4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95

General

Target

4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Size

3.8MB
MD5

bce2d74590ea903ff9454cac6f8b6a77
SHA1

8a4e406e02f6f7cc82a601a5262d486e9bdf9b11
SHA256

4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95
SHA512

58d798a9a943c386c9b7ab91a6ca47ddd0c61ae75c1e50a35344f7157027e02ce2c272736b67ea3f0c0e97f308d1bbbfccba70c41a65d7847bf204328a792e1b
SSDEEP

98304:dH7A0R4JU9KAK5BkAOvOMHZGfjS8/UFtiJ5w:dH7A0R4eA3aZGfjk

Score

8^/10

adware discovery persistence stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ec4f75ac-1999-4662-b536-3b49af7f85f6}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ec4f75ac-1999-4662-b536-3b49af7f85f6}\InprocServer32\ = "C:\\Program Files (x86)\\GaoSavue\\DQ27OwamwShizC.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ec4f75ac-1999-4662-b536-3b49af7f85f6}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ec4f75ac-1999-4662-b536-3b49af7f85f6}\InprocServer32	regsvr32.exe

Loads dropped DLL 3 IoCs

Processes:

4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exeregsvr32.exeregsvr32.exe

pid process

1360 4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
3724 regsvr32.exe
2884 regsvr32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1360	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
3724	regsvr32.exe
2884	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exeregsvr32.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ec4f75ac-1999-4662-b536-3b49af7f85f6}	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ec4f75ac-1999-4662-b536-3b49af7f85f6}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ec4f75ac-1999-4662-b536-3b49af7f85f6}\ = "GaoSavue"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ec4f75ac-1999-4662-b536-3b49af7f85f6}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ec4f75ac-1999-4662-b536-3b49af7f85f6}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ec4f75ac-1999-4662-b536-3b49af7f85f6}	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ec4f75ac-1999-4662-b536-3b49af7f85f6}\ = "GaoSavue"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ec4f75ac-1999-4662-b536-3b49af7f85f6}\NoExplorer = "1"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe

Drops file in Program Files directory 8 IoCs

Processes:

4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\GaoSavue\DQ27OwamwShizC.dat	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
File created	C:\Program Files (x86)\GaoSavue\DQ27OwamwShizC.x64.dll	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
File opened for modification	C:\Program Files (x86)\GaoSavue\DQ27OwamwShizC.x64.dll	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
File created	C:\Program Files (x86)\GaoSavue\DQ27OwamwShizC.dll	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
File opened for modification	C:\Program Files (x86)\GaoSavue\DQ27OwamwShizC.dll	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
File created	C:\Program Files (x86)\GaoSavue\DQ27OwamwShizC.tlb	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
File opened for modification	C:\Program Files (x86)\GaoSavue\DQ27OwamwShizC.tlb	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
File created	C:\Program Files (x86)\GaoSavue\DQ27OwamwShizC.dat	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{ec4f75ac-1999-4662-b536-3b49af7f85f6}	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{EC4F75AC-1999-4662-B536-3B49AF7F85F6}	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{EC4F75AC-1999-4662-B536-3B49AF7F85F6}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{ec4f75ac-1999-4662-b536-3b49af7f85f6}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe

Modifies registry class 64 IoCs

Processes:

4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ec4f75ac-1999-4662-b536-3b49af7f85f6}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ec4f75ac-1999-4662-b536-3b49af7f85f6}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ec4f75ac-1999-4662-b536-3b49af7f85f6}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EC4F75AC-1999-4662-B536-3B49AF7F85F6}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ec4f75ac-1999-4662-b536-3b49af7f85f6}\ProgID\ = ".9"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EC4F75AC-1999-4662-B536-3B49AF7F85F6}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\GaoSavue\\DQ27OwamwShizC.tlb"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\GaoSavue"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ec4f75ac-1999-4662-b536-3b49af7f85f6}\InprocServer32\ = "C:\\Program Files (x86)\\GaoSavue\\DQ27OwamwShizC.dll"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ec4f75ac-1999-4662-b536-3b49af7f85f6}\ProgID	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ec4f75ac-1999-4662-b536-3b49af7f85f6}\VersionIndependentProgID	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EC4F75AC-1999-4662-B536-3B49AF7F85F6}	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\..9	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ec4f75ac-1999-4662-b536-3b49af7f85f6}\Programmable	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EC4F75AC-1999-4662-B536-3B49AF7F85F6}\Implemented Categories	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID\ = "{ec4f75ac-1999-4662-b536-3b49af7f85f6}"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ec4f75ac-1999-4662-b536-3b49af7f85f6}\Programmable	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{ec4f75ac-1999-4662-b536-3b49af7f85f6}"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "GaoSavue"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ec4f75ac-1999-4662-b536-3b49af7f85f6}\InprocServer32	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ec4f75ac-1999-4662-b536-3b49af7f85f6}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ec4f75ac-1999-4662-b536-3b49af7f85f6}\VersionIndependentProgID\	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID\ = "{ec4f75ac-1999-4662-b536-3b49af7f85f6}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ec4f75ac-1999-4662-b536-3b49af7f85f6}\ProgID\ = ".9"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ec4f75ac-1999-4662-b536-3b49af7f85f6}\InprocServer32\ThreadingModel = "Apartment"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ec4f75ac-1999-4662-b536-3b49af7f85f6}\VersionIndependentProgID\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ec4f75ac-1999-4662-b536-3b49af7f85f6}\InprocServer32\ = "C:\\Program Files (x86)\\GaoSavue\\DQ27OwamwShizC.x64.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ec4f75ac-1999-4662-b536-3b49af7f85f6}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ec4f75ac-1999-4662-b536-3b49af7f85f6}\ProgID	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exeregsvr32.exe

description	pid	process	target process
PID 1360 wrote to memory of 3724	1360	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe	regsvr32.exe
PID 1360 wrote to memory of 3724	1360	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe	regsvr32.exe
PID 1360 wrote to memory of 3724	1360	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe	regsvr32.exe
PID 3724 wrote to memory of 2884	3724	regsvr32.exe	regsvr32.exe
PID 3724 wrote to memory of 2884	3724	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{ec4f75ac-1999-4662-b536-3b49af7f85f6} = "1"	4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe

C:\Users\Admin\AppData\Local\Temp\4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe
"C:\Users\Admin\AppData\Local\Temp\4e64dde801c2725ddf48109b5b474dd62a612f9b680673284d025e19488e7b95.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1360

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\GaoSavue\DQ27OwamwShizC.x64.dll"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3724

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\GaoSavue\DQ27OwamwShizC.x64.dll"
3⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:2884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GaoSavue\DQ27OwamwShizC.dat
Filesize
4KB

MD5
6e69adcbe7498a97b806ba62133deed8

SHA1
178b8c44fe081eb2f2e7381cc1eb236482cf6932

SHA256
b66068d506295a62828569d0104bf34a3e8c200757c6589d6c03a603e0b779cd

SHA512
0e4e574758867e6aab62c3c9cfb06f47dd6c48cde82a49f3294a5add41779010daad442782e016a271a6c5e87201553214ceca915a6c4db3cd54d7e452b5760b

Download Submit
C:\Program Files (x86)\GaoSavue\DQ27OwamwShizC.dll
Filesize
611KB

MD5
23a76cebd4442a5c81b58da519eac909

SHA1
e640584aa3ce6f666098e4b3c69203e1d7484548

SHA256
426cf8cfba58e437f1add68a6e8072b773b19e1fb4cad0ee3a065ba2358d06de

SHA512
e192b47cbb2ef9f91637cb370866b2233c00c36e5fae5d72ca9da4f478a113fb65128456cd75c57134192deb6157e4c5e3379c19d448ce9364444b37660d2fbd

Download Submit
C:\Program Files (x86)\GaoSavue\DQ27OwamwShizC.tlb
Filesize
3KB

MD5
4f10ec1039aef56bdfc26e48d57461b3

SHA1
f3dedd15bab08bad8d418f2f7b892defb357670b

SHA256
98362dd931236aa92fb7ebd4dcb56986dfc8f5471d48105ab47e3b57249e2eb8

SHA512
4162289976a8eeb362bcc3f8f8f54cabdc4d4bff9e91f2bee211c748fc43e47b1a51a54b85aebcc24a79471790aa98ca81ede7a40d946cd00df601762e83f6b3

Download Submit
C:\Program Files (x86)\GaoSavue\DQ27OwamwShizC.x64.dll
Filesize
692KB

MD5
dd6c687a7bc8036ff03c493edaf43fea

SHA1
cc4258585f61d57dd465270dbb7c0d82a2021a5f

SHA256
8bb13e80a99d9631efc47771fa8ee332d880acdc4e1baaabc2ad17c16823091c

SHA512
084f49f3b7a76b23a73b2957d227c953903e270f74bf1d7405a5d68e2f716b52db7e7e156469de5425125a3a27856e2e97172279cba70a213f5ba33188cacc8c

Download Submit
C:\Program Files (x86)\GaoSavue\DQ27OwamwShizC.x64.dll
Filesize
692KB

MD5
dd6c687a7bc8036ff03c493edaf43fea

SHA1
cc4258585f61d57dd465270dbb7c0d82a2021a5f

SHA256
8bb13e80a99d9631efc47771fa8ee332d880acdc4e1baaabc2ad17c16823091c

SHA512
084f49f3b7a76b23a73b2957d227c953903e270f74bf1d7405a5d68e2f716b52db7e7e156469de5425125a3a27856e2e97172279cba70a213f5ba33188cacc8c

Download Submit
C:\Program Files (x86)\GaoSavue\DQ27OwamwShizC.x64.dll
Filesize
692KB

MD5
dd6c687a7bc8036ff03c493edaf43fea

SHA1
cc4258585f61d57dd465270dbb7c0d82a2021a5f

SHA256
8bb13e80a99d9631efc47771fa8ee332d880acdc4e1baaabc2ad17c16823091c

SHA512
084f49f3b7a76b23a73b2957d227c953903e270f74bf1d7405a5d68e2f716b52db7e7e156469de5425125a3a27856e2e97172279cba70a213f5ba33188cacc8c

Download Submit
memory/1360-132-0x0000000002CB0000-0x0000000002D51000-memory.dmp

Filesize
644KB

Download
memory/2884-141-0x0000000000000000-mapping.dmp

Download
memory/3724-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads