Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 25 and April 1. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org , or ClamAV.net .
For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.
The most prevalent threats highlighted in this roundup are:
Threat Name
Type
Description
Win.Trojan.Emotet-9942352-0
Trojan
Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Attackers usually try to spread the botnet via malicious Microsoft Office documents with macros.
Win.Downloader.Upatre-9942329-0
Downloader
Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.
Win.Dropper.DarkComet-9942502-1
Dropper
DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.
Win.Dropper.Dridex-9942398-0
Dropper
Dridex is a well-known banking trojan that aims to steal credentials and other sensitive information from an infected machine.
Win.Dropper.Zegost-9942458-0
Dropper
Zegost is a remote access trojan designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. Zegost appears to be derived from Gh0stRAT, which is a well-known remote access trojan that had its source code leaked, thus significantly lowering the barrier to entry for actors looking to modify and reuse the code in new attacks.
Win.Dropper.Ursnif-9942533-0
Dropper
Ursnif steals sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits.
Win.Trojan.Gh0stRAT-9942536-1
Trojan
Gh0stRAT is a well-known family of remote access trojans that provides attackers with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.
Threat Breakdown Win.Trojan.Emotet-9942352-0 Indicators of Compromise IOCs collected from dynamic analysis of 168 samples
Registry Keys
Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 167
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
51[.]91[.]76[.]8925
70[.]36[.]102[.]3525
92[.]240[.]254[.]11025
217[.]182[.]25[.]2502
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
wpad[.]example[.]org25
computer[.]example[.]org23
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com10
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com9
windowsupdatebg[.]s[.]llnwi[.]net8
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com4
Files and or directories created
Occurrences
\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F800850625
\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F800850625
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml25
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml25
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml25
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml25
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml25
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml25
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml25
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml25
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml25
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PCALSGUV\ErrorPageTemplate[1]25
\Users\user\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\5f7b5f1e01b83767.automaticDestinations-ms25
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FNF9BE4O\green_shield[1]25
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OSZC6DKG\red_shield[1]25
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OSZC6DKG\securityatrisk[1]25
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PCALSGUV\background_gradient_red[1]25
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\XN0IX3V7\shield[1]25
\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F2A0D65B-AC4B-11EC-93F9-00007D858568}.dat1
\Users\user\AppData\Local\Temp\~DF0565B2AC4BEC530A.TMP1
\Users\user\AppData\Local\Temp\~DF19DB7E1FC43B6593.TMP1
\Users\user\AppData\Local\Temp\~DFA2E3B117AC6E9AEA.TMP1
\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F7BB52B1-AC4B-11EC-93F9-00007D868568}.dat1
\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F7BB52B3-AC4B-11EC-93F9-00007D868568}.dat1
\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F7BB52B4-AC4B-11EC-93F9-00007D868568}.dat1
*See JSON for more IOCs
File Hashes 0045cbae1ac5bb4fe3d2fad17c528abd872aad965b8bb7c97b11b9b7d5b80b7b
030f9d80b445d1a56ed15a864d9c8d7a40fb3ae19e403286fb5cc0627dbe8c95
034a27996a46122852d9beefa91fdf84f91c727382d0790ce5db618837c491a1
03ba825a40bc061e8a983f257eaefaacde80f1be20c106dfe8d805a0285125ee
058d915cfe8f4e6040f270daf54a5af893f915ca656cf4a4bbe850849846cfc2
0640346a8f8f79fc46401bad0e7a9250a4aa90472d66ba780e410cc1bf9e7efa
072dff293c8d9229732bee9bc9532ca789c43b6639c128070df541a348aeea56
07b413fd76f8a25caba1663fc6c8395ff888dc3c78d0c4214805ca56958b1e6f
09243bd814e93a1827ad7ad959e9f990c9eca6600421b9dd802aaf489d3d19f2
09e57f8cd4688989fcac0a0b3d63f36d664ce335c6eb6495cfa5c5ff528e2123
0a1303779d811835b0480a37f8e15d4b4f621f6cc8c1a786aac95a70134a3d31
0ae7a96b28545e114d48c07c8aa10744cd582435f2bf833b95a7a59aea484344
0ed9dd5cdf933ea1801313630da8c1f13d539829107a15169f143f95a7b23a66
13c84a4f33c8fbed24e58f5e42e9db4017f7bd615c6b8703195b9ba1e31981c0
14324a87d1acb9dff2e7af3a8ac3b3a2fbfdb0904e83bfb73e76d4ad9ce769ef
153d12d5c6ed4c0c4274c4770303f68212609ebf6d5cab00e9d6bac126862c5a
1565f38ad55f7c9d9f70afb008cd03e6b7a4de0bdae0a14d8c3df92bdf47c124
16ecff3f4cc74590a1ea6d131cde9eb3654c976657dae22611acb9ba08eab8ca
17d038fb37108faf8032c982e0c51be10e3dd423dad0f8f240d66649eccd9eb3
1aa4fb5a68d5bcf825b877428eac96ed42333f74cde59f3c34f140d602b95a7c
1d0eb2bfe3ef66616a6f749fc7641dc19bed01e90f916ce6789517a87d35a5ec
20ad084a35fa1a4275050d5fdf9ca6afe3b043bdc3fa1f8702ef390247a056eb
21904f217df3a5ee3668469b2bcd0f79ce053aa3c7d8b11f3652a8275e9083af
22b7eb665d47c061de1854ef2615a7f6cba6e3c4838474a805a5bafa7740a459
2676bad349cb8f55aaf8a79a39495b264ac0a05361d54c88d1f841c3bd109c55*See JSON for more IOCs
Coverage
Product
Protection
Secure Endpoint
✓
Cloudlock
N/A
CWS
✓
Email Security
✓
Network Security
✓
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
✓
Umbrella
N/A
WSA
✓
Screenshots of Detection Secure Endpoint Secure Malware Analytics MITRE ATT&CK Win.Downloader.Upatre-9942329-0 Indicators of Compromise IOCs collected from dynamic analysis of 141 samples
Registry Keys
Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 140
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
38[.]65[.]142[.]12141
104[.]18[.]114[.]9772
104[.]18[.]115[.]9769
176[.]36[.]251[.]20815
69[.]144[.]171[.]4415
24[.]148[.]217[.]18813
109[.]86[.]226[.]8513
96[.]46[.]103[.]23213
68[.]70[.]242[.]20313
98[.]222[.]64[.]18413
98[.]214[.]11[.]25312
76[.]84[.]81[.]12011
85[.]135[.]104[.]17011
66[.]196[.]61[.]21811
87[.]229[.]109[.]25011
69[.]163[.]81[.]21111
77[.]95[.]195[.]6811
87[.]249[.]142[.]18910
81[.]93[.]205[.]25110
173[.]216[.]240[.]5610
77[.]48[.]30[.]15610
76[.]105[.]248[.]13710
98[.]209[.]75[.]1649
173[.]216[.]247[.]749
64[.]111[.]36[.]528
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
icanhazip[.]com141
Files and or directories created
Occurrences
%TEMP%\izilysa.exe141
File Hashes 0518819726479c393a77183575e758c65689d61a51a2961b9f107581c15fdc92
0686f66f25cc1159f027f4fde0ea699c86fce0cd36be00bdb8eb57f7dd60085f
08d2884949d52b1fe84f79ad49fe037c432e1aa34a61f998cdf289ac38a28420
09929acd9ec143ca20b2d9a38a032bec1cb194d189d570692ea800d25e0a7a2a
0aa6732e69824536a3de8003d98f8708db6db253105a38de2dde43fd0a0ddca2
0b19e83d4c2d2a99366bed7e34b13670c545ac84e5e85a8c45a02b1fdfc9a7e5
0bcd9bdc8fffadd3ee620c7ac237b414e43101a2b1e16b98127af036e7c1f890
0bfb4865c10fd6940a1c3e9bb59df428821f89a1acd97bfefa3fa0bc460bec3e
0e29ef1894245b211224ef98a5cde2234ea17cda3ef7b6c103dee9c00b5cdfda
171c81646db92020cf097f45a3659e46478906f07496f2c264a4ece5cbc92ac2
17815f362cb6d94d2b395c1d5299fc7e4bee4131daebbc29b157e6539b753ebf
17f437729647e6b6eb1383eadd1494160b8a0b709d3fd4f81c3593f5ff99cd3f
18f4f0a02940589e4e04fc62d8fd92b0a4ae2b64420868a726dd658fb5b7cb7a
194d32b7f4f42e26e2e33077736d036bd9302f8c7e763635c1e8df2288d432e2
1a3bafcea5e8be02794676c707bab1e85107b96f6137b90a942d58991c1c46de
1a41a2145cbdd1c9cb3e7b945504df9047c612a2775436de2eeb8b500d4381fb
1c0f07b17f2f1e87464583fa3ca5584df0b0cd20ffc0a58b3c01a4c6994b933d
1d64bcccff18b5efd6006276bd530e9ba3e7adc2bb2d66edd1732ff3c3083107
1dfcd8dd25770ea402f30cfd2da0d09f1679b10031819afdfaf7db6af2553133
1e3ed5636ff9ca00b8692f59828b100bdda7b57f624426aecb9da600c9e2b476
1eda9963c173820ff105e507c82a7c21419a6c90a562ec7c593da7aed7ce9e36
1ef7ac29283e396b097373d963ba87b8ccfed4a84aa35415b722ed3f3fb6eee4
2018a8d26b2c6f9ff2b645a2fbfb950f539672cc24d7749c0383a6613e38d619
216a829ec3d780f3a6126867a9baeb3944249d8256fb3f509c99df9845b20f6f
23b23cbf7562a1bdbb311b4407339e9bb738be38ffd0e488657b99670f664650*See JSON for more IOCs
Coverage
Product
Protection
Secure Endpoint
✓
Cloudlock
N/A
CWS
✓
Email Security
✓
Network Security
✓
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
✓
Umbrella
N/A
WSA
✓
Screenshots of Detection Secure Endpoint Secure Malware Analytics MITRE ATT&CK Win.Dropper.DarkComet-9942502-1 Indicators of Compromise IOCs collected from dynamic analysis of 20 samples
Registry Keys
Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 16
<HKCU>\SOFTWARE\DC3_FEXEC 14
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON Value Name: UserInit 14
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: WinApp 9
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE Value Name: EnableFirewall 4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE Value Name: DisableNotifications 4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM Value Name: EnableLUA 4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER Value Name: AntiVirusDisableNotify 4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC Value Name: Start 4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM 4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER Value Name: UpdatesDisableNotify 3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION\EXPLORERN Value Name: NoControlPanel 3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION 3
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\CURRENTVERSION\EXPLORERN 3
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A} Value Name: FaviconPath 2
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A} Value Name: Deleted 2
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES Value Name: DefaultScope 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: Microsoft 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: MicroUpdate 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: System32 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: svchost.exe 1
Mutexes
Occurrences
DCPERSFWBP11
DC_MUTEX-BM9HF0R9
DC_MUTEX-<random, matching [A-Z0-9]{7}>5
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
23[.]67[.]200[.]1724
104[.]105[.]89[.]534
13[.]107[.]21[.]2003
201[.]22[.]167[.]2451
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
www[.]msftncsi[.]com20
wpad[.]example[.]org20
computer[.]example[.]org19
a1961[.]g2[.]akamai[.]net[.]0[.]1[.]cn[.]akamaitech[.]net10
p34[.]no-ip[.]biz9
docs[.]microsoft[.]com4
go[.]microsoft[.]com4
www[.]bing[.]com4
exbi[.]no-ip[.]org1
weath[.]ddns[.]net1
morfeucarder[.]duckdns[.]org1
trojan2015morfes[.]no-ip[.]org1
crase11[.]ddns[.]net1
barry21[.]no-ip[.]org1
Files and or directories created
Occurrences
%APPDATA%\dclogs14
%SystemRoot%\SysWOW64\WINAPP9
%SystemRoot%\SysWOW64\WINAPP\WinApp.exe9
%System32%\WINAPP\WinApp.exe9
%System32%\WINAPP\WinApp.exe:Zone.Identifier9
%APPDATA%\svcost2
%APPDATA%\svcost\svcost.exe2
\Users\user\AppData\Roaming\svcost\svcost.exe2
\Users\user\AppData\Roaming\svcost\svcost.exe:Zone.Identifier2
%TEMP%\MSDCSC1
%APPDATA%\MSDCSC1
%TEMP%\MSDCSC\svchost.exe1
%SystemRoot%\SysWOW64\system1
%SystemRoot%\SysWOW64\system\svchost.exe1
%System32%\system\svchost.exe1
\Users\user\AppData\Roaming\dclogs\2022-03-28-2.dc1
%APPDATA%\MSDCSC\svchosts.exe1
\Users\user\AppData\Roaming\MSDCSC\svchosts.exe1
\Users\user\AppData\Roaming\MSDCSC\svchosts.exe:Zone.Identifier1
\Users\user\AppData\Local\Temp\MSDCSC\svchost.exe1
\Users\user\AppData\Local\Temp\MSDCSC\svchost.exe:Zone.Identifier1
%System32%\system\svchost.exe:Zone.Identifier1
File Hashes 215e68e01ce674ff5a3bf5fc4ea77e3773fc74158e8c821d2ddf8abb4b7bdab1
4209ebff48f71c7f5a863682d99589514a8024275b9186390e0bdf68c1946585
4a68a3e35a31dd16abe294a2cdcffa23ead7c5d50488bc3b33cd5e4a2138ac52
4d4c3d3ae4e6e3d4dabb0b8a2aeab6f92774e59fcf0547a61727aa3c69c10d86
59bbc5f81f38aa814a0589ec9363b6a1afe216150cbc714cba7a39e36ddbccd1
5d3f37f2bea9dbf25a1b5d0ec66e1f977e5fbb7d09c26c24b0ff7351082ece51
776227b556009c08f68b0b8c88a94399eda82183d2fed5908719f24514f8f886
7b7c948874b53d4020aa482663b2a90579070ce828f3c5c308d684f4ef455549
7fdbcaf79d897960818786a50cdeb2034926b0832331dcf08a4af67840754ede
aea375bfa1b943a0d7a144c2c05fb5f2e728098f8980e92d7081cb0794642ecb
b004a952aeb7963b72ea0be819efefc0ba23876f2c3154b8cbbc6ae3c6858155
b87a832f292c0f8c9a6c103454c8994a8991de228849816c8bbf2faaa8bc22e4
bbccd1b66eab70f1ce764ad5984416ecc0e8e63cf833c292e527fbe7941778e5
c48f804ab7652312f87d07c46211e71bb212a20384f3ed0d6bf30f95f72b7330
cc378e68ceb7bb60cfe33198f118bcaf13dcbed75c3ef2e6cbb272c2b87b31c5
cc665561264baa9bb1e3ce15a964f2a20a7d9f3dfc40d6862fae8961639413e6
d3ed3c0a2950b04ac4de1d7b17d34e65e4db848a098a172acb9223b64c9e9842
f2b21cac91db979d6aeb80e4d5711f50c52bf185a105406cd151950f84deb309
f894902a9fd929c8ee5be67dff78c3f80999fa650ef6c0372b571055b677ab12
f96a3d116f4487b401841e8cb9d19c36887bb5b89d2dc1fdd3a3a17d11b0044bCoverage
Product
Protection
Secure Endpoint
✓
Cloudlock
N/A
CWS
✓
Email Security
✓
Network Security
✓
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
✓
Umbrella
N/A
WSA
N/A
Screenshots of Detection Secure Endpoint Secure Malware Analytics MITRE ATT&CK Win.Dropper.Dridex-9942398-0 Indicators of Compromise IOCs collected from dynamic analysis of 39 samples
Registry Keys
Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{690D1BD7-EA98-1004-3AC9-E87553700E95} 39
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{690D1BD7-EA98-1004-3AC9-E87553700E95}\SHELLFOLDER 39
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{63FC4996-AFD5-E391-06A7-EFB6E2702561} 39
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{63FC4996-AFD5-E391-06A7-EFB6E2702561}\SHELLFOLDER 39
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10CDDA71-B745-777B-1AF7-51696DB9BB93} 39
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10CDDA71-B745-777B-1AF7-51696DB9BB93}\SHELLFOLDER 39
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{CFD6D5E6-02FB-7433-9261-E8E1B87CAC69} 39
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{CFD6D5E6-02FB-7433-9261-E8E1B87CAC69}\SHELLFOLDER 39
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{8BAB5812-9D02-8F14-74B1-BEDE393F8C1F} 39
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{8BAB5812-9D02-8F14-74B1-BEDE393F8C1F}\SHELLFOLDER 39
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10DF83AD-199B-9C18-3FEF-E4ECD6A42F66} 39
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10DF83AD-199B-9C18-3FEF-E4ECD6A42F66}\SHELLFOLDER 39
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{1AD90FE5-CE2F-E8B8-CF09-E0B1912E9542} 39
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{1AD90FE5-CE2F-E8B8-CF09-E0B1912E9542}\SHELLFOLDER 39
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{05ED06D6-F422-71CC-26B3-C9964D56F645} 39
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{05ED06D6-F422-71CC-26B3-C9964D56F645}\SHELLFOLDER 39
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{98B09642-2764-54AE-3333-D8C6CA536428} 39
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{98B09642-2764-54AE-3333-D8C6CA536428}\SHELLFOLDER 39
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{63D99860-AA40-CA79-F681-9DECBEF55447} 39
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{63D99860-AA40-CA79-F681-9DECBEF55447}\SHELLFOLDER 39
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{D4B277A3-C25E-BCDE-A054-D41AAC36394B} 39
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{D4B277A3-C25E-BCDE-A054-D41AAC36394B}\SHELLFOLDER 39
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{FE9DE6BC-A4CF-8285-E73C-DFE7A08197FE} 39
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{FE9DE6BC-A4CF-8285-E73C-DFE7A08197FE}\SHELLFOLDER 39
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{B11CF2E2-C0C2-7860-F12E-428101DCB963} 39
Mutexes
Occurrences
{24d07012-9955-711c-e323-1079ebcbe1f4}39
{bf18992f-6351-a1bd-1f80-485116c997cd}39
{ed099f6b-73d9-00a3-4493-daef482dc5ca}39
{a2c9c140-d256-a4d5-6465-f62a6660f79e}39
{a8af557b-6de9-c774-28f4-5c293f1b1769}39
{b570fe85-587a-a133-ffc9-73821a57c0c1}39
{ac5b642b-c225-7367-a847-11bdf3a5e67c}39
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
wpad[.]example[.]org25
computer[.]example[.]org23
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com9
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com7
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com7
Files and or directories created
Occurrences
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c539
%System32%\Tasks\Ryddmbivo39
%APPDATA%\Microsoft\Access\7on96HcC5V1
%APPDATA%\Microsoft\Templates\LiveContent\User\SmartArt Graphics\Uoqg5M1DlR1
%APPDATA%\Microsoft\AddIns\zfVgQXW1
%APPDATA%\Microsoft\Spelling\upRwzqfD1
%APPDATA%\Microsoft\HTML Help\PK31
%APPDATA%\Microsoft\SystemCertificates\FadI6q91
%APPDATA%\Microsoft\Windows\IETldCache\MmoQ81
%APPDATA%\Adobe\Acrobat\9.0\5S2h8Q5jG1
%APPDATA%\Macromedia\Flash Player\#SharedObjects\YXTRFETG\Oc3XS4DTax1
%APPDATA%\Microsoft\AddIns\5Sib5QLgQ1
%APPDATA%\Microsoft\Templates\LiveContent\User\Document Themes\PK81
%APPDATA%\Microsoft\Internet Explorer\UserData\EXUAAUDV\Oc3XS4G1iM1
%APPDATA%\Macromedia\Flash Player\macromedia.com\PK31
%APPDATA%\Microsoft\Publisher Building Blocks\pmQRL8pm0V21
%APPDATA%\Microsoft\Windows\IECompatUACache\Low\PK81
%APPDATA%\Microsoft\Windows\IECompatCache\j3CCuoPw1
%APPDATA%\Adobe\Acrobat\9.0\CyHG3Wa1
%APPDATA%\Microsoft\Excel\TVREus1
%APPDATA%\Microsoft\MSDN\8.0\MmoQk1
%APPDATA%\Microsoft\Internet Explorer\UserData\MA3SBLRS\PfO1
%APPDATA%\Microsoft\Windows\IEDownloadHistory\5S2k4Fjvh1
%APPDATA%\Microsoft\Windows\PrivacIE\PK31
%APPDATA%\Microsoft\SystemCertificates\My\Certificates\zf3erGs1
*See JSON for more IOCs
File Hashes 0368065ca695a394f0395ec84c62ba93e01d62f0e7180aec8e5a27da3b5fbf8e
09d4943bea9d66c825c5914b5ea27ec2890319d06fd7bebbd2cec6d058f974a6
0a519dd70f094ce652f4a0b58bb5b9cc03248c95b1a2e701e7bdced24b6c748c
0c025adc6ecdc6d1aa1a9104be7d499098e70b343c879878628d1cbe4b567387
0dcfd532676728ce17ddaae48922ae211feef72f56e526c9a1b49639061c00fb
148ddb5c4b5c0798d11b6e8f510e12fab99834b2ecb4ffcb0e163be80ee3fc4d
17efe7b75a467b6839ea27eac3ee9778636bbd7cb8553f24d986ce30545f6b9f
1acc25aed8cefd2b668254eef425d4cae0d409067ae0f854ca3e6366dd46140d
1f2d8ab462a0afc6652a4ecca1a2ecdd2fe71437919138ffdfaadfbfc61411bb
2140f257aa5cb5bf5670a65a52badbaaca1e116007f1c2560f4678298a27fa26
32828c9dc19d90bfcb134216ba63ac14908069918aba91822e3a175cfef88faa
3575d051cf7c4b630ae0ea7ba6eece66dde26d275cb6f0325836f877bfdbbfcd
4801d7ac5d6ecc250dfd437662e8de5d21b3bbd06a1448094c58e6e169aba235
4889d008da5cb925dbfb5aec0003932148af7725763c54d1ae2aa39d976ffd50
4ee28d5a3b2a7de433d345e4242546f31ead14648f64f6e63a5f3f9ee0a17004
513d92f9531aec97a64462874a01719d317bc8db4922b076232a796b245f481c
54782d78225f0065ec917d2282496a304b5322b6d34e3b70b5da4db43e67a9d0
5745abb6e07e173a133067658489d3020a2de42e8e39025f0673efb0b32b28ad
5cbe877b642cd83129d527c81cffa59c567eb525f3ba714cf42de75bba58b48e
5d370f76b23642e0466b6364ce819bc542652de41ebe3f7eddf1b426cf513731
5f2d726e3d0e49b4fa100b682a63e2a991d8151b5d3397d11675eba646e626b6
64df17127f2a4fc7fc42ab2703fab375d8e3df591721786b345c8745e1e61965
6c62ae704c6c13b0bb1e1ff57cbaaf54b62c97cc7149885e92fe5368ceb48faf
70ede8abf9b4489e1cac6734a4120ef64f9eb2dee85b860eff44136ce9b54deb
7a1568877d6e942ad052c4cad18af42d36befb571ba9a445fa56d61ee56f40bb*See JSON for more IOCs
Coverage
Product
Protection
Secure Endpoint
✓
Cloudlock
N/A
CWS
✓
Email Security
✓
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
✓
Umbrella
N/A
WSA
N/A
Screenshots of Detection Secure Endpoint Secure Malware Analytics MITRE ATT&CK Win.Dropper.Zegost-9942458-0 Indicators of Compromise IOCs collected from dynamic analysis of 18 samples
Registry Keys
Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 18
<HKLM>\SYSTEM\CONTROLSET001\SERVICES Value Name: Type 8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES Value Name: InstallModule 2
Mutexes
Occurrences
AAAAAArqaxva61p72uvbGxsamnsJ8=5
AAAAAA5vinp7W9sLCxsb388QSpsa+usZ8=1
AAAAAArqaxva61p72uva6vr6mxr66xnw==1
AAAAAArqaxva61p72uvbGpsa+usZ8=1
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
20[.]189[.]173[.]207
52[.]168[.]117[.]1733
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
wpad[.]example[.]org18
computer[.]example[.]org17
clientconfig[.]passport[.]net15
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com10
onedsblobprdwus15[.]westus[.]cloudapp[.]azure[.]com7
onedsblobprdcus17[.]centralus[.]cloudapp[.]azure[.]com5
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com4
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com4
onedsblobprdeus16[.]eastus[.]cloudapp[.]azure[.]com3
yk886[.]3322[.]org1
Files and or directories created
Occurrences
\Users\user\AppData\Local\Temp\WAX795.tmp1
\Users\user\AppData\Local\Temp\WAX8CD.tmp1
\Users\user\AppData\Local\Temp\WAX7036.tmp1
\Users\user\AppData\Local\Temp\WAX70D2.tmp1
\Users\user\AppData\Local\Temp\WAX719D.tmp1
\Users\user\AppData\Local\Temp\WAX8BD2.tmp1
File Hashes 08a269d063655f1cf0977588fb2f4999c12344b90f4c2620aa1aeec784cfd4ab
0b2faf4010038ee1cc82048a206b40f26b40aabbada1ec5ea6f22cbd42177db3
1734925101c50079d04d196bf5a7bb8b483a3338e97308fc3fafb70d31c586cd
1f1ce72e5bed7a06e4f8049d15f1e93db9feb58b17eb2476a8d3177083fe947f
5075170139bff41f5f548406e23c843e8f99788bd5f2098db32117a5f19610b9
587a4c4523fcbf77d889d06d055e96817433b8368a48f8a8e779301ffc676ab3
661617975c2023aa3ba978a27de8eaaa16b9d05ec1d2a4da43aa43f4cb79a324
81b53df4ac5794ad03f820148b379965d17b4429cf89e12697116be4ab686a94
a0c52015a67d8078487a447cf37cc660cbe24cdd0c2511b06eac134149c7d9dc
acd9bf4feae1bd7ee1aaea1eb10815c8c5c3f1e83f7e3c6f753dcf5b58d31c7d
aeb479cafd8f7a1accdca7e4c0e0dac16b961a25818a2b29491e307a870a9043
be4f288b26a4b298b93ab5c63b2f1c2fd6261f4659def3f24f1f0ad16ddee62b
cbd435983706abe5da1c43fe4c840916c4860c889d6370942b5ea54e3f6cd3c9
e5d10e356c1be13b4e10a6286e90d08bdcfa59b1d0fe730d68d86cfd40e436d9
ed78a88f8775146dd92e5e6d0615484b5c0d790291777863b8d32b2943a41287
f5ce5327b23bc3725a6189cf37264c6bd9ae69c3309c291581682b2715ed0d02
f64976055d070dbf63ab971222295e362b96f823296dd55c3c2e4fb9a85e751e
fa38e5e7ed7153b981e030d9d0e027bb8bdec978a29729b60dba3096384371beCoverage
Product
Protection
Secure Endpoint
✓
Cloudlock
N/A
CWS
✓
Email Security
✓
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
✓
Umbrella
N/A
WSA
N/A
Screenshots of Detection Secure Endpoint Secure Malware Analytics MITRE ATT&CK Win.Dropper.Ursnif-9942533-0 Indicators of Compromise IOCs collected from dynamic analysis of 118 samples
Registry Keys
Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 118
Mutexes
Occurrences
Global\<random guid>25
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
www[.]msftncsi[.]com25
wpad[.]example[.]org25
computer[.]example[.]org24
cjwefomatt[.]com21
dubbergergbb[.]com18
ticrerfgiff[.]com10
Files and or directories created
Occurrences
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FNF9BE4O\dnserror[1]21
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OSZC6DKG\NewErrorPageTemplate[1]21
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PCALSGUV\errorPageStrings[1]21
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\XN0IX3V7\httpErrorPagesScripts[1]21
\Users\user\AppData\Local\Temp\JavaDeployReg.log21
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml19
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml19
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml19
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml19
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml19
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml19
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml19
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml19
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml19
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OSZC6DKG\errorPageStrings[1]18
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PCALSGUV\httpErrorPagesScripts[1]18
\Users\user\AppData\Local\Microsoft\Windows\INetCache\SQM\iesqmdata7.sqm18
\Users\user\AppData\Local\Microsoft\Windows\INetCache\SQM\iesqmdata8.sqm18
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FNF9BE4O\NewErrorPageTemplate[1]17
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FNF9BE4O\dnserror[2]17
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FNF9BE4O\errorPageStrings[1]14
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OSZC6DKG\httpErrorPagesScripts[1]14
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\XN0IX3V7\dnserror[1]14
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FNF9BE4O\NewErrorPageTemplate[2]14
\Users\user\AppData\Local\Microsoft\Windows\INetCache\SQM\iesqmdata9.sqm13
*See JSON for more IOCs
File Hashes 0109fd13d5ad5da80c7e7e4d8d1bc1085e98b5c75d4742b6fbb33f41d0c6446c
036394b14368f27ad6b7813f0ea19e641c521c1d83423165c8bef32e4aa77082
046bd83a48a29b22aa96f2e9a7922b1425aa046be19d8387bc07d230d51e4b1e
04cbbb36979fb47e2b62144fcc5af8368ec034cc370fe4d64a61f239b463220f
058948889aa518d88d19f0eb19312f2d449b1a4d4305af2aa3836cd2a31a2a2d
06c34086cc82c792446f341bb5859c8e658ab08b4c4041533f33c556f40acdb0
0a1087cf9133fd1e793012b94409cf90ca7f55f81288625a05faeeeb660316fe
0ac0c3c572e8beb6f7381d9dd8b6d0a6d265bcf17a3605946f3169ce170d8cfd
0b66411daef0e69e62f43bafa81bb023b0c932bb8700f533d41afbad97cfebaf
0caac061bb405d0444c3fdcc6617c5540a494a7f57577378dbd03971bae8dd07
0e3d18ded71834720ea9ff63a10c43677609905945f6548247a1aca464e11f87
0e8816aa213a878264606791b3f7d8cbaa3ef6e7abe6963e54f806b939a4e1c9
112fd8a78d32ab025d6f2fab7877e52175f3419545ccfab30bde297d2d84c07d
166c36d0c23a321f8d4a13cef0ab4248c7d304b0839809a89eb6c75abfe4685c
167d052abd9a6dbc849bac80936d6adc3590f8ef7d564fdd01a19170b9764642
179885962acbabfe9ad8c2274180a27cc7b6b49f992d257cdf340ff9f24a39f9
1c1121ab54f58b848ec60e704cd5c75d51039364bb3b750c7b69e4523dbdbd19
1d6438f8d593e8d5f29c379d52cad1790142fa2ba46d66290fd66d39f9c3fe15
1db40201edf47bf31c728f2e88a66ed6827068446d1bd1280c2dfbf00da80271
1e4748338ea161e68cb481c61274ff92b06c1c0e91542f46bda1298bdd98ceb2
1f92e83b38bd40df0534831c62b0d4fe46e5cdd06cec123c25e5dcf9ee5dffde
21b2ef7ad54adfa7b2e9d8b8938b2c9bd9bc58bce0642f5c694273011b0c34e4
243ee817ba6965c1f04f559c939860ea53206a81eb606c8f6c82da91d0c256e2
29a8553a1b8fefb907476bfc2c9beeefecb74a363a4a97f94dc25cd520d2f07c
2ab1fdde88104f342da4d4d992bb4d0c36d96ee99ba9a79ab9c0c0a4caf7ae48*See JSON for more IOCs
Coverage
Product
Protection
Secure Endpoint
✓
Cloudlock
N/A
CWS
✓
Email Security
✓
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
✓
Umbrella
N/A
WSA
N/A
Screenshots of Detection Secure Endpoint Secure Malware Analytics MITRE ATT&CK Win.Trojan.Gh0stRAT-9942536-1 Indicators of Compromise IOCs collected from dynamic analysis of 20 samples
Registry Keys
Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 20
<HKLM>\SYSTEM\SELECT Value Name: MarkTime 20
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\ACTIVEMOVIE\DEVENUM Value Name: Version 5
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\ACTIVEMOVIE 5
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\ACTIVEMOVIE\DEVENUM 5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SAINBOX 5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SAINBOX Value Name: Type 5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SAINBOX Value Name: Start 5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SAINBOX Value Name: ErrorControl 5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SAINBOX Value Name: ImagePath 5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SAINBOX Value Name: DisplayName 5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SAINBOX Value Name: WOW64 5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SAINBOX Value Name: ObjectName 5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SAINBOX Value Name: Description 5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PHXPHX QIYQH 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PHXPHX QIYQH Value Name: Type 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PHXPHX QIYQH Value Name: Start 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PHXPHX QIYQH Value Name: ErrorControl 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PHXPHX QIYQH Value Name: DisplayName 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PHXPHX QIYQH Value Name: WOW64 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PHXPHX QIYQH Value Name: ObjectName 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PHXPHX QIYQH Value Name: Description 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GWXPQR KLCDE Value Name: DisplayName 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\KCDEUV XPQRI Value Name: ErrorControl 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GWXPQR KLCDE Value Name: WOW64 1
Mutexes
Occurrences
eed3bd3a-a1ad-4e99-987b-d7cb3fcfa7f0 - S-1-5-185
Global\C:\Windows\SysWOW64\sainbox.exe -auto5
Global\C:\Windows\SysWOW64\sainbox.exe -acsi5
Global\C:\Windows\SysWOW64\Phxph.exe -auto3
Global\C:\Windows\SysWOW64\Phxph.exe -acsi3
47.94.138.49:1111:Sainbox2
xianyuv.e2.luyouxia.net:25881:Sainbox2
125.64.103.51:8080:Sainbox2
Global\"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\sainbox.exe" 1
Global\"C:\TEMP\de16e4bf26e6f6d8bec6c926da97c749055be4d5f80e0b63780821d9ea30d19f.exe" 1
23.225.194.93:8989:Jbrjar Kbskb1
124.248.65.95:3355:Phxphx Qiyqh1
Global\"C:\TEMP\178aaacdd52576cf2ac88da1b8169cc8aaf4e002ea6faef7d9486efcbe6d4a67.exe" 1
175.178.174.182:8080:Phxphx Qiyqh1
Global\"C:\TEMP\63e2e6c46afd23d365c57afd767b8cc949854ec43b6582be24ec55943317b771.exe" 1
Global\"C:\TEMP\9a6d65d03da37d742a0637c5c5cfcab605d327f5b7a3b4e75209001541c828c3.exe" 1
Global\C:\Windows\SysWOW64\Dtumn.exe -auto1
192.168.0.15:3355:Gwxpqr Klcde1
Global\C:\Windows\SysWOW64\Dtumn.exe -acsi1
Global\C:\Windows\SysWOW64\Tklme.exe -auto1
Global\"C:\TEMP\d7369c6f88b6066e413a8901ddfc9624c20f37cfb3cf6cc3f2bc1026475a7d4e.exe" 1
Global\C:\Windows\SysWOW64\Tklme.exe -acsi1
Global\C:\Windows\SysWOW64\Aqrsk.exe -auto1
xianyuv.e2.luyouxia.net:25881:Kcdeuv Xpqri1
Global\"C:\TEMP\a9c1863d54ca5316a6e67a2f91462cd4ce9171811f15c362cdc9cc8cb05a1474.exe" 1
*See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness
Occurrences
127[.]0[.]0[.]112
43[.]248[.]201[.]2094
47[.]94[.]138[.]492
175[.]178[.]174[.]1822
103[.]40[.]247[.]982
125[.]64[.]103[.]512
124[.]248[.]65[.]951
23[.]225[.]194[.]931
47[.]98[.]248[.]2051
114[.]132[.]42[.]1171
Domain Names contacted by malware. Does not indicate maliciousness
Occurrences
www[.]msftncsi[.]com15
wpad[.]example[.]org15
xianyuv[.]e2[.]luyouxia[.]net4
computer[.]example[.]org3
e2[.]luyouxia[.]net2
Files and or directories created
Occurrences
%SystemRoot%\SysWOW64\<random, matching '[a-zA-Z0-9]{4,19}'>.exe10
%SystemRoot%\SysWOW64\sainbox.exe5
%System32%\sainbox.exe4
%System32%\sainbox.exe:Zone.Identifier4
%System32%\Phxph.exe2
%System32%\Phxph.exe:Zone.Identifier2
agmkis21
%System32%\Jbrja.exe1
%System32%\Vnfvn.exe1
%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup\sainbox.exe1
%SystemRoot%\SysWOW64\ld.exe1
%System32%\Jbrja.exe:Zone.Identifier1
%System32%\Phxpg.exe1
%System32%\Phxpg.exe:Zone.Identifier1
%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp\sainbox.exe:Zone.Identifier1
%System32%\Vnfvn.exe:Zone.Identifier1
%System32%\Dtumn.exe1
%System32%\Dtumn.exe:Zone.Identifier1
%System32%\Tklme.exe1
%System32%\Tklme.exe:Zone.Identifier1
File Hashes 178aaacdd52576cf2ac88da1b8169cc8aaf4e002ea6faef7d9486efcbe6d4a67
2b9c8b4b400d71c1229edb3b61c9e68c461ef76f44b495561c3a9e38c0250a0f
30169289cefa3879b52d3ab7e58046cd6906030496e18280ef7f608c6165f7be
6000b27c2f2bb9af868e4711e01764c07375d144ff7a2f47f3deb349e5b4ac30
63e2e6c46afd23d365c57afd767b8cc949854ec43b6582be24ec55943317b771
673393d42a2c985df522ba288b48a047cea2c0593bcdfc767c52ab2150fb95fa
6c0938e40a3456a0ecf30e27497420db325e37971d554970dfcb37fbeae6178d
7c7eeb5467b7de0b9d1bf5a16bb5205b6329257716e7f7556a87b78ee1d6783a
887af5e596817b1cdd3fb308ca7a3791ec72ec6084686a9091eb919f19be6317
8da864c8455204cf5621fa2308726f35988bd23a31d2998832efa910c2981b71
9a6d65d03da37d742a0637c5c5cfcab605d327f5b7a3b4e75209001541c828c3
a1c0abb87a04d4967b2caef3f6ea94fcc2d2159fce0550e37337a924c022088b
a9c1863d54ca5316a6e67a2f91462cd4ce9171811f15c362cdc9cc8cb05a1474
befa9eef3d1cc7928de4381c6ce070ab5f16fb6a97ae0da71dd2a4d2c6ae4b87
d7369c6f88b6066e413a8901ddfc9624c20f37cfb3cf6cc3f2bc1026475a7d4e
de16e4bf26e6f6d8bec6c926da97c749055be4d5f80e0b63780821d9ea30d19f
ebec2069724a3f3c636cec799e9bb228eed51e59333022be3d8c217b41e015a0
f07191715777fe8513f22a20e585a2e2cfb747dec16680daab519332d6121c29
f6228dd6d0f0a888640acfff041f6fc50ac4cbeee8745272f16ac08a3cf2d4f7
fcbc746329afe85ee2f040cad0a130ba833f07a7abd024524e36d3aa981dde35Coverage
Product
Protection
Secure Endpoint
✓
Cloudlock
N/A
CWS
✓
Email Security
✓
Network Security
✓
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
✓
Umbrella
N/A
WSA
✓
Screenshots of Detection Secure Endpoint Secure Malware Analytics MITRE ATT&CK
