ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b

General

Target

ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Size

3.0MB
MD5

c08127490354a53d7a9011c71f6ddcdb
SHA1

a06266b3044d56c27ad834e7bf599199ec9c05e6
SHA256

ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b
SHA512

df52e43913606b0e6040814b89e6b390df40037ab2eb172ea03e67659358e2810671d427e81aede89428831eeae77a9c01504141724d5eb3c8aeb1483e5b4411
SSDEEP

49152:HVulgOaEUiwghIrWFZfToxu2FwfmqW8ntcJd1s65QwJv5NfsQ:1GUiwWiWXb7278ntcn13b

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66ee28a0-8b17-457e-b604-26871d8897c3}\InprocServer32\ = "C:\\Program Files (x86)\\GooSavee\\LpaWyNb67KIVwX.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66ee28a0-8b17-457e-b604-26871d8897c3}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66ee28a0-8b17-457e-b604-26871d8897c3}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66ee28a0-8b17-457e-b604-26871d8897c3}\InprocServer32	regsvr32.exe

Loads dropped DLL 3 IoCs

Processes:

ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exeregsvr32.exeregsvr32.exe

pid process

1880 ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
1820 regsvr32.exe
524 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

Processes:

ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\lhbghenmknpkdcpniipgnoecaomhipjl\2.0\manifest.json	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\lhbghenmknpkdcpniipgnoecaomhipjl\2.0\manifest.json	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\lhbghenmknpkdcpniipgnoecaomhipjl\2.0\manifest.json	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exeregsvr32.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{66ee28a0-8b17-457e-b604-26871d8897c3}	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{66ee28a0-8b17-457e-b604-26871d8897c3}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{66ee28a0-8b17-457e-b604-26871d8897c3}\ = "GooSavee"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{66ee28a0-8b17-457e-b604-26871d8897c3}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{66ee28a0-8b17-457e-b604-26871d8897c3}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{66ee28a0-8b17-457e-b604-26871d8897c3}	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{66ee28a0-8b17-457e-b604-26871d8897c3}\ = "GooSavee"	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{66ee28a0-8b17-457e-b604-26871d8897c3}\NoExplorer = "1"	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe

Drops file in System32 directory 4 IoCs

Processes:

ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
File opened for modification	C:\Windows\System32\GroupPolicy	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe

Drops file in Program Files directory 8 IoCs

Processes:

ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\GooSavee\LpaWyNb67KIVwX.tlb	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
File created	C:\Program Files (x86)\GooSavee\LpaWyNb67KIVwX.dat	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
File opened for modification	C:\Program Files (x86)\GooSavee\LpaWyNb67KIVwX.dat	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
File created	C:\Program Files (x86)\GooSavee\LpaWyNb67KIVwX.x64.dll	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
File opened for modification	C:\Program Files (x86)\GooSavee\LpaWyNb67KIVwX.x64.dll	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
File created	C:\Program Files (x86)\GooSavee\LpaWyNb67KIVwX.dll	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
File opened for modification	C:\Program Files (x86)\GooSavee\LpaWyNb67KIVwX.dll	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
File created	C:\Program Files (x86)\GooSavee\LpaWyNb67KIVwX.tlb	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.exece2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{66ee28a0-8b17-457e-b604-26871d8897c3}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{66ee28a0-8b17-457e-b604-26871d8897c3}	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{66EE28A0-8B17-457E-B604-26871D8897C3}	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{66EE28A0-8B17-457E-B604-26871D8897C3}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe

Modifies registry class 64 IoCs

Processes:

ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66ee28a0-8b17-457e-b604-26871d8897c3}\InprocServer32\ = "C:\\Program Files (x86)\\GooSavee\\LpaWyNb67KIVwX.dll"	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66ee28a0-8b17-457e-b604-26871d8897c3}\ProgID	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66ee28a0-8b17-457e-b604-26871d8897c3}\ = "GooSavee"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66ee28a0-8b17-457e-b604-26871d8897c3}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66EE28A0-8B17-457E-B604-26871D8897C3}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66ee28a0-8b17-457e-b604-26871d8897c3}\InprocServer32	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{66ee28a0-8b17-457e-b604-26871d8897c3}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66ee28a0-8b17-457e-b604-26871d8897c3}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66ee28a0-8b17-457e-b604-26871d8897c3}\InprocServer32	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66EE28A0-8B17-457E-B604-26871D8897C3}\Implemented Categories	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66ee28a0-8b17-457e-b604-26871d8897c3}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66ee28a0-8b17-457e-b604-26871d8897c3}\Programmable	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66ee28a0-8b17-457e-b604-26871d8897c3}	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66ee28a0-8b17-457e-b604-26871d8897c3}\ProgID\ = ".9"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66ee28a0-8b17-457e-b604-26871d8897c3}\VersionIndependentProgID\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\..9	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66EE28A0-8B17-457E-B604-26871D8897C3}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66ee28a0-8b17-457e-b604-26871d8897c3}\InprocServer32\ThreadingModel = "Apartment"	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66ee28a0-8b17-457e-b604-26871d8897c3}\Programmable	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID\ = "{66ee28a0-8b17-457e-b604-26871d8897c3}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\ = "GooSavee"	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66ee28a0-8b17-457e-b604-26871d8897c3}\VersionIndependentProgID\	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66ee28a0-8b17-457e-b604-26871d8897c3}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66ee28a0-8b17-457e-b604-26871d8897c3}\ProgID\ = ".9"	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66ee28a0-8b17-457e-b604-26871d8897c3}	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66EE28A0-8B17-457E-B604-26871D8897C3}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\GooSavee\\LpaWyNb67KIVwX.tlb"	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66ee28a0-8b17-457e-b604-26871d8897c3}\Programmable	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66ee28a0-8b17-457e-b604-26871d8897c3}\VersionIndependentProgID	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe

pid	process
1880	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
1880	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exeregsvr32.exe

description	pid	process	target process
PID 1880 wrote to memory of 1820	1880	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe	regsvr32.exe
PID 1880 wrote to memory of 1820	1880	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe	regsvr32.exe
PID 1880 wrote to memory of 1820	1880	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe	regsvr32.exe
PID 1880 wrote to memory of 1820	1880	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe	regsvr32.exe
PID 1880 wrote to memory of 1820	1880	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe	regsvr32.exe
PID 1880 wrote to memory of 1820	1880	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe	regsvr32.exe
PID 1880 wrote to memory of 1820	1880	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe	regsvr32.exe
PID 1820 wrote to memory of 524	1820	regsvr32.exe	regsvr32.exe
PID 1820 wrote to memory of 524	1820	regsvr32.exe	regsvr32.exe
PID 1820 wrote to memory of 524	1820	regsvr32.exe	regsvr32.exe
PID 1820 wrote to memory of 524	1820	regsvr32.exe	regsvr32.exe
PID 1820 wrote to memory of 524	1820	regsvr32.exe	regsvr32.exe
PID 1820 wrote to memory of 524	1820	regsvr32.exe	regsvr32.exe
PID 1820 wrote to memory of 524	1820	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{66ee28a0-8b17-457e-b604-26871d8897c3} = "1"	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe

C:\Users\Admin\AppData\Local\Temp\ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe
"C:\Users\Admin\AppData\Local\Temp\ce2edab323345c50f3cbfa91dcad2f22a7134cda799e694c074e63aec59a839b.exe"
1⤵
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1880

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\GooSavee\LpaWyNb67KIVwX.x64.dll"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\GooSavee\LpaWyNb67KIVwX.x64.dll"
3⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GooSavee\LpaWyNb67KIVwX.dat

Filesize
4KB

MD5
a15bfbaaf696bc021bf480810932666d

SHA1
18f81b24f766c5e6596174b78118fe4473cdec94

SHA256
1643894d7613ceac24b19ea8797567de86e1c879434f9f117ad5840c4a6a127d

SHA512
c8c3e891f57087544ace186cad6da1ef4590a05c7522f766937c132ea274c73a11839a8d621997c25c6722fd5ebfdf363735abdf6bb2c6809c4081546275edda

Download Submit
C:\Program Files (x86)\GooSavee\LpaWyNb67KIVwX.tlb

Filesize
3KB

MD5
92756a87f506c53ffa4f08473e79b5ae

SHA1
125c2f2d08520c51f8746ede70f746ef8a6de3cf

SHA256
7e1a9e2e2faea603ec96b5d3a906eb86a495cbe2ca4be8bc6a902e7bf2981877

SHA512
1aaef6b900b931ed65d48b7258558ca3dad7b47c3f269f5b3af78210fbf07f438db132dfe8f5cf3f24d75b9ef5a537fa5c057f43d04c068220d4cfb8d93b192e

Download Submit
C:\Program Files (x86)\GooSavee\LpaWyNb67KIVwX.x64.dll

Filesize
689KB

MD5
343075f940027d076b1a8a928e4ecd7c

SHA1
2c544aa0b1c2872afdaf49e966fc46bf1a0b348f

SHA256
8c2ec31e34cd2bfc4c9a3464abf774d7e13796c29cd615042ae8661b3530e3b0

SHA512
3a0a2076b991582e9c355426673950e06ccb1d9c7efc7be37ada2330b28152661d0535292f6e00f63045639e69d47de200cd2d378194e65b56317921e3fd675f

Download Submit
\Program Files (x86)\GooSavee\LpaWyNb67KIVwX.dll

Filesize
610KB

MD5
44786626cc0757d485d2ae91232f06e7

SHA1
f8416c9f7d1647afa38f3304510f7ad9456af2c0

SHA256
5b0d904dbc30696d9ef9326edb60bb068514bc858a348534c4d91b5435618906

SHA512
f4dd00c5ca0bdf9f3f32d8c2ffcbe57bedf8bfbb1c1454a7af39d4c0bdc6e59de2dc98be304708272e7dd980f46e1b964497e40579f1406999aca49f3c054cdf

Download Submit
\Program Files (x86)\GooSavee\LpaWyNb67KIVwX.x64.dll

Filesize
689KB

MD5
343075f940027d076b1a8a928e4ecd7c

SHA1
2c544aa0b1c2872afdaf49e966fc46bf1a0b348f

SHA256
8c2ec31e34cd2bfc4c9a3464abf774d7e13796c29cd615042ae8661b3530e3b0

SHA512
3a0a2076b991582e9c355426673950e06ccb1d9c7efc7be37ada2330b28152661d0535292f6e00f63045639e69d47de200cd2d378194e65b56317921e3fd675f

Download Submit
\Program Files (x86)\GooSavee\LpaWyNb67KIVwX.x64.dll

Filesize
689KB

MD5
343075f940027d076b1a8a928e4ecd7c

SHA1
2c544aa0b1c2872afdaf49e966fc46bf1a0b348f

SHA256
8c2ec31e34cd2bfc4c9a3464abf774d7e13796c29cd615042ae8661b3530e3b0

SHA512
3a0a2076b991582e9c355426673950e06ccb1d9c7efc7be37ada2330b28152661d0535292f6e00f63045639e69d47de200cd2d378194e65b56317921e3fd675f

Download Submit
memory/524-81-0x000007FEFC481000-0x000007FEFC483000-memory.dmp

Filesize
8KB

Download
memory/524-80-0x0000000000000000-mapping.dmp

Download
memory/1820-76-0x0000000000000000-mapping.dmp

Download
memory/1880-64-0x0000000000632000-0x0000000000636000-memory.dmp

Filesize
16KB

Download
memory/1880-66-0x0000000000632000-0x0000000000636000-memory.dmp

Filesize
16KB

Download
memory/1880-69-0x0000000000632000-0x0000000000636000-memory.dmp

Filesize
16KB

Download
memory/1880-70-0x0000000000636000-0x0000000000639000-memory.dmp

Filesize
12KB

Download
memory/1880-71-0x0000000000636000-0x0000000000639000-memory.dmp

Filesize
12KB

Download
memory/1880-72-0x0000000000636000-0x0000000000639000-memory.dmp

Filesize
12KB

Download
memory/1880-73-0x0000000000636000-0x0000000000639000-memory.dmp

Filesize
12KB

Download
memory/1880-74-0x0000000000636000-0x0000000000639000-memory.dmp

Filesize
12KB

Download
memory/1880-67-0x0000000000632000-0x0000000000636000-memory.dmp

Filesize
16KB

Download
memory/1880-68-0x0000000000632000-0x0000000000636000-memory.dmp

Filesize
16KB

Download
memory/1880-65-0x0000000000632000-0x0000000000636000-memory.dmp

Filesize
16KB

Download
memory/1880-54-0x0000000076DC1000-0x0000000076DC3000-memory.dmp

Filesize
8KB

Download
memory/1880-63-0x0000000000632000-0x0000000000636000-memory.dmp

Filesize
16KB

Download
memory/1880-62-0x0000000000632000-0x0000000000636000-memory.dmp

Filesize
16KB

Download
memory/1880-61-0x0000000000632000-0x0000000000636000-memory.dmp

Filesize
16KB

Download
memory/1880-60-0x0000000000632000-0x0000000000636000-memory.dmp

Filesize
16KB

Download
memory/1880-55-0x00000000008A0000-0x0000000000941000-memory.dmp

Filesize
644KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads