38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627

General

Target

38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Size

4.1MB
MD5

bc86c3323999c7fc4ae41e87e1bdaae3
SHA1

5f35c2f05c7119702a4f71c41672e635c54e486b
SHA256

38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627
SHA512

da1774acd7af93cc1822cfd14b1f2b473314b5df2cdc4b5e3dfb6052da4acef54e9582a99267b2facf27b14933e7a3a40b3b287626201c5bcb56892dbc06d543
SSDEEP

98304:dCcdTavEvKj+lN7FtMVbAaFa4oLN2Cmm3TbiQWsKf+0gcwXysMos+JrTl2bVIQHT:dTDU+b4oIvo

Score

8^/10

adware discovery persistence stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7506ac37-4fb9-421b-be42-b9025c2b0142}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7506ac37-4fb9-421b-be42-b9025c2b0142}\InprocServer32\ = "C:\\Program Files (x86)\\GoSiave\\1EkZ44ONVlv7kF.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7506ac37-4fb9-421b-be42-b9025c2b0142}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7506ac37-4fb9-421b-be42-b9025c2b0142}\InprocServer32	regsvr32.exe

Loads dropped DLL 3 IoCs

Processes:

38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exeregsvr32.exeregsvr32.exe

pid process

1356 38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
1036 regsvr32.exe
1648 regsvr32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1356	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
1036	regsvr32.exe
1648	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exeregsvr32.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7506ac37-4fb9-421b-be42-b9025c2b0142}	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7506ac37-4fb9-421b-be42-b9025c2b0142}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7506ac37-4fb9-421b-be42-b9025c2b0142}\ = "GoSiave"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7506ac37-4fb9-421b-be42-b9025c2b0142}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7506ac37-4fb9-421b-be42-b9025c2b0142}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7506ac37-4fb9-421b-be42-b9025c2b0142}	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7506ac37-4fb9-421b-be42-b9025c2b0142}\ = "GoSiave"	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7506ac37-4fb9-421b-be42-b9025c2b0142}\NoExplorer = "1"	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe

Drops file in Program Files directory 8 IoCs

Processes:

38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe

description	ioc	process
File created	C:\Program Files (x86)\GoSiave\1EkZ44ONVlv7kF.tlb	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
File opened for modification	C:\Program Files (x86)\GoSiave\1EkZ44ONVlv7kF.tlb	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
File created	C:\Program Files (x86)\GoSiave\1EkZ44ONVlv7kF.dat	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
File opened for modification	C:\Program Files (x86)\GoSiave\1EkZ44ONVlv7kF.dat	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
File created	C:\Program Files (x86)\GoSiave\1EkZ44ONVlv7kF.x64.dll	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
File opened for modification	C:\Program Files (x86)\GoSiave\1EkZ44ONVlv7kF.x64.dll	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
File created	C:\Program Files (x86)\GoSiave\1EkZ44ONVlv7kF.dll	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
File opened for modification	C:\Program Files (x86)\GoSiave\1EkZ44ONVlv7kF.dll	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{7506ac37-4fb9-421b-be42-b9025c2b0142}	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{7506AC37-4FB9-421B-BE42-B9025C2B0142}	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{7506AC37-4FB9-421B-BE42-B9025C2B0142}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{7506ac37-4fb9-421b-be42-b9025c2b0142}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe

Modifies registry class 64 IoCs

Processes:

38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{7506ac37-4fb9-421b-be42-b9025c2b0142}"	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7506ac37-4fb9-421b-be42-b9025c2b0142}\InprocServer32	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7506ac37-4fb9-421b-be42-b9025c2b0142}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7506ac37-4fb9-421b-be42-b9025c2b0142}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7506ac37-4fb9-421b-be42-b9025c2b0142}\VersionIndependentProgID\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7506ac37-4fb9-421b-be42-b9025c2b0142}	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7506ac37-4fb9-421b-be42-b9025c2b0142}\ProgID\ = ".9"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7506ac37-4fb9-421b-be42-b9025c2b0142}\VersionIndependentProgID	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\ = "GoSiave"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "GoSiave"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7506AC37-4FB9-421B-BE42-B9025C2B0142}\Implemented Categories	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\GoSiave\\1EkZ44ONVlv7kF.tlb"	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7506ac37-4fb9-421b-be42-b9025c2b0142}\InprocServer32\ = "C:\\Program Files (x86)\\GoSiave\\1EkZ44ONVlv7kF.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7506ac37-4fb9-421b-be42-b9025c2b0142}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7506ac37-4fb9-421b-be42-b9025c2b0142}\ = "GoSiave"	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7506ac37-4fb9-421b-be42-b9025c2b0142}	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\GoSiave"	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7506ac37-4fb9-421b-be42-b9025c2b0142}\ProgID	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7506ac37-4fb9-421b-be42-b9025c2b0142}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7506AC37-4FB9-421B-BE42-B9025C2B0142}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7506ac37-4fb9-421b-be42-b9025c2b0142}\VersionIndependentProgID	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7506ac37-4fb9-421b-be42-b9025c2b0142}\Programmable	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7506AC37-4FB9-421B-BE42-B9025C2B0142}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\..9	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7506ac37-4fb9-421b-be42-b9025c2b0142}\Programmable	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7506ac37-4fb9-421b-be42-b9025c2b0142}\ProgID\ = ".9"	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7506ac37-4fb9-421b-be42-b9025c2b0142}\VersionIndependentProgID\	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7506ac37-4fb9-421b-be42-b9025c2b0142}\InprocServer32\ = "C:\\Program Files (x86)\\GoSiave\\1EkZ44ONVlv7kF.dll"	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7506ac37-4fb9-421b-be42-b9025c2b0142}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7506AC37-4FB9-421B-BE42-B9025C2B0142}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "GoSiave"	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7506ac37-4fb9-421b-be42-b9025c2b0142}\InprocServer32	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7506ac37-4fb9-421b-be42-b9025c2b0142}\InprocServer32	regsvr32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exeregsvr32.exe

description	pid	process	target process
PID 1356 wrote to memory of 1036	1356	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe	regsvr32.exe
PID 1356 wrote to memory of 1036	1356	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe	regsvr32.exe
PID 1356 wrote to memory of 1036	1356	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe	regsvr32.exe
PID 1356 wrote to memory of 1036	1356	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe	regsvr32.exe
PID 1356 wrote to memory of 1036	1356	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe	regsvr32.exe
PID 1356 wrote to memory of 1036	1356	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe	regsvr32.exe
PID 1356 wrote to memory of 1036	1356	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe	regsvr32.exe
PID 1036 wrote to memory of 1648	1036	regsvr32.exe	regsvr32.exe
PID 1036 wrote to memory of 1648	1036	regsvr32.exe	regsvr32.exe
PID 1036 wrote to memory of 1648	1036	regsvr32.exe	regsvr32.exe
PID 1036 wrote to memory of 1648	1036	regsvr32.exe	regsvr32.exe
PID 1036 wrote to memory of 1648	1036	regsvr32.exe	regsvr32.exe
PID 1036 wrote to memory of 1648	1036	regsvr32.exe	regsvr32.exe
PID 1036 wrote to memory of 1648	1036	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{7506ac37-4fb9-421b-be42-b9025c2b0142} = "1"	38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe

C:\Users\Admin\AppData\Local\Temp\38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe
"C:\Users\Admin\AppData\Local\Temp\38e53b000a39d89f2e9196415766d046c056080557b3d1b3d43f10afb09ec627.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1356

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\GoSiave\1EkZ44ONVlv7kF.x64.dll"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1036

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\GoSiave\1EkZ44ONVlv7kF.x64.dll"
3⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:1648

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoSiave\1EkZ44ONVlv7kF.dat
Filesize
3KB

MD5
af4ab9268e825238c7f916b96aec779a

SHA1
c251368cbcddfd9add0646a9ec2d8f372d21bd72

SHA256
825834a34592f5c370c5258009a1e3661234253074c794f657e41d6f2018b488

SHA512
24e42d7ea9e7b83e4f16c198d1f43ea6e3ab41a1c27ee3350f602b370890d2975b6eee7fa2a7c2b83d389e7e3b6fea8759b44987da1918747bebf2f7ceceac76

Download Submit
C:\Program Files (x86)\GoSiave\1EkZ44ONVlv7kF.tlb
Filesize
3KB

MD5
115d6d22fe2278653b9b429687bc4cdc

SHA1
0098ed796e103cd85780a48c00c65942010187fc

SHA256
55cdbc42ce94a3e3115a4c53fff47473525ed9af69ae774bbbd78a83ab60c9f3

SHA512
ba72fde0fba9c78d03da94d50e77fcd2469c9f6242ad2a475cc67f2f76742f1435af105d4c2c5353bb3f1083a423d702f461b0fe63e63edc774f4c6aada19bd6

Download Submit
C:\Program Files (x86)\GoSiave\1EkZ44ONVlv7kF.x64.dll
Filesize
695KB

MD5
fb4a23e7f4ef5c4cdaa5a87ed0eff861

SHA1
f1fb97557ccc7c54dec798931f59bf0085e40fa2

SHA256
b64a38d8fa5b1be931e49e53f5c0ec1a5c1d47f17cd33484bde4cd05b3f8a1d4

SHA512
42bd11ca1dc2ad2da4500e6fbf1ecaac739f530e63362fdee01b5bb2f4e44ed4da78db9799ba5e2bb9ac79ef4b64b5be683aa6fdf20bca0660f9031c8dc0c127

Download Submit
\Program Files (x86)\GoSiave\1EkZ44ONVlv7kF.dll
Filesize
615KB

MD5
1eaa91e0947d30dd98e8fef4de5511c0

SHA1
100957224870c455f723a3023485c1367e778428

SHA256
770877c5eeb92ae93fc752e2648bf63811f9d33b322c7b24a25d12f881ff343c

SHA512
a1263ed470cb4b07ccda33d7220315810dc21d6d79a629ced6e07e2f61c9b6706dc8a58765d18eac91d2184e3ab0a2f2e84148e16e7426b7fa68b6315f1d2a3d

Download Submit
\Program Files (x86)\GoSiave\1EkZ44ONVlv7kF.x64.dll
Filesize
695KB

MD5
fb4a23e7f4ef5c4cdaa5a87ed0eff861

SHA1
f1fb97557ccc7c54dec798931f59bf0085e40fa2

SHA256
b64a38d8fa5b1be931e49e53f5c0ec1a5c1d47f17cd33484bde4cd05b3f8a1d4

SHA512
42bd11ca1dc2ad2da4500e6fbf1ecaac739f530e63362fdee01b5bb2f4e44ed4da78db9799ba5e2bb9ac79ef4b64b5be683aa6fdf20bca0660f9031c8dc0c127

Download Submit
\Program Files (x86)\GoSiave\1EkZ44ONVlv7kF.x64.dll
Filesize
695KB

MD5
fb4a23e7f4ef5c4cdaa5a87ed0eff861

SHA1
f1fb97557ccc7c54dec798931f59bf0085e40fa2

SHA256
b64a38d8fa5b1be931e49e53f5c0ec1a5c1d47f17cd33484bde4cd05b3f8a1d4

SHA512
42bd11ca1dc2ad2da4500e6fbf1ecaac739f530e63362fdee01b5bb2f4e44ed4da78db9799ba5e2bb9ac79ef4b64b5be683aa6fdf20bca0660f9031c8dc0c127

Download Submit
memory/1036-61-0x0000000000000000-mapping.dmp

Download
memory/1356-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1356-55-0x0000000002A00000-0x0000000002AA1000-memory.dmp

Filesize
644KB

Download
memory/1648-65-0x0000000000000000-mapping.dmp

Download
memory/1648-66-0x000007FEFB9C1000-0x000007FEFB9C3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads