467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea

General

Target

467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Size

3.8MB
MD5

b916286a7d10c0f991429563d7d1b06c
SHA1

67f3ae2e0798cf6551ba7fa7b3a16ddb45c0115e
SHA256

467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea
SHA512

d76f91053777b7d6e07561c5c70c15fe94628c7d9a139c15d1e39c25c8fe61299bea196a715094cfba1856dd505001746c23a3f64f45a5b57f7ece25dd2e4045
SSDEEP

98304:XH7yls78W9+aK5BkAOvO9HZefjS8/UFtiJ5J:XH7yls7tA3pZefj1

Score

8^/10

adware discovery persistence stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f9df49dc-0bd6-4a60-8cb3-156f80bf3152}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f9df49dc-0bd6-4a60-8cb3-156f80bf3152}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f9df49dc-0bd6-4a60-8cb3-156f80bf3152}\InprocServer32\ = "C:\\Program Files (x86)\\GaoSAvea\\0JqO2WTtgbDGHf.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f9df49dc-0bd6-4a60-8cb3-156f80bf3152}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Loads dropped DLL 3 IoCs

Processes:

467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exeregsvr32.exeregsvr32.exe

pid process

4624 467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
204 regsvr32.exe
4736 regsvr32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
4624	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
204	regsvr32.exe
4736	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exe467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f9df49dc-0bd6-4a60-8cb3-156f80bf3152}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f9df49dc-0bd6-4a60-8cb3-156f80bf3152}\ = "GaoSAvea"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f9df49dc-0bd6-4a60-8cb3-156f80bf3152}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f9df49dc-0bd6-4a60-8cb3-156f80bf3152}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f9df49dc-0bd6-4a60-8cb3-156f80bf3152}	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f9df49dc-0bd6-4a60-8cb3-156f80bf3152}\ = "GaoSAvea"	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f9df49dc-0bd6-4a60-8cb3-156f80bf3152}\NoExplorer = "1"	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f9df49dc-0bd6-4a60-8cb3-156f80bf3152}	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe

Drops file in Program Files directory 8 IoCs

Processes:

467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\GaoSAvea\0JqO2WTtgbDGHf.x64.dll	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
File created	C:\Program Files (x86)\GaoSAvea\0JqO2WTtgbDGHf.dll	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
File opened for modification	C:\Program Files (x86)\GaoSAvea\0JqO2WTtgbDGHf.dll	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
File created	C:\Program Files (x86)\GaoSAvea\0JqO2WTtgbDGHf.tlb	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
File opened for modification	C:\Program Files (x86)\GaoSAvea\0JqO2WTtgbDGHf.tlb	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
File created	C:\Program Files (x86)\GaoSAvea\0JqO2WTtgbDGHf.dat	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
File opened for modification	C:\Program Files (x86)\GaoSAvea\0JqO2WTtgbDGHf.dat	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
File created	C:\Program Files (x86)\GaoSAvea\0JqO2WTtgbDGHf.x64.dll	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exeregsvr32.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{F9DF49DC-0BD6-4A60-8CB3-156F80BF3152}	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVEDEXTENSIONSMIGRATION\{F9DF49DC-0BD6-4A60-8CB3-156F80BF3152}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{f9df49dc-0bd6-4a60-8cb3-156f80bf3152}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{f9df49dc-0bd6-4a60-8cb3-156f80bf3152}	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe

Modifies registry class 64 IoCs

Processes:

467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f9df49dc-0bd6-4a60-8cb3-156f80bf3152}\VersionIndependentProgID	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f9df49dc-0bd6-4a60-8cb3-156f80bf3152}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID\ = "{f9df49dc-0bd6-4a60-8cb3-156f80bf3152}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f9df49dc-0bd6-4a60-8cb3-156f80bf3152}\ProgID	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9DF49DC-0BD6-4A60-8CB3-156F80BF3152}	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{f9df49dc-0bd6-4a60-8cb3-156f80bf3152}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "GaoSAvea"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\GaoSAvea\\0JqO2WTtgbDGHf.tlb"	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f9df49dc-0bd6-4a60-8cb3-156f80bf3152}\ProgID\ = ".9"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f9df49dc-0bd6-4a60-8cb3-156f80bf3152}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\ = "GaoSAvea"	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "GaoSAvea"	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F9DF49DC-0BD6-4A60-8CB3-156F80BF3152}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f9df49dc-0bd6-4a60-8cb3-156f80bf3152}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f9df49dc-0bd6-4a60-8cb3-156f80bf3152}	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{f9df49dc-0bd6-4a60-8cb3-156f80bf3152}"	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f9df49dc-0bd6-4a60-8cb3-156f80bf3152}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f9df49dc-0bd6-4a60-8cb3-156f80bf3152}\InprocServer32\ = "C:\\Program Files (x86)\\GaoSAvea\\0JqO2WTtgbDGHf.x64.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f9df49dc-0bd6-4a60-8cb3-156f80bf3152}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\..9	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f9df49dc-0bd6-4a60-8cb3-156f80bf3152}\ProgID\ = ".9"	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f9df49dc-0bd6-4a60-8cb3-156f80bf3152}\ = "GaoSAvea"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f9df49dc-0bd6-4a60-8cb3-156f80bf3152}\InprocServer32	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f9df49dc-0bd6-4a60-8cb3-156f80bf3152}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f9df49dc-0bd6-4a60-8cb3-156f80bf3152}\ = "GaoSAvea"	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f9df49dc-0bd6-4a60-8cb3-156f80bf3152}\Programmable	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f9df49dc-0bd6-4a60-8cb3-156f80bf3152}\VersionIndependentProgID	regsvr32.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exeregsvr32.exe

description	pid	process	target process
PID 4624 wrote to memory of 204	4624	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe	regsvr32.exe
PID 4624 wrote to memory of 204	4624	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe	regsvr32.exe
PID 4624 wrote to memory of 204	4624	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe	regsvr32.exe
PID 204 wrote to memory of 4736	204	regsvr32.exe	regsvr32.exe
PID 204 wrote to memory of 4736	204	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{f9df49dc-0bd6-4a60-8cb3-156f80bf3152} = "1"	467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe

C:\Users\Admin\AppData\Local\Temp\467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe
"C:\Users\Admin\AppData\Local\Temp\467d7ca0ee0a19f60665e9709a3c4a0475dd6dbd49deebfa4ed8ca7fe5f320ea.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4624

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\GaoSAvea\0JqO2WTtgbDGHf.x64.dll"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:204

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\GaoSAvea\0JqO2WTtgbDGHf.x64.dll"
3⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:4736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GaoSAvea\0JqO2WTtgbDGHf.dat
Filesize
3KB

MD5
2d8d8f87b270ed9fe233718ea2f96c33

SHA1
f387dc4fbf9347940c75b89583bece87ebac1da0

SHA256
6f58208c106cbdcb09fa05bc2cbbf7f63e96f373601452ccb3c78b0582741290

SHA512
6261ef7f58a9f565584fa9cc036977f3f3701535fca39c7d4b9d91aa77fa76cd29c2b3f4a37ae168375217e7effef84143d489c58454778f3bc7c68346cc4351

Download Submit
C:\Program Files (x86)\GaoSAvea\0JqO2WTtgbDGHf.dll
Filesize
611KB

MD5
23a76cebd4442a5c81b58da519eac909

SHA1
e640584aa3ce6f666098e4b3c69203e1d7484548

SHA256
426cf8cfba58e437f1add68a6e8072b773b19e1fb4cad0ee3a065ba2358d06de

SHA512
e192b47cbb2ef9f91637cb370866b2233c00c36e5fae5d72ca9da4f478a113fb65128456cd75c57134192deb6157e4c5e3379c19d448ce9364444b37660d2fbd

Download Submit
C:\Program Files (x86)\GaoSAvea\0JqO2WTtgbDGHf.tlb
Filesize
3KB

MD5
4f10ec1039aef56bdfc26e48d57461b3

SHA1
f3dedd15bab08bad8d418f2f7b892defb357670b

SHA256
98362dd931236aa92fb7ebd4dcb56986dfc8f5471d48105ab47e3b57249e2eb8

SHA512
4162289976a8eeb362bcc3f8f8f54cabdc4d4bff9e91f2bee211c748fc43e47b1a51a54b85aebcc24a79471790aa98ca81ede7a40d946cd00df601762e83f6b3

Download Submit
C:\Program Files (x86)\GaoSAvea\0JqO2WTtgbDGHf.x64.dll
Filesize
692KB

MD5
dd6c687a7bc8036ff03c493edaf43fea

SHA1
cc4258585f61d57dd465270dbb7c0d82a2021a5f

SHA256
8bb13e80a99d9631efc47771fa8ee332d880acdc4e1baaabc2ad17c16823091c

SHA512
084f49f3b7a76b23a73b2957d227c953903e270f74bf1d7405a5d68e2f716b52db7e7e156469de5425125a3a27856e2e97172279cba70a213f5ba33188cacc8c

Download Submit
C:\Program Files (x86)\GaoSAvea\0JqO2WTtgbDGHf.x64.dll
Filesize
692KB

MD5
dd6c687a7bc8036ff03c493edaf43fea

SHA1
cc4258585f61d57dd465270dbb7c0d82a2021a5f

SHA256
8bb13e80a99d9631efc47771fa8ee332d880acdc4e1baaabc2ad17c16823091c

SHA512
084f49f3b7a76b23a73b2957d227c953903e270f74bf1d7405a5d68e2f716b52db7e7e156469de5425125a3a27856e2e97172279cba70a213f5ba33188cacc8c

Download Submit
C:\Program Files (x86)\GaoSAvea\0JqO2WTtgbDGHf.x64.dll
Filesize
692KB

MD5
dd6c687a7bc8036ff03c493edaf43fea

SHA1
cc4258585f61d57dd465270dbb7c0d82a2021a5f

SHA256
8bb13e80a99d9631efc47771fa8ee332d880acdc4e1baaabc2ad17c16823091c

SHA512
084f49f3b7a76b23a73b2957d227c953903e270f74bf1d7405a5d68e2f716b52db7e7e156469de5425125a3a27856e2e97172279cba70a213f5ba33188cacc8c

Download Submit
memory/204-138-0x0000000000000000-mapping.dmp

Download
memory/4624-132-0x0000000003970000-0x0000000003A11000-memory.dmp

Filesize
644KB

Download
memory/4736-141-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads