f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8

General

Target

f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Size

4.6MB
MD5

deccbdcc495fd0426959cfbb72b4a0df
SHA1

ef872a61a81f609711cd458c68357a8692246b2c
SHA256

f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8
SHA512

72c6025be5c19349cf20de36d7c9f377a47dfff8e01d34297747c48603d13c24523f6938b6ae87acf3b2105dbfb35cdbd9e8bc9e55d20fa11855fad257b163e5
SSDEEP

49152:9iBJ2SpAZG133gmLEI10XOv0TP6oYlCXTAkA+ZuK2rFPIWoiwVdNFWPE/B/u:sUMp13QmQI10XOcTP+mrcZHf+Wc/d

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84990a5d-ed51-4154-a018-462490315453}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84990a5d-ed51-4154-a018-462490315453}\InprocServer32\ = "C:\\Program Files (x86)\\GoSave\\T3pTSbazNWEy4h.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84990a5d-ed51-4154-a018-462490315453}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84990a5d-ed51-4154-a018-462490315453}\InprocServer32	regsvr32.exe

Loads dropped DLL 3 IoCs

Processes:

f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exeregsvr32.exeregsvr32.exe

pid process

1136 f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
1208 regsvr32.exe
1724 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

Processes:

f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hhlpbojbocgijbdjlhajeodlcjhlknoc\2.0\manifest.json	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\hhlpbojbocgijbdjlhajeodlcjhlknoc\2.0\manifest.json	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\hhlpbojbocgijbdjlhajeodlcjhlknoc\2.0\manifest.json	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{84990a5d-ed51-4154-a018-462490315453}	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{84990a5d-ed51-4154-a018-462490315453}\ = "GoSave"	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{84990a5d-ed51-4154-a018-462490315453}\NoExplorer = "1"	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{84990a5d-ed51-4154-a018-462490315453}	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{84990a5d-ed51-4154-a018-462490315453}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{84990a5d-ed51-4154-a018-462490315453}\ = "GoSave"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{84990a5d-ed51-4154-a018-462490315453}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{84990a5d-ed51-4154-a018-462490315453}	regsvr32.exe

Drops file in System32 directory 4 IoCs

Processes:

f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
File opened for modification	C:\Windows\System32\GroupPolicy	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe

Drops file in Program Files directory 8 IoCs

Processes:

f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\GoSave\T3pTSbazNWEy4h.tlb	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
File created	C:\Program Files (x86)\GoSave\T3pTSbazNWEy4h.dat	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
File opened for modification	C:\Program Files (x86)\GoSave\T3pTSbazNWEy4h.dat	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
File created	C:\Program Files (x86)\GoSave\T3pTSbazNWEy4h.x64.dll	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
File opened for modification	C:\Program Files (x86)\GoSave\T3pTSbazNWEy4h.x64.dll	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
File created	C:\Program Files (x86)\GoSave\T3pTSbazNWEy4h.dll	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
File opened for modification	C:\Program Files (x86)\GoSave\T3pTSbazNWEy4h.dll	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
File created	C:\Program Files (x86)\GoSave\T3pTSbazNWEy4h.tlb	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.exef64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{84990a5d-ed51-4154-a018-462490315453}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{84990a5d-ed51-4154-a018-462490315453}	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{84990A5D-ED51-4154-A018-462490315453}	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{84990A5D-ED51-4154-A018-462490315453}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe

Modifies registry class 64 IoCs

Processes:

f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84990a5d-ed51-4154-a018-462490315453}\VersionIndependentProgID\	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84990a5d-ed51-4154-a018-462490315453}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84990a5d-ed51-4154-a018-462490315453}	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\GoSave"	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\ = "GoSave"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84990a5d-ed51-4154-a018-462490315453}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84990a5d-ed51-4154-a018-462490315453}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84990A5D-ED51-4154-A018-462490315453}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84990a5d-ed51-4154-a018-462490315453}	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84990A5D-ED51-4154-A018-462490315453}	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84990a5d-ed51-4154-a018-462490315453}\ = "GoSave"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84990a5d-ed51-4154-a018-462490315453}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84990a5d-ed51-4154-a018-462490315453}\InprocServer32\ = "C:\\Program Files (x86)\\GoSave\\T3pTSbazNWEy4h.dll"	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "GoSave"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{84990a5d-ed51-4154-a018-462490315453}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\..9	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84990a5d-ed51-4154-a018-462490315453}\ProgID\ = ".9"	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84990A5D-ED51-4154-A018-462490315453}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84990a5d-ed51-4154-a018-462490315453}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84990a5d-ed51-4154-a018-462490315453}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84990a5d-ed51-4154-a018-462490315453}\ = "GoSave"	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84990a5d-ed51-4154-a018-462490315453}\InprocServer32\ThreadingModel = "Apartment"	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84990a5d-ed51-4154-a018-462490315453}\InprocServer32	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84990a5d-ed51-4154-a018-462490315453}\ProgID	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84990a5d-ed51-4154-a018-462490315453}\VersionIndependentProgID\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84990a5d-ed51-4154-a018-462490315453}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84990a5d-ed51-4154-a018-462490315453}\ProgID\ = ".9"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84990a5d-ed51-4154-a018-462490315453}\VersionIndependentProgID	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe

pid	process
1136	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
1136	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
1136	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
1136	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exeregsvr32.exe

description	pid	process	target process
PID 1136 wrote to memory of 1208	1136	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe	regsvr32.exe
PID 1136 wrote to memory of 1208	1136	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe	regsvr32.exe
PID 1136 wrote to memory of 1208	1136	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe	regsvr32.exe
PID 1136 wrote to memory of 1208	1136	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe	regsvr32.exe
PID 1136 wrote to memory of 1208	1136	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe	regsvr32.exe
PID 1136 wrote to memory of 1208	1136	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe	regsvr32.exe
PID 1136 wrote to memory of 1208	1136	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe	regsvr32.exe
PID 1208 wrote to memory of 1724	1208	regsvr32.exe	regsvr32.exe
PID 1208 wrote to memory of 1724	1208	regsvr32.exe	regsvr32.exe
PID 1208 wrote to memory of 1724	1208	regsvr32.exe	regsvr32.exe
PID 1208 wrote to memory of 1724	1208	regsvr32.exe	regsvr32.exe
PID 1208 wrote to memory of 1724	1208	regsvr32.exe	regsvr32.exe
PID 1208 wrote to memory of 1724	1208	regsvr32.exe	regsvr32.exe
PID 1208 wrote to memory of 1724	1208	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{84990a5d-ed51-4154-a018-462490315453} = "1"	f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe

C:\Users\Admin\AppData\Local\Temp\f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe
"C:\Users\Admin\AppData\Local\Temp\f64ffa7c6b17e8b0dc6cab0e4c3665f85861e6f87b8b318eb39448550bf3c7d8.exe"
1⤵
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1136

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\GoSave\T3pTSbazNWEy4h.x64.dll"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\GoSave\T3pTSbazNWEy4h.x64.dll"
3⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:1724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoSave\T3pTSbazNWEy4h.dat

Filesize
4KB

MD5
c7b6b6cbe8e20769f601d4db99884c7b

SHA1
e7051be6d2e40696b89bbd24dbe02cab197748f5

SHA256
fec77ddae89d6dddd3c4fe387c8c073dec1e33682ed2df1551f64a2419faacb6

SHA512
d3e8321d305f4369cdb1345fa8de875ce4a9122fbbff75c9b0ea0e17aab15018cf3ff39d4404255df913fc1385f71f3f90c87764b4780de6b063eebcbdab19c3

Download Submit
C:\Program Files (x86)\GoSave\T3pTSbazNWEy4h.tlb

Filesize
3KB

MD5
b826030b97202e2efa7f7a60493c61a7

SHA1
8145289ac846d579df907dc43fa79fa5866f2930

SHA256
df318425290a57dbdaffd19be838eb1317d38d00be224272168375251cb2f83f

SHA512
246becba94b93fa2e79e9938efe94fd325e18ecd1ce93f642e184ba89d230a5cdf5596272e6ace3a7e9440e5aa9eb153bb8bc5ab6f3bc518fca9b790d4f8d6db

Download Submit
C:\Program Files (x86)\GoSave\T3pTSbazNWEy4h.x64.dll

Filesize
879KB

MD5
0b282547d65c4597ac0f2c5cc09c3b37

SHA1
43a626f01c7ead04cee4b8523b02ee7248271051

SHA256
c8dbfff7b084eb5ff31be01fbd03f392b4c7cb192e904810c7a9e60b985be846

SHA512
541a816d8981656a697f96a89daad2a2d84c9f4a0769175babf8a2785ad6580c2fc3180575a8feeab39f5956176ef4ed4c80f433b557775c359ca3659219da30

Download Submit
\Program Files (x86)\GoSave\T3pTSbazNWEy4h.dll

Filesize
741KB

MD5
0f2db92a7d763af605b6273a4aa18382

SHA1
c9e6e9eb3c2050c86afa1b79e437ea8c8252573f

SHA256
ebdf480f55d619da9a5f23810ef174f5e789d81899bf4f63371cfd95e402658a

SHA512
824230a31cd7e7410c369dae190c1a3bec7498f52740b484e5d09c76265dbd71fb989f5ce889ca8a4f1ae28eb740e39d020b9581aa0496ae394d6ff3874038e5

Download Submit
\Program Files (x86)\GoSave\T3pTSbazNWEy4h.x64.dll

Filesize
879KB

MD5
0b282547d65c4597ac0f2c5cc09c3b37

SHA1
43a626f01c7ead04cee4b8523b02ee7248271051

SHA256
c8dbfff7b084eb5ff31be01fbd03f392b4c7cb192e904810c7a9e60b985be846

SHA512
541a816d8981656a697f96a89daad2a2d84c9f4a0769175babf8a2785ad6580c2fc3180575a8feeab39f5956176ef4ed4c80f433b557775c359ca3659219da30

Download Submit
\Program Files (x86)\GoSave\T3pTSbazNWEy4h.x64.dll

Filesize
879KB

MD5
0b282547d65c4597ac0f2c5cc09c3b37

SHA1
43a626f01c7ead04cee4b8523b02ee7248271051

SHA256
c8dbfff7b084eb5ff31be01fbd03f392b4c7cb192e904810c7a9e60b985be846

SHA512
541a816d8981656a697f96a89daad2a2d84c9f4a0769175babf8a2785ad6580c2fc3180575a8feeab39f5956176ef4ed4c80f433b557775c359ca3659219da30

Download Submit
memory/1136-54-0x0000000075F51000-0x0000000075F53000-memory.dmp

Filesize
8KB

Download
memory/1136-55-0x0000000002CC0000-0x0000000002D87000-memory.dmp

Filesize
796KB

Download
memory/1208-63-0x0000000000000000-mapping.dmp

Download
memory/1724-67-0x0000000000000000-mapping.dmp

Download
memory/1724-68-0x000007FEFB871000-0x000007FEFB873000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads