9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117

General

Target

9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Size

4.6MB
MD5

6be2684284b3812ca845422cbbb46b8e
SHA1

4fa46e361d16c889ad0fd4b5403508fb7f06c289
SHA256

9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117
SHA512

acf16e65939a1b219447fc564785c97ac1dbe63dec68c045ab28fcf1cd01da38727f9e0d9ca73a3ccb0e2618b68ccb7a3c85f03a97dfb5492422f0b0afaea4aa
SSDEEP

98304:IB5ZQZz8FK10bOlT84AkxqYmZHj3E7vqiVDBXptM+cD:o5eHAkxAuNVRoD

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436934f9-67ee-4703-8dd1-8e39762d04de}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436934f9-67ee-4703-8dd1-8e39762d04de}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436934f9-67ee-4703-8dd1-8e39762d04de}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436934f9-67ee-4703-8dd1-8e39762d04de}\InprocServer32\ = "C:\\Program Files (x86)\\GoSave\\upTsQ64wiB8cmM.x64.dll"	regsvr32.exe

Loads dropped DLL 3 IoCs

Processes:

9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exeregsvr32.exeregsvr32.exe

pid process

1356 9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
1160 regsvr32.exe
1140 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

Processes:

9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe

description	ioc	process
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\ooflipdhcjhoajkiimoonfoaimdkccod\2.0\manifest.json	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\ooflipdhcjhoajkiimoonfoaimdkccod\2.0\manifest.json	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ooflipdhcjhoajkiimoonfoaimdkccod\2.0\manifest.json	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exe9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{436934f9-67ee-4703-8dd1-8e39762d04de}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{436934f9-67ee-4703-8dd1-8e39762d04de}	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{436934f9-67ee-4703-8dd1-8e39762d04de}\ = "GoSave"	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{436934f9-67ee-4703-8dd1-8e39762d04de}\NoExplorer = "1"	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{436934f9-67ee-4703-8dd1-8e39762d04de}	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{436934f9-67ee-4703-8dd1-8e39762d04de}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{436934f9-67ee-4703-8dd1-8e39762d04de}\ = "GoSave"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{436934f9-67ee-4703-8dd1-8e39762d04de}\NoExplorer = "1"	regsvr32.exe

Drops file in System32 directory 4 IoCs

Processes:

9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe

Drops file in Program Files directory 8 IoCs

Processes:

9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe

description	ioc	process
File created	C:\Program Files (x86)\GoSave\upTsQ64wiB8cmM.x64.dll	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
File opened for modification	C:\Program Files (x86)\GoSave\upTsQ64wiB8cmM.x64.dll	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
File created	C:\Program Files (x86)\GoSave\upTsQ64wiB8cmM.dll	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
File opened for modification	C:\Program Files (x86)\GoSave\upTsQ64wiB8cmM.dll	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
File created	C:\Program Files (x86)\GoSave\upTsQ64wiB8cmM.tlb	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
File opened for modification	C:\Program Files (x86)\GoSave\upTsQ64wiB8cmM.tlb	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
File created	C:\Program Files (x86)\GoSave\upTsQ64wiB8cmM.dat	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
File opened for modification	C:\Program Files (x86)\GoSave\upTsQ64wiB8cmM.dat	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.exe9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{436934f9-67ee-4703-8dd1-8e39762d04de}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{436934f9-67ee-4703-8dd1-8e39762d04de}	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Key deleted	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{436934F9-67EE-4703-8DD1-8E39762D04DE}	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Key deleted	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Key deleted	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{436934F9-67EE-4703-8DD1-8E39762D04DE}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe

Modifies registry class 64 IoCs

Processes:

9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436934f9-67ee-4703-8dd1-8e39762d04de}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436934f9-67ee-4703-8dd1-8e39762d04de}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436934f9-67ee-4703-8dd1-8e39762d04de}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{436934f9-67ee-4703-8dd1-8e39762d04de}\ProgID\ = ".9"	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{436934f9-67ee-4703-8dd1-8e39762d04de}\InprocServer32\ThreadingModel = "Apartment"	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436934F9-67EE-4703-8DD1-8E39762D04DE}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{436934f9-67ee-4703-8dd1-8e39762d04de}\InprocServer32	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436934f9-67ee-4703-8dd1-8e39762d04de}\VersionIndependentProgID\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\ = "GoSave"	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\GoSave\\upTsQ64wiB8cmM.tlb"	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436934f9-67ee-4703-8dd1-8e39762d04de}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID\ = "{436934f9-67ee-4703-8dd1-8e39762d04de}"	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\ = "GoSave"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436934f9-67ee-4703-8dd1-8e39762d04de}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{436934F9-67EE-4703-8DD1-8E39762D04DE}	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{436934F9-67EE-4703-8DD1-8E39762D04DE}\Implemented Categories	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\..9	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436934f9-67ee-4703-8dd1-8e39762d04de}\ = "GoSave"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436934f9-67ee-4703-8dd1-8e39762d04de}\ProgID\ = ".9"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{436934f9-67ee-4703-8dd1-8e39762d04de}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "GoSave"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{436934f9-67ee-4703-8dd1-8e39762d04de}\VersionIndependentProgID	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe

pid	process
1356	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
1356	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
1356	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
1356	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
1356	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
1356	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
1356	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
1356	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
1356	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
1356	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe

description	pid	process
Token: SeDebugPrivilege	1356	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Token: SeDebugPrivilege	1356	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Token: SeDebugPrivilege	1356	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Token: SeDebugPrivilege	1356	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Token: SeDebugPrivilege	1356	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Token: SeDebugPrivilege	1356	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exeregsvr32.exe

description	pid	process	target process
PID 1356 wrote to memory of 1160	1356	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe	regsvr32.exe
PID 1356 wrote to memory of 1160	1356	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe	regsvr32.exe
PID 1356 wrote to memory of 1160	1356	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe	regsvr32.exe
PID 1356 wrote to memory of 1160	1356	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe	regsvr32.exe
PID 1356 wrote to memory of 1160	1356	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe	regsvr32.exe
PID 1356 wrote to memory of 1160	1356	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe	regsvr32.exe
PID 1356 wrote to memory of 1160	1356	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe	regsvr32.exe
PID 1160 wrote to memory of 1140	1160	regsvr32.exe	regsvr32.exe
PID 1160 wrote to memory of 1140	1160	regsvr32.exe	regsvr32.exe
PID 1160 wrote to memory of 1140	1160	regsvr32.exe	regsvr32.exe
PID 1160 wrote to memory of 1140	1160	regsvr32.exe	regsvr32.exe
PID 1160 wrote to memory of 1140	1160	regsvr32.exe	regsvr32.exe
PID 1160 wrote to memory of 1140	1160	regsvr32.exe	regsvr32.exe
PID 1160 wrote to memory of 1140	1160	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{436934f9-67ee-4703-8dd1-8e39762d04de} = "1"	9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe

C:\Users\Admin\AppData\Local\Temp\9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe
"C:\Users\Admin\AppData\Local\Temp\9a2aaa4e13e7de8cc43635692713a1cc93d84412e5745cd2bd2a90c5d10c0117.exe"
1⤵
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1356

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\GoSave\upTsQ64wiB8cmM.x64.dll"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\GoSave\upTsQ64wiB8cmM.x64.dll"
3⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:1140

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoSave\upTsQ64wiB8cmM.dat

Filesize
4KB

MD5
a4f167657a330f71ae072a3759b23884

SHA1
a499678870603d2c5c7598a586c06c4dc6e986cf

SHA256
5420f281d8c94dc4e8c1a2aa6616036e4d53c710c50cf6a8111daefd80ae562a

SHA512
51f0ac99d128f7ffebf8aea0861c78519ce186c3e5f128c03e37179b24c7a0f83350c210dd4de4b28cfdb6291dfb05b014d819f7ad772c3cfcd77db9196bff5b

Download Submit
C:\Program Files (x86)\GoSave\upTsQ64wiB8cmM.tlb

Filesize
3KB

MD5
b826030b97202e2efa7f7a60493c61a7

SHA1
8145289ac846d579df907dc43fa79fa5866f2930

SHA256
df318425290a57dbdaffd19be838eb1317d38d00be224272168375251cb2f83f

SHA512
246becba94b93fa2e79e9938efe94fd325e18ecd1ce93f642e184ba89d230a5cdf5596272e6ace3a7e9440e5aa9eb153bb8bc5ab6f3bc518fca9b790d4f8d6db

Download Submit
C:\Program Files (x86)\GoSave\upTsQ64wiB8cmM.x64.dll

Filesize
879KB

MD5
0b282547d65c4597ac0f2c5cc09c3b37

SHA1
43a626f01c7ead04cee4b8523b02ee7248271051

SHA256
c8dbfff7b084eb5ff31be01fbd03f392b4c7cb192e904810c7a9e60b985be846

SHA512
541a816d8981656a697f96a89daad2a2d84c9f4a0769175babf8a2785ad6580c2fc3180575a8feeab39f5956176ef4ed4c80f433b557775c359ca3659219da30

Download Submit
\Program Files (x86)\GoSave\upTsQ64wiB8cmM.dll

Filesize
741KB

MD5
0f2db92a7d763af605b6273a4aa18382

SHA1
c9e6e9eb3c2050c86afa1b79e437ea8c8252573f

SHA256
ebdf480f55d619da9a5f23810ef174f5e789d81899bf4f63371cfd95e402658a

SHA512
824230a31cd7e7410c369dae190c1a3bec7498f52740b484e5d09c76265dbd71fb989f5ce889ca8a4f1ae28eb740e39d020b9581aa0496ae394d6ff3874038e5

Download Submit
\Program Files (x86)\GoSave\upTsQ64wiB8cmM.x64.dll

Filesize
879KB

MD5
0b282547d65c4597ac0f2c5cc09c3b37

SHA1
43a626f01c7ead04cee4b8523b02ee7248271051

SHA256
c8dbfff7b084eb5ff31be01fbd03f392b4c7cb192e904810c7a9e60b985be846

SHA512
541a816d8981656a697f96a89daad2a2d84c9f4a0769175babf8a2785ad6580c2fc3180575a8feeab39f5956176ef4ed4c80f433b557775c359ca3659219da30

Download Submit
\Program Files (x86)\GoSave\upTsQ64wiB8cmM.x64.dll

Filesize
879KB

MD5
0b282547d65c4597ac0f2c5cc09c3b37

SHA1
43a626f01c7ead04cee4b8523b02ee7248271051

SHA256
c8dbfff7b084eb5ff31be01fbd03f392b4c7cb192e904810c7a9e60b985be846

SHA512
541a816d8981656a697f96a89daad2a2d84c9f4a0769175babf8a2785ad6580c2fc3180575a8feeab39f5956176ef4ed4c80f433b557775c359ca3659219da30

Download Submit
memory/1140-65-0x0000000000000000-mapping.dmp

Download
memory/1140-66-0x000007FEFC461000-0x000007FEFC463000-memory.dmp

Filesize
8KB

Download
memory/1160-61-0x0000000000000000-mapping.dmp

Download
memory/1356-54-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download
memory/1356-55-0x00000000008B0000-0x0000000000977000-memory.dmp

Filesize
796KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads