9513bf7baa2be54d9670522bbba5fd0accf34e0503ee494b29f6128f4753e919

Analysis

max time kernel
143s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 22:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9513bf7baa2be54d9670522bbba5fd0accf34e0503ee494b29f6128f4753e919.exe
Size

2.7MB
MD5

084aa8bb6812969a1170f64fe5e8e403
SHA1

91c1b50cf65f857e7da2b07c0e402a61e909bcde
SHA256

9513bf7baa2be54d9670522bbba5fd0accf34e0503ee494b29f6128f4753e919
SHA512

f5bd3e908107b0cb76cc938f91b7ca761ed53d7a61bf07ddb09f101b6b4635fe449fc7f0c544179d7983667563747adf56e5ceef4d6b16028d375d754086cb39
SSDEEP

49152:0+9V7KppWmD/M2BKQlic7SKjyoC3yE/Ac5mWxnmw1h:0C7Kpp1D/F7SK2oWNAxenj

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

lFvvfAR3xNMuupb.exe

pid process

1664 lFvvfAR3xNMuupb.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b6349881-c809-4cb0-9c0f-fb59c6353ed7}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b6349881-c809-4cb0-9c0f-fb59c6353ed7}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b6349881-c809-4cb0-9c0f-fb59c6353ed7}\InprocServer32\ = "C:\\Program Files (x86)\\GoSave\\RRKiP5o0sqsdHx.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b6349881-c809-4cb0-9c0f-fb59c6353ed7}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Loads dropped DLL 3 IoCs

Processes:

lFvvfAR3xNMuupb.exeregsvr32.exeregsvr32.exe

pid process

1664 lFvvfAR3xNMuupb.exe
4840 regsvr32.exe
4820 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 5 IoCs

Processes:

lFvvfAR3xNMuupb.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pplabhdagbhfpohhlepibfbajbmpgnlc\2.0\manifest.json	lFvvfAR3xNMuupb.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pplabhdagbhfpohhlepibfbajbmpgnlc\2.0\manifest.json	lFvvfAR3xNMuupb.exe
File created	C:\Users\DefaultAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\pplabhdagbhfpohhlepibfbajbmpgnlc\2.0\manifest.json	lFvvfAR3xNMuupb.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\pplabhdagbhfpohhlepibfbajbmpgnlc\2.0\manifest.json	lFvvfAR3xNMuupb.exe
File created	C:\Users\WDAGUtilityAccount\AppData\Local\Google\Chrome\User Data\Default\Extensions\pplabhdagbhfpohhlepibfbajbmpgnlc\2.0\manifest.json	lFvvfAR3xNMuupb.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

lFvvfAR3xNMuupb.exeregsvr32.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b6349881-c809-4cb0-9c0f-fb59c6353ed7}	lFvvfAR3xNMuupb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b6349881-c809-4cb0-9c0f-fb59c6353ed7}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b6349881-c809-4cb0-9c0f-fb59c6353ed7}\ = "GoSave"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b6349881-c809-4cb0-9c0f-fb59c6353ed7}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b6349881-c809-4cb0-9c0f-fb59c6353ed7}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b6349881-c809-4cb0-9c0f-fb59c6353ed7}	lFvvfAR3xNMuupb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b6349881-c809-4cb0-9c0f-fb59c6353ed7}\ = "GoSave"	lFvvfAR3xNMuupb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b6349881-c809-4cb0-9c0f-fb59c6353ed7}\NoExplorer = "1"	lFvvfAR3xNMuupb.exe

Drops file in System32 directory 4 IoCs

Processes:

lFvvfAR3xNMuupb.exe

description	ioc	process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	lFvvfAR3xNMuupb.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	lFvvfAR3xNMuupb.exe
File opened for modification	C:\Windows\System32\GroupPolicy	lFvvfAR3xNMuupb.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	lFvvfAR3xNMuupb.exe

Drops file in Program Files directory 8 IoCs

Processes:

lFvvfAR3xNMuupb.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\GoSave\RRKiP5o0sqsdHx.x64.dll	lFvvfAR3xNMuupb.exe
File created	C:\Program Files (x86)\GoSave\RRKiP5o0sqsdHx.dll	lFvvfAR3xNMuupb.exe
File opened for modification	C:\Program Files (x86)\GoSave\RRKiP5o0sqsdHx.dll	lFvvfAR3xNMuupb.exe
File created	C:\Program Files (x86)\GoSave\RRKiP5o0sqsdHx.tlb	lFvvfAR3xNMuupb.exe
File opened for modification	C:\Program Files (x86)\GoSave\RRKiP5o0sqsdHx.tlb	lFvvfAR3xNMuupb.exe
File created	C:\Program Files (x86)\GoSave\RRKiP5o0sqsdHx.dat	lFvvfAR3xNMuupb.exe
File opened for modification	C:\Program Files (x86)\GoSave\RRKiP5o0sqsdHx.dat	lFvvfAR3xNMuupb.exe
File created	C:\Program Files (x86)\GoSave\RRKiP5o0sqsdHx.x64.dll	lFvvfAR3xNMuupb.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.exelFvvfAR3xNMuupb.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{b6349881-c809-4cb0-9c0f-fb59c6353ed7}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	lFvvfAR3xNMuupb.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{b6349881-c809-4cb0-9c0f-fb59c6353ed7}	lFvvfAR3xNMuupb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{B6349881-C809-4CB0-9C0F-FB59C6353ED7}	lFvvfAR3xNMuupb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	lFvvfAR3xNMuupb.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{B6349881-C809-4CB0-9C0F-FB59C6353ED7}	regsvr32.exe

Modifies registry class 64 IoCs

Processes:

lFvvfAR3xNMuupb.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	lFvvfAR3xNMuupb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	lFvvfAR3xNMuupb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b6349881-c809-4cb0-9c0f-fb59c6353ed7}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b6349881-c809-4cb0-9c0f-fb59c6353ed7}\InprocServer32\ = "C:\\Program Files (x86)\\GoSave\\RRKiP5o0sqsdHx.x64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B6349881-C809-4CB0-9C0F-FB59C6353ED7}\Implemented Categories	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b6349881-c809-4cb0-9c0f-fb59c6353ed7}\InprocServer32	lFvvfAR3xNMuupb.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b6349881-c809-4cb0-9c0f-fb59c6353ed7}\VersionIndependentProgID	lFvvfAR3xNMuupb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b6349881-c809-4cb0-9c0f-fb59c6353ed7}\InprocServer32\ThreadingModel = "Apartment"	lFvvfAR3xNMuupb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	lFvvfAR3xNMuupb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	lFvvfAR3xNMuupb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b6349881-c809-4cb0-9c0f-fb59c6353ed7}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b6349881-c809-4cb0-9c0f-fb59c6353ed7}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{b6349881-c809-4cb0-9c0f-fb59c6353ed7}"	lFvvfAR3xNMuupb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID	lFvvfAR3xNMuupb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	lFvvfAR3xNMuupb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	lFvvfAR3xNMuupb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b6349881-c809-4cb0-9c0f-fb59c6353ed7}\ProgID\ = ".9"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b6349881-c809-4cb0-9c0f-fb59c6353ed7}\VersionIndependentProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b6349881-c809-4cb0-9c0f-fb59c6353ed7}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	lFvvfAR3xNMuupb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b6349881-c809-4cb0-9c0f-fb59c6353ed7}\InprocServer32\ = "C:\\Program Files (x86)\\GoSave\\RRKiP5o0sqsdHx.dll"	lFvvfAR3xNMuupb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b6349881-c809-4cb0-9c0f-fb59c6353ed7}\Programmable	lFvvfAR3xNMuupb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\GoSave"	lFvvfAR3xNMuupb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	lFvvfAR3xNMuupb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.	lFvvfAR3xNMuupb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b6349881-c809-4cb0-9c0f-fb59c6353ed7}\ = "GoSave"	lFvvfAR3xNMuupb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	lFvvfAR3xNMuupb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	lFvvfAR3xNMuupb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	lFvvfAR3xNMuupb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b6349881-c809-4cb0-9c0f-fb59c6353ed7}\VersionIndependentProgID\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID\ = "{b6349881-c809-4cb0-9c0f-fb59c6353ed7}"	lFvvfAR3xNMuupb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B6349881-C809-4CB0-9C0F-FB59C6353ED7}	lFvvfAR3xNMuupb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	lFvvfAR3xNMuupb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b6349881-c809-4cb0-9c0f-fb59c6353ed7}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b6349881-c809-4cb0-9c0f-fb59c6353ed7}\ProgID\ = ".9"	lFvvfAR3xNMuupb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	lFvvfAR3xNMuupb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B6349881-C809-4CB0-9C0F-FB59C6353ED7}\Implemented Categories	lFvvfAR3xNMuupb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	lFvvfAR3xNMuupb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	lFvvfAR3xNMuupb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	lFvvfAR3xNMuupb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	lFvvfAR3xNMuupb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{b6349881-c809-4cb0-9c0f-fb59c6353ed7}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b6349881-c809-4cb0-9c0f-fb59c6353ed7}	lFvvfAR3xNMuupb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b6349881-c809-4cb0-9c0f-fb59c6353ed7}\InprocServer32	lFvvfAR3xNMuupb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	lFvvfAR3xNMuupb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	lFvvfAR3xNMuupb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B6349881-C809-4CB0-9C0F-FB59C6353ED7}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	lFvvfAR3xNMuupb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	lFvvfAR3xNMuupb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B6349881-C809-4CB0-9C0F-FB59C6353ED7}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	lFvvfAR3xNMuupb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\GoSave\\RRKiP5o0sqsdHx.tlb"	lFvvfAR3xNMuupb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	lFvvfAR3xNMuupb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	lFvvfAR3xNMuupb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	lFvvfAR3xNMuupb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	lFvvfAR3xNMuupb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b6349881-c809-4cb0-9c0f-fb59c6353ed7}\ProgID	lFvvfAR3xNMuupb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b6349881-c809-4cb0-9c0f-fb59c6353ed7}\VersionIndependentProgID	lFvvfAR3xNMuupb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	lFvvfAR3xNMuupb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	lFvvfAR3xNMuupb.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{b6349881-c809-4cb0-9c0f-fb59c6353ed7}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B6349881-C809-4CB0-9C0F-FB59C6353ED7}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	lFvvfAR3xNMuupb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	lFvvfAR3xNMuupb.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

lFvvfAR3xNMuupb.exe

pid	process
1664	lFvvfAR3xNMuupb.exe
1664	lFvvfAR3xNMuupb.exe
1664	lFvvfAR3xNMuupb.exe
1664	lFvvfAR3xNMuupb.exe
1664	lFvvfAR3xNMuupb.exe
1664	lFvvfAR3xNMuupb.exe
1664	lFvvfAR3xNMuupb.exe
1664	lFvvfAR3xNMuupb.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

9513bf7baa2be54d9670522bbba5fd0accf34e0503ee494b29f6128f4753e919.exelFvvfAR3xNMuupb.exeregsvr32.exe

description	pid	process	target process
PID 4576 wrote to memory of 1664	4576	9513bf7baa2be54d9670522bbba5fd0accf34e0503ee494b29f6128f4753e919.exe	lFvvfAR3xNMuupb.exe
PID 4576 wrote to memory of 1664	4576	9513bf7baa2be54d9670522bbba5fd0accf34e0503ee494b29f6128f4753e919.exe	lFvvfAR3xNMuupb.exe
PID 4576 wrote to memory of 1664	4576	9513bf7baa2be54d9670522bbba5fd0accf34e0503ee494b29f6128f4753e919.exe	lFvvfAR3xNMuupb.exe
PID 1664 wrote to memory of 4840	1664	lFvvfAR3xNMuupb.exe	regsvr32.exe
PID 1664 wrote to memory of 4840	1664	lFvvfAR3xNMuupb.exe	regsvr32.exe
PID 1664 wrote to memory of 4840	1664	lFvvfAR3xNMuupb.exe	regsvr32.exe
PID 4840 wrote to memory of 4820	4840	regsvr32.exe	regsvr32.exe
PID 4840 wrote to memory of 4820	4840	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

lFvvfAR3xNMuupb.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{b6349881-c809-4cb0-9c0f-fb59c6353ed7} = "1"	lFvvfAR3xNMuupb.exe

C:\Users\Admin\AppData\Local\Temp\9513bf7baa2be54d9670522bbba5fd0accf34e0503ee494b29f6128f4753e919.exe
"C:\Users\Admin\AppData\Local\Temp\9513bf7baa2be54d9670522bbba5fd0accf34e0503ee494b29f6128f4753e919.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4576

C:\Users\Admin\AppData\Local\Temp\157a768e\lFvvfAR3xNMuupb.exe
"C:\Users\Admin\AppData\Local\Temp/157a768e/lFvvfAR3xNMuupb.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1664

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\GoSave\RRKiP5o0sqsdHx.x64.dll"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4840

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\GoSave\RRKiP5o0sqsdHx.x64.dll"
4⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:4820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoSave\RRKiP5o0sqsdHx.dat
Filesize
4KB

MD5
0ba462c958ee5eeeff6c46cf1923b78a

SHA1
1050cf516856633213f81d43ca8bd67e6550780d

SHA256
cee812fd8afd2c942928aea24753452a11145a46a5135aef09863e1d5b9cc727

SHA512
19d1dc213a67ada838e0e3bf76cc06f061b05affcc89fc114fff85938e9f8b8af730636d9693f7843a126938a36a68de0e6b610eaac298ae812b45e4f7c840df

Download Submit
C:\Program Files (x86)\GoSave\RRKiP5o0sqsdHx.dll
Filesize
738KB

MD5
49961c7c9a7aef57f49adf50d1c810f6

SHA1
fc2078aeff5d5abee27c9e8a500cb2d6ae755b05

SHA256
c80abdc502d18db54137edc2680a498402c765999814b7fe1b2a7b69a64ce846

SHA512
8ad2c3dbd3b4390e4c49561f25ff2acdd4ab4468074e213f3efc81a598f71620e8f21fc87114623a6c0509997e47e1c4f5ffe703c7421ae313f7ba536df2772f

Download Submit
C:\Program Files (x86)\GoSave\RRKiP5o0sqsdHx.tlb
Filesize
3KB

MD5
e3ab22d8beac0180520ab5289a64419b

SHA1
1456ba2c78b293e5a80185fefdf05f5dbe424937

SHA256
0d3342857b67678dd76e6a24e137f0d75ba399bb48bf5095d7e4f7dfa0bbe416

SHA512
c04163026ffa1c6fab34b4fdbf23702148c7c2a31dd356d26f9541027db078b6433aff3a5f749a209a3acbcf3a853a9b5f77984540e21be1f823ce92bcbfc4bf

Download Submit
C:\Program Files (x86)\GoSave\RRKiP5o0sqsdHx.x64.dll
Filesize
872KB

MD5
337b97dbbcc7ad4d75fb5a90652e6de3

SHA1
50e50243af1819e62a7512d85e6dd67b8e1ed103

SHA256
b501a7a1e233ac26b0ba2fbbf54cbb782f98bc5484537e584fcbf4dcf5cc3f0c

SHA512
dab62835e885457c481d7ee4d76c1bc89278d5dc22178301629c78ad3215e1a4627a95f50b03587d8978e85cbba829f31acedf21c23773f5c526b0f76c8cf09e

Download Submit
C:\Program Files (x86)\GoSave\RRKiP5o0sqsdHx.x64.dll
Filesize
872KB

MD5
337b97dbbcc7ad4d75fb5a90652e6de3

SHA1
50e50243af1819e62a7512d85e6dd67b8e1ed103

SHA256
b501a7a1e233ac26b0ba2fbbf54cbb782f98bc5484537e584fcbf4dcf5cc3f0c

SHA512
dab62835e885457c481d7ee4d76c1bc89278d5dc22178301629c78ad3215e1a4627a95f50b03587d8978e85cbba829f31acedf21c23773f5c526b0f76c8cf09e

Download Submit
C:\Program Files (x86)\GoSave\RRKiP5o0sqsdHx.x64.dll
Filesize
872KB

MD5
337b97dbbcc7ad4d75fb5a90652e6de3

SHA1
50e50243af1819e62a7512d85e6dd67b8e1ed103

SHA256
b501a7a1e233ac26b0ba2fbbf54cbb782f98bc5484537e584fcbf4dcf5cc3f0c

SHA512
dab62835e885457c481d7ee4d76c1bc89278d5dc22178301629c78ad3215e1a4627a95f50b03587d8978e85cbba829f31acedf21c23773f5c526b0f76c8cf09e

Download Submit
C:\Users\Admin\AppData\Local\Temp\157a768e\[email protected]\bootstrap.js
Filesize
2KB

MD5
df13f711e20e9c80171846d4f2f7ae06

SHA1
56d29cda58427efe0e21d3880d39eb1b0ef60bee

SHA256
6c325461fba531a94cf8cbdcfc52755494973df0629ce0ee3fef734ab0838fc4

SHA512
6c51cee3bf13f164c4a5c9884cc6053cbf9db9701d34c07dc5761d2c047d3d1f7a361b32996a430107e9a4ce68a29149d747a84c76778a1e8780719a3d30470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\157a768e\[email protected]\chrome.manifest
Filesize
35B

MD5
76085074ac52435b13bcd7016da0d113

SHA1
1c0ec9b376a2167ecb07ec952caa8d6e621194b6

SHA256
34693ea4d2cd3e91e155310957f0135c0a680cde5128acf92ac362b5a9012e94

SHA512
d966f2d3606d6bd20bdc5d54f36fefa4fa4a072d432e607fad0573a45bd325432bae0417cb9601889a7e7bd38f76a6de9bd8e47ac90516ffd2dcf62ab2fa86e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\157a768e\[email protected]\content\bg.js
Filesize
8KB

MD5
3b1e3027ab519e46d838b55d4d089335

SHA1
68131f9666587f8f9f25bf484ebf230498d49072

SHA256
a3c193075971f6a945ca984a9f8cb5b4c7f7379b78759812f6ddb26a96a4572e

SHA512
69b0dc61df1aaaa09dcdf716ec04eb1bfe686997bc302465af8f034c937066fed63c7b05b169ac120195ae6bafa5d813c436b6fca2af9e2a37730c32bee621c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\157a768e\[email protected]\install.rdf
Filesize
598B

MD5
7fa8e793883d133d0d88be54d368b25f

SHA1
a489ac95898b1afbc955c2399ae8137fb0e554ba

SHA256
725ea8e7b871e414f4b2cca0570c8cdfffc02e317bbb615aee30de90eb24b50f

SHA512
bd2b181986b3430211af997688cb85371165ae1b8983afd856b0826607be061fb4cc284c19a39e049d7409bff298172be9c3df1a1608850978e3041482947ff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\157a768e\RRKiP5o0sqsdHx.dll
Filesize
738KB

MD5
49961c7c9a7aef57f49adf50d1c810f6

SHA1
fc2078aeff5d5abee27c9e8a500cb2d6ae755b05

SHA256
c80abdc502d18db54137edc2680a498402c765999814b7fe1b2a7b69a64ce846

SHA512
8ad2c3dbd3b4390e4c49561f25ff2acdd4ab4468074e213f3efc81a598f71620e8f21fc87114623a6c0509997e47e1c4f5ffe703c7421ae313f7ba536df2772f

Download Submit
C:\Users\Admin\AppData\Local\Temp\157a768e\RRKiP5o0sqsdHx.tlb
Filesize
3KB

MD5
e3ab22d8beac0180520ab5289a64419b

SHA1
1456ba2c78b293e5a80185fefdf05f5dbe424937

SHA256
0d3342857b67678dd76e6a24e137f0d75ba399bb48bf5095d7e4f7dfa0bbe416

SHA512
c04163026ffa1c6fab34b4fdbf23702148c7c2a31dd356d26f9541027db078b6433aff3a5f749a209a3acbcf3a853a9b5f77984540e21be1f823ce92bcbfc4bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\157a768e\RRKiP5o0sqsdHx.x64.dll
Filesize
872KB

MD5
337b97dbbcc7ad4d75fb5a90652e6de3

SHA1
50e50243af1819e62a7512d85e6dd67b8e1ed103

SHA256
b501a7a1e233ac26b0ba2fbbf54cbb782f98bc5484537e584fcbf4dcf5cc3f0c

SHA512
dab62835e885457c481d7ee4d76c1bc89278d5dc22178301629c78ad3215e1a4627a95f50b03587d8978e85cbba829f31acedf21c23773f5c526b0f76c8cf09e

Download Submit
C:\Users\Admin\AppData\Local\Temp\157a768e\lFvvfAR3xNMuupb.dat
Filesize
4KB

MD5
0ba462c958ee5eeeff6c46cf1923b78a

SHA1
1050cf516856633213f81d43ca8bd67e6550780d

SHA256
cee812fd8afd2c942928aea24753452a11145a46a5135aef09863e1d5b9cc727

SHA512
19d1dc213a67ada838e0e3bf76cc06f061b05affcc89fc114fff85938e9f8b8af730636d9693f7843a126938a36a68de0e6b610eaac298ae812b45e4f7c840df

Download Submit
C:\Users\Admin\AppData\Local\Temp\157a768e\lFvvfAR3xNMuupb.exe
Filesize
772KB

MD5
5ed7019dcd0008dbcd8e54017b8c7dd9

SHA1
7e4457da2ff06c2170bad636c9eb7c1bb436fd06

SHA256
7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7

SHA512
10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db

Download Submit
C:\Users\Admin\AppData\Local\Temp\157a768e\lFvvfAR3xNMuupb.exe
Filesize
772KB

MD5
5ed7019dcd0008dbcd8e54017b8c7dd9

SHA1
7e4457da2ff06c2170bad636c9eb7c1bb436fd06

SHA256
7f069fe03db518eee8162ba5f65f98f2afd28137dfde9450d26cd47f6cea8eb7

SHA512
10cef6104aeca8f7a135d4ffffb907b127f055477af4d98228c7385f0da15677357dfed13fc442ee173f85245224fc4b0ae100b832514c80802c5e5a054b70db

Download Submit
C:\Users\Admin\AppData\Local\Temp\157a768e\pplabhdagbhfpohhlepibfbajbmpgnlc\Dz.js
Filesize
6KB

MD5
18c1a41c7923b764a8232330e9cdc3a2

SHA1
bf8f03b029eb9aacd089da0d0af44942b8f0be9c

SHA256
ecbaabfeac5da92beba64f861295572cefab51814dfb6488906a671cc625caa0

SHA512
6abe473397575a120f026fee1e4c88bc4bd9894387088e184b0736d2fed2083e4dfd84b4166c95ae28ef6a14b9b42a076a812e5b5f02e67dfb1ba428ee64e0e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\157a768e\pplabhdagbhfpohhlepibfbajbmpgnlc\background.html
Filesize
139B

MD5
baa039aaf2547982d45f0b1e0b1bd6b1

SHA1
ac0d18f1db59f6e6bae4b75497b06854acedfa78

SHA256
c849c0c2273b386f0b1b40d2999d44a3ce4e03503bee28411a23cdf23e94ee0a

SHA512
8cecd0f8a6b6427500d40c68efcfa1a7c9411304904f058d5f774007c51dfe2b3c8d90f99d95f4b2871a1c3a088cdc9039a4e384160e83ce9c7bb74d80bd058d

Download Submit
C:\Users\Admin\AppData\Local\Temp\157a768e\pplabhdagbhfpohhlepibfbajbmpgnlc\content.js
Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\157a768e\pplabhdagbhfpohhlepibfbajbmpgnlc\lsdb.js
Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\157a768e\pplabhdagbhfpohhlepibfbajbmpgnlc\manifest.json
Filesize
498B

MD5
640199ea4621e34510de919f6a54436f

SHA1
dc65dbfad02bd2688030bd56ca1cab85917a9937

SHA256
e4aa7c089e32d14ddf584e9de6d007ec16581cd30c248ff7284bc0eb7757d4af

SHA512
d64bc524d6df7c4c21a5ddfb0e6636317482ef4dc28006bd0a38d5e26c2db75626f216143026bf8acf3baa11d86c278e902c78afad4f806ca36f9e54bc75ff0a

Download Submit
memory/1664-132-0x0000000000000000-mapping.dmp

Download
memory/4820-152-0x0000000000000000-mapping.dmp

Download
memory/4840-149-0x0000000000000000-mapping.dmp

Download