4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95

General

Target

4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Size

3.8MB
MD5

bce2d74590ea903ff9454cac6f8b6a77
SHA1

8a4e406e02f6f7cc82a601a5262d486e9bdf9b11
SHA256

4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95
SHA512

58d798a9a943c386c9b7ab91a6ca47ddd0c61ae75c1e50a35344f7157027e02ce2c272736b67ea3f0c0e97f308d1bbbfccba70c41a65d7847bf204328a792e1b
SSDEEP

98304:dH7A0R4JU9KAK5BkAOvOMHZGfjS8/UFtiJ5w:dH7A0R4eA3aZGfjk

Score

8^/10

adware discovery persistence stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ec4f75ac-1999-4662-b536-3b49af7f85f6}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ec4f75ac-1999-4662-b536-3b49af7f85f6}\InprocServer32\ = "C:\\Program Files (x86)\\GaoSavue\\DQ27OwamwShizC.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ec4f75ac-1999-4662-b536-3b49af7f85f6}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ec4f75ac-1999-4662-b536-3b49af7f85f6}\InprocServer32	regsvr32.exe

Loads dropped DLL 3 IoCs

Processes:

4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exeregsvr32.exeregsvr32.exe

pid process

1428 4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
1044 regsvr32.exe
844 regsvr32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1428	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
1044	regsvr32.exe
844	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exe4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ec4f75ac-1999-4662-b536-3b49af7f85f6}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{ec4f75ac-1999-4662-b536-3b49af7f85f6}	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{ec4f75ac-1999-4662-b536-3b49af7f85f6}\ = "GaoSavue"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{ec4f75ac-1999-4662-b536-3b49af7f85f6}\NoExplorer = "1"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{ec4f75ac-1999-4662-b536-3b49af7f85f6}	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ec4f75ac-1999-4662-b536-3b49af7f85f6}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ec4f75ac-1999-4662-b536-3b49af7f85f6}\ = "GaoSavue"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ec4f75ac-1999-4662-b536-3b49af7f85f6}\NoExplorer = "1"	regsvr32.exe

Drops file in Program Files directory 8 IoCs

Processes:

4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe

description	ioc	process
File created	C:\Program Files (x86)\GaoSavue\DQ27OwamwShizC.dll	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
File opened for modification	C:\Program Files (x86)\GaoSavue\DQ27OwamwShizC.dll	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
File created	C:\Program Files (x86)\GaoSavue\DQ27OwamwShizC.tlb	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
File opened for modification	C:\Program Files (x86)\GaoSavue\DQ27OwamwShizC.tlb	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
File created	C:\Program Files (x86)\GaoSavue\DQ27OwamwShizC.dat	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
File opened for modification	C:\Program Files (x86)\GaoSavue\DQ27OwamwShizC.dat	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
File created	C:\Program Files (x86)\GaoSavue\DQ27OwamwShizC.x64.dll	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
File opened for modification	C:\Program Files (x86)\GaoSavue\DQ27OwamwShizC.x64.dll	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.exe4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{ec4f75ac-1999-4662-b536-3b49af7f85f6}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{ec4f75ac-1999-4662-b536-3b49af7f85f6}	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{EC4F75AC-1999-4662-B536-3B49AF7F85F6}	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{EC4F75AC-1999-4662-B536-3B49AF7F85F6}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe

Modifies registry class 64 IoCs

Processes:

4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\GaoSavue\\DQ27OwamwShizC.tlb"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ec4f75ac-1999-4662-b536-3b49af7f85f6}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EC4F75AC-1999-4662-B536-3B49AF7F85F6}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ec4f75ac-1999-4662-b536-3b49af7f85f6}\ProgID	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ec4f75ac-1999-4662-b536-3b49af7f85f6}\Programmable	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ec4f75ac-1999-4662-b536-3b49af7f85f6}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ec4f75ac-1999-4662-b536-3b49af7f85f6}	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ec4f75ac-1999-4662-b536-3b49af7f85f6}\ = "GaoSavue"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ec4f75ac-1999-4662-b536-3b49af7f85f6}\ = "GaoSavue"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ec4f75ac-1999-4662-b536-3b49af7f85f6}\ProgID	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ec4f75ac-1999-4662-b536-3b49af7f85f6}\InprocServer32\ThreadingModel = "Apartment"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ec4f75ac-1999-4662-b536-3b49af7f85f6}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ec4f75ac-1999-4662-b536-3b49af7f85f6}\ProgID\ = ".9"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EC4F75AC-1999-4662-B536-3B49AF7F85F6}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ec4f75ac-1999-4662-b536-3b49af7f85f6}\VersionIndependentProgID\	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ec4f75ac-1999-4662-b536-3b49af7f85f6}\InprocServer32	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EC4F75AC-1999-4662-B536-3B49AF7F85F6}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "GaoSavue"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\GaoSavue"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ec4f75ac-1999-4662-b536-3b49af7f85f6}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ec4f75ac-1999-4662-b536-3b49af7f85f6}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID\ = "{ec4f75ac-1999-4662-b536-3b49af7f85f6}"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ec4f75ac-1999-4662-b536-3b49af7f85f6}\VersionIndependentProgID	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ec4f75ac-1999-4662-b536-3b49af7f85f6}\VersionIndependentProgID	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\ = "GaoSavue"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ec4f75ac-1999-4662-b536-3b49af7f85f6}\InprocServer32\ = "C:\\Program Files (x86)\\GaoSavue\\DQ27OwamwShizC.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ec4f75ac-1999-4662-b536-3b49af7f85f6}	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ec4f75ac-1999-4662-b536-3b49af7f85f6}\InprocServer32\ = "C:\\Program Files (x86)\\GaoSavue\\DQ27OwamwShizC.dll"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ec4f75ac-1999-4662-b536-3b49af7f85f6}\InprocServer32	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EC4F75AC-1999-4662-B536-3B49AF7F85F6}	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exeregsvr32.exe

description	pid	process	target process
PID 1428 wrote to memory of 1044	1428	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe	regsvr32.exe
PID 1428 wrote to memory of 1044	1428	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe	regsvr32.exe
PID 1428 wrote to memory of 1044	1428	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe	regsvr32.exe
PID 1428 wrote to memory of 1044	1428	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe	regsvr32.exe
PID 1428 wrote to memory of 1044	1428	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe	regsvr32.exe
PID 1428 wrote to memory of 1044	1428	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe	regsvr32.exe
PID 1428 wrote to memory of 1044	1428	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe	regsvr32.exe
PID 1044 wrote to memory of 844	1044	regsvr32.exe	regsvr32.exe
PID 1044 wrote to memory of 844	1044	regsvr32.exe	regsvr32.exe
PID 1044 wrote to memory of 844	1044	regsvr32.exe	regsvr32.exe
PID 1044 wrote to memory of 844	1044	regsvr32.exe	regsvr32.exe
PID 1044 wrote to memory of 844	1044	regsvr32.exe	regsvr32.exe
PID 1044 wrote to memory of 844	1044	regsvr32.exe	regsvr32.exe
PID 1044 wrote to memory of 844	1044	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{ec4f75ac-1999-4662-b536-3b49af7f85f6} = "1"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe

C:\Users\Admin\AppData\Local\Temp\4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
"C:\Users\Admin\AppData\Local\Temp\4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1428
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s "C:\Program Files (x86)\GaoSavue\DQ27OwamwShizC.x64.dll"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1044
- - C:\Windows\system32\regsvr32.exe
    /s "C:\Program Files (x86)\GaoSavue\DQ27OwamwShizC.x64.dll"
    3⤵
    - Registers COM server for autorun
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GaoSavue\DQ27OwamwShizC.dat

Filesize
4KB

MD5
6e69adcbe7498a97b806ba62133deed8

SHA1
178b8c44fe081eb2f2e7381cc1eb236482cf6932

SHA256
b66068d506295a62828569d0104bf34a3e8c200757c6589d6c03a603e0b779cd

SHA512
0e4e574758867e6aab62c3c9cfb06f47dd6c48cde82a49f3294a5add41779010daad442782e016a271a6c5e87201553214ceca915a6c4db3cd54d7e452b5760b

Download Submit
C:\Program Files (x86)\GaoSavue\DQ27OwamwShizC.tlb

Filesize
3KB

MD5
4f10ec1039aef56bdfc26e48d57461b3

SHA1
f3dedd15bab08bad8d418f2f7b892defb357670b

SHA256
98362dd931236aa92fb7ebd4dcb56986dfc8f5471d48105ab47e3b57249e2eb8

SHA512
4162289976a8eeb362bcc3f8f8f54cabdc4d4bff9e91f2bee211c748fc43e47b1a51a54b85aebcc24a79471790aa98ca81ede7a40d946cd00df601762e83f6b3

Download Submit
C:\Program Files (x86)\GaoSavue\DQ27OwamwShizC.x64.dll

Filesize
692KB

MD5
dd6c687a7bc8036ff03c493edaf43fea

SHA1
cc4258585f61d57dd465270dbb7c0d82a2021a5f

SHA256
8bb13e80a99d9631efc47771fa8ee332d880acdc4e1baaabc2ad17c16823091c

SHA512
084f49f3b7a76b23a73b2957d227c953903e270f74bf1d7405a5d68e2f716b52db7e7e156469de5425125a3a27856e2e97172279cba70a213f5ba33188cacc8c

Download Submit
\Program Files (x86)\GaoSavue\DQ27OwamwShizC.dll

Filesize
611KB

MD5
23a76cebd4442a5c81b58da519eac909

SHA1
e640584aa3ce6f666098e4b3c69203e1d7484548

SHA256
426cf8cfba58e437f1add68a6e8072b773b19e1fb4cad0ee3a065ba2358d06de

SHA512
e192b47cbb2ef9f91637cb370866b2233c00c36e5fae5d72ca9da4f478a113fb65128456cd75c57134192deb6157e4c5e3379c19d448ce9364444b37660d2fbd

Download Submit
\Program Files (x86)\GaoSavue\DQ27OwamwShizC.x64.dll

Filesize
692KB

MD5
dd6c687a7bc8036ff03c493edaf43fea

SHA1
cc4258585f61d57dd465270dbb7c0d82a2021a5f

SHA256
8bb13e80a99d9631efc47771fa8ee332d880acdc4e1baaabc2ad17c16823091c

SHA512
084f49f3b7a76b23a73b2957d227c953903e270f74bf1d7405a5d68e2f716b52db7e7e156469de5425125a3a27856e2e97172279cba70a213f5ba33188cacc8c

Download Submit
\Program Files (x86)\GaoSavue\DQ27OwamwShizC.x64.dll

Filesize
692KB

MD5
dd6c687a7bc8036ff03c493edaf43fea

SHA1
cc4258585f61d57dd465270dbb7c0d82a2021a5f

SHA256
8bb13e80a99d9631efc47771fa8ee332d880acdc4e1baaabc2ad17c16823091c

SHA512
084f49f3b7a76b23a73b2957d227c953903e270f74bf1d7405a5d68e2f716b52db7e7e156469de5425125a3a27856e2e97172279cba70a213f5ba33188cacc8c

Download Submit
memory/844-65-0x0000000000000000-mapping.dmp

Download
memory/844-66-0x000007FEFBAC1000-0x000007FEFBAC3000-memory.dmp

Filesize
8KB

Download
memory/1044-61-0x0000000000000000-mapping.dmp

Download
memory/1428-54-0x0000000075591000-0x0000000075593000-memory.dmp

Filesize
8KB

Download
memory/1428-55-0x00000000027C0000-0x0000000002861000-memory.dmp

Filesize
644KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads