55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4

General

Target

55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Size

3.3MB
MD5

09040c6541c7ee566a9d6293af4e2f7f
SHA1

72ec1083d0a3e1f912189b631ad9614866904306
SHA256

55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4
SHA512

abfcab61da064e78d0cd598e2d2fe7d2238f48c53cdb0d99df1457bee211505ee5156e4bec38fe342b894d1a29fe42f10a7f43f7a2319ffb7555f8c530c79f89
SSDEEP

49152:DVZ5PUYt3FkqlNJNBjJAIQC/tbFXAq6JE8i6PR2M+yNfcRZp5:DVvtJjNRYE8XfV

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2ecb5bf7-6b1f-4b1f-a102-662c3ac8513d}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2ecb5bf7-6b1f-4b1f-a102-662c3ac8513d}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2ecb5bf7-6b1f-4b1f-a102-662c3ac8513d}\InprocServer32\ = "C:\\Program Files (x86)\\GOSSave\\bLCah71IRamlGV.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2ecb5bf7-6b1f-4b1f-a102-662c3ac8513d}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Loads dropped DLL 3 IoCs

Processes:

55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exeregsvr32.exeregsvr32.exe

pid process

1224 55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
1156 regsvr32.exe
992 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

Processes:

55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe

description	ioc	process
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\hidchojkbbdckncppfmbjbboafdpohnc\2.0\manifest.json	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\hidchojkbbdckncppfmbjbboafdpohnc\2.0\manifest.json	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hidchojkbbdckncppfmbjbboafdpohnc\2.0\manifest.json	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2ecb5bf7-6b1f-4b1f-a102-662c3ac8513d}\ = "GOSSave"	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2ecb5bf7-6b1f-4b1f-a102-662c3ac8513d}\NoExplorer = "1"	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2ecb5bf7-6b1f-4b1f-a102-662c3ac8513d}	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2ecb5bf7-6b1f-4b1f-a102-662c3ac8513d}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2ecb5bf7-6b1f-4b1f-a102-662c3ac8513d}\ = "GOSSave"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2ecb5bf7-6b1f-4b1f-a102-662c3ac8513d}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2ecb5bf7-6b1f-4b1f-a102-662c3ac8513d}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2ecb5bf7-6b1f-4b1f-a102-662c3ac8513d}	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe

Drops file in System32 directory 4 IoCs

Processes:

55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
File opened for modification	C:\Windows\System32\GroupPolicy	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe

Drops file in Program Files directory 8 IoCs

Processes:

55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\GOSSave\bLCah71IRamlGV.dat	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
File created	C:\Program Files (x86)\GOSSave\bLCah71IRamlGV.x64.dll	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
File opened for modification	C:\Program Files (x86)\GOSSave\bLCah71IRamlGV.x64.dll	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
File created	C:\Program Files (x86)\GOSSave\bLCah71IRamlGV.dll	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
File opened for modification	C:\Program Files (x86)\GOSSave\bLCah71IRamlGV.dll	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
File created	C:\Program Files (x86)\GOSSave\bLCah71IRamlGV.tlb	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
File opened for modification	C:\Program Files (x86)\GOSSave\bLCah71IRamlGV.tlb	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
File created	C:\Program Files (x86)\GOSSave\bLCah71IRamlGV.dat	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.exe55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{2ecb5bf7-6b1f-4b1f-a102-662c3ac8513d}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{2ecb5bf7-6b1f-4b1f-a102-662c3ac8513d}	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{2ECB5BF7-6B1F-4B1F-A102-662C3AC8513D}	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{2ECB5BF7-6B1F-4B1F-A102-662C3AC8513D}	regsvr32.exe

Modifies registry class 64 IoCs

Processes:

55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\GOSSave"	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2ECB5BF7-6B1F-4B1F-A102-662C3AC8513D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2ecb5bf7-6b1f-4b1f-a102-662c3ac8513d}\InprocServer32\ThreadingModel = "Apartment"	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2ecb5bf7-6b1f-4b1f-a102-662c3ac8513d}\InprocServer32	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2ecb5bf7-6b1f-4b1f-a102-662c3ac8513d}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2ecb5bf7-6b1f-4b1f-a102-662c3ac8513d}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2ecb5bf7-6b1f-4b1f-a102-662c3ac8513d}\ = "GOSSave"	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{2ecb5bf7-6b1f-4b1f-a102-662c3ac8513d}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2ecb5bf7-6b1f-4b1f-a102-662c3ac8513d}\InprocServer32\ = "C:\\Program Files (x86)\\GOSSave\\bLCah71IRamlGV.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2ecb5bf7-6b1f-4b1f-a102-662c3ac8513d}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2ecb5bf7-6b1f-4b1f-a102-662c3ac8513d}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2ecb5bf7-6b1f-4b1f-a102-662c3ac8513d}\ProgID\ = ".9"	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2ecb5bf7-6b1f-4b1f-a102-662c3ac8513d}\VersionIndependentProgID	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2ecb5bf7-6b1f-4b1f-a102-662c3ac8513d}\InprocServer32	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2ecb5bf7-6b1f-4b1f-a102-662c3ac8513d}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2ecb5bf7-6b1f-4b1f-a102-662c3ac8513d}\InprocServer32\ = "C:\\Program Files (x86)\\GOSSave\\bLCah71IRamlGV.dll"	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2ecb5bf7-6b1f-4b1f-a102-662c3ac8513d}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2ecb5bf7-6b1f-4b1f-a102-662c3ac8513d}\ProgID	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "GOSSave"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID\ = "{2ecb5bf7-6b1f-4b1f-a102-662c3ac8513d}"	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2ecb5bf7-6b1f-4b1f-a102-662c3ac8513d}\Programmable	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe

pid	process
1224	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
1224	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exeregsvr32.exe

description	pid	process	target process
PID 1224 wrote to memory of 1156	1224	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe	regsvr32.exe
PID 1224 wrote to memory of 1156	1224	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe	regsvr32.exe
PID 1224 wrote to memory of 1156	1224	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe	regsvr32.exe
PID 1224 wrote to memory of 1156	1224	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe	regsvr32.exe
PID 1224 wrote to memory of 1156	1224	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe	regsvr32.exe
PID 1224 wrote to memory of 1156	1224	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe	regsvr32.exe
PID 1224 wrote to memory of 1156	1224	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe	regsvr32.exe
PID 1156 wrote to memory of 992	1156	regsvr32.exe	regsvr32.exe
PID 1156 wrote to memory of 992	1156	regsvr32.exe	regsvr32.exe
PID 1156 wrote to memory of 992	1156	regsvr32.exe	regsvr32.exe
PID 1156 wrote to memory of 992	1156	regsvr32.exe	regsvr32.exe
PID 1156 wrote to memory of 992	1156	regsvr32.exe	regsvr32.exe
PID 1156 wrote to memory of 992	1156	regsvr32.exe	regsvr32.exe
PID 1156 wrote to memory of 992	1156	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{2ecb5bf7-6b1f-4b1f-a102-662c3ac8513d} = "1"	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe

C:\Users\Admin\AppData\Local\Temp\55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe
"C:\Users\Admin\AppData\Local\Temp\55c2d52e2aeb924d64a44590c1721e7e9246155da3a025bab577123042eba3e4.exe"
1⤵
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1224

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\GOSSave\bLCah71IRamlGV.x64.dll"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\GOSSave\bLCah71IRamlGV.x64.dll"
3⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GOSSave\bLCah71IRamlGV.dat

Filesize
5KB

MD5
7c6259f21f388ed9381045fa0f74ca8c

SHA1
a25c2eebb5060df4075bda0f79d0d4dad9b78153

SHA256
c0f536b416f411da3cfc4ffba203121030bd548c1ee271d20a4ba10e486bd487

SHA512
97a5ec551c70c25d74cbf37d3ad9616f703809c783711882bebfe984db10f22f84648d9843f5dd585fa3a970a3308b0446c84589e679035b49a740d8bdb1bca0

Download Submit
C:\Program Files (x86)\GOSSave\bLCah71IRamlGV.tlb

Filesize
3KB

MD5
52866228bb7539656bd8281c08fb2261

SHA1
4c1b05dce1486823ae3cfeb3da9c4160a2cd87da

SHA256
39cc8a6f65f31290fc5178640328a256432a6c5e85476394f7258e30a2422570

SHA512
0eb408b1aa33c9ae50e75c72ffad12f88251dc1420ea3eb13b581e127f5ebaa5e350b4f65d67040f23923d4ce66ddadf594188bf05ae96d41ffbd59ff3e27715

Download Submit
C:\Program Files (x86)\GOSSave\bLCah71IRamlGV.x64.dll

Filesize
693KB

MD5
c9dddde71dbaa1cef628bb002eed6b70

SHA1
6f51e6d4640545a95b7830db997d9ed52a34c09f

SHA256
86c41c24b11fbd48135b5de608b93ff79ab370b674f50777453ef9ea550d6159

SHA512
15c5ace4a80c2f58b51a29977ec1ff62a5a988a4b24f5d75a4dee9bc15c9cd8abd39e7df120fc5f3cc86c9e8e97a855ae883385b8e483da46edb56d3fcff7720

Download Submit
\Program Files (x86)\GOSSave\bLCah71IRamlGV.dll

Filesize
613KB

MD5
748d9cd3bdc752d12f45cf798eac8de5

SHA1
fd30cc69cb173920c1162a367459ee3756060b10

SHA256
fb5985728d426dd6004f2e7ee843bffa843ca9dadd72e270e120f1224d9590b6

SHA512
4b2f6cba07887294c9adf53d651127f23bad949ab3162933877b96dcd9c01160f5457c617f9d487f13b284eae6a4726bd808e02c779cd8d3b0149950c9e955ed

Download Submit
\Program Files (x86)\GOSSave\bLCah71IRamlGV.x64.dll

Filesize
693KB

MD5
c9dddde71dbaa1cef628bb002eed6b70

SHA1
6f51e6d4640545a95b7830db997d9ed52a34c09f

SHA256
86c41c24b11fbd48135b5de608b93ff79ab370b674f50777453ef9ea550d6159

SHA512
15c5ace4a80c2f58b51a29977ec1ff62a5a988a4b24f5d75a4dee9bc15c9cd8abd39e7df120fc5f3cc86c9e8e97a855ae883385b8e483da46edb56d3fcff7720

Download Submit
\Program Files (x86)\GOSSave\bLCah71IRamlGV.x64.dll

Filesize
693KB

MD5
c9dddde71dbaa1cef628bb002eed6b70

SHA1
6f51e6d4640545a95b7830db997d9ed52a34c09f

SHA256
86c41c24b11fbd48135b5de608b93ff79ab370b674f50777453ef9ea550d6159

SHA512
15c5ace4a80c2f58b51a29977ec1ff62a5a988a4b24f5d75a4dee9bc15c9cd8abd39e7df120fc5f3cc86c9e8e97a855ae883385b8e483da46edb56d3fcff7720

Download Submit
memory/992-84-0x000007FEFC2E1000-0x000007FEFC2E3000-memory.dmp

Filesize
8KB

Download
memory/992-83-0x0000000000000000-mapping.dmp

Download
memory/1156-79-0x0000000000000000-mapping.dmp

Download
memory/1224-65-0x00000000003E2000-0x00000000003E6000-memory.dmp

Filesize
16KB

Download
memory/1224-76-0x00000000003E2000-0x00000000003E6000-memory.dmp

Filesize
16KB

Download
memory/1224-69-0x00000000003E2000-0x00000000003E6000-memory.dmp

Filesize
16KB

Download
memory/1224-70-0x00000000003E2000-0x00000000003E6000-memory.dmp

Filesize
16KB

Download
memory/1224-71-0x00000000003E2000-0x00000000003E6000-memory.dmp

Filesize
16KB

Download
memory/1224-72-0x00000000003E2000-0x00000000003E6000-memory.dmp

Filesize
16KB

Download
memory/1224-73-0x00000000003E2000-0x00000000003E6000-memory.dmp

Filesize
16KB

Download
memory/1224-74-0x00000000003E2000-0x00000000003E6000-memory.dmp

Filesize
16KB

Download
memory/1224-75-0x00000000003E2000-0x00000000003E6000-memory.dmp

Filesize
16KB

Download
memory/1224-68-0x00000000003E2000-0x00000000003E6000-memory.dmp

Filesize
16KB

Download
memory/1224-77-0x00000000003E6000-0x00000000003E9000-memory.dmp

Filesize
12KB

Download
memory/1224-67-0x00000000003E2000-0x00000000003E6000-memory.dmp

Filesize
16KB

Download
memory/1224-66-0x00000000003E2000-0x00000000003E6000-memory.dmp

Filesize
16KB

Download
memory/1224-54-0x0000000075C41000-0x0000000075C43000-memory.dmp

Filesize
8KB

Download
memory/1224-64-0x00000000003E2000-0x00000000003E6000-memory.dmp

Filesize
16KB

Download
memory/1224-63-0x00000000003E2000-0x00000000003E6000-memory.dmp

Filesize
16KB

Download
memory/1224-62-0x00000000003E2000-0x00000000003E6000-memory.dmp

Filesize
16KB

Download
memory/1224-61-0x00000000003E2000-0x00000000003E6000-memory.dmp

Filesize
16KB

Download
memory/1224-60-0x00000000003E2000-0x00000000003E6000-memory.dmp

Filesize
16KB

Download
memory/1224-55-0x0000000000CA0000-0x0000000000D46000-memory.dmp

Filesize
664KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads