004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e

General

Target

004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Size

4.2MB
MD5

84acffe0945fa6405e5b8ae78fa897ad
SHA1

7bd08714e73575508960250637a375a8f96e91ca
SHA256

004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e
SHA512

9770015bdf1c550b27d726de2b285496c36ea7ab2fbebb9b9262baecfdf93be563ae50e93af1221724db46bc71c27926679d003314dcc0d5d21d74d0a12e81d8
SSDEEP

49152:PBcOGkGzvk5f5lvJhw+NCkstpMlWzZSoi6yvWMpjL6HidrTYx6S/+h1Zz34IJB6K:+cRJhGwO2R6Hi5Te/k12HP

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00232C34-19E8-4D43-BAA3-9A54A3BC26D3}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00232C34-19E8-4D43-BAA3-9A54A3BC26D3}\InprocServer32\ = "C:\\Program Files (x86)\\GoSave\\YwoAU00r.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00232C34-19E8-4D43-BAA3-9A54A3BC26D3}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00232C34-19E8-4D43-BAA3-9A54A3BC26D3}\InprocServer32	regsvr32.exe

Loads dropped DLL 3 IoCs

Processes:

004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exeregsvr32.exeregsvr32.exe

pid process

364 004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
1256 regsvr32.exe
1936 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

Processes:

004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe

description	ioc	process
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoblkfkkcjgacngnfjhnlegggkfijemf\2.0\manifest.json	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoblkfkkcjgacngnfjhnlegggkfijemf\2.0\manifest.json	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoblkfkkcjgacngnfjhnlegggkfijemf\2.0\manifest.json	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exe004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00232C34-19E8-4D43-BAA3-9A54A3BC26D3}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00232C34-19E8-4D43-BAA3-9A54A3BC26D3}\ = "GoSave"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00232C34-19E8-4D43-BAA3-9A54A3BC26D3}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00232C34-19E8-4D43-BAA3-9A54A3BC26D3}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{00232C34-19E8-4D43-BAA3-9A54A3BC26D3}	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{00232C34-19E8-4D43-BAA3-9A54A3BC26D3}\ = "GoSave"	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{00232C34-19E8-4D43-BAA3-9A54A3BC26D3}\NoExplorer = "1"	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{00232C34-19E8-4D43-BAA3-9A54A3BC26D3}	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe

Drops file in System32 directory 4 IoCs

Processes:

004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe

description	ioc	process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
File opened for modification	C:\Windows\System32\GroupPolicy	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe

Drops file in Program Files directory 8 IoCs

Processes:

004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe

description	ioc	process
File created	C:\Program Files (x86)\GoSave\YwoAU00r.tlb	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
File opened for modification	C:\Program Files (x86)\GoSave\YwoAU00r.tlb	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
File created	C:\Program Files (x86)\GoSave\YwoAU00r.dat	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
File opened for modification	C:\Program Files (x86)\GoSave\YwoAU00r.dat	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
File created	C:\Program Files (x86)\GoSave\YwoAU00r.x64.dll	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
File opened for modification	C:\Program Files (x86)\GoSave\YwoAU00r.x64.dll	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
File created	C:\Program Files (x86)\GoSave\YwoAU00r.dll	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
File opened for modification	C:\Program Files (x86)\GoSave\YwoAU00r.dll	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.exe004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{00232C34-19E8-4D43-BAA3-9A54A3BC26D3}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{00232C34-19E8-4D43-BAA3-9A54A3BC26D3}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{00232C34-19E8-4D43-BAA3-9A54A3BC26D3}	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Key deleted	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{00232C34-19E8-4D43-BAA3-9A54A3BC26D3}	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Key deleted	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe

Modifies registry class 64 IoCs

Processes:

004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00232C34-19E8-4D43-BAA3-9A54A3BC26D3}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00232C34-19E8-4D43-BAA3-9A54A3BC26D3}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GoSaaVee.GoSaaVee\CLSID	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00232C34-19E8-4D43-BAA3-9A54A3BC26D3}\ = "GoSave"	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00232C34-19E8-4D43-BAA3-9A54A3BC26D3}\Implemented Categories	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00232C34-19E8-4D43-BAA3-9A54A3BC26D3}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GoSaaVee.GoSaaVee.2.0\CLSID	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00232C34-19E8-4D43-BAA3-9A54A3BC26D3}\ProgID	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GoSaaVee.GoSaaVee.2.0	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GoSaaVee.GoSaaVee\CurVer	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00232C34-19E8-4D43-BAA3-9A54A3BC26D3}\Programmable	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoSaaVee.GoSaaVee\CLSID\ = "{00232C34-19E8-4D43-BAA3-9A54A3BC26D3}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00232C34-19E8-4D43-BAA3-9A54A3BC26D3}\InprocServer32\ = "C:\\Program Files (x86)\\GoSave\\YwoAU00r.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoSaaVee.GoSaaVee.2.0\ = "GoSave"	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00232C34-19E8-4D43-BAA3-9A54A3BC26D3}\ProgID	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\GoSave"	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00232C34-19E8-4D43-BAA3-9A54A3BC26D3}\ProgID\ = "GoSaaVee.2.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoSaaVee.GoSaaVee\CLSID\ = "{00232C34-19E8-4D43-BAA3-9A54A3BC26D3}"	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00232C34-19E8-4D43-BAA3-9A54A3BC26D3}\InprocServer32	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoSaaVee.GoSaaVee.2.0\ = "GoSave"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00232C34-19E8-4D43-BAA3-9A54A3BC26D3}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00232C34-19E8-4D43-BAA3-9A54A3BC26D3}	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00232C34-19E8-4D43-BAA3-9A54A3BC26D3}\InprocServer32\ThreadingModel = "Apartment"	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00232C34-19E8-4D43-BAA3-9A54A3BC26D3}	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00232C34-19E8-4D43-BAA3-9A54A3BC26D3}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoSaaVee.GoSaaVee.2.0\CLSID\ = "{00232C34-19E8-4D43-BAA3-9A54A3BC26D3}"	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00232C34-19E8-4D43-BAA3-9A54A3BC26D3}\Programmable	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00232C34-19E8-4D43-BAA3-9A54A3BC26D3}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoSaaVee.GoSaaVee.2.0\CLSID\ = "{00232C34-19E8-4D43-BAA3-9A54A3BC26D3}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00232C34-19E8-4D43-BAA3-9A54A3BC26D3}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00232C34-19E8-4D43-BAA3-9A54A3BC26D3}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoSaaVee.GoSaaVee\CurVer\ = "GoSaaVee.2.0"	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00232C34-19E8-4D43-BAA3-9A54A3BC26D3}\VersionIndependentProgID	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00232C34-19E8-4D43-BAA3-9A54A3BC26D3}\InprocServer32	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe

pid	process
364	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
364	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
364	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exeregsvr32.exe

description	pid	process	target process
PID 364 wrote to memory of 1256	364	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe	regsvr32.exe
PID 364 wrote to memory of 1256	364	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe	regsvr32.exe
PID 364 wrote to memory of 1256	364	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe	regsvr32.exe
PID 364 wrote to memory of 1256	364	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe	regsvr32.exe
PID 364 wrote to memory of 1256	364	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe	regsvr32.exe
PID 364 wrote to memory of 1256	364	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe	regsvr32.exe
PID 364 wrote to memory of 1256	364	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe	regsvr32.exe
PID 1256 wrote to memory of 1936	1256	regsvr32.exe	regsvr32.exe
PID 1256 wrote to memory of 1936	1256	regsvr32.exe	regsvr32.exe
PID 1256 wrote to memory of 1936	1256	regsvr32.exe	regsvr32.exe
PID 1256 wrote to memory of 1936	1256	regsvr32.exe	regsvr32.exe
PID 1256 wrote to memory of 1936	1256	regsvr32.exe	regsvr32.exe
PID 1256 wrote to memory of 1936	1256	regsvr32.exe	regsvr32.exe
PID 1256 wrote to memory of 1936	1256	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{00232C34-19E8-4D43-BAA3-9A54A3BC26D3} = "1"	004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe

C:\Users\Admin\AppData\Local\Temp\004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe
"C:\Users\Admin\AppData\Local\Temp\004c546b06529ed7eb56ead01076c934be41eee6cc5b4b071a2573c60f32883e.exe"
1⤵
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:364

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\GoSave\YwoAU00r.x64.dll"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\GoSave\YwoAU00r.x64.dll"
3⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:1936

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoSave\YwoAU00r.dat
Filesize
4KB

MD5
6f5c83e533d1727a64b30ebe2a2abe2b

SHA1
b4fd87b6b2d8a5b6ecf797ca820c967c07f34922

SHA256
4fb543944c581fbe699b2f1f60cf1f73660e33c86483a462fbce32be34a02751

SHA512
674e15b271c90f578425a086b1bebee0ee9fdb1d05d6ca682af285a57bce36822ce08967728e99f4ce6d8617bcdca8e290178300318677aa71de17c96fdd95d7

Download Submit
C:\Program Files (x86)\GoSave\YwoAU00r.tlb
Filesize
3KB

MD5
574ddcb724f3fab6a03b853ef3dc3f44

SHA1
8a997deadbc10060190233c0de3ee64f4f9a3953

SHA256
f9d636396c3198c52a22f13eed47bc67b700d88aea8b6642bc697b3564659884

SHA512
14ba09a06c93f88f463ac386f5d259d8ac291a25c06bef67e230e0a05d24f1f9aedbd81ee47117895a795d1bf06372c7397d4f48997942a1c153b8fa5e974afc

Download Submit
C:\Program Files (x86)\GoSave\YwoAU00r.x64.dll
Filesize
702KB

MD5
a429a08f10780e89abc026ed484d87e3

SHA1
58617bc16204037d834fb6c196f1b2b52758af97

SHA256
f6e2ff66a565e8d536779431a9a53754c48d2bd9ea5db36a1e24a394e7498fe8

SHA512
eda7d445d369d39db2f65ffdb25b8d01d09cc39c4f80c20d96352e1cf4b565c364c02cd2a6b6f2a212fa19a3b997966be911adaf7c36007e5dbd2991157261b3

Download Submit
\Program Files (x86)\GoSave\YwoAU00r.dll
Filesize
626KB

MD5
2e9a1a1b8f6efeb0b77605db4cb85deb

SHA1
84b3c6984ba0e9d91932c5c95ca8342f3000dde1

SHA256
ddef11259a498b2a878a262c11ead94d6c23d8c0d73d404f52c68c4607d4cfd8

SHA512
ab469f4daecb517f054ec3c81ba384ba3f4e7309bf0f3e88d1c978700326b488c3d552b39ede3e4c79ec265b7f235bc74f9d533b7c602d72f4ee27ea437b7180

Download Submit
\Program Files (x86)\GoSave\YwoAU00r.x64.dll
Filesize
702KB

MD5
a429a08f10780e89abc026ed484d87e3

SHA1
58617bc16204037d834fb6c196f1b2b52758af97

SHA256
f6e2ff66a565e8d536779431a9a53754c48d2bd9ea5db36a1e24a394e7498fe8

SHA512
eda7d445d369d39db2f65ffdb25b8d01d09cc39c4f80c20d96352e1cf4b565c364c02cd2a6b6f2a212fa19a3b997966be911adaf7c36007e5dbd2991157261b3

Download Submit
\Program Files (x86)\GoSave\YwoAU00r.x64.dll
Filesize
702KB

MD5
a429a08f10780e89abc026ed484d87e3

SHA1
58617bc16204037d834fb6c196f1b2b52758af97

SHA256
f6e2ff66a565e8d536779431a9a53754c48d2bd9ea5db36a1e24a394e7498fe8

SHA512
eda7d445d369d39db2f65ffdb25b8d01d09cc39c4f80c20d96352e1cf4b565c364c02cd2a6b6f2a212fa19a3b997966be911adaf7c36007e5dbd2991157261b3

Download Submit
memory/364-54-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/364-55-0x00000000009C0000-0x0000000000A62000-memory.dmp

Filesize
648KB

Download
memory/1256-61-0x0000000000000000-mapping.dmp

Download
memory/1936-65-0x0000000000000000-mapping.dmp

Download
memory/1936-66-0x000007FEFBD91000-0x000007FEFBD93000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads