Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 27 and June 3. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org , or ClamAV.net .
For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.
The most prevalent threats highlighted in this roundup are:
Threat Name Type Description Win.Packed.Zusy-9951045-0
Packed
Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
Win.Malware.Upatre-9950530-0
Malware
Upatre is a malicious downloader often used by exploit kits and phishing campaigns. It downloads and executes malicious executables, such as banking malware.
Win.Malware.Zegost-9950579-0
Malware
Zegost is a remote access trojan designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. Zegost appears to be derived from Gh0stRAT, which is a well-known remote access trojan that had its source code leaked, significantly lowering the barrier to entry for actors looking to modify and reuse the code in new attacks.
Win.Trojan.Qakbot-9950589-1
Trojan
Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can steal FTP credentials and spread across a network using SMB.
Win.Malware.Razy-9950612-0
Malware
Razy is oftentimes a generic detection name for a Windows trojan. It collects sensitive information from the infected host and encrypts the data, eventually sending it to a command and control (C2) server. Information collected may include screenshots. The samples modify auto-execute functionality by setting and creating a value in the registry for persistence.
Win.Dropper.Lokibot-9951022-1
Dropper
Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.
Win.Dropper.Dridex-9951129-0
Dropper
Dridex is a well-known banking trojan that steals credentials and other sensitive information from an infected machine.
Win.Virus.Xpiro-9951191-1
Virus
Expiro is a known file infector and information-stealer that hinders analysis with anti-debugging and anti-analysis tricks.
Win.Packed.Ursnif-9951199-0
Packed
Ursnif steals sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits.
Threat Breakdown Win.Packed.Zusy-9951045-0 Indicators of Compromise IOCs collected from dynamic analysis of 25 samples Mutexes Occurrences Local\OfficeSharedLocks_BootMutex_00_S-1-5-18
25
Local\OfficeSharedLocks_Heap_00_S-1-5-18
25
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 20[.]150[.]87[.]132
25
Domain Names contacted by malware. Does not indicate maliciousness Occurrences wpad[.]example[.]org
25
blob[.]mwh05prdstr03a[.]store[.]core[.]windows[.]net
25
weus2watcab02[.]blob[.]core[.]windows[.]net
25
clownmice123[.]com
25
computer[.]example[.]org
22
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com
9
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com
8
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com
5
Files and or directories created Occurrences \Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml
25
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml
25
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml
25
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml
25
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml
25
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml
25
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml
25
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml
25
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml
25
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PCALSGUV\ErrorPageTemplate[1]
25
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FNF9BE4O\green_shield[1]
25
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OSZC6DKG\red_shield[1]
25
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OSZC6DKG\securityatrisk[1]
25
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PCALSGUV\background_gradient_red[1]
25
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\XN0IX3V7\shield[1]
25
%TEMP%\s1d8.0
9
%TEMP%\s1jk.0
5
%TEMP%\s1dk.0
5
%TEMP%\s1cw.0
2
%TEMP%\sx8.0
1
%TEMP%\s15c.0
1
%TEMP%\s1gg.0
1
%TEMP%\s18g.0
1
\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{076CB9D8-E089-11EC-93F9-00007D696902}.dat
1
\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{FA0F00E5-E088-11EC-93F9-00007D696902}.dat
1
*See JSON for more IOCs
File Hashes 09f837fdd4b94fe073068fafc6dda1117ded51da14eb558e42ab00ac499b3852
0a39ac2693d97eae1a36b40c5bbe2890a7bfa8f24c7ec3d3aeafd6dc56afc449
0f7c036336e5023cfb49bb0578b63fc609ae2d35576a8bd32820d49d0374c6c7
1358cfe0b9770735a1d221c3e3dd30015e8ac96f05eb55e671b845525e444eb0
19ac6fec527601c97b48a84d636ea1ceadcc8e277898d3c30d253d20c1315a8d
2397d5a63b8d78c13c8cfd7febc4b98220f4cc96c816ca5b0699342c89a5f190
335cd07e80ec349d4ad84f3eaa3ab32a8c5df4a72c8a6cb347357dbfb41c54fa
389dedb4668a19e93439f9a8fe5950fa5c74488115b0a257149b6243a8f10ef0
3e47920c3427f11686bcea406222427107b56a0c8e04b66f22a460c5f03f7336
424ecc4b8717d559456d474511cb805bd898fb6e076687fe2e521fd4fd7b43fd
476019ef64dfb9acc990a1e6bd8975832908e4cdad12032c9cbc826f246aae4c
4b86b261068f81622e6e809614314ebc248dec183a8f373e66b9484439d15555
4bd5fda13773e691dcbb1819dd27abbef752bac0164aa25539b74c8ab2bf7ae4
4ef8a540d6394834f5d377000c01d2b9ae07ede132b34d7a78668f09b5cf087b
580784734bee7e55913126031d46ac78a087cfef16ff1b15b8873de74246b12a
5d841247c20999e35ba5fadfe8dd9fca0df7b9d264fd7661b80e8406c6de41b0
5f9b7f5cb73b34968a671769bf720c1d927ed941679c9ef2f2ccace59d4c1ef3
8a4c11aeb28eb0f20c2d499f666fb06e8f80aaae7f5f33ea8c4660ae164b940b
8adfbbce8615b78dbc416237c03ffe1e38f49c970e1a4aee53d454ad0f324ec3
9077ba2ebf2ba354ddc0a35117ac9c54f02182883d3b6a45390d3c9c6eafc355
9272b8a1289215309b3b96c1a787e3313fafa464118a6db2497a0e5efc96a0ef
95b4211beb95423c2099a8f170154ba0421e10ee0adc1d7db01d9ef8d93b9456
99347125d01ac5faa7b89d8d5f610d7f169c406d2ded14ae4ee3ac6cda6a24dd
99e05c1b998d887ddd5be263ccaf76b25dd70eb9df17abd2e62c6a9ad2591ce0
a0755494fca017a84428b71b39e79ba6037edd47f625301d25ab35b60c9f841d
*See JSON for more IOCs
Coverage Product Protection Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
WSA
Screenshots of Detection Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK Win.Malware.Upatre-9950530-0 Indicators of Compromise IOCs collected from dynamic analysis of 26 samples IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 204[.]93[.]178[.]227
26
35[.]208[.]217[.]200
26
23[.]196[.]74[.]222
25
23[.]221[.]72[.]27
14
23[.]221[.]72[.]10
11
23[.]62[.]6[.]161
1
23[.]10[.]206[.]162
1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences x1[.]i[.]lencr[.]org
26
apps[.]identrust[.]com
26
bizaroob[.]com
26
faneema[.]com
26
computer[.]example[.]org
25
wpad[.]example[.]org
25
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com
9
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com
8
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com
8
windowsupdatebg[.]s[.]llnwi[.]net
5
Files and or directories created Occurrences %TEMP%\realupdater.exe
26
\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
25
\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
25
\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
25
\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A
25
\Users\user\AppData\Local\Temp\realupdater.exe
25
File Hashes 029a2c26e8a494af8982e6d6f01d952fb302b4328f5f927995518e74825e4f87
04d01ea4e7604dded32b049f50d5314a16d2aeb248a57de86957a2bab3de9389
0b2a5415bbe037ea8d6a8412a44cb9cc68a20b200cdbfe9a981f679bf767cdbf
1618bd12a4cba0d704a6678402ee2e6b2d8efbac491f1ff8e560bb80ae59b28d
1edb49c5fb38734124d41ac12bc25aaa2c707fa77f19a10c344aaf715bd35004
299bc3f3c7fe16907258e4861b8a22069ae5ec057e7176fa544b1fe7f7826c85
2b4addd319606f4ff523e188fe8757122c481880b70398da5fa0fa134f1629d5
30f949b66be8d832cd184db555be5856549db60ffca7a7d0bc52a46866148bf3
35c9f59e462aad4c8248bf7834d6830b7ecdaf6ddbb71ad46f69192ce1798b97
40fd0fac6a9234b5cd257d2516ffa3b1003012a679ea0d0a0cd130d9fc45c61f
42d80eb6517f896cd62911fcf15fe6cadb20645bc0396fea64e5704d70cf8780
44df587d898240cb988e365217cd1c40efe05adcb3484486e717e684905c4c74
459b54203f04b1280eb99b79989ec1e2162d1fdd0420cbca94eb405093e93fc2
46bd9f2b560ef69aa47ebbf9c76c296db7ac004c4756df53960b124f93b520c1
496c189704b5bb066a72c43404547563c05a0671147f3574f7ad33ffed800adc
4a88d31de016793ca2f91ff255f2963578c1e06f0c33d9543124d96b78c98c4f
59621f2d0cbb1cf1cfefa69c353063b2d4da5dfa69e860f5b2dcd3992e109863
5b99b65774fe012120702dd3e18e6de7c9f5021f3b92890e9d174f8746572718
5c60644c9c30cd1063e955215c0c3c2e2642cd0edd533a9f4f44af558536eb5f
6aaaab9f02fef41f059e9f960124b2c93c47891933487bcb0c716fd118588c53
6ee0bb83af8152b855200abe6abb9c90a995a1f4729eaa89a7fcba19a4ae9138
72a37e39b5ab069d7a4421daac99908b66e0cadd177b6b030f3929c3d4e1ac22
748312c452f206e375e5a7c87788aceaeefc87ae2d87ac1d47838a294270fff0
74a5f590693972a24b71c839e93fae44bc2669761885532b4ef56d1c5413d800
794a40ed486f9e594cc93e21181490843270d3be95d3c205470270ac53b9818e
*See JSON for more IOCs
Coverage Product Protection Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
N/A
WSA
N/A
Screenshots of Detection Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK Win.Malware.Zegost-9950579-0 Indicators of Compromise IOCs collected from dynamic analysis of 24 samples Registry Keys Occurrences <HKLM>\SYSTEM\CONTROLSET001\SERVICES
Value Name: MarkTime
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\.NET CLR
Value Name: Start
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\.NET CLR
Value Name: WOW64
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\.NET CLR
Value Name: ObjectName
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\.NET CLR
Value Name: Type
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\.NET CLR
Value Name: ErrorControl
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\.NET CLR
Value Name: FailureActions
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\.NET CLR
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\.NET CLR
Value Name: ImagePath
8
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GHIJKL NOPQRSTU WXY
Value Name: Description
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GHIJKL NOPQRSTU WXY
Value Name: Start
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GHIJKL NOPQRSTU WXY
Value Name: DisplayName
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GHIJKL NOPQRSTU WXY
Value Name: WOW64
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GHIJKL NOPQRSTU WXY
Value Name: ObjectName
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GHIJKL NOPQRSTU WXY
Value Name: FailureActions
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GHIJKL NOPQRSTU WXY
Value Name: Type
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GHIJKL NOPQRSTU WXY
Value Name: ErrorControl
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GHIJKL NOPQRSTU WXY
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GHIJKL NOPQRSTU WXY
Value Name: ImagePath
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.52896_64
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.52896_64
Value Name: Type
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.52896_64
Value Name: Start
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.52896_64
Value Name: ErrorControl
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.52896_64
Value Name: ImagePath
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.52896_64
Value Name: DisplayName
3
Mutexes Occurrences APPEAL
15
jjl
1
Fzsxaa qhxipelt
1
Youqoa kmkyygug
1
Qgwuog aomyqkaa
1
Pdbanw qhvhjvxh
1
APPEAL1
1
Uigeky qukkgyss
1
Xaexdh aaxdgkiw
1
Egsycs equwaaqa
1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 61[.]158[.]162[.]80
3
113[.]4[.]133[.]2
2
167[.]88[.]178[.]121
1
108[.]166[.]210[.]197
1
58[.]221[.]72[.]157
1
142[.]91[.]147[.]25
1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences computer[.]example[.]org
24
wpad[.]example[.]org
24
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com
11
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com
10
bronya[.]vip
7
wk[.]hmxoo[.]com
5
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com
3
apms[.]3322[.]org
3
www[.]lfwll[.]com
2
dos2[.]f3322[.]net
1
www[.]mq8[.]top
1
crgolf[.]cn
1
Files and or directories created Occurrences %SystemRoot%\svchost.exe
23
%SystemRoot%\svchost.exe:Zone.Identifier
23
\<random, matching '[0-9]{4}'>.vbs
23
\0.vbs
1
\728.vbs
1
\604.vbs
1
\32.vbs
1
\592.vbs
1
File Hashes 01d94202beb849a511ac054079bdbc806a703c775fcc357faeddcb088774aca7
1166de11f2fa5ddd2342c71f65079476fa9973319892120496cbed384934cc7b
28a9c684da50492969439147d5e8d171367228d70cf1a03bdb5959e592dcb9d6
339c202dbd7c460cf60aa905c53e46166734ba9d778733645ce5999ad0c8eb42
36562f62c98c617e708333586794ae2c829cac82f7b4d3ce84250e56e9e249f6
36810270669372223e6e5b4996bd1e4585391e9b5804cfda6c22005da3a5378d
3737e263a43a2d7a2e61067aaa129449f0968677501879a722fb1cf279b936d9
430cdbbf7ce0ebb3a4106b4e911e8c8b84bea6ba30481737b236e669a06e4267
5c33e0d47ad1499922d93572f49ee9052042522903969091761e01e553b296f2
707d2335293fc7c2afc44150bf213829a3f6fa80e5501bf1067655b018ceed64
70bddc44d2b439fa05ba8aaa5a9d376a89faa5977409a8dc7b384bac2d3f3f5d
869888d5caff229ea4832499517c92afce0faa7d1c82fe86b6e4358bcc8ce5e8
a0ec2e8bef49b70620b50aec3497d6b76748199b2c296b81a0d82bae4f8db9ca
acd690f1a26faff8cc97c366c53140ba72a02d98e445010abbb956db14ddcaaf
ad2b2195bced66b830c0b7f699e5655bae935b497c2a999259c4b4d8f5fa6886
aef0c16eede2d7a420ca254634b8244438ea6819edfbc975891fbe1520e5058d
c5b3155493d6eae7301cf98c41936997a6eef800808a7d1581116af7d76aa3ac
e6959aebca28427c85da15b768a632556737d8a5f969b20175e2c03953d1c688
e70e321bf76901adf114e3ff24d984a45df45a0497b81c544019fbb12a4fcdb5
ee6db04f19d15ceadee81616bfa36f107addb0e198e1a5b42d8c510d6bdaa361
ef8aefc7790f573b02775544dbe2c3f21412b8cb9148057700dfeb6f8dad23f1
eff2282385d05bc0ebd2a50b2427934f2affe624418d6e24cb09c0cd7861ad3d
f01fb0ffba87061033ac600b46514a3c44dfa82fef8aa2b0a9dfb2ca9045c2a2
f20df3689096bf2097b709f962a81ca341528a86bc47751fbc27bef53fa40317
Coverage Product Protection Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
N/A
WSA
N/A
Screenshots of Detection Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK Win.Trojan.Qakbot-9950589-1 Indicators of Compromise IOCs collected from dynamic analysis of 25 samples Registry Keys Occurrences <HKCU>\SOFTWARE\MICROSOFT\DFWOFIK
24
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK
Value Name: bd63ad6b
24
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK
Value Name: bf228d17
24
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO
24
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO
Value Name: ff0b3567
24
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO
Value Name: fd4a151b
24
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\ProgramData\Microsoft\Ecrirfryzd
24
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Users\Administrator\AppData\Roaming\Microsoft\Xtuou
24
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO
Value Name: b5dd8adf
24
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK
Value Name: f7b512d3
24
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK
Value Name: 5dfca0e
24
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK
Value Name: 88fc7d25
24
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO
Value Name: 80425a91
24
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO
Value Name: ca94e529
24
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO
Value Name: 47b75202
24
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK
Value Name: 79eea72
24
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK
Value Name: 7a96a5f8
24
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO
Value Name: 45f6727e
24
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\AIWIGKCO
Value Name: 38fe3df4
24
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK
Value Name: c22ac29d
24
Mutexes Occurrences Global\{06253ADC-953E-436E-8695-87FADA31FDFB}
24
{06253ADC-953E-436E-8695-87FADA31FDFB}
24
{357206BB-1CE6-4313-A3FA-D21258CBCDE6}
24
Global\{280C5EDE-5A47-4F1C-97D3-B8CFE4CF258D}
24
{280C5EDE-5A47-4F1C-97D3-B8CFE4CF258D}
24
Domain Names contacted by malware. Does not indicate maliciousness Occurrences wpad[.]example[.]org
25
computer[.]example[.]org
22
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com
11
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com
6
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com
5
Files and or directories created Occurrences %APPDATA%\Microsoft\Xtuou
24
%ProgramData%\Microsoft\Ecrirfryzd
24
%System32%\Tasks\jrtvkqgfdp
2
%System32%\Tasks\tzkuzukhs
1
%System32%\Tasks\fznlifpu
1
%System32%\Tasks\rurzcnma
1
%System32%\Tasks\nhlrugtge
1
%System32%\Tasks\dmshoolefk
1
%System32%\Tasks\jriutcew
1
%System32%\Tasks\usxxlulebb
1
%System32%\Tasks\hyzyvsuv
1
%System32%\Tasks\bodtdpu
1
%System32%\Tasks\jizczmt
1
%System32%\Tasks\iofajkh
1
%System32%\Tasks\onvnwjekc
1
%System32%\Tasks\gfapescmb
1
%System32%\Tasks\kbepgqszn
1
%System32%\Tasks\fxipsncza
1
%System32%\Tasks\yytabed
1
%System32%\Tasks\liwbmon
1
%System32%\Tasks\pyiamen
1
%System32%\Tasks\myvrcsdw
1
%System32%\Tasks\ruivnzy
1
%System32%\Tasks\tubdxfvau
1
%System32%\Tasks\evfzyhv
1
File Hashes 080d33d769ff2c3d103174031d146d606bb0cb57a8fffaa18b4818b512e15c46
09cb67546950ba43047a6f5b905a86c5c69227f47f20ed1f0813b43263c3785c
0ba375c981e7c4c77a4acbac918f3fad9de61faae59905258aa051777be2c046
12408009ac27b79c45fbab67e7db0b59b4bb83da75957d7d62b796d2c67e4975
127be625c27c9744b4cb42986fcf44000f7e80a3287047b6bf86eca37bd2dbac
151c33f7cc6970eb9d6cf8d1bc6f3c34899aea570381712a1059688478097693
19b39a1b4c58ccac0452f3d6df742e6fccd597c2d0c88fd0c3b427e10166fab5
3478d293fa3ecd86461ffd74e37c579f678d7df8bee270b020a987572a50b1d0
6a72e49b7fb08cb91c8023a0a0d228f5dfca22a14f2a8ece1fdd82c510f389f4
6c9ac84b13412ef8bed642d1efa2a6d249ce68b13aa7127a5e03b1ebd47f4efb
6f521101d25678de9ff7444efca2c45b2fe198e37332322fb696a3fb7a916823
70d18ef177da17c393fcc62c398a52ba808f849786a0faf24985066122b10d68
7c8320812c0c1c634d9c6a425e057fc045d0bccccd0165712348cbe757db653b
976aeff3a8234476c9757b3ad85be23a1d453e5d3960652d53e0c8c1ba3a531f
9826e849283d91ed226ba5ca9175795344352a8e26db24e68e22b39d303f2424
9a3686674c39ed0fd41b8f833aa9aa53a72451f4cf3def546643112b6aac97a3
a0da59ba26601ffbc5d04527c6cc7a8beed97ea97c52df7fb498e429618a3bd3
a0e9c9bbd5717e2510416977201c65868f73c805f7e4c38495fa766bef4ece9b
a1686f0c5c2a8e3abd68cc2aaadc5a37456458089738c3775a8edb4ec76fe958
a3ec040f43b7374bb1f00c32700119847dae3763c191c174d48e5e26c2d9ef49
a96ff0b409b0155e9c0aeb2a7a1c4416e8e836dec3a4aa09d88f4f5f2f9a59bb
c02f6c468924b34ade33d3e940ead79be5a68fce12ea7a227e2a4bba300f02a5
c14031bddf471d354211f9f9341c716e5a5860e7ecc128de82afc37bbd2a96af
c572d59193ce0a3c286c80a74490d240c8f6fd130b387f7dd9553f419dc56b2f
d5a6e983c273a9a052574325259822d49512da45f9ada076ed53015c80d1e1d4
*See JSON for more IOCs
Coverage Product Protection Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
N/A
WSA
N/A
Screenshots of Detection Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK Win.Malware.Razy-9950612-0 Indicators of Compromise IOCs collected from dynamic analysis of 25 samples Registry Keys Occurrences <HKLM>\SYSTEM\CONTROLSET001\SERVICES\VSS\DIAG\VSSAPIPUBLISHER
25
<HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\USERDS
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS
Value Name: 2d17e6
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: IntelPowerAgent13
25
Mutexes Occurrences 2d17e659d346
25
98b59d04000007a0
8
98b59d0b000007a0
8
98b59d0b00000760
6
98b59d0400000760
6
98b59d0b000005ac
4
98b59d04000005ac
4
98b59d0b000007bc
2
98b59d04000007bc
2
98b59d0400000234
2
98b59d0b00000234
2
98b59d0b000006b0
1
98b59d0b000004ec
1
98b59d0b0000079c
1
98b59d040000079c
1
98b59d04000006b0
1
98b59d04000004ec
1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 31[.]13[.]65[.]36
25
157[.]240[.]2[.]35
25
157[.]240[.]2[.]174
25
31[.]13[.]65[.]174
25
162[.]125[.]248[.]18
25
12[.]153[.]224[.]22
25
17[.]253[.]144[.]10
25
138[.]197[.]63[.]241
25
104[.]244[.]42[.]1
11
140[.]82[.]113[.]4
11
140[.]82[.]112[.]3
10
172[.]67[.]141[.]102
9
104[.]21[.]41[.]17
8
13[.]107[.]4[.]50
7
20[.]103[.]85[.]33
7
20[.]53[.]203[.]50
7
72[.]21[.]81[.]240
6
140[.]82[.]113[.]3
6
20[.]84[.]181[.]62
6
140[.]82[.]114[.]4
5
23[.]221[.]72[.]41
5
140[.]82[.]114[.]3
4
209[.]197[.]3[.]8
3
20[.]81[.]111[.]85
3
20[.]112[.]52[.]29
2
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences github[.]com
25
microsoft[.]com
25
twitter[.]com
25
instagram[.]com
25
facebook[.]com
25
download[.]windowsupdate[.]com
25
dropbox[.]com
25
etrade[.]com
25
icloud[.]com
25
python[.]org
25
sendspace[.]com
25
wpad[.]example[.]org
25
computer[.]example[.]org
21
cdn[.]digicertcdn[.]com
21
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com
10
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com
8
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com
5
windowsupdatebg[.]s[.]llnwi[.]net
3
Files and or directories created Occurrences \Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
25
\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
25
\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
25
\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A
25
%TEMP%\2d17e659d34601689591
25
\Users\user\AppData\Local\Temp\65a7ba9885b9ed5d98fb
25
\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\74FBF93595CFC8459196065CE54AD928
25
\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\74FBF93595CFC8459196065CE54AD928
25
\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
21
\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
21
%TEMP%\rrg8FCA.tmp.bat
1
%ProgramData%\2d82d0406b.exe
1
%TEMP%\mbt5069.tmp.bat
1
%ProgramData%\bf6jjj2bj6.exe
1
%TEMP%\sxx11F7.tmp.bat
1
%TEMP%\ektD62.tmp.bat
1
%ProgramData%\40dfh6hbd0.exe
1
%TEMP%\kks2075.tmp.bat
1
%ProgramData%\h04fjf0f4.exe
1
%TEMP%\wbe2FC3.tmp.bat
1
%ProgramData%\dd24b22f68.exe
1
%TEMP%\tii127D.tmp.bat
1
%ProgramData%\6dfh26hdb.exe
1
%TEMP%\ldt7B80.tmp.bat
1
%ProgramData%\bbfj4fhj80.exe
1
*See JSON for more IOCs
File Hashes 18ee3f1aa87930381c08be6b1265fa6ce96802528c319a9421d6836eb0eaf6b6
256d2a981895d7571e7a8487dcdb22a15ac4da676156cfd998a003b15a0b9ef8
27d33499047b98a15fa6bea859f83308e1b7c2f4d08330dcaaa050d6f11ed81b
283977145a129fabde4321fd2551e1837e8e3e11e1b6ee7b6f52ab486875356f
2881007599ebd28af75ae82cd8a908dba72fe55451718a0ee6fba55aa871e6d5
28daa8d1fe18bbd9ac7565bbc0cf64480ce5ce5241564f1571299eaa4bd3f192
362e58c8a3f41f656de671ce9ec0aab32e0f551a244744aff53388c58fc4a6e2
399f262d92079f2ffecf0fcb16829620c05deab661bf5c6783b5ba3ae362f448
41b11c06a7b8fb5d150b000be312d14192c3bbed2f5223e8f8100004ef7d3769
41c32d860c96e3ed10747ae31b44c923037d1285ed59555c6056cd5d945bc835
5448e82c3d4e1b46d6f0f77762d1ee2ff2aebd10333475e2b95e269f37a0c74b
5489417e8b65281a8c91c86bbeee1d0730e30db31ade1453d9b75e8eb74ae0e7
57e55994a83b9dfaadd43d8e4b0bd64b5af7d9d89b4d911ba8abdae6259f049f
5acc61f6ce684068fe6f07ce1e0636ac82498a816058083c44601f26ccb7e850
63f0cee4f9bc1e9186a85684bd57b9b74ccdac7031ccb9d58b064b960b1a227d
71957a63cf8a7387d640ef4f29b1285db34432c053b56048a660912ad5c868f2
79e1510f7caeeb6249bc2d2064f2b9c5aebb438ebf97e4d24791c090258112c0
7c4f0c7a3f02b3f3dc335e5f4bcab2b1902696ce749498dc9e4681ff1ae8b574
883fcb50f17c3e54e7f04aa8b38894119ba6baace124426030119b580fed33a9
8a4d8ba8bcf91642892e946437a3471848b6dad25d80f7a6f6d4f4cf05b24b00
9d6ce349ae7a92237eafbbd66687e784e78f50c5cc92a22afe09a2971f9724d6
a9bc9070ba0b1f3cc6ca78e24ea830524cc5a9821c857f2ebc98bc74fabe7b4e
ae5233f7947ccc7339a4d3beee2ab2d82d82ee445df4010b87a9e30585f0a73d
bc873e9989a8343cd09b3b15c76a9c863c10489023c1340ac00db4df23ed50e1
bfafe7f6c07945cb86bb8f0c340745a723c54cbe7eb841e7a2261f46e65e28cc
*See JSON for more IOCs
Coverage Product Protection Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
N/A
WSA
N/A
Screenshots of Detection Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK Win.Dropper.Lokibot-9951022-1 Indicators of Compromise IOCs collected from dynamic analysis of 22 samples Mutexes Occurrences 3749282D282E1E80C56CAE5A
16
3BA87BBD1CC40F3583D46680
7
Global\2acec4a1-e064-11ec-b5f8-00501e3ae7b6
2
Global\2a3af0e1-e064-11ec-b5f8-00501e3ae7b6
1
Global\2ac2ddc1-e064-11ec-b5f8-00501e3ae7b6
1
Global\2a33ccc1-e064-11ec-b5f8-00501e3ae7b6
1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 185[.]6[.]242[.]251
7
20[.]189[.]173[.]20
4
52[.]168[.]117[.]173
1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences wpad[.]example[.]org
15
computer[.]example[.]org
14
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com
7
clientconfig[.]passport[.]net
5
lidgeys[.]ru
5
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com
4
onedsblobprdwus15[.]westus[.]cloudapp[.]azure[.]com
4
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com
3
dunysaki[.]ru
3
joanread[.]ru
3
windowsupdatebg[.]s[.]llnwi[.]net
2
papgon10[.]ru
2
onedsblobprdeus16[.]eastus[.]cloudapp[.]azure[.]com
1
kkeyvenus[.]ru
1
finelets[.]ru
1
topreadz[.]ru
1
Files and or directories created Occurrences %APPDATA%\D282E1
16
%APPDATA%\D282E1\1E80C5.lck
16
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5
16
%APPDATA%\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\<original file name>.exe
15
\Users\user\AppData\Roaming\7C7955\5D4644.lck
9
\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1160359183-2529320614-3255788068-500\a18ca4003deb042bbee7a40f15e1970b_24e2b309-1719-4436-b195-573e7cb0f5b1
9
%APPDATA%\D1CC40\0F3583.hdb
7
%APPDATA%\D1CC40\0F3583.lck
7
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-1258710499-2222286471-4214075941-500\a18ca4003deb042bbee7a40f15e1970b_8f793a96-da80-4751-83f9-b23d8b735fb1
7
%APPDATA%\D1CC40\0F3583.exe (copy)
6
%HOMEPATH%\Start Menu\Programs\Startup\runme.exe
6
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\e9bcad9e3ac008d92f850aba4e1a3766.exe
1
%HOMEPATH%\Start Menu\Programs\Startup\310159487.exe
1
\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\518892792.exe
1
\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\518892788.exe
1
\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\518892792.exe:Zone.Identifier
1
\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\518892788.exe:Zone.Identifier
1
\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\518892796.exe
1
\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\518892796.exe:Zone.Identifier
1
\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\518892798.exe
1
\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\518892798.exe:Zone.Identifier
1
\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\518892808.exe
1
\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\518892808.exe:Zone.Identifier
1
\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\518892828.exe
1
\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\518892828.exe:Zone.Identifier
1
*See JSON for more IOCs
File Hashes 09ea5b984463b26a7add02ad67824c07941bbc239bc2f0e71e5c142a34c18807
137faab254c696beb4df6ae048df1aa357f99c8b971165976f5e6607860208c7
145b991f227a3acea6c5477c254d60777509a6dcde022ca64a00af8cd02fa94f
18789ef5ed7b260c3690efc855172a471f2a131f2e02b51a5d4b9e602028e792
1c239c93412dde6819df95cec672c700b90ebcaed3d25d9488013fdb6f356fa4
205d242fd827be9f0166d7ead7848415c20b444efdd9215c8b06d76eafe9a42e
21a7eaf27631ab8812694f9d5ff503c67209e2ce3647e94390d3ac5645294fd8
3abf86fa62e846b483801d7a1d0ab4e87d52aba252e51b7abc3da0637a7eac86
424609c7866fdabf02755893989974e265f748978151d4c44b8e1925466441bf
5da51e8697445e0bbccd8d0352b0b14d8119a600210a04d35031e02b673baade
6dbdda86125dbb2bfda34eb9d7d3bf1b870f3b3dd9892f66540e88842c6338cb
6de68b1f1d7a5bdbf2d4fa20cb951bccfcb42d48cabc6b4892392319241a465d
74a860b98c643e4472e85899e51ff0f7fe61eee086348028f9cc084b6980b7f9
74d5bea6ee23c98a3eeeaa5355614b60c737c0b48f90a1511110c8634edfc047
92bba937071cf7de59ab3a55f5eddcdcaec0bebebebcf98695c26772eb40b590
93ccee7943d0a8765a9a3c6404781a287eb871b7ea1cea87fd567ae6980be070
b87d1649548cad5a6374f3c7eb9baa1f222ac875ddf14bebc435436aa8ff4cf5
bb50fbdf8e758f6101641a08096354c729e7d8939841af2645f1148d6020bac0
e37da90176eb325abf9ae936087c6978a2da144ceed8032a7cd899f4055ce47f
ed7d5047b5e87c6885aadf452b40c0e22cd13e5428a2cfa18c90089e680d4173
f220311b5486b038905be7785c28a9a908a0d085e4ae71efe81ffc54e47bb32e
ff401215413c59bc54a00e6f8981f70a2a34ffdbe25a652690f6002b4c0fd9bc
Coverage Product Protection Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
WSA
Screenshots of Detection Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK Win.Dropper.Dridex-9951129-0 Indicators of Compromise IOCs collected from dynamic analysis of 21 samples Registry Keys Occurrences <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{690D1BD7-EA98-1004-3AC9-E87553700E95}
21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{690D1BD7-EA98-1004-3AC9-E87553700E95}\SHELLFOLDER
21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{63FC4996-AFD5-E391-06A7-EFB6E2702561}
21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{63FC4996-AFD5-E391-06A7-EFB6E2702561}\SHELLFOLDER
21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10CDDA71-B745-777B-1AF7-51696DB9BB93}
21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10CDDA71-B745-777B-1AF7-51696DB9BB93}\SHELLFOLDER
21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{CFD6D5E6-02FB-7433-9261-E8E1B87CAC69}
21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{CFD6D5E6-02FB-7433-9261-E8E1B87CAC69}\SHELLFOLDER
21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{8BAB5812-9D02-8F14-74B1-BEDE393F8C1F}
21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{8BAB5812-9D02-8F14-74B1-BEDE393F8C1F}\SHELLFOLDER
21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10DF83AD-199B-9C18-3FEF-E4ECD6A42F66}
21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{10DF83AD-199B-9C18-3FEF-E4ECD6A42F66}\SHELLFOLDER
21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{1AD90FE5-CE2F-E8B8-CF09-E0B1912E9542}
21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{1AD90FE5-CE2F-E8B8-CF09-E0B1912E9542}\SHELLFOLDER
21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{05ED06D6-F422-71CC-26B3-C9964D56F645}
21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{05ED06D6-F422-71CC-26B3-C9964D56F645}\SHELLFOLDER
21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{98B09642-2764-54AE-3333-D8C6CA536428}
21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{98B09642-2764-54AE-3333-D8C6CA536428}\SHELLFOLDER
21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{63D99860-AA40-CA79-F681-9DECBEF55447}
21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{63D99860-AA40-CA79-F681-9DECBEF55447}\SHELLFOLDER
21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{D4B277A3-C25E-BCDE-A054-D41AAC36394B}
21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{D4B277A3-C25E-BCDE-A054-D41AAC36394B}\SHELLFOLDER
21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{FE9DE6BC-A4CF-8285-E73C-DFE7A08197FE}
21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{FE9DE6BC-A4CF-8285-E73C-DFE7A08197FE}\SHELLFOLDER
21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID\{B11CF2E2-C0C2-7860-F12E-428101DCB963}
21
Mutexes Occurrences {ac5b642b-c225-7367-a847-11bdf3a5e67c}
21
{24d07012-9955-711c-e323-1079ebcbe1f4}
21
{a2c9c140-d256-a4d5-6465-f62a6660f79e}
21
{a8af557b-6de9-c774-28f4-5c293f1b1769}
21
{b570fe85-587a-a133-ffc9-73821a57c0c1}
21
{<random GUID>}
5
Domain Names contacted by malware. Does not indicate maliciousness Occurrences computer[.]example[.]org
21
wpad[.]example[.]org
21
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com
12
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com
6
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com
3
Files and or directories created Occurrences %APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5
21
%System32%\Tasks\Ryddmbivo
21
%APPDATA%\Microsoft\Document Building Blocks\fuZP4
1
%APPDATA%\Adobe\Acrobat\9.0\JavaScripts\je70TvwCCP
1
%APPDATA%\Microsoft\Outlook\OND
1
%APPDATA%\Microsoft\Windows\Templates\w1KDXJGwsH
1
%APPDATA%\Microsoft\Access\GbpgKJG
1
%APPDATA%\Microsoft\Templates\LiveContent\Managed\Document Themes\Ho0UjJdx
1
%APPDATA%\Microsoft\Office\ibjy
1
%APPDATA%\Microsoft\Templates\LiveContent\Managed\Document Themes\tp0XaAdg
1
%APPDATA%\Microsoft\Windows\Recent\CustomDestinations\Z3apT9BqiI
1
%APPDATA%\Microsoft\SystemCertificates\My\CTLs\vvgivIKnG
1
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\KL
1
%APPDATA%\Microsoft\Templates\LiveContent\Managed\Word Document Building Blocks\PStcp
1
%APPDATA%\Macromedia\Flash Player\#SharedObjects\kYo
1
%APPDATA%\Macromedia\Flash Player\oZb
1
%APPDATA%\Microsoft\AddIns\hsl
1
%APPDATA%\Adobe\Acrobat\4uI
1
%APPDATA%\Microsoft\Office\zNM
1
%APPDATA%\Microsoft\Credentials\tcv
1
%APPDATA%\Media Center Programs\Eokg
1
%APPDATA%\Microsoft\Internet Explorer\dEZwfLqKSa4
1
%APPDATA%\Identities\yV3hWM
1
File Hashes 0b48278ff7a8ddb1294db87b6012a292ab7b56ff42ed37d6456e879f4aedce05
1c8912deebb6a9b8f083f1f52d7aef831d0a9b5e8f5c1f7996252b30c638772d
2c525f8506900d650c0afb99e98c4761a78eaf059698a1a94f7b597edc4c10cf
35851fc0b01a976fa6f133a8e8646f8414deca9800906538eb3ca06e35b69727
3f9fbb09401cf4d1b336e6474c998ca05c9bd5f9593048a91efb9b7dca5d185b
46b8c52581aef3a919238de483810142f02e25a09e655282674ee4efb16c3687
47c97178aba658ed6b9ed796e10cec832545ce3f8f58b47db79029bf0a1cf0fd
4fb7f7c01c1e7db94a72dbbc5c73456332187364ea289b36f24436b67ee05410
6ca85bb4acd17833dd44c64c98463fef474b513c3a262a8a8d0a1e66e088e6da
7f29f5afe87b2f4aef7ba228d88d9f9e12c249710474d1703e1d4688c8a9bec9
84203f6000f9888a61221c51e8b9443b9fc4acd05b8c95305d8e4907d4e52e82
84fdd91182e470a3d49388cebf51a5e7ea88a7bd69e684e0e897285878b0d761
8ebd98981f96b82af89d9c26cc0ffc3406f74f2b1cbe2a8f7d0aaa1701918e3b
a4dd3d62927b557f1076711b8675f094458b33d4c95178df2d6465abb0b48cac
ae265ec250881fdd46908355506bb1ba775cfebf619869b7409d49c1e03e96e4
af2c1487508f61ea4eba94322c7e164d0befc80d5858d157ed8621e7620d6271
c2af14dd3cfa398630d3107841bec33b511330a6a5a0439e5fe4cd16ad202da6
cfeedf481b6f95c8af9007d8eec015444c6245725856876f6dc972f1dc56ae92
d8cb4ee5018b9845ebf4de71f318d7f415ad4369ffac89ce306f48cf6a0665b3
df1bb863633dcbe6ce9cd7ce99b3c0267896a44c3b31921767ad4b4525f13cdd
fb66b9a97ed668bcc58f0540be9881109f142b867947d7f2e3213d9775967d2e
Coverage Product Protection Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
N/A
WSA
N/A
Screenshots of Detection Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK Win.Virus.Xpiro-9951191-1 Indicators of Compromise IOCs collected from dynamic analysis of 15 samples Registry Keys Occurrences <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start
15
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: HideSCAHealth
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV
Value Name: Start
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32
Value Name: Type
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64
Value Name: Type
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32
Value Name: Type
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32
Value Name: Start
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MOZILLAMAINTENANCE
Value Name: Type
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MOZILLAMAINTENANCE
Value Name: Start
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\OSE
Value Name: Type
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\OSE
Value Name: Start
15
<HKLM>\SOFTWARE\MICROSOFT\SECURITY CENTER\SVC\S-1-5-21-2580483871-590521980-3826313501-500
15
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SYSTEM
Value Name: EnableSmartScreen
15
<HKLM>\SOFTWARE\MICROSOFT\SECURITY CENTER\SVC\S-1-5-21-2580483871-590521980-3826313501-500
Value Name: EnableNotifications
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32
Value Name: Start
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ALG
Value Name: Start
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MICROSOFT SHAREPOINT WORKSPACE AUDIT SERVICE
Value Name: Start
15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELL FOLDERS
Value Name: Startup
15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\USER SHELL FOLDERS
Value Name: Startup
15
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64
Value Name: Start
15
<HKLM>\SOFTWARE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\STATE
Value Name: AccumulatedWaitIdleTime
15
<HKLM>\SOFTWARE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\LISTENEDSTATE
Value Name: RootstoreDirty
15
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\STATE
Value Name: AccumulatedWaitIdleTime
15
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\.NETFRAMEWORK\V2.0.50727\NGENSERVICE\LISTENEDSTATE
Value Name: RootstoreDirty
15
Mutexes Occurrences Global\mlbjlegc
15
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 64[.]70[.]19[.]203
3
35[.]205[.]61[.]67
3
69[.]16[.]231[.]59
3
Domain Names contacted by malware. Does not indicate maliciousness Occurrences computer[.]example[.]org
15
wpad[.]example[.]org
15
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com
9
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com
6
xezlifewvupazah[.]ws
3
amonuwezed-picriv[.]ws
3
r8decub-ydyg[.]ru
3
juwlewrifithal[.]in
3
r8gefa-bugin[.]com
3
ytocmoxjedkiciten[.]biz
2
upojawnixly-muro[.]cc
2
cakydofytipi[.]biz
2
aremumhumydoc[.]in
2
r8kegy-bikav[.]com
2
r8myjo-boneb[.]com
2
r8pykyb-aquh[.]ru
2
aninamilixif[.]ws
1
cemalykda-miw[.]biz
1
ujylyvpi-ziboj[.]in
1
cekhupovoxijyr[.]com
1
r8symi-betop[.]com
1
ynurefhynxavdu[.]net
1
ybatihowvusxuwlu[.]ws
1
libhitzumiwahod[.]com
1
otoqovacutebo[.]ws
1
*See JSON for more IOCs
Files and or directories created Occurrences %CommonProgramFiles(x86)%\microsoft shared\Source Engine\OSE.EXE
15
%ProgramFiles(x86)%\Microsoft Office\Office14\GROOVE.EXE
15
%ProgramFiles(x86)%\Mozilla Maintenance Service\maintenanceservice.exe
15
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
15
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
15
%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
15
%System32%\alg.exe
15
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
15
%SystemRoot%\SysWOW64\svchost.exe
15
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock
15
%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat
15
%LOCALAPPDATA%\rqboqelc
15
%LOCALAPPDATA%\rqboqelc\cmd.exe
15
%System32%\<random, matching '[a-z]{8}'>.tmp
15
%SystemRoot%\microsoft.net\framework\v2.0.50727\<random, matching '[a-z]{8}'>.tmp
15
%SystemRoot%\microsoft.net\framework64\v2.0.50727\<random, matching '[a-z]{8}'>.tmp
15
%SystemRoot%\microsoft.net\framework\v4.0.30319\<random, matching '[a-z]{8}'>.tmp
15
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
13
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
13
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock
13
%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat
13
%SystemRoot%\microsoft.net\framework64\v4.0.30319\<random, matching '[a-z]{8}'>.tmp
13
%SystemRoot%\Microsoft.NET\ngenservice_pri1_lock.dat
7
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log
6
%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat
6
*See JSON for more IOCs
File Hashes 08192d725e7bd147063a0c7135e0b6f05cd98a951b1566ca0a9dfe15add6e885
100442c45e98fc7dc4ed219220b686b91c768e201a034cf68a70bb97bf86919b
1660136631e8abdfadee79379a06b0720dd9406785ce790fe16e9d61a64de490
1e3d7338b17bd0bd74889181b26b5217b0ec2e5dec3bfafe1fc9856425f6932e
3e6e28303a08a0bf5816bffdcd67efffc97d99dee17dc76ed428e1064c2a0d08
5bf7645e7d1285b2a31b3a407671b8900633dd508fff1ec245f6c9d641a92729
5d27b7f281b030e61928622f354492e9f4371bc0b6927f9c5cdd13dcc1492a11
5dc7add9b95734aaa42a145808b33788c5c2d5fdcf5d9ee17f14c94e61e4717a
6be768dbf71c9296d49b33b49b8ee06a64f99f7df066fea73df276d9fb223869
7374ed5366c8ebcf453f7462c2d7e465ad027b439dbfeb1fa8b19dd67988e48d
74071fb7e226d6da8bf89ccdd30b09360dbc3b07895266a0aaf681907ae4aabb
921e3a9001d2d238ac63abde0087e87a683df6fa37368bb6b3c66167aaf53e9e
9da1250112f5c782a21b2974780ed44dfd82bdb71eb4e588a9faab7e5a30a40a
d50589a7a29bdd8448c0fc9a18106ce84550bb568b8179158918ed862833c3f8
db4f220570c51012b0c86069b7d7dda7d7ca7e52ae5583efdbe52d3bff7b0119
Coverage Product Protection Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
N/A
WSA
N/A
Screenshots of Detection Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK Win.Packed.Ursnif-9951199-0 Indicators of Compromise IOCs collected from dynamic analysis of 25 samples Registry Keys Occurrences <HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}
Value Name: FaviconPath
25
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}
Value Name: Deleted
25
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES
Value Name: DefaultScope
25
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\STARTPAGE
Value Name: StartMenu_Balloon_Time
1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 142[.]251[.]35[.]174
25
142[.]251[.]40[.]164
23
13[.]107[.]21[.]200
13
13[.]107[.]22[.]200
4
172[.]253[.]122[.]105
1
172[.]253[.]122[.]106
1
131[.]253[.]33[.]200
1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences www[.]bing[.]com
25
www[.]google[.]com
25
google[.]com
25
majavontehm[.]com
25
wpad[.]example[.]org
22
bstacyr79ea[.]com
22
scandace79yy[.]com
22
computer[.]example[.]org
21
vmss-prod-seas[.]southeastasia[.]cloudapp[.]azure[.]com
11
vmss-prod-weu[.]westeurope[.]cloudapp[.]azure[.]com
7
vmss-prod-eus[.]eastus[.]cloudapp[.]azure[.]com
3
Files and or directories created Occurrences \Users\user\AppData\Local\Temp\JavaDeployReg.log
22
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml
22
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml
22
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml
22
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml
22
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml
22
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml
22
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml
22
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml
22
\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml
22
\Users\user\AppData\Local\Microsoft\Windows\INetCache\SQM\iesqmdata0.sqm
22
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FNF9BE4O\errorPageStrings[1]
22
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FNF9BE4O\httpErrorPagesScripts[1]
22
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OSZC6DKG\httpErrorPagesScripts[1]
22
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\XN0IX3V7\NewErrorPageTemplate[1]
22
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\XN0IX3V7\errorPageStrings[1]
22
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PCALSGUV\dnserror[1]
22
\Users\user\AppData\Local\Microsoft\Windows\INetCache\SQM\iesqmdata7.sqm
22
\Users\user\AppData\Local\Microsoft\Windows\INetCache\SQM\iesqmdata8.sqm
22
\Users\user\AppData\Local\Microsoft\Windows\INetCache\SQM\iesqmdata9.sqm
22
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PCALSGUV\errorPageStrings[1]
20
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\XN0IX3V7\httpErrorPagesScripts[1]
20
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PCALSGUV\NewErrorPageTemplate[1]
20
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PCALSGUV\NewErrorPageTemplate[2]
20
\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OSZC6DKG\dnserror[1]
20
*See JSON for more IOCs
File Hashes 02026a0800d9250cc1ab7800e5fe1cbe52d314aa343bfc501db631caf244e45b
08312dc7fff85efa7353c7e487192baf668e2f92c7f9ac9ff0c1247ad3090a8b
09491e3d33e2e33cfb98444540303515ef53f9a696c4d3414fa536fca9ada520
0de4389b1f30a43527c774f29678d631142024f8d6ef122f984b552a3c3317fd
2f8a551307ace49fccc081af6bbaf8967096288315ead6943d08e0921f66d839
2fe90d9f1e04c6f69e2a9eb799d819edcfb91d6d02628b40266c58cf87ddfb69
325675f49ae2106619e40bc186ee5c9ff9768b5f906a128ef1d8a4ca29b9d2fb
40ace2f85fad0bfff2053b91f0b0a43311fd96ae36087d66d00674c999c578da
50036f51b9f83d505f9a734965869ae9baf9a35cc4883dc54815a72d2e47b0aa
59c0b810474716b15ae32d0f437136229c549dedd3a3175cf1cf67273227bec2
5da11a64cbcb1c42c573c2a384dc3dba8d7fd0c55ecc5c2149bea70c1ac48625
63a8b12243ce334d510fd3c895f6f823ef69bfb948509b6ff61c29a8a20af7b6
64a06175a39350faa6fd4d66a043c4800827cfc4538c86ecbe4f8cf5ab74939c
8ebade300f795e27af297f9b1b0283ed16e6cf636a144e011fffd6443df5b964
908a4dd5c64e85fcc981c27aaf6d5185aa3c48d8e580fff7ea09017bc6f79e93
9332743a0d5727ddd4ef4331b1adb50af56fd981f31a186eed102b9b0a408ab9
97f9a61ea2208931a4256942fbfc2da6ce296b432e3718b433fd28ab5f731e93
98c43e05b8c023cc7cf034e0e1d4e58ee8865970d5e274e655f16cc4fdd0e9bc
a8a960c81c5a7c89693ea0a5716234154f7c0202a405d732992d6318699d8739
ad240b34d5007bea85c4e68df6c973f5ad9f2ac09837d0db807d22ee62ed0309
ae74f6872fd170050faed34966314d27a7daef9182090590672bef41ad6f7b97
b46ba86c660d468294c8dfab1649e2b4d6f132b332ac8b89a3e8ae65ae525ce1
b5da6bb3a84da8b8c029025448c744f4bb78ba0731cf4c46339f9dab09695488
b94c8ffcd81ae2fd3d9f9c6e5ce6b1c87b39837a2bfa2ba33568e44609ba3f26
caa6aa3ebf655fb0ef444780e0a8a36812cfef09f1bf2185052a6404157a913f
*See JSON for more IOCs
Coverage Product Protection Secure Endpoint
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Secure Malware Analytics
Umbrella
WSA
Screenshots of Detection Secure Endpoint
Secure Malware Analytics
MITRE ATT&CK