Friday, May 20, 2022

Threat Roundup for May 13 to May 20

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 13 and May 20. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name Type Description
Win.Ransomware.Cerber-9950163-0 Ransomware Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension ".cerber," although in more recent campaigns other file extensions are used.
Win.Dropper.Tofsee-9950166-0 Dropper Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and send large volumes of spam messages to infect additional systems and increase the size of the botnet under the operator's control.
Win.Ransomware.TeslaCrypt-9950169-0 Ransomware TeslaCrypt is a well-known ransomware family that encrypts a user's files with strong encryption and demands Bitcoin in exchange for a file decryption service. A flaw in the encryption algorithm was discovered that allowed files to be decrypted without paying the ransomware, and eventually, the malware developers released the master key allowing all encrypted files to be recovered easily.
Win.Dropper.Zegost-9950175-0 Dropper Zegost is a remote access trojan designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. Zegost appears to be derived from Gh0stRAT, which is a well-known remote access trojan that had its source code leaked, thus significantly lowering the barrier to entry for actors looking to modify and reuse the code in new attacks.
Win.Dropper.TrickBot-9950187-1 Dropper TrickBot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns, many of which rely on downloaders for distribution, such as VB scripts.
Win.Dropper.Dridex-9950227-0 Dropper Dridex is a well-known banking trojan that steals credentials and other sensitive information from an infected machine.
Win.Dropper.Ursu-9950236-0 Dropper Ursu is a generic malware that has numerous functions. It contacts a C2 server and performs code injection in the address space of legitimate processes. It can persist on the targeted machine while collecting confidential data and spreads via email.
Win.Dropper.Zusy-9950260-0 Dropper Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information.

Threat Breakdown

Win.Ransomware.Cerber-9950163-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 18 samples
Mutexes Occurrences
Global\<random guid> 17
shell.{381828AA-8B28-3374-1B67-35680555C5EF} 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
20[.]189[.]173[.]22 6
104[.]208[.]16[.]94 4
20[.]42[.]65[.]92 3
20[.]189[.]173[.]20 2
65[.]55[.]50[.]0/27 1
192[.]42[.]118[.]0/27 1
194[.]165[.]16[.]0/22 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
computer[.]example[.]org 16
wpad[.]example[.]org 16
clientconfig[.]passport[.]net 15
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com 7
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com 6
onedsblobprdwus17[.]westus[.]cloudapp[.]azure[.]com 6
windowsupdatebg[.]s[.]llnwi[.]net 6
onedsblobprdcus16[.]centralus[.]cloudapp[.]azure[.]com 4
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com 3
onedsblobprdeus17[.]eastus[.]cloudapp[.]azure[.]com 3
onedsblobprdwus15[.]westus[.]cloudapp[.]azure[.]com 2
Files and or directories created Occurrences
%TEMP%\d19ab989\4710.tmp 1
%TEMP%\d19ab989\a35f.tmp 1
\Users\user\AppData\Local\Temp\24e2b309\4436.tmp 1
\Users\user\AppData\Local\Temp\WAXA44B.tmp 1
\Users\user\AppData\Local\Temp\WAX9CC5.tmp 1

File Hashes

097bab110d14c71480d7e3ace073a043b9c60cf442557d0cdeb438ef5019e93f 13e37ac660c60a1c788db8e1f4b64175b598fdb82382263a3406af1ededb46ca 1b97e3b2e8debc617bb89a002c5991cac51988c4864511b14832fb37b9c8f1bd 2a6f74d550c4e116f55ea73d9e752e9c2351e3042891dda914e22f68772dbcf5 2c0595bb1e93372bd6695f9a3b77b4166d3fa85bdb6acb427c1f327ce6c4f968 2f19a95adff3dc7c1c4cd23d277088b682d480c116f4ca9be90ef350a0705791 3f8ad607849adc67a227334dd99a31bd94a91d433b7266f0c816d8783a7e6c6d 4898229c51886c6a14330244e65f1f68780e971c1213a06590d649876e729dff 496e1641958d82aed327436ae39910507f81145f6faa1b260bf8e8b39bf8a24b 500e5534d73659779300c88cf8d479dab0cb434037eec277ea6cefdabde44053 593ecbd1773f20df0bc13d604006e0feb1a576cf3170c66807ae1f8459db1345 7e92f39c54eb42fdb0d5983d08f2bb1047e53dfc0a823f223a06cd5e3f9e51ff 835ce5de87d80ab9a7be0449236dd1efa73a7f1dd770150224694c486257cd60 8bdc1fceb0f0525c568940a07fda504ae6d8e9e2fb4a29dbb0be172d3fa2d228 9066a9ef24b43a9a7fc64b47315972b2048c6ec643717522e56632327775d800 9a69d4802add64156ce6a7fb089f106d34f5b559398caa12bc2fe223e4ea4411 e48197d5206ffba045e0fbd77d64bb8fb6b3a515515ce4fa3f4ee89c9aa7faf5 fd43f3c4b33d5294c4f342fc63a0dd50449e436c3674e18ea6cfb3a3df766df3

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK


Win.Dropper.Tofsee-9950166-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 23 samples
Registry Keys Occurrences
<HKU>\.DEFAULT\CONTROL PANEL\BUSES 6
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config2
6
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config0
6
<HKU>\.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config1
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Description
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath
5
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\vexvpfkl
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\ajcaukpq
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\nwpnhxcd
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\tcvtndij
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\pyrpjzef
1
Mutexes Occurrences
Global\<random guid> 8
eZkOWkQUpHINngy 2
3749282D282E1E80C56CAE5A 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
142[.]250[.]80[.]100 6
213[.]91[.]128[.]133 6
91[.]243[.]33[.]5 6
45[.]8[.]229[.]39 6
91[.]243[.]33[.]254 6
31[.]41[.]244[.]81 6
31[.]41[.]244[.]82/31 6
31[.]41[.]244[.]84/31 6
31[.]13[.]64[.]174 5
157[.]240[.]2[.]174 4
31[.]13[.]65[.]174 4
142[.]251[.]16[.]94 4
144[.]76[.]136[.]153 4
185[.]28[.]21[.]161 4
185[.]237[.]206[.]60 4
45[.]61[.]139[.]224 4
94[.]228[.]125[.]39 4
157[.]240[.]21[.]63 3
13[.]107[.]42[.]14 3
40[.]93[.]207[.]0/31 3
142[.]250[.]65[.]206 3
172[.]253[.]63[.]100/31 3
20[.]81[.]111[.]85 3
13[.]107[.]21[.]200 2
104[.]47[.]54[.]36 2
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
wpad[.]example[.]org 22
computer[.]example[.]org 20
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com 8
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com 7
249[.]5[.]55[.]69[.]bl[.]spamcop[.]net 6
249[.]5[.]55[.]69[.]cbl[.]abuseat[.]org 6
249[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net 6
249[.]5[.]55[.]69[.]in-addr[.]arpa 6
249[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org 6
249[.]5[.]55[.]69[.]zen[.]spamhaus[.]org 6
microsoft-com[.]mail[.]protection[.]outlook[.]com 6
microsoft[.]com 6
www[.]google[.]com 6
fastpool[.]xyz 6
z-p42-instagram[.]c10r[.]instagram[.]com 6
niflheimr[.]cn 6
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com 5
www[.]instagram[.]com 4
monsutiur4[.]com 4
moroitomo4[.]net 4
cucumbetuturel4[.]com 4
nusurionuy5ff[.]at 4
susuerulianita1[.]net 4
nunuslushau[.]com 4
linislominyt11[.]at 4
*See JSON for more IOCs
Files and or directories created Occurrences
%SystemRoot%\SysWOW64\config\systemprofile 6
%SystemRoot%\SysWOW64\config\systemprofile:.repos 6
%System32%\config\systemprofile:.repos 6
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> 6
%TEMP%\<random, matching '[a-z]{8}'>.exe 5
%LOCALAPPDATA%\Yandex 2
%LOCALAPPDATA%\Yandex\YaAddon 2
%APPDATA%\D282E1 1
%APPDATA%\D282E1\1E80C5.lck 1
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5 1
\Users\user\AppData\Roaming\7C7955\5D4644.lck 1
%TEMP%\lpirrbt.exe 1
\Users\user\AppData\Local\Temp\chsdcrzz.exe 1
\Users\user\AppData\Local\Temp\hvpzjxig.exe 1
\Users\user\AppData\Local\Temp\ryjmawye.exe 1
\Users\user\AppData\Local\Temp\suabilhj.exe 1
\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\518498962.exe.log 1
\Users\user\AppData\Local\Temp\uunshlaq.exe 1
\Users\user\AppData\Roaming\seefbbw 1
\Users\user\AppData\Roaming\seefbbw:Zone.Identifier 1
\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\518498972.exe.log 1
\Users\user\AppData\Local\Temp\kytvupuy.exe 1

File Hashes

0128d3cd5e43f6c3b0cd02071b65e9cb890e0d46e39dfa692b5757fceef6de52 09142589a0d5714b93156097b04b4b9b0b4f3fdd562a9a936b82952e86bd7eac 09d2706b754c07905f8dcfc8497d2cbcbbf1e2b51166b239a8f9861a5eb5898f 0ec1a04906159d42df0e3c952329b732fa758a24c064ef248055bca3a9d75779 293b7655279232c282a3e7e14a6cf1b5ff1c84773df337d00dd2c140b32a4574 3df7d9ca51264ebdbc270c89cb4c17ed00ba6426422e238e8c4301e3a0bb8435 40ac8ee866c7c98fdb53a46358ea0f4593f22f3fffaf7dda5496d55988949913 47bef109565da06b2c0e833ca715e09dab49cc58f00e02c3e1142cab98460b3a 4b5f4d97a4f13acd4f01191e0c34b370b707ce9c6b02283856b533aedbe9b988 4bdb55e73d8d688509059548da8fa1eb44a1719162fc8827695be6328b804121 5c673d6ad74a8948bea00e8d2e5e81f22a85e2ba26a04ed94a48d68a7d263fd5 60b8c692bf90e9d7ab729fee8c0a15fdfee61f130e787c194201f9c1abcbb787 754f5f353698ca45eceabc1a45de34de02c420155ffa7a0ccddbd04847c90882 8217573107ca562e7357b8347ad0ac44ecbbf70590ebca3f620aeed5ab051210 93320251dbc76cad5a48f60782e92516732eb806e516cd8dab43c81987419b90 a20c4b8fdca84480e1217d4339528cbf5b25785a22f39934e49256d92e37249c a8e48126fb0c74db25aa1a68ad0e2a24b356cb92fa3d16e55decc9580a264b76 ad32fffc0d98178964b5a55300f870125ad6f40dbdfe724e4f6043ae7d4945fc bbd91da105ea52d6251c733f6d1ed8ea2819f29091e5f50c6a1fc54d2d0fc4c5 c61c4c3ae816c6e9d9632e472bf58cf388569144390049651c438df9e8f6d792 c8b077322778bc87119ce0bce5f1db70bf6596260bc8c2f6ffd0f301fcaa2123 dc8f108a2030ecbbf5be79df305d02839fc1192d262e20faec834a0ac9ac05f3 ef78da2e9386931b44c99e0136e0ae13ff3d158434dd1a0288e09119ab9d9274

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK


Win.Ransomware.TeslaCrypt-9950169-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 15 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLinkedConnections
15
<HKCU>\SOFTWARE\ZSYS 15
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0
Value Name: CheckSetting
15
<HKCU>\SOFTWARE\ZSYS
Value Name: ID
15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Acrndtd
15
<HKCU>\Software\<random, matching '[A-Z0-9]{14,16}'> 15
<HKCU>\Software\<random, matching '[A-Z0-9]{14,16}'>
Value Name: data
15
\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\7C\52C64B7E 1
Mutexes Occurrences
2134-1234-1324-2134-1324-2134 15
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
198[.]185[.]159[.]144 15
213[.]185[.]87[.]28 15
35[.]195[.]98[.]220 15
34[.]117[.]59[.]81 15
23[.]218[.]119[.]73 10
99[.]83[.]153[.]108 9
75[.]2[.]26[.]18 6
96[.]6[.]30[.]95 5
20[.]189[.]173[.]22 5
20[.]42[.]65[.]92 2
104[.]208[.]16[.]94 2
20[.]189[.]173[.]20 2
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
myexternalip[.]com 15
garrityasphalt[.]com 15
gjesdalbrass[.]no 15
grassitup[.]com 15
www[.]garrityasphalt[.]com 15
www[.]godaddy[.]com 15
kochstudiomaashof[.]de 15
testadiseno[.]com 15
diskeeper-asia[.]com 15
wpad[.]example[.]org 13
clientconfig[.]passport[.]net 13
computer[.]example[.]org 12
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com 6
onedsblobprdwus17[.]westus[.]cloudapp[.]azure[.]com 5
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com 3
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com 3
onedsblobprdeus17[.]eastus[.]cloudapp[.]azure[.]com 2
onedsblobprdcus17[.]centralus[.]cloudapp[.]azure[.]com 2
onedsblobprdcus16[.]centralus[.]cloudapp[.]azure[.]com 2
onedsblobprdwus15[.]westus[.]cloudapp[.]azure[.]com 2
Files and or directories created Occurrences
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I08BO8F.xlsx 15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I11KHR4.doc 15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I5QKHLN.doc 15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I62TWBD.ppt 15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I6FZORX.doc 15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IABMX83.pdf 15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IAJ2Y6R.pdf 15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IALGTCS.xlsx 15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IGTBBSA.accdb 15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IH49RPF.ppt 15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IH71GGR.ppt 15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IJKODPH.pdf 15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IJP965K.accdb 15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IKY5R3M.pdf 15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IMYCSIT.pdf 15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$ISLP722.doc 15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IXLC77A.pdf 15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IXUL2U1.doc 15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IYSR1FU.ppt 15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IZ2GMJW.XLSX 15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$R08BO8F.xlsx 15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$R11KHR4.doc 15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$R5QKHLN.doc 15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$R62TWBD.ppt 15
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$R6FZORX.doc 15
*See JSON for more IOCs

File Hashes

10cb592686b6d293baaeb9258dbc9d026024dcadbb89fbe0966a8456b5011408 181a39b9477057e050e6b88583ffb21bc4b94a8783030735ee8ee677a9986e2a 235e75a04e4622be8e18ab647a77a87a65a0b33dd0a9edf07e5ada784dc32bb5 282e1666932d8debcc4ab86746e6791d49fd972582b2778062616d52a8866a96 291aab875adf6ae867713b06cd7e7456e395324d5de067a9e578441a39a7af3b 7192125799cce7c0f89dbcdaf9617d3884664f474e9e101458dd53bbefa20427 77f8d351f3f9b27c42ddd98965269e809e0b864571013240bc3f1e6c7cd51ddd 8fcafc56c480b5b6492aa5b4882f7b4351e0113b5c20fa69f73db0b2d9dbc82a a536cc094459b15044b7030ae665be94f01b9ce5467ff254af170d742e935be1 ad80dffea369021f6234c5f95daf448972bbcfa28faeaba5ae7edb34e2e11486 b261d6b8833f07990a69c4f88cdd54f703f465d162a6b1c3acf95561a17890b2 b57ca40eab68c52c47e979fae218dcb91cb833caeadd53538695b12f5f70c51c b89b656a2ce0c5f6f1a37f39b86096551eb04551bb352a651c03732d2b2b501f c8748a99549d45eff46cc2cd6687d257478ecad14a5a8a0436e96d48315267cf db24a3909701a11d90c3655edf5b4fffc2e73b4938f21ea705036b1446fe7440

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

Umbrella

MITRE ATT&CK


Win.Dropper.Zegost-9950175-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 18 samples
Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSSQKG RCQYYDRO 7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSSQKG RCQYYDRO
Value Name: ConnectGroup
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSSQKG RCQYYDRO
Value Name: MarkTime
7
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Wseguk cwuesiso
4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SUPERPROSERVER 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SUPERPROSERVER
Value Name: ConnectGroup
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SUPERPROSERVER
Value Name: MarkTime
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSIZJB RKWHKRGW 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSIZJB RKWHKRGW
Value Name: ConnectGroup
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSIZJB RKWHKRGW
Value Name: MarkTime
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Mocyoq mcsggysa
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SUPERPROSERVER
Value Name: Type
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SUPERPROSERVER
Value Name: Start
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SUPERPROSERVER
Value Name: ErrorControl
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SUPERPROSERVER
Value Name: DisplayName
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SUPERPROSERVER
Value Name: WOW64
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SUPERPROSERVER
Value Name: ObjectName
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SUPERPROSERVER
Value Name: ImagePath
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SUPERPROSERVER
Value Name: FailureActions
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SUPERPROSERVER
Value Name: Description
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSSQKG RCQYYDRO
Value Name: Type
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSSQKG RCQYYDRO
Value Name: Start
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSSQKG RCQYYDRO
Value Name: ErrorControl
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSSQKG RCQYYDRO
Value Name: ImagePath
1
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSSQKG RCQYYDRO
Value Name: DisplayName
1
Mutexes Occurrences
Global\208c2121-d2ec-11ec-b5f8-00501e3ae7b6 1
Global\1ffd1021-d2ec-11ec-b5f8-00501e3ae7b6 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
60[.]191[.]97[.]139 1
118[.]193[.]164[.]207 1
122[.]114[.]57[.]137 1
183[.]26[.]161[.]58 1
121[.]41[.]227[.]197 1
221[.]199[.]59[.]161 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
gunnima[.]f3322[.]net 3
yxt1[.]f3322[.]net 1
ykykvip[.]6655[.]la 1
luoyewuhenscf[.]oicp[.]net 1
mahluk[.]f3322[.]org 1
Files and or directories created Occurrences
%ProgramFiles(x86)%\Microsoft <random, matching [A-Z][a-z]{5}> 13
%ProgramFiles(x86)%\Microsoft Nofhor\Oueo.exe 7
\<random, matching '[0-9]{4}'>.vbs 7
%ProgramFiles(x86)%\Microsoft Paqbot\aaccamq.exe 2
%SystemRoot%\Terms.EXE 1
%ProgramFiles(x86)%\Microsoft Gtdnht\Njzunsj.exe 1
%ProgramFiles(x86)%\Microsoft Fangyu\zhudongfangyu.exe 1
%ProgramFiles(x86)%\Microsoft Ynxqoq\Kiawggg.exe 1
%ProgramFiles(x86)%\Microsoft Ooscua\Wuyqmsa.exe 1

File Hashes

0e8d746ad396f3858e609b2a0cbfd41676c01ff7283bfcb9fb5e644b0c393874 144808022fa3f37b6532831390a8ebb11fd20ac239f0e468c6d8556957a0a32e 1632b7601eccb92cafe93b2ee1970f55c4305311165ef5088e55988aad2cf8a8 2ff02aef8a9ac75bed7e7bed931dac733cd2f310d50f1596eb6eb7de0b3d5628 3aa1e8a0cd1c08cf7ef80494693362083b6fe90d51feab94fd14dd3f003cd035 58d989e1903389b8fc0de808ead8343ac127a95daa4131776a518ad287526c30 64fac0ae2ed8c9e6c646a81ef171dcd078d1dbe43a55f66fa5676323b694ebe1 66db7cb8cd374153e5c534bfd1afe7f5e590960dcc37d3602e0620452812d456 70019a9e401cb30d30e82a7c4da4464ea826fb5ad7a673008874557ea1932809 732a581bbd232a5eed7034c898cb0c834af01e5dbdd79cd7a241151c8d7debeb 745dbcda3f3e84c1eed438ceafd129726864db1a39a33eddbc92f41bd7e5c5de 83c10e8e26234eb9657cc1d3d498723dfc4ad1f26161a622acbaf008b0b794fc 84c14436a6aa2dfd9b779c188d67d2b83d06e217f1f9756493367e1954cb4f91 8d2f20364ec1950e904d23c689a1984842cce89c4fe341395ae50f68237042fd b18fea368891dc8969a304c6b00bcd952f10295ef7cb69a3ac8981848415612c c6f7a82efbd4a77f830b527f892fb1ee5bcfe6e611143c7ab0a2e1632437ce05 c92c7bf31bca7ff667a24e34911b94bcbe40e931b056740f010961c1bd4c6933 d5008f73d6e0a70f7e5b20848d3bcced444f8900041d9f85fda0194fa2e008c0

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK


Win.Dropper.TrickBot-9950187-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 33 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS 33
<HKCU>\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS\CODEWIZARD VERSION 1.0 33
<HKCU>\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS\CODEWIZARD VERSION 1.0\RECENT FILE LIST 33
<HKCU>\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS\CODEWIZARD VERSION 1.0\SETTINGS 33
<HKU>\.DEFAULT\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS 14
<HKU>\.DEFAULT\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS\CODEWIZARD VERSION 1.0 14
<HKU>\.DEFAULT\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS\CODEWIZARD VERSION 1.0\RECENT FILE LIST 14
<HKU>\.DEFAULT\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS\CODEWIZARD VERSION 1.0\SETTINGS 14
Mutexes Occurrences
GLOBAL\{<random GUID>} 33
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
51[.]254[.]164[.]244/31 18
185[.]14[.]30[.]134 13
172[.]245[.]156[.]138 10
200[.]21[.]51[.]38 9
5[.]255[.]96[.]218 9
178[.]156[.]202[.]228 8
185[.]17[.]123[.]90 8
185[.]14[.]30[.]152 8
185[.]20[.]185[.]76 7
181[.]140[.]173[.]186 7
45[.]148[.]120[.]153 7
5[.]182[.]210[.]226 6
181[.]112[.]157[.]42 6
23[.]62[.]6[.]170 6
5[.]255[.]96[.]217 6
190[.]214[.]13[.]2 5
23[.]62[.]6[.]161 5
92[.]38[.]171[.]11 5
200[.]127[.]121[.]99 4
181[.]113[.]28[.]146 4
194[.]5[.]250[.]175 4
170[.]84[.]78[.]224 3
36[.]89[.]85[.]103 3
121[.]100[.]19[.]18 3
171[.]100[.]142[.]238 3
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
wpad[.]example[.]org 33
computer[.]example[.]org 31
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com 16
windowsupdatebg[.]s[.]llnwi[.]net 15
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com 11
apps[.]identrust[.]com 11
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com 4
Files and or directories created Occurrences
%APPDATA%\maininf 33
%APPDATA%\maininf\data 33
%System32%\Tasks\WinInfo 33
%TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp 33
%APPDATA%\MAININF\<original file name>.exe 33
\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 26
\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 26
\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A 21
\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A 21
%APPDATA%\maininf\profiles.ini 11
%TEMP%\log2085.tmp 11
%APPDATA%\maininf\urlclassifierkey3.txt 8
%APPDATA%\maininf\extensions.ini 7
%APPDATA%\maininf\compatibility.ini 7
\Users\user\AppData\Roaming\maininf\TRRBlacklist.txt 6
\Users\user\AppData\Roaming\maininf\ShareFont.ini 6
\Users\user\AppData\Roaming\maininf\ConsoleHost_history.txt 5
%TEMP%\log2095.tmp 5
\Users\user\AppData\Roaming\maininf\SiteSecurityServiceState.txt 4
\Users\user\AppData\Roaming\maininf\profiles.ini 3
\Users\user\AppData\Roaming\maininf\cacheSize.txt 3
\Users\user\AppData\Roaming\maininf\compatibility.ini 2
\Users\user\AppData\Roaming\maininf\AlternateServices.txt 2
%SystemRoot%\TEMP\log6081.tmp 2
%SystemRoot%\TEMP\log87C0.tmp 2
*See JSON for more IOCs

File Hashes

089b366e8793cbc83d91a234bd8f50fb8dfcd8e1c9d4ec12a557a5087654cb09 12b485f8bb93df3ef543ac9c2df5a6c881ad8d80e7a0500acf5d5ff7a8350454 13edd954aa2cb6615acce1a1f169366f6d12554012d185b22150b4ac3b1e2b5c 148d77d752a0f883a10231c4b082a5faf76df3fae754e7d4d50f78194532b9b2 16ffb81083c9c988e526a1fd6fd8143dc21ea2f4876833ba43b64ead08ca9aee 259ba57d1ce1868c12144dc3fec87c8f882e201f3093048f7e933f53346b0afd 2c08d65f8d68f44346ec045c62374246c7eddcb1a1c5f3b3854b0ade90539aa9 3c62ba077f17b25160bd01df9ce8ecdd730eacece2a7947a62981cec829fb894 3f0e21c9807bcbe3081e0dfc1a28f15b483efe760afa382d891a97de6876f8aa 464bc95d917d9ec52420bf440a55f4099396d2af4af43d41694f30a70d00761b 4970c1befe8ed3cab71cd9d43317b9f311d10b49ffc18e1a71f6685cdce05c5c 4d4ad9bd0b51be44878ad59d1d9e3fa110a629ea52305cfc2ba3e9106698ca71 57f6bba7f29a365466af5dd3cd9a9f61e57543f4d83d76bef81640b3048e2cdd 5a260230cafe0229937d77eea28779f134ae0fd2d2b17bde92942b5a11073ec4 6463c1b28ff09bfd3895b958249ce7e3220ec35b5a49422219407ee5f51cd47d 704f3472d96b7a5ca6a31e7608ad29d5c0c331516367a6eca0ccd5ada61afdf6 7131c68df5ded52136e0dd93456da13dd3cef68f5222157d20fd61b04a86f038 72cb744b57f3183e15da3780cbfd4411dc77b36411c1fcca65ec59e2d15713f0 8266bd94da8a881040beec0e10ee3a15a146fd8f4e0772a2fbe8903d9c8f07b5 88e3c9743f423655a60801b44e4d8783c1a444f27748a7f00e827421eb7fd6c0 901cdae9018e02b8e9fe37f6f96f6bd88d07b95f10fd6db5e506d9e1dbf3eb94 904df9175e7c173fa0d09bd57f4c038ecfa0bd438aa233807dfdc973f6f08679 956446e6fce0d16ad5ad2dfe21d6fcaa52fcda2baa7b96695d47d948bf07adcb 96d60053f8d2be82d6fee5348e6ceff040525c149ec6d7642edce54d0251e0a3 9d1112135eee205ea776c78acd0c965d9ca00f904798f70451e6158fb14cbeac
*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK


Win.Dropper.Dridex-9950227-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{690D1BD7-EA98-1004-3AC9-E87553700E95} 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{690D1BD7-EA98-1004-3AC9-E87553700E95}\SHELLFOLDER 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{63FC4996-AFD5-E391-06A7-EFB6E2702561} 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{63FC4996-AFD5-E391-06A7-EFB6E2702561}\SHELLFOLDER 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10CDDA71-B745-777B-1AF7-51696DB9BB93} 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10CDDA71-B745-777B-1AF7-51696DB9BB93}\SHELLFOLDER 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{CFD6D5E6-02FB-7433-9261-E8E1B87CAC69} 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{CFD6D5E6-02FB-7433-9261-E8E1B87CAC69}\SHELLFOLDER 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{8BAB5812-9D02-8F14-74B1-BEDE393F8C1F} 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{8BAB5812-9D02-8F14-74B1-BEDE393F8C1F}\SHELLFOLDER 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10DF83AD-199B-9C18-3FEF-E4ECD6A42F66} 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10DF83AD-199B-9C18-3FEF-E4ECD6A42F66}\SHELLFOLDER 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{1AD90FE5-CE2F-E8B8-CF09-E0B1912E9542} 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{1AD90FE5-CE2F-E8B8-CF09-E0B1912E9542}\SHELLFOLDER 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{05ED06D6-F422-71CC-26B3-C9964D56F645} 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{05ED06D6-F422-71CC-26B3-C9964D56F645}\SHELLFOLDER 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{98B09642-2764-54AE-3333-D8C6CA536428} 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{98B09642-2764-54AE-3333-D8C6CA536428}\SHELLFOLDER 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{63D99860-AA40-CA79-F681-9DECBEF55447} 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{63D99860-AA40-CA79-F681-9DECBEF55447}\SHELLFOLDER 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{D4B277A3-C25E-BCDE-A054-D41AAC36394B} 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{D4B277A3-C25E-BCDE-A054-D41AAC36394B}\SHELLFOLDER 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{FE9DE6BC-A4CF-8285-E73C-DFE7A08197FE} 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{FE9DE6BC-A4CF-8285-E73C-DFE7A08197FE}\SHELLFOLDER 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{B11CF2E2-C0C2-7860-F12E-428101DCB963} 25
Mutexes Occurrences
{24d07012-9955-711c-e323-1079ebcbe1f4} 25
{bf18992f-6351-a1bd-1f80-485116c997cd} 25
{ed099f6b-73d9-00a3-4493-daef482dc5ca} 25
{a2c9c140-d256-a4d5-6465-f62a6660f79e} 25
{a8af557b-6de9-c774-28f4-5c293f1b1769} 25
{b570fe85-587a-a133-ffc9-73821a57c0c1} 25
{ac5b642b-c225-7367-a847-11bdf3a5e67c} 25
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
wpad[.]example[.]org 25
computer[.]example[.]org 24
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com 11
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com 7
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com 6
Files and or directories created Occurrences
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5 25
%System32%\Tasks\Ryddmbivo 25
%APPDATA%\Microsoft\Templates\LiveContent\User\SmartArt Graphics\1033\PfaWGXk 1
%APPDATA%\Microsoft\Windows\Libraries\lBSo 1
%APPDATA%\Microsoft\MSDN\Ef 1
%APPDATA%\Microsoft\Internet Explorer\UserData\N03JH1M1\wgRwZjXl 1
%APPDATA%\Microsoft\Templates\LiveContent\Managed\SmartArt Graphics\1033\cLdKFEXDRff 1
%APPDATA%\Microsoft\HTML Help\b1e48 1
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\LkMlc 1
%APPDATA%\Adobe\9vMiNCNa0Wd 1
%APPDATA%\Microsoft\SystemCertificates\My\CTLs\FioSZeGC 1
%APPDATA%\Microsoft\Windows\DNTException\AoEub 1
%APPDATA%\Microsoft\MSDN\8.0\m3 1
%APPDATA%\Microsoft\Internet Explorer\UserData\KKRPCQ2X\I5G0NmIx0u 1
%APPDATA%\Microsoft\Internet Explorer\UserData\KKRPCQ2X\K1Jog 1
%APPDATA%\Microsoft\Templates\LiveContent\Qpt746lHyiU 1
%APPDATA%\Microsoft\Templates\LiveContent\User\swjDCObV4dK 1
%APPDATA%\Microsoft\Templates\LiveContent\Managed\Document Themes\n84 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Maintenance\2F 1
%APPDATA%\Microsoft\Windows\Libraries\iagm 1
%APPDATA%\Macromedia\Flash Player\macromedia.com\support\flashplayer\BVTsWphI 1
%APPDATA%\Microsoft\Templates\LiveContent\User\Word Document Building Blocks\1033\jaTH0NO 1
%APPDATA%\Microsoft\Office\YYTa0NJd1 1
%APPDATA%\Microsoft\Windows\Recent\0qGY 1
%APPDATA%\Adobe\Acrobat\9.0\Forms\CnQXdAEJP 1
*See JSON for more IOCs

File Hashes

1434bdd62d628a25829701c54d20f7ba778b3c63d93f6e5764931d1091ef83e3 14b6e67caf8ff987486978a07e5e177c89a9afe87326d930438b5cc1194e7533 15576d21edf15e69d6615168d5d63b72b44142e0c0af7b5ad0fe4d04ae0a935e 2ad3eedfd800d2c4746d7f7d78cce4e25bd97e5c638e6501afe8eda66e0be654 2caef31bc4acc28a419a2cc7658ea24461a442935bc63b9f90c217583a228c8c 2e99b07981ecf6945415b98085afdf88bd5e5a0ca74ed5021cd6ad5226cc2883 314a9d45233b60c2a0c6e6043332cae53687b3cefbc4754db3a77e1e4bfccbb0 3b682518b8aebea0550ac3a6f7cd39425d0d44ad220e1ada46e79a40b0d848a6 4cb0e3d4d7cf1a91f16370be66adee9084b2936d43826ba61a50789edd4021ac 5b0d9bc969fdc4d0530bbc7ce0f6dc1093e15702df5c44d1d9db982604362bef 5cb238a26bd971c6de9cb98e0132f3054ae23c2c760a3eb0ca7318f25d8d4780 5e3c0eac1f74586b973f6f09b0e160312d51c2f8557f0f61718fd60d368edafd 601e0547b844f9990b7f246e825051543a7e1bd69a47329785ee8d500b0832d5 60d81b8e4b16f86c121cc54d8a6e0303800266ae1e2abf9b2b70dce9cc6da8c8 6527e098cb2588b6ba84757886c0f740d46cf31db0c804072f7b7728f4ede080 668cb63fce74a7c9e705b8e7ad81c6b3d91d8325b92aee083f203a3f75e57610 6ba48ecadd6daa7296e3d1aab5c6f9bad8d97996b6bcb2b5dfaac404bf9c8f47 6f5284407cb0f4b7e2fe875294a4dbc27d7e9f7ac141285f5ab09a8102ff7dce 73da1601aa1fabd87a6fd5c945c4927dd68284ede0d343fed299fd2b484fbf65 785d71a9493e5e84cabaf43661912da7267a0ddd438cac6661538cf9d01cd276 80e087b28afb0be8ec3a0f0b35aec8ef06e7d806aa7e576a4282e394244a2bc1 860db4a765cb642a13888257692f65d600389c88d9573daffa5f0905f2bf018d 950e59486286f7e526a33e5ee60151e09b9c6fc3091cbc354fdf9940371ee37b a0faf0b9b2d332b765cc0e7d18e63e19b2465d4356a9c5008200c36f6d912474 a8ef9cf1ff529a1ef9237cc04e4e12a602669e35e07a65878f073e9067236140
*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK


Win.Dropper.Ursu-9950236-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Mutexes Occurrences
VEOVFseK 5
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
154[.]16[.]220[.]209 5
127[.]0[.]0[.]2 5
67[.]214[.]175[.]69 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
wpad[.]example[.]org 25
computer[.]example[.]org 24
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com 11
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com 9
wallou[.]publicvm[.]com 5
www[.]wallou[.]publicvm[.]com 5
mediafire[.]chickenkiller[.]com 5
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com 4
Files and or directories created Occurrences
\TEMP\Dsl32.txt 25
\Users\user\Desktop\Dsl32.txt 25
%System32%\Dsl32.txt 24
%ProgramData%\path.exe 20
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\path.com.url 20
\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\path.com.url 20
\TEMP\.Identifier 5
%ProgramData%\sqlwrit.exe 5
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\sqlwrit.com.url 5
\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sqlwrit.com.url 5
\Users\user\Desktop\.Identifier 5
%SystemRoot%\Dsl32.txt 1

File Hashes

058f5c5fd0fb2cf3657e5d5911218a094c03e49c27ef55ffabbf5a4143b27d44 188e0c455ac511f976e8b8a86655fb2522c79f11a25372819edadecf52aa6720 1fab85fafa3c6415b069f4221d771202da98755ae9f7a3b2f34c570d7b01b12b 25cf983f69aef35f1acf0b1555002c5877f925b03df7c312f8f904eadfbe39b8 27b46b7de14445b26f4a8689caee861b824aeae7ea27e466a6292965043519f3 2db980f99457336e1f78bf6d7e78336756e0748f5acb1ca1fbaea0fc83c21d05 3a2b6918caafba046e10f58340ea7dee490e0ac150fbf306dc2546a909593407 3bbc5d12b36fe4f9e14f10dabeaa4bd594f228d457100dbf503f9c84f7616ce1 3e8ea5324c39dbcb1b0ee0e2fb18f7d928e4998f53381a798955dc906e916da5 4afd06a5768b10729aebe3020c980c9775c30355aac961fd9da155a56f1022d5 6004fc0133f36df0cabccdf5e17c6691514e94b57135cf626fdc9fb2ea845c8b 6994d069182e0e4e9a3336a7d0f8ccea5390938313f5585425803fd9b9f8636d 6cf4513e19fa3ceed13d7916a127c302ac4e004b549044788adbabfb5005da51 6e8229828586a2901269588bbc709cc09ad9a09342efdcac208ac636b01daf85 793e180a71f1a7744e655755ba0e3baac38875396421bec9469f904fbcab835e 8408e4515b34e24cbfff7d9f52bae3abaee2d60c9c48d59dfeb85055cb8d02c9 870cb7fd5ab94188bca9004a1a72028d5f227a11db0bea762c304c39dcf3a67a 8780788906312ede39dea623a3c9711d744bfacbb2410c66eae316daf150b361 89d221b63d6790ebba1959667c4f47a9e563e35507b254dd6af703ee2a11f04c a0f6abe5b1ccc020446ba72ce4b3fe4119c9967ba59f32a33251c0aa428647a8 a61894ebd208ba8c54e51912ec6405560931a9864aa3fd431f7df4a57eddd635 a795b3d767d5c8fa911a904d54a031f9a4d1eb4a21aa53de5b51e2a4bd101689 a991e025d962160b815f69feb32e75d917ee45927924440c5161cce44965e699 b74590a3e336341984fc38fea2ea801236796b6a610e5fa2f1d411f7159ec169 bf09b7d1aff22a5bc8e29bb7321a2cae0df270b109f216d1b63966ed0fc015a2
*See JSON for more IOCs

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK


Win.Dropper.Zusy-9950260-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 11 samples
Registry Keys Occurrences
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159 11
<HKLM>\SYSTEM\SELECT
Value Name: MarkTime
11
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\ACTIVEMOVIE\DEVENUM
Value Name: Version
7
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\ACTIVEMOVIE 7
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\ACTIVEMOVIE\DEVENUM 7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GSKCSKB TLCTL 5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GSKCSKB TLCTL
Value Name: Type
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GSKCSKB TLCTL
Value Name: Start
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GSKCSKB TLCTL
Value Name: ErrorControl
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GSKCSKB TLCTL
Value Name: ImagePath
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GSKCSKB TLCTL
Value Name: DisplayName
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GSKCSKB TLCTL
Value Name: WOW64
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GSKCSKB TLCTL
Value Name: ObjectName
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GSKCSKB TLCTL
Value Name: Description
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GDVNFVNF WOFWO 3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GDVNFVNF WOFWO
Value Name: Type
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GDVNFVNF WOFWO
Value Name: Start
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GDVNFVNF WOFWO
Value Name: ErrorControl
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GDVNFVNF WOFWO
Value Name: ImagePath
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GDVNFVNF WOFWO
Value Name: DisplayName
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GDVNFVNF WOFWO
Value Name: WOW64
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GDVNFVNF WOFWO
Value Name: ObjectName
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GDVNFVNF WOFWO
Value Name: Description
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GDTLDTL DUMDU 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GDTLDTL DUMDU
Value Name: Type
2
Mutexes Occurrences
eed3bd3a-a1ad-4e99-987b-d7cb3fcfa7f0 - S-1-5-18 7
Global\C:\Windows\SysWOW64\ASkcsk.exe -auto 5
Global\C:\Windows\SysWOW64\ASkcsk.exe -acsi 5
Global\C:\Windows\SysWOW64\HFVnfvn.exe -auto 3
Global\C:\Windows\SysWOW64\HFVnfvn.exe -acsi 3
Global\C:\Windows\SysWOW64\KDtldt.exe -auto 2
Global\C:\Windows\SysWOW64\KDtldt.exe -acsi 2
Global\C:\TEMP674654654.exe 1
Global\C:\TEMP546584.exe 1
Global\C:\TEMP3546546574.exe 1
Global\C:\Windows\SysWOW64\SSkcsk.exe -auto 1
Global\C:\TEMP54657468468.exe 1
Global\C:\Windows\SysWOW64\SSkcsk.exe -acsi 1
Global\C:\TEMP5465457.exe 1
Global\C:\TEMP55468746.exe 1
Global\C:\TEMP55465754.exe 1
Global\C:\TEMP54654564.exe 1
Global\C:\TEMP65754547.exe 1
Global\C:\TEMP465468754.exe 1
Global\C:\TEMP53486484.exe 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
143[.]92[.]56[.]63 2
156[.]240[.]106[.]162 1
121[.]127[.]248[.]96 1
180[.]215[.]255[.]141 1
156[.]240[.]107[.]214 1
156[.]240[.]106[.]129 1
206[.]119[.]82[.]57 1
134[.]122[.]177[.]77 1
156[.]240[.]108[.]219 1
27[.]124[.]17[.]228 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
www[.]msftncsi[.]com 11
isatap[.]example[.]org 11
wpad[.]example[.]org 11
computer[.]example[.]org 10
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com 10
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com 5
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com 1
Files and or directories created Occurrences
%SystemRoot%\SysWOW64\Delete00.bat 11
%SystemRoot%\SysWOW64\ASkcsk.exe 5
%SystemRoot%\SysWOW64\HFVnfvn.exe 3
%SystemRoot%\SysWOW64\KDtldt.exe 2
\TEMP674654654.exe 1
%SystemRoot%\SysWOW64\SSkcsk.exe 1
\TEMP546584.exe 1
\TEMP3546546574.exe 1
\TEMP54657468468.exe 1
\TEMP5465457.exe 1
\TEMP55468746.exe 1
\TEMP55465754.exe 1
\TEMP54654564.exe 1
\TEMP65754547.exe 1
\TEMP53486484.exe 1
\TEMP465468754.exe 1

File Hashes

69f5d0f6de8d57bd374bbb702ba0e1363fcf7282168eeb3a3705e420229f68de 767fc2d320a39ac2a24fbc9f4deb13172776b4338561e820efea9865f33f8f8c 7f95ea485ab69f136ebb6e7e4ae9d0522ce60cc525ee7cd634484d53ff31fdb4 8a26a3adf738b1a2b3e84f323ca47928dfe93d1b635eb3a549a7d630c2871251 8fb5f16416475bbcd2005098dd10d52662b870e0b3787544bb60fc2775d54f7e 910b5935f42190d68f1a9462620f7a60eac839253267277000d61ec444766e59 ad45540821a86dae47bf35d1cad6d78ac5bb12fb68cd0135e180a29346bce66b bb598eedb28c42b011be6f27b0b3740cad173777c501e0fbe83306c37da6e87a ca5b8a90bad279bcbbcbdf19403aafd6cc99fe9f19bc46cbae7f9b54295b41ff caad99117625442cbea84fc9040033aecdf2981834634de7b2943adddc5ef4ea f395d12b196d3a6480d5056725cb834e9d2cb3aa07a15e77180225b67991709d

Coverage

Product Protection
Secure Endpoint This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Secure Malware Analytics This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK


No comments:

Post a Comment

Note: Only a member of this blog may post a comment.