9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9

General

Target

9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Size

3.8MB
MD5

c62c0c091732bc1283526bde84307202
SHA1

d46869eb825bd99fd70680b1392416df3575f958
SHA256

9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9
SHA512

c519e69ca72a0968d351c779490882a7a0dc0b06c380838049b88b834660a531fe25235e1628ad4667a6222c596b108025bbc3f168a44eec0dca62d54748b29a
SSDEEP

98304:mRuq+e3PUhz9fcGut1v2v/g4aNUyZpV8SpYjx9ql0VxZ:hzhERFV8xZ

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{805a995c-878c-4cb0-92cb-6399c35661d4}\InprocServer32\ = "C:\\Program Files (x86)\\GoiSave\\XvBQtmjj5fSV6G.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{805a995c-878c-4cb0-92cb-6399c35661d4}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{805a995c-878c-4cb0-92cb-6399c35661d4}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{805a995c-878c-4cb0-92cb-6399c35661d4}\InprocServer32	regsvr32.exe

Loads dropped DLL 3 IoCs

Processes:

9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exeregsvr32.exeregsvr32.exe

pid process

1600 9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
1728 regsvr32.exe
520 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

Processes:

9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mnnkaeohkkfhjppcmkbohbfdonphdfmg\2.0\manifest.json	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\mnnkaeohkkfhjppcmkbohbfdonphdfmg\2.0\manifest.json	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\mnnkaeohkkfhjppcmkbohbfdonphdfmg\2.0\manifest.json	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exe9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{805a995c-878c-4cb0-92cb-6399c35661d4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{805a995c-878c-4cb0-92cb-6399c35661d4}	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{805a995c-878c-4cb0-92cb-6399c35661d4}\ = "GoiSave"	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{805a995c-878c-4cb0-92cb-6399c35661d4}\NoExplorer = "1"	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{805a995c-878c-4cb0-92cb-6399c35661d4}	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{805a995c-878c-4cb0-92cb-6399c35661d4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{805a995c-878c-4cb0-92cb-6399c35661d4}\ = "GoiSave"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{805a995c-878c-4cb0-92cb-6399c35661d4}\NoExplorer = "1"	regsvr32.exe

Drops file in System32 directory 4 IoCs

Processes:

9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe

Drops file in Program Files directory 8 IoCs

Processes:

9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe

description	ioc	process
File created	C:\Program Files (x86)\GoiSave\XvBQtmjj5fSV6G.x64.dll	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
File opened for modification	C:\Program Files (x86)\GoiSave\XvBQtmjj5fSV6G.x64.dll	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
File created	C:\Program Files (x86)\GoiSave\XvBQtmjj5fSV6G.dll	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
File opened for modification	C:\Program Files (x86)\GoiSave\XvBQtmjj5fSV6G.dll	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
File created	C:\Program Files (x86)\GoiSave\XvBQtmjj5fSV6G.tlb	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
File opened for modification	C:\Program Files (x86)\GoiSave\XvBQtmjj5fSV6G.tlb	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
File created	C:\Program Files (x86)\GoiSave\XvBQtmjj5fSV6G.dat	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
File opened for modification	C:\Program Files (x86)\GoiSave\XvBQtmjj5fSV6G.dat	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.exe9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{805a995c-878c-4cb0-92cb-6399c35661d4}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{805a995c-878c-4cb0-92cb-6399c35661d4}	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{805A995C-878C-4CB0-92CB-6399C35661D4}	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{805A995C-878C-4CB0-92CB-6399C35661D4}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exe9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{805A995C-878C-4CB0-92CB-6399C35661D4}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{805a995c-878c-4cb0-92cb-6399c35661d4}	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{805a995c-878c-4cb0-92cb-6399c35661d4}\InprocServer32\ = "C:\\Program Files (x86)\\GoiSave\\XvBQtmjj5fSV6G.dll"	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "GoiSave"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{805a995c-878c-4cb0-92cb-6399c35661d4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{805A995C-878C-4CB0-92CB-6399C35661D4}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{805a995c-878c-4cb0-92cb-6399c35661d4}\Programmable	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{805a995c-878c-4cb0-92cb-6399c35661d4}\InprocServer32	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{805a995c-878c-4cb0-92cb-6399c35661d4}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{805a995c-878c-4cb0-92cb-6399c35661d4}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{805a995c-878c-4cb0-92cb-6399c35661d4}\ProgID	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{805a995c-878c-4cb0-92cb-6399c35661d4}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{805a995c-878c-4cb0-92cb-6399c35661d4}\ProgID	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{805a995c-878c-4cb0-92cb-6399c35661d4}\ProgID\ = ".9"	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{805a995c-878c-4cb0-92cb-6399c35661d4}\VersionIndependentProgID	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\GoiSave\\XvBQtmjj5fSV6G.tlb"	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{805A995C-878C-4CB0-92CB-6399C35661D4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{805a995c-878c-4cb0-92cb-6399c35661d4}"	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID\ = "{805a995c-878c-4cb0-92cb-6399c35661d4}"	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{805a995c-878c-4cb0-92cb-6399c35661d4}\VersionIndependentProgID\	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\ = "GoiSave"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{805a995c-878c-4cb0-92cb-6399c35661d4}\InprocServer32\ThreadingModel = "Apartment"	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{805a995c-878c-4cb0-92cb-6399c35661d4}\Programmable	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{805a995c-878c-4cb0-92cb-6399c35661d4}	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{805a995c-878c-4cb0-92cb-6399c35661d4}\ProgID\ = ".9"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{805a995c-878c-4cb0-92cb-6399c35661d4}\ = "GoiSave"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{805a995c-878c-4cb0-92cb-6399c35661d4}\VersionIndependentProgID\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{805a995c-878c-4cb0-92cb-6399c35661d4}\InprocServer32\ = "C:\\Program Files (x86)\\GoiSave\\XvBQtmjj5fSV6G.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{805a995c-878c-4cb0-92cb-6399c35661d4}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{805a995c-878c-4cb0-92cb-6399c35661d4}\InprocServer32	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{805a995c-878c-4cb0-92cb-6399c35661d4}\VersionIndependentProgID	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe

pid	process
1600	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
1600	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exeregsvr32.exe

description	pid	process	target process
PID 1600 wrote to memory of 1728	1600	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe	regsvr32.exe
PID 1600 wrote to memory of 1728	1600	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe	regsvr32.exe
PID 1600 wrote to memory of 1728	1600	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe	regsvr32.exe
PID 1600 wrote to memory of 1728	1600	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe	regsvr32.exe
PID 1600 wrote to memory of 1728	1600	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe	regsvr32.exe
PID 1600 wrote to memory of 1728	1600	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe	regsvr32.exe
PID 1600 wrote to memory of 1728	1600	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe	regsvr32.exe
PID 1728 wrote to memory of 520	1728	regsvr32.exe	regsvr32.exe
PID 1728 wrote to memory of 520	1728	regsvr32.exe	regsvr32.exe
PID 1728 wrote to memory of 520	1728	regsvr32.exe	regsvr32.exe
PID 1728 wrote to memory of 520	1728	regsvr32.exe	regsvr32.exe
PID 1728 wrote to memory of 520	1728	regsvr32.exe	regsvr32.exe
PID 1728 wrote to memory of 520	1728	regsvr32.exe	regsvr32.exe
PID 1728 wrote to memory of 520	1728	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{805a995c-878c-4cb0-92cb-6399c35661d4} = "1"	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe

C:\Users\Admin\AppData\Local\Temp\9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe
"C:\Users\Admin\AppData\Local\Temp\9da0254ee2acabf4bc69a5e5c09bddbee65e158984dfd4989bd816d065be1fb9.exe"
1⤵
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1600

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\GoiSave\XvBQtmjj5fSV6G.x64.dll"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\GoiSave\XvBQtmjj5fSV6G.x64.dll"
3⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:520

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoiSave\XvBQtmjj5fSV6G.dat
Filesize
5KB

MD5
378952ded7fd92ee5db1e8ca691839fb

SHA1
8b56d862dbce53ff0798a1588197ef78dad30d9f

SHA256
03bdcd0a449e7b06a4257d7c3a8d132cefc70a48844a3ff43eeb1fff6aad925e

SHA512
d78ad72412ff8e48fb4a8d52e1453401c8af70d730607290e0c430c669b1eed5eaf71be5592f62e7f4452921f708382aa062c39137d6f9eb1f31d4edd2a69a54

Download Submit
C:\Program Files (x86)\GoiSave\XvBQtmjj5fSV6G.tlb
Filesize
3KB

MD5
a6a73f1a452ca95398b6dc3fd5e17164

SHA1
c9ac5a4c9f748a7d9511e354b0a7e70756150e16

SHA256
9ee94cc3fe8448ee7f2758a8a4834e220744544954cc4eac820a2392eb8a0692

SHA512
3ad4f49cb336cd559d57003be0b651996069dc1b585501f534f50ba33e2eaa456f0d876e20b77c91d03c17aa5151510535b6aa75e3591dc9188f3910d3de40a5

Download Submit
C:\Program Files (x86)\GoiSave\XvBQtmjj5fSV6G.x64.dll
Filesize
701KB

MD5
e871358a5ec05daf462f0207ac39f057

SHA1
329a89f3f034faef6de160b50661854a851671fa

SHA256
dfcb071f1af3cdef73955a74b91a4c71893d1e251a3c40b53397db6013d5581d

SHA512
9b8da63c4204c8f1846b413ee2b1040270e626bb96a0eac763bdfba5997811c38a608f033e1bdfc1a09fd124c1998c5214e572e74c3580d8f4134b705b8dfc9e

Download Submit
\Program Files (x86)\GoiSave\XvBQtmjj5fSV6G.dll
Filesize
622KB

MD5
18302eec6f8f71f505986c43101e2742

SHA1
c370c11f8722a7e31175862f532fa49dbf5ec7dc

SHA256
9a6a2bcf52012cbb3497838a8db024da0d6a07a30c0f71bd22748b24bbf631d5

SHA512
bb1a3b446ee2b4145c186b53e99ae4297e2e33159f6ae8d64b2d57d326a8f546f82d49f8a772b7dc2016722c7c0f0c00feccab4ca9005865772d9591da0b2227

Download Submit
\Program Files (x86)\GoiSave\XvBQtmjj5fSV6G.x64.dll
Filesize
701KB

MD5
e871358a5ec05daf462f0207ac39f057

SHA1
329a89f3f034faef6de160b50661854a851671fa

SHA256
dfcb071f1af3cdef73955a74b91a4c71893d1e251a3c40b53397db6013d5581d

SHA512
9b8da63c4204c8f1846b413ee2b1040270e626bb96a0eac763bdfba5997811c38a608f033e1bdfc1a09fd124c1998c5214e572e74c3580d8f4134b705b8dfc9e

Download Submit
\Program Files (x86)\GoiSave\XvBQtmjj5fSV6G.x64.dll
Filesize
701KB

MD5
e871358a5ec05daf462f0207ac39f057

SHA1
329a89f3f034faef6de160b50661854a851671fa

SHA256
dfcb071f1af3cdef73955a74b91a4c71893d1e251a3c40b53397db6013d5581d

SHA512
9b8da63c4204c8f1846b413ee2b1040270e626bb96a0eac763bdfba5997811c38a608f033e1bdfc1a09fd124c1998c5214e572e74c3580d8f4134b705b8dfc9e

Download Submit
memory/520-68-0x0000000000000000-mapping.dmp

Download
memory/520-69-0x000007FEFB781000-0x000007FEFB783000-memory.dmp

Filesize
8KB

Download
memory/1600-54-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download
memory/1600-55-0x0000000001060000-0x0000000001103000-memory.dmp

Filesize
652KB

Download
memory/1728-64-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads