9
%System32%\WINAPP\WinApp.exe:Zone.Identifier 9
%APPDATA%\svcost 2
%APPDATA%\svcost\svcost.exe 2
\Users\user\AppData\Roaming\svcost\svcost.exe 2
\Users\user\AppData\Roaming\svcost\svcost.exe:Zone.Identifier 2
%TEMP%\MSDCSC 1
%APPDATA%\MSDCSC 1
%TEMP%\MSDCSC\svchost.exe 1
%SystemRoot%\SysWOW64\system 1
%SystemRoot%\SysWOW64\system\svchost.exe 1
%System32%\system\svchost.exe 1
\Users\user\AppData\Roaming\dclogs\2022-03-28-2.dc 1
%APPDATA%\MSDCSC\svchosts.exe 1
\Users\user\AppData\Roaming\MSDCSC\svchosts.exe 1
\Users\user\AppData\Roaming\MSDCSC\svchosts.exe:Zone.Identifier 1
\Users\user\AppData\Local\Temp\MSDCSC\svchost.exe 1
\Users\user\AppData\Local\Temp\MSDCSC\svchost.exe:Zone.Identifier 1
%System32%\system\svchost.exe:Zone.Identifier 1

File Hashes

215e68e01ce674ff5a3bf5fc4ea77e3773fc74158e8c821d2ddf8abb4b7bdab1 4209ebff48f71c7f5a863682d99589514a8024275b9186390e0bdf68c1946585 4a68a3e35a31dd16abe294a2cdcffa23ead7c5d50488bc3b33cd5e4a2138ac52 4d4c3d3ae4e6e3d4dabb0b8a2aeab6f92774e59fcf0547a61727aa3c69c10d86 59bbc5f81f38aa814a0589ec9363b6a1afe216150cbc714cba7a39e36ddbccd1 5d3f37f2bea9dbf25a1b5d0ec66e1f977e5fbb7d09c26c24b0ff7351082ece51 776227b556009c08f68b0b8c88a94399eda82183d2fed5908719f24514f8f886 7b7c948874b53d4020aa482663b2a90579070ce828f3c5c308d684f4ef455549 7fdbcaf79d897960818786a50cdeb2034926b0832331dcf08a4af67840754ede aea375bfa1b943a0d7a144c2c05fb5f2e728098f8980e92d7081cb0794642ecb b004a952aeb7963b72ea0be819efefc0ba23876f2c3154b8cbbc6ae3c6858155 b87a832f292c0f8c9a6c103454c8994a8991de228849816c8bbf2faaa8bc22e4 bbccd1b66eab70f1ce764ad5984416ecc0e8e63cf833c292e527fbe7941778e5 c48f804ab7652312f87d07c46211e71bb212a20384f3ed0d6bf30f95f72b7330 cc378e68ceb7bb60cfe33198f118bcaf13dcbed75c3ef2e6cbb272c2b87b31c5 cc665561264baa9bb1e3ce15a964f2a20a7d9f3dfc40d6862fae8961639413e6 d3ed3c0a2950b04ac4de1d7b17d34e65e4db848a098a172acb9223b64c9e9842 f2b21cac91db979d6aeb80e4d5711f50c52bf185a105406cd151950f84deb309 f894902a9fd929c8ee5be67dff78c3f80999fa650ef6c0372b571055b677ab12 f96a3d116f4487b401841e8cb9d19c36887bb5b89d2dc1fdd3a3a17d11b0044b

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Dropper.Dridex-9942398-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 39 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{690D1BD7-EA98-1004-3AC9-E87553700E95} 39
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{690D1BD7-EA98-1004-3AC9-E87553700E95}\SHELLFOLDER 39
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{63FC4996-AFD5-E391-06A7-EFB6E2702561} 39
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{63FC4996-AFD5-E391-06A7-EFB6E2702561}\SHELLFOLDER 39
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10CDDA71-B745-777B-1AF7-51696DB9BB93} 39
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10CDDA71-B745-777B-1AF7-51696DB9BB93}\SHELLFOLDER 39
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{CFD6D5E6-02FB-7433-9261-E8E1B87CAC69} 39
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{CFD6D5E6-02FB-7433-9261-E8E1B87CAC69}\SHELLFOLDER 39
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{8BAB5812-9D02-8F14-74B1-BEDE393F8C1F} 39
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{8BAB5812-9D02-8F14-74B1-BEDE393F8C1F}\SHELLFOLDER 39
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10DF83AD-199B-9C18-3FEF-E4ECD6A42F66} 39
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10DF83AD-199B-9C18-3FEF-E4ECD6A42F66}\SHELLFOLDER 39
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{1AD90FE5-CE2F-E8B8-CF09-E0B1912E9542} 39
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{1AD90FE5-CE2F-E8B8-CF09-E0B1912E9542}\SHELLFOLDER 39
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{05ED06D6-F422-71CC-26B3-C9964D56F645} 39
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{05ED06D6-F422-71CC-26B3-C9964D56F645}\SHELLFOLDER 39
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{98B09642-2764-54AE-3333-D8C6CA536428} 39
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{98B09642-2764-54AE-3333-D8C6CA536428}\SHELLFOLDER 39
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{63D99860-AA40-CA79-F681-9DECBEF55447} 39
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{63D99860-AA40-CA79-F681-9DECBEF55447}\SHELLFOLDER 39
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{D4B277A3-C25E-BCDE-A054-D41AAC36394B} 39
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{D4B277A3-C25E-BCDE-A054-D41AAC36394B}\SHELLFOLDER 39
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{FE9DE6BC-A4CF-8285-E73C-DFE7A08197FE} 39
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{FE9DE6BC-A4CF-8285-E73C-DFE7A08197FE}\SHELLFOLDER 39
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{B11CF2E2-C0C2-7860-F12E-428101DCB963} 39
Mutexes Occurrences
{24d07012-9955-711c-e323-1079ebcbe1f4} 39
{bf18992f-6351-a1bd-1f80-485116c997cd} 39
{ed099f6b-73d9-00a3-4493-daef482dc5ca} 39
{a2c9c140-d256-a4d5-6465-f62a6660f79e} 39
{a8af557b-6de9-c774-28f4-5c293f1b1769} 39
{b570fe85-587a-a133-ffc9-73821a57c0c1} 39
{ac5b642b-c225-7367-a847-11bdf3a5e67c} 39
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
wpad[.]example[.]org 25
computer[.]example[.]org 23
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com 9
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com 7
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com 7
Files and or directories created Occurrences
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5 39
%System32%\Tasks\Ryddmbivo 39
%APPDATA%\Microsoft\Access\7on96HcC5V 1
%APPDATA%\Microsoft\Templates\LiveContent\User\SmartArt Graphics\Uoqg5M1DlR 1
%APPDATA%\Microsoft\AddIns\zfVgQXW 1
%APPDATA%\Microsoft\Spelling\upRwzqfD 1
%APPDATA%\Microsoft\HTML Help\PK3 1
%APPDATA%\Microsoft\SystemCertificates\FadI6q9 1
%APPDATA%\Microsoft\Windows\IETldCache\MmoQ8 1
%APPDATA%\Adobe\Acrobat\9.0\5S2h8Q5jG 1
%APPDATA%\Macromedia\Flash Player\#SharedObjects\YXTRFETG\Oc3XS4DTax 1
%APPDATA%\Microsoft\AddIns\5Sib5QLgQ 1
%APPDATA%\Microsoft\Templates\LiveContent\User\Document Themes\PK8 1
%APPDATA%\Microsoft\Internet Explorer\UserData\EXUAAUDV\Oc3XS4G1iM 1
%APPDATA%\Macromedia\Flash Player\macromedia.com\PK3 1
%APPDATA%\Microsoft\Publisher Building Blocks\pmQRL8pm0V2 1
%APPDATA%\Microsoft\Windows\IECompatUACache\Low\PK8 1
%APPDATA%\Microsoft\Windows\IECompatCache\j3CCuoPw 1
%APPDATA%\Adobe\Acrobat\9.0\CyHG3Wa 1
%APPDATA%\Microsoft\Excel\TVREus 1
%APPDATA%\Microsoft\MSDN\8.0\MmoQk 1
%APPDATA%\Microsoft\Internet Explorer\UserData\MA3SBLRS\PfO 1
%APPDATA%\Microsoft\Windows\IEDownloadHistory\5S2k4Fjvh 1
%APPDATA%\Microsoft\Windows\PrivacIE\PK3 1
%APPDATA%\Microsoft\SystemCertificates\My\Certificates\zf3erGs 1
*See JSON for more IOCs

File Hashes

0368065ca695a394f0395ec84c62ba93e01d62f0e7180aec8e5a27da3b5fbf8e 09d4943bea9d66c825c5914b5ea27ec2890319d06fd7bebbd2cec6d058f974a6 0a519dd70f094ce652f4a0b58bb5b9cc03248c95b1a2e701e7bdced24b6c748c 0c025adc6ecdc6d1aa1a9104be7d499098e70b343c879878628d1cbe4b567387 0dcfd532676728ce17ddaae48922ae211feef72f56e526c9a1b49639061c00fb 148ddb5c4b5c0798d11b6e8f510e12fab99834b2ecb4ffcb0e163be80ee3fc4d 17efe7b75a467b6839ea27eac3ee9778636bbd7cb8553f24d986ce30545f6b9f 1acc25aed8cefd2b668254eef425d4cae0d409067ae0f854ca3e6366dd46140d 1f2d8ab462a0afc6652a4ecca1a2ecdd2fe71437919138ffdfaadfbfc61411bb 2140f257aa5cb5bf5670a65a52badbaaca1e116007f1c2560f4678298a27fa26 32828c9dc19d90bfcb134216ba63ac14908069918aba91822e3a175cfef88faa 3575d051cf7c4b630ae0ea7ba6eece66dde26d275cb6f0325836f877bfdbbfcd 4801d7ac5d6ecc250dfd437662e8de5d21b3bbd06a1448094c58e6e169aba235 4889d008da5cb925dbfb5aec0003932148af7725763c54d1ae2aa39d976ffd50 4ee28d5a3b2a7de433d345e4242546f31ead14648f64f6e63a5f3f9ee0a17004 513d92f9531aec97a64462874a01719d317bc8db4922b076232a796b245f481c 54782d78225f0065ec917d2282496a304b5322b6d34e3b70b5da4db43e67a9d0 5745abb6e07e173a133067658489d3020a2de42e8e39025f0673efb0b32b28ad 5cbe877b642cd83129d527c81cffa59c567eb525f3ba714cf42de75bba58b48e 5d370f76b23642e0466b6364ce819bc542652de41ebe3f7eddf1b426cf513731 5f2d726e3d0e49b4fa100b682a63e2a991d8151b5d3397d11675eba646e626b6 64df17127f2a4fc7fc42ab2703fab375d8e3df591721786b345c8745e1e61965 6c62ae704c6c13b0bb1e1ff57cbaaf54b62c97cc7149885e92fe5368ceb48faf 70ede8abf9b4489e1cac6734a4120ef64f9eb2dee85b860eff44136ce9b54deb 7a1568877d6e942ad052c4cad18af42d36befb571ba9a445fa56d61ee56f40bb
*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Dropper.Zegost-9942458-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 18 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES
Value Name: Type
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES
Value Name: InstallModule
2
Mutexes Occurrences
AAAAAArqaxva61p72uvbGxsamnsJ8= 5
AAAAAA5vinp7W9sLCxsb388QSpsa+usZ8= 1
AAAAAArqaxva61p72uva6vr6mxr66xnw== 1
AAAAAArqaxva61p72uvbGpsa+usZ8= 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
20[.]189[.]173[.]20 7
52[.]168[.]117[.]173 3
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
wpad[.]example[.]org 18
computer[.]example[.]org 17
clientconfig[.]passport[.]net 15
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com 10
onedsblobprdwus15[.]westus[.]cloudapp[.]azure[.]com 7
onedsblobprdcus17[.]centralus[.]cloudapp[.]azure[.]com 5
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com 4
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com 4
onedsblobprdeus16[.]eastus[.]cloudapp[.]azure[.]com 3
yk886[.]3322[.]org 1
Files and or directories created Occurrences
\Users\user\AppData\Local\Temp\WAX795.tmp 1
\Users\user\AppData\Local\Temp\WAX8CD.tmp 1
\Users\user\AppData\Local\Temp\WAX7036.tmp 1
\Users\user\AppData\Local\Temp\WAX70D2.tmp 1
\Users\user\AppData\Local\Temp\WAX719D.tmp 1
\Users\user\AppData\Local\Temp\WAX8BD2.tmp 1

File Hashes

08a269d063655f1cf0977588fb2f4999c12344b90f4c2620aa1aeec784cfd4ab 0b2faf4010038ee1cc82048a206b40f26b40aabbada1ec5ea6f22cbd42177db3 1734925101c50079d04d196bf5a7bb8b483a3338e97308fc3fafb70d31c586cd 1f1ce72e5bed7a06e4f8049d15f1e93db9feb58b17eb2476a8d3177083fe947f 5075170139bff41f5f548406e23c843e8f99788bd5f2098db32117a5f19610b9 587a4c4523fcbf77d889d06d055e96817433b8368a48f8a8e779301ffc676ab3 661617975c2023aa3ba978a27de8eaaa16b9d05ec1d2a4da43aa43f4cb79a324 81b53df4ac5794ad03f820148b379965d17b4429cf89e12697116be4ab686a94 a0c52015a67d8078487a447cf37cc660cbe24cdd0c2511b06eac134149c7d9dc acd9bf4feae1bd7ee1aaea1eb10815c8c5c3f1e83f7e3c6f753dcf5b58d31c7d aeb479cafd8f7a1accdca7e4c0e0dac16b961a25818a2b29491e307a870a9043 be4f288b26a4b298b93ab5c63b2f1c2fd6261f4659def3f24f1f0ad16ddee62b cbd435983706abe5da1c43fe4c840916c4860c889d6370942b5ea54e3f6cd3c9 e5d10e356c1be13b4e10a6286e90d08bdcfa59b1d0fe730d68d86cfd40e436d9 ed78a88f8775146dd92e5e6d0615484b5c0d790291777863b8d32b2943a41287 f5ce5327b23bc3725a6189cf37264c6bd9ae69c3309c291581682b2715ed0d02 f64976055d070dbf63ab971222295e362b96f823296dd55c3c2e4fb9a85e751e fa38e5e7ed7153b981e030d9d0e027bb8bdec978a29729b60dba3096384371be

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Dropper.Ursnif-9942533-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 118 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 118
Mutexes Occurrences
Global\<random guid> 25
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
www[.]msftncsi[.]com 25
wpad[.]example[.]org 25
computer[.]example[.]org 24
cjwefomatt[.]com 21
dubbergergbb[.]com 18
ticrerfgiff[.]com 10
Files and or directories created Occurrences
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FNF9BE4O\dnserror[1] 21
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OSZC6DKG\NewErrorPageTemplate[1] 21
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PCALSGUV\errorPageStrings[1] 21
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\XN0IX3V7\httpErrorPagesScripts[1] 21
\Users\user\AppData\Local\Temp\JavaDeployReg.log 21
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml 19
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml 19
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml 19
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml 19
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml 19
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml 19
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml 19
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml 19
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml 19
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OSZC6DKG\errorPageStrings[1] 18
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PCALSGUV\httpErrorPagesScripts[1] 18
\Users\user\AppData\Local\Microsoft\Windows\INetCache\SQM\iesqmdata7.sqm 18
\Users\user\AppData\Local\Microsoft\Windows\INetCache\SQM\iesqmdata8.sqm 18
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FNF9BE4O\NewErrorPageTemplate[1] 17
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FNF9BE4O\dnserror[2] 17
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FNF9BE4O\errorPageStrings[1] 14
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OSZC6DKG\httpErrorPagesScripts[1] 14
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\XN0IX3V7\dnserror[1] 14
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FNF9BE4O\NewErrorPageTemplate[2] 14
\Users\user\AppData\Local\Microsoft\Windows\INetCache\SQM\iesqmdata9.sqm 13
*See JSON for more IOCs

File Hashes

0109fd13d5ad5da80c7e7e4d8d1bc1085e98b5c75d4742b6fbb33f41d0c6446c 036394b14368f27ad6b7813f0ea19e641c521c1d83423165c8bef32e4aa77082 046bd83a48a29b22aa96f2e9a7922b1425aa046be19d8387bc07d230d51e4b1e 04cbbb36979fb47e2b62144fcc5af8368ec034cc370fe4d64a61f239b463220f 058948889aa518d88d19f0eb19312f2d449b1a4d4305af2aa3836cd2a31a2a2d 06c34086cc82c792446f341bb5859c8e658ab08b4c4041533f33c556f40acdb0 0a1087cf9133fd1e793012b94409cf90ca7f55f81288625a05faeeeb660316fe 0ac0c3c572e8beb6f7381d9dd8b6d0a6d265bcf17a3605946f3169ce170d8cfd 0b66411daef0e69e62f43bafa81bb023b0c932bb8700f533d41afbad97cfebaf 0caac061bb405d0444c3fdcc6617c5540a494a7f57577378dbd03971bae8dd07 0e3d18ded71834720ea9ff63a10c43677609905945f6548247a1aca464e11f87 0e8816aa213a878264606791b3f7d8cbaa3ef6e7abe6963e54f806b939a4e1c9 112fd8a78d32ab025d6f2fab7877e52175f3419545ccfab30bde297d2d84c07d 166c36d0c23a321f8d4a13cef0ab4248c7d304b0839809a89eb6c75abfe4685c 167d052abd9a6dbc849bac80936d6adc3590f8ef7d564fdd01a19170b9764642 179885962acbabfe9ad8c2274180a27cc7b6b49f992d257cdf340ff9f24a39f9 1c1121ab54f58b848ec60e704cd5c75d51039364bb3b750c7b69e4523dbdbd19 1d6438f8d593e8d5f29c379d52cad1790142fa2ba46d66290fd66d39f9c3fe15 1db40201edf47bf31c728f2e88a66ed6827068446d1bd1280c2dfbf00da80271 1e4748338ea161e68cb481c61274ff92b06c1c0e91542f46bda1298bdd98ceb2 1f92e83b38bd40df0534831c62b0d4fe46e5cdd06cec123c25e5dcf9ee5dffde 21b2ef7ad54adfa7b2e9d8b8938b2c9bd9bc58bce0642f5c694273011b0c34e4 243ee817ba6965c1f04f559c939860ea53206a81eb606c8f6c82da91d0c256e2 29a8553a1b8fefb907476bfc2c9beeefecb74a363a4a97f94dc25cd520d2f07c 2ab1fdde88104f342da4d4d992bb4d0c36d96ee99ba9a79ab9c0c0a4caf7ae48
*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





Win.Trojan.Gh0stRAT-9942536-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 20 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 20
<HKLM>\SYSTEM\SELECT
Value Name: MarkTime
20
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\ACTIVEMOVIE\DEVENUM
Value Name: Version
5
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\ACTIVEMOVIE 5
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\ACTIVEMOVIE\DEVENUM 5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SAINBOX 5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SAINBOX
Value Name: Type
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SAINBOX
Value Name: Start
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SAINBOX
Value Name: ErrorControl
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SAINBOX
Value Name: ImagePath
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SAINBOX
Value Name: DisplayName
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SAINBOX
Value Name: WOW64
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SAINBOX
Value Name: ObjectName
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SAINBOX
Value Name: Description
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PHXPHX QIYQH 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PHXPHX QIYQH
Value Name: Type
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PHXPHX QIYQH
Value Name: Start
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PHXPHX QIYQH
Value Name: ErrorControl
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PHXPHX QIYQH
Value Name: DisplayName
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PHXPHX QIYQH
Value Name: WOW64
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PHXPHX QIYQH
Value Name: ObjectName
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PHXPHX QIYQH
Value Name: Description
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GWXPQR KLCDE
Value Name: DisplayName
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\KCDEUV XPQRI
Value Name: ErrorControl
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GWXPQR KLCDE
Value Name: WOW64
1
Mutexes Occurrences
eed3bd3a-a1ad-4e99-987b-d7cb3fcfa7f0 - S-1-5-18 5
Global\C:\Windows\SysWOW64\sainbox.exe -auto 5
Global\C:\Windows\SysWOW64\sainbox.exe -acsi 5
Global\C:\Windows\SysWOW64\Phxph.exe -auto 3
Global\C:\Windows\SysWOW64\Phxph.exe -acsi 3
47.94.138.49:1111:Sainbox 2
xianyuv.e2.luyouxia.net:25881:Sainbox 2
125.64.103.51:8080:Sainbox 2
Global\"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\sainbox.exe" 1
Global\"C:\TEMP\de16e4bf26e6f6d8bec6c926da97c749055be4d5f80e0b63780821d9ea30d19f.exe" 1
23.225.194.93:8989:Jbrjar Kbskb 1
124.248.65.95:3355:Phxphx Qiyqh 1
Global\"C:\TEMP\178aaacdd52576cf2ac88da1b8169cc8aaf4e002ea6faef7d9486efcbe6d4a67.exe" 1
175.178.174.182:8080:Phxphx Qiyqh 1
Global\"C:\TEMP\63e2e6c46afd23d365c57afd767b8cc949854ec43b6582be24ec55943317b771.exe" 1
Global\"C:\TEMP\9a6d65d03da37d742a0637c5c5cfcab605d327f5b7a3b4e75209001541c828c3.exe" 1
Global\C:\Windows\SysWOW64\Dtumn.exe -auto 1
192.168.0.15:3355:Gwxpqr Klcde 1
Global\C:\Windows\SysWOW64\Dtumn.exe -acsi 1
Global\C:\Windows\SysWOW64\Tklme.exe -auto 1
Global\"C:\TEMP\d7369c6f88b6066e413a8901ddfc9624c20f37cfb3cf6cc3f2bc1026475a7d4e.exe" 1
Global\C:\Windows\SysWOW64\Tklme.exe -acsi 1
Global\C:\Windows\SysWOW64\Aqrsk.exe -auto 1
xianyuv.e2.luyouxia.net:25881:Kcdeuv Xpqri 1
Global\"C:\TEMP\a9c1863d54ca5316a6e67a2f91462cd4ce9171811f15c362cdc9cc8cb05a1474.exe" 1
*See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
127[.]0[.]0[.]1 12
43[.]248[.]201[.]209 4
47[.]94[.]138[.]49 2
175[.]178[.]174[.]182 2
103[.]40[.]247[.]98 2
125[.]64[.]103[.]51 2
124[.]248[.]65[.]95 1
23[.]225[.]194[.]93 1
47[.]98[.]248[.]205 1
114[.]132[.]42[.]117 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
www[.]msftncsi[.]com 15
wpad[.]example[.]org 15
xianyuv[.]e2[.]luyouxia[.]net 4
computer[.]example[.]org 3
e2[.]luyouxia[.]net 2
Files and or directories created Occurrences
%SystemRoot%\SysWOW64\<random, matching '[a-zA-Z0-9]{4,19}'>.exe 10
%SystemRoot%\SysWOW64\sainbox.exe 5
%System32%\sainbox.exe 4
%System32%\sainbox.exe:Zone.Identifier 4
%System32%\Phxph.exe 2
%System32%\Phxph.exe:Zone.Identifier 2
agmkis2 1
%System32%\Jbrja.exe 1
%System32%\Vnfvn.exe 1
%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup\sainbox.exe 1
%SystemRoot%\SysWOW64\ld.exe 1
%System32%\Jbrja.exe:Zone.Identifier 1
%System32%\Phxpg.exe 1
%System32%\Phxpg.exe:Zone.Identifier 1
%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp\sainbox.exe:Zone.Identifier 1
%System32%\Vnfvn.exe:Zone.Identifier 1
%System32%\Dtumn.exe 1
%System32%\Dtumn.exe:Zone.Identifier 1
%System32%\Tklme.exe 1
%System32%\Tklme.exe:Zone.Identifier 1

File Hashes

178aaacdd52576cf2ac88da1b8169cc8aaf4e002ea6faef7d9486efcbe6d4a67 2b9c8b4b400d71c1229edb3b61c9e68c461ef76f44b495561c3a9e38c0250a0f 30169289cefa3879b52d3ab7e58046cd6906030496e18280ef7f608c6165f7be 6000b27c2f2bb9af868e4711e01764c07375d144ff7a2f47f3deb349e5b4ac30 63e2e6c46afd23d365c57afd767b8cc949854ec43b6582be24ec55943317b771 673393d42a2c985df522ba288b48a047cea2c0593bcdfc767c52ab2150fb95fa 6c0938e40a3456a0ecf30e27497420db325e37971d554970dfcb37fbeae6178d 7c7eeb5467b7de0b9d1bf5a16bb5205b6329257716e7f7556a87b78ee1d6783a 887af5e596817b1cdd3fb308ca7a3791ec72ec6084686a9091eb919f19be6317 8da864c8455204cf5621fa2308726f35988bd23a31d2998832efa910c2981b71 9a6d65d03da37d742a0637c5c5cfcab605d327f5b7a3b4e75209001541c828c3 a1c0abb87a04d4967b2caef3f6ea94fcc2d2159fce0550e37337a924c022088b a9c1863d54ca5316a6e67a2f91462cd4ce9171811f15c362cdc9cc8cb05a1474 befa9eef3d1cc7928de4381c6ce070ab5f16fb6a97ae0da71dd2a4d2c6ae4b87 d7369c6f88b6066e413a8901ddfc9624c20f37cfb3cf6cc3f2bc1026475a7d4e de16e4bf26e6f6d8bec6c926da97c749055be4d5f80e0b63780821d9ea30d19f ebec2069724a3f3c636cec799e9bb228eed51e59333022be3d8c217b41e015a0 f07191715777fe8513f22a20e585a2e2cfb747dec16680daab519332d6121c29 f6228dd6d0f0a888640acfff041f6fc50ac4cbeee8745272f16ac08a3cf2d4f7 fcbc746329afe85ee2f040cad0a130ba833f07a7abd024524e36d3aa981dde35

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

Secure Endpoint



Secure Malware Analytics



MITRE ATT&CK





No comments:

Post a Comment

Note: Only a member of this blog may post a comment.