Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 20 and May 27. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
Win.Dropper.Chthonic-9950427-1 | Dropper | Chthonic is a banking trojan derived from the Zeus family of banking malware. It is typically spread via phishing emails and attempts to steal sensitive information from an infected machine. Chthonic has also been observed downloading follow-on malware such as Azorult, another information stealer.
Win.Dropper.Emotet-9950400-0 | Dropper | Emotet is one of the most widely distributed and active malware families today. It is a modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Dropper.Gh0stRAT-9950358-1 | Dropper | Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.
Win.Dropper.Trickbot-9950352-0 | Dropper | Trickbot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts.
Win.Dropper.Zusy-9950333-0 | Dropper | Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
Win.Dropper.Ursnif-9950326-0 | Dropper | Ursnif is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits.

Threat Breakdown

Win.Dropper.Chthonic-9950427-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED (Value Name: Hidden) 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED (Value Name: ShowSuperHidden) 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS (Value Name: Load) 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: 1081297374) 25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN (Value Name: 1081297374) 25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 25
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences

*See JSON for more IOCs

Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
europe[.]pool[.]ntp[.]org 25
differentia[.]ru 25
disorderstatus[.]ru 25
Files and/or directories created | Occurrences
%ProgramData%\msodtyzm.exe 25
%ProgramData%\~ 25

File Hashes
*See JSON for more IOCs

Coverage

Product | Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

Secure Endpoint


Secure Malware Analytics


MITRE ATT&CK


Win.Dropper.Emotet-9950400-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 22 samples
Registry Keys | Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 15
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER (Value Name: AntiVirusOverride) 7
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER (Value Name: AntiVirusDisableNotify) 7
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER (Value Name: FirewallDisableNotify) 7
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER (Value Name: FirewallOverride) 7
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER (Value Name: UpdatesDisableNotify) 7
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER (Value Name: UacDisableNotify) 7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM (Value Name: EnableLUA) 7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE (Value Name: EnableFirewall) 7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE (Value Name: DoNotAllowExceptions) 7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE (Value Name: DisableNotifications) 7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC (Value Name: Start) 7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND (Value Name: Start) 7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC (Value Name: Start) 7
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION (Value Name: jfghdug_ooetvtgk) 7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: JudCsgdy) 7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV (Value Name: Start) 7
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: Windows Defender) 7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON (Value Name: Userinit) 7
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON (Value Name: Userinit) 7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPECSYSTEM (Value Name: Type) 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPECSYSTEM (Value Name: Start) 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPECSYSTEM (Value Name: ErrorControl) 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPECSYSTEM (Value Name: ImagePath) 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SPECSYSTEM (Value Name: DisplayName) 2
Mutexes | Occurrences

*See JSON for more IOCs

IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences

*See JSON for more IOCs

Domain Names contacted by malware (does not indicate maliciousness) | Occurrences

*See JSON for more IOCs

Files and/or directories created | Occurrences
%LOCALAPPDATA%\bolpidti 7
%LOCALAPPDATA%\bolpidti\judcsgdy.exe 7
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\judcsgdy.exe 7
%TEMP%\<random, matching '[a-z]{8}'>.exe 5
%HOMEPATH%\Local Settings\Application Data\hmqphkgx\pseqpmjy.exe 4
%HOMEPATH%\Local Settings\Application Data\jpnfmrvn.log 4
%HOMEPATH%\Start Menu\Programs\Startup\pseqpmjy.exe 4
%ProgramData%\wtvakgao.log 4
%APPDATA%\winapp\Modules 4
%System32%\Tasks\services update 4
%APPDATA%\winapp\client_id 4
%APPDATA%\winapp\group_tag 4
%APPDATA%\winapp 4
%APPDATA%\WINAPP\<original file name>.exe 4
%PUBLIC%\Pictures\Sample Pictures\Chrysanthemum.jpg 3
%PUBLIC%\Pictures\Sample Pictures\Desert.jpg 3
%PUBLIC%\Pictures\Sample Pictures\Hydrangeas.jpg 3
%PUBLIC%\Pictures\Sample Pictures\Jellyfish.jpg 3
%PUBLIC%\Pictures\Sample Pictures\Koala.jpg 3
%PUBLIC%\Pictures\Sample Pictures\Lighthouse.jpg 3
%PUBLIC%\Pictures\Sample Pictures\Penguins.jpg 3
%PUBLIC%\Pictures\Sample Pictures\Tulips.jpg 3
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$R08BO8F.xlsx 3
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$R11KHR4.doc 3
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$R5QKHLN.doc 3

*See JSON for more IOCs

File Hashes
Coverage

Product | Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint


Secure Malware Analytics


MITRE ATT&CK


Win.Dropper.Gh0stRAT-9950358-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 24 samples
Registry Keys | Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RS<random, matching '[A-Z]{4} [A-Z]{8}'> 6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RS<random, matching '[A-Z]{4} [A-Z]{8}'> (Value Name: Type) 6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RS<random, matching '[A-Z]{4} [A-Z]{8}'> (Value Name: Start) 6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RS<random, matching '[A-Z]{4} [A-Z]{8}'> (Value Name: ErrorControl) 6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RS<random, matching '[A-Z]{4} [A-Z]{8}'> (Value Name: ImagePath) 6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RS<random, matching '[A-Z]{4} [A-Z]{8}'> (Value Name: DisplayName) 6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RS<random, matching '[A-Z]{4} [A-Z]{8}'> (Value Name: WOW64) 6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RS<random, matching '[A-Z]{4} [A-Z]{8}'> (Value Name: ObjectName) 6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RS<random, matching '[A-Z]{4} [A-Z]{8}'> (Value Name: Description) 6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RS<random, matching '[A-Z]{4} [A-Z]{8}'> (Value Name: FailureActions) 6
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\ACTIVEMOVIE\DEVENUM (Value Name: Version) 1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\ACTIVEMOVIE 1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\ACTIVEMOVIE\DEVENUM 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: Asuamsg) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: Oujkwoq.bat) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: Aooyyca) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: Ozyfgdn) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: svchost.exe) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: Qmgoowc) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: Qikwmis) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: Kuqsggo) 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SSDKSRV DISCOVERY SERVICE 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SSDKSRV DISCOVERY SERVICE (Value Name: Type) 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SSDKSRV DISCOVERY SERVICE (Value Name: Start) 1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SSDKSRV DISCOVERY SERVICE (Value Name: ErrorControl) 1
Mutexes | Occurrences
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
www[.]taobao[.]com 8
yckz[.]5453[.]top 3
www[.]baidu[.]com 2
www[.]nianqing[.]xyz 1
Files and/or directories created | Occurrences
\TEMP\1.exe 1
%ProgramFiles(x86)%\NetMeeting 1
%ProgramFiles(x86)%\AppPatch 1
%ProgramData%\Wmizhad 1
%ProgramData%\Qaemmoc 1
%SystemRoot%\SysWOW64\sovhost.exe 1
%ProgramData%\Pogbfum 1
%ProgramFiles(x86)%\NetMeeting\ocr.bat 1
%ProgramFiles(x86)%\AppPatch\httpd.exe 1
%ProgramData%\Owmceii 1

File Hashes
Coverage

Product | Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint


Secure Malware Analytics


MITRE ATT&CK


Win.Dropper.Trickbot-9950352-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 57 samples
Mutexes | Occurrences
GLOBAL\{<random GUID>} 56
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences

*See JSON for more IOCs

Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
computer[.]example[.]org 2
wpad[.]example[.]org 2
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com 1
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com 1
Files and/or directories created | Occurrences
%ProgramData%\Microsoft\Windows\Start Menu\Programs\WinPwrSvs 23
%TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp 12
\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 2
\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 2
%ProgramData%\Microsoft\Windows\Start Menu\Programs\WinPwrSvs\5844226300.exe 1
%ProgramData%\Microsoft\Windows\Start Menu\Programs\WinPwrSvs\0f87b8cb8991450b2c93e9704541bb3ae153c23cdfd3f10b35c808d4a82e7d18.exe 1
%ProgramData%\Microsoft\Windows\Start Menu\Programs\WinPwrSvs\10497a8baffd80652fa1f29b41ba8905a5435107ca8be0bce20e7105127b32fd.exe 1
%ProgramData%\Microsoft\Windows\Start Menu\Programs\WinPwrSvs\33909a3505ba7cda98e2dd85345d6d1e9d62f0efd8a7e5c6319f5ceb7d75573d.exe 1
%ProgramData%\Microsoft\Windows\Start Menu\Programs\WinPwrSvs\08ee9b5948caab0bce3c8a72f75db7a3464c2fb502db0d4e0711dfc2b2dbae7c.exe 1
%ProgramData%\Microsoft\Windows\Start Menu\Programs\WinPwrSvs\0410d127d5a416658d4a1da64f2b05eb04496a94514c1bc1475aa3fa896a52e7.exe 1
%ProgramData%\Microsoft\Windows\Start Menu\Programs\WinPwrSvs\00ec4cfe5f480835ea2e213dcbba211fdfbb840cd66e2acdd7b6b4f8f1a73edf.exe 1
%ProgramData%\Microsoft\Windows\Start Menu\Programs\WinPwrSvs\06f7dff552f3b975b7b2eb3a5b191e4f53e77cd7f6bef36d9fde9236ccbdaa60.exe 1
%ProgramData%\Microsoft\Windows\Start Menu\Programs\WinPwrSvs\042c37e5350c3fe9e173c6d9cd6489f043dd8764d9451bd9faf9a6f724faf9a6.exe 1

File Hashes
*See JSON for more IOCs

Coverage

Product | Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

Secure Endpoint


Secure Malware Analytics


MITRE ATT&CK


Win.Dropper.Zusy-9950333-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 16 samples
Registry Keys | Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 16
Mutexes | Occurrences
Dmrc_mtx_409a9db1-a045-4296-8d2c-9d71016c846b 1
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
104[.]21[.]40[.]196 8
172[.]67[.]188[.]70 8
23[.]62[.]6[.]192 8
23[.]62[.]6[.]161 6
23[.]62[.]6[.]170 2
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
Files and/or directories created | Occurrences
\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 16
\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A 16
\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 16
\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A 16
\Users\user\AppData\Local\Temp\db.dat 16
\Users\user\AppData\Local\Temp\db.dll 16

File Hashes


Coverage

Product | Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint


Secure Malware Analytics


MITRE ATT&CK


Win.Dropper.Ursnif-9950326-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 29 samples
Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A} (Value Name: FaviconPath) 20
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A} (Value Name: Deleted) 20
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES (Value Name: DefaultScope) 20
Mutexes | Occurrences
Global\<random guid> 5
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
www[.]bing[.]com 20
www[.]google[.]com 20
google[.]com 20
wngtdpablo[.]com 12

File Hashes


*See JSON for more IOCs

Coverage

Product | Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint


Secure Malware Analytics


MITRE ATT&CK