19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b

General

Target

19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Size

3.8MB
MD5

da1ad20f044065794ba34bdf308dec45
SHA1

f0408b43e082a0b0180f15899b6a721149ae7830
SHA256

19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b
SHA512

a017022671cb68ed1a5a5fe145e496e48f95a55009a3238023044c9b8d8cef2cab3126fd869547a8e2dd846cd2b174ccc2ca8d8ae60a8d10c369d298b60f0ef9
SSDEEP

98304:onWFymrPdw8pdIrf+rfnnTPv5BSCiG312v/g4aNUyZpV8SpYjx9ql7Y6qZe1xt7P:aOw1cF5FVtYF0xt7P

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4ef877a7-1ef5-4c31-b643-c5708036650b}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4ef877a7-1ef5-4c31-b643-c5708036650b}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4ef877a7-1ef5-4c31-b643-c5708036650b}\InprocServer32\ = "C:\\Program Files (x86)\\GoSaVe\\wpPeQDVtZN5LRm.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4ef877a7-1ef5-4c31-b643-c5708036650b}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Loads dropped DLL 3 IoCs

Processes:

19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exeregsvr32.exeregsvr32.exe

pid process

1356 19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
1000 regsvr32.exe
568 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

Processes:

19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\iodejjdnkchjcanlpklpnjfcnpbhomld\2.0\manifest.json	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\iodejjdnkchjcanlpklpnjfcnpbhomld\2.0\manifest.json	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\iodejjdnkchjcanlpklpnjfcnpbhomld\2.0\manifest.json	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exe19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4ef877a7-1ef5-4c31-b643-c5708036650b}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4ef877a7-1ef5-4c31-b643-c5708036650b}\ = "GoSaVe"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4ef877a7-1ef5-4c31-b643-c5708036650b}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4ef877a7-1ef5-4c31-b643-c5708036650b}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4ef877a7-1ef5-4c31-b643-c5708036650b}	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4ef877a7-1ef5-4c31-b643-c5708036650b}\ = "GoSaVe"	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4ef877a7-1ef5-4c31-b643-c5708036650b}\NoExplorer = "1"	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4ef877a7-1ef5-4c31-b643-c5708036650b}	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe

Drops file in System32 directory 4 IoCs

Processes:

19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe

description	ioc	process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
File opened for modification	C:\Windows\System32\GroupPolicy	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe

Drops file in Program Files directory 8 IoCs

Processes:

19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe

description	ioc	process
File created	C:\Program Files (x86)\GoSaVe\wpPeQDVtZN5LRm.dat	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
File opened for modification	C:\Program Files (x86)\GoSaVe\wpPeQDVtZN5LRm.dat	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
File created	C:\Program Files (x86)\GoSaVe\wpPeQDVtZN5LRm.x64.dll	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
File opened for modification	C:\Program Files (x86)\GoSaVe\wpPeQDVtZN5LRm.x64.dll	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
File created	C:\Program Files (x86)\GoSaVe\wpPeQDVtZN5LRm.dll	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
File opened for modification	C:\Program Files (x86)\GoSaVe\wpPeQDVtZN5LRm.dll	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
File created	C:\Program Files (x86)\GoSaVe\wpPeQDVtZN5LRm.tlb	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
File opened for modification	C:\Program Files (x86)\GoSaVe\wpPeQDVtZN5LRm.tlb	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{4ef877a7-1ef5-4c31-b643-c5708036650b}	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{4EF877A7-1EF5-4C31-B643-C5708036650B}	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{4EF877A7-1EF5-4C31-B643-C5708036650B}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{4ef877a7-1ef5-4c31-b643-c5708036650b}	regsvr32.exe

Modifies registry class 64 IoCs

Processes:

19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\ = "GoSaVe"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4ef877a7-1ef5-4c31-b643-c5708036650b}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{4ef877a7-1ef5-4c31-b643-c5708036650b}"	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4ef877a7-1ef5-4c31-b643-c5708036650b}	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\..9	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "GoSaVe"	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4ef877a7-1ef5-4c31-b643-c5708036650b}\InprocServer32\ = "C:\\Program Files (x86)\\GoSaVe\\wpPeQDVtZN5LRm.dll"	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4ef877a7-1ef5-4c31-b643-c5708036650b}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "GoSaVe"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4ef877a7-1ef5-4c31-b643-c5708036650b}\ = "GoSaVe"	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4ef877a7-1ef5-4c31-b643-c5708036650b}\ProgID	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4ef877a7-1ef5-4c31-b643-c5708036650b}\VersionIndependentProgID	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4ef877a7-1ef5-4c31-b643-c5708036650b}\InprocServer32	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4EF877A7-1EF5-4C31-B643-C5708036650B}\Implemented Categories	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4EF877A7-1EF5-4C31-B643-C5708036650B}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4ef877a7-1ef5-4c31-b643-c5708036650b}\ = "GoSaVe"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4ef877a7-1ef5-4c31-b643-c5708036650b}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4EF877A7-1EF5-4C31-B643-C5708036650B}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4ef877a7-1ef5-4c31-b643-c5708036650b}\ProgID	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4ef877a7-1ef5-4c31-b643-c5708036650b}\VersionIndependentProgID\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4ef877a7-1ef5-4c31-b643-c5708036650b}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID\ = "{4ef877a7-1ef5-4c31-b643-c5708036650b}"	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\GoSaVe"	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID\ = "{4ef877a7-1ef5-4c31-b643-c5708036650b}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\ = "GoSaVe"	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4ef877a7-1ef5-4c31-b643-c5708036650b}\Programmable	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4ef877a7-1ef5-4c31-b643-c5708036650b}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4ef877a7-1ef5-4c31-b643-c5708036650b}\InprocServer32\ = "C:\\Program Files (x86)\\GoSaVe\\wpPeQDVtZN5LRm.x64.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4ef877a7-1ef5-4c31-b643-c5708036650b}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4EF877A7-1EF5-4C31-B643-C5708036650B}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe

pid	process
1356	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
1356	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exeregsvr32.exe

description	pid	process	target process
PID 1356 wrote to memory of 1000	1356	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe	regsvr32.exe
PID 1356 wrote to memory of 1000	1356	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe	regsvr32.exe
PID 1356 wrote to memory of 1000	1356	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe	regsvr32.exe
PID 1356 wrote to memory of 1000	1356	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe	regsvr32.exe
PID 1356 wrote to memory of 1000	1356	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe	regsvr32.exe
PID 1356 wrote to memory of 1000	1356	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe	regsvr32.exe
PID 1356 wrote to memory of 1000	1356	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe	regsvr32.exe
PID 1000 wrote to memory of 568	1000	regsvr32.exe	regsvr32.exe
PID 1000 wrote to memory of 568	1000	regsvr32.exe	regsvr32.exe
PID 1000 wrote to memory of 568	1000	regsvr32.exe	regsvr32.exe
PID 1000 wrote to memory of 568	1000	regsvr32.exe	regsvr32.exe
PID 1000 wrote to memory of 568	1000	regsvr32.exe	regsvr32.exe
PID 1000 wrote to memory of 568	1000	regsvr32.exe	regsvr32.exe
PID 1000 wrote to memory of 568	1000	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{4ef877a7-1ef5-4c31-b643-c5708036650b} = "1"	19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe

C:\Users\Admin\AppData\Local\Temp\19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe
"C:\Users\Admin\AppData\Local\Temp\19c37908a06a5d128570c8db6034a9b50e1a85a0fda0d9e775e95a5e508cc77b.exe"
1⤵
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1356

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\GoSaVe\wpPeQDVtZN5LRm.x64.dll"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\GoSaVe\wpPeQDVtZN5LRm.x64.dll"
3⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:568

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoSaVe\wpPeQDVtZN5LRm.dat
Filesize
5KB

MD5
eda7a58fda1bc3650fcaffc9437c96f5

SHA1
eff1fe2609d5043c5bde3e60eef2740a7c581dc1

SHA256
5caff5a765083cf0fe5234556f391204dcac4d3e6168c610c4430811c96cf440

SHA512
459b22e58cdb382c739dea296c35ee6d66f03ae8cf477fe5da761a8dc0012e547ad69fb216c5de47811a93c5e8206570d29a63650faad85b46a8663aa9ac7164

Download Submit
C:\Program Files (x86)\GoSaVe\wpPeQDVtZN5LRm.tlb
Filesize
3KB

MD5
a6a73f1a452ca95398b6dc3fd5e17164

SHA1
c9ac5a4c9f748a7d9511e354b0a7e70756150e16

SHA256
9ee94cc3fe8448ee7f2758a8a4834e220744544954cc4eac820a2392eb8a0692

SHA512
3ad4f49cb336cd559d57003be0b651996069dc1b585501f534f50ba33e2eaa456f0d876e20b77c91d03c17aa5151510535b6aa75e3591dc9188f3910d3de40a5

Download Submit
C:\Program Files (x86)\GoSaVe\wpPeQDVtZN5LRm.x64.dll
Filesize
701KB

MD5
e871358a5ec05daf462f0207ac39f057

SHA1
329a89f3f034faef6de160b50661854a851671fa

SHA256
dfcb071f1af3cdef73955a74b91a4c71893d1e251a3c40b53397db6013d5581d

SHA512
9b8da63c4204c8f1846b413ee2b1040270e626bb96a0eac763bdfba5997811c38a608f033e1bdfc1a09fd124c1998c5214e572e74c3580d8f4134b705b8dfc9e

Download Submit
\Program Files (x86)\GoSaVe\wpPeQDVtZN5LRm.dll
Filesize
622KB

MD5
18302eec6f8f71f505986c43101e2742

SHA1
c370c11f8722a7e31175862f532fa49dbf5ec7dc

SHA256
9a6a2bcf52012cbb3497838a8db024da0d6a07a30c0f71bd22748b24bbf631d5

SHA512
bb1a3b446ee2b4145c186b53e99ae4297e2e33159f6ae8d64b2d57d326a8f546f82d49f8a772b7dc2016722c7c0f0c00feccab4ca9005865772d9591da0b2227

Download Submit
\Program Files (x86)\GoSaVe\wpPeQDVtZN5LRm.x64.dll
Filesize
701KB

MD5
e871358a5ec05daf462f0207ac39f057

SHA1
329a89f3f034faef6de160b50661854a851671fa

SHA256
dfcb071f1af3cdef73955a74b91a4c71893d1e251a3c40b53397db6013d5581d

SHA512
9b8da63c4204c8f1846b413ee2b1040270e626bb96a0eac763bdfba5997811c38a608f033e1bdfc1a09fd124c1998c5214e572e74c3580d8f4134b705b8dfc9e

Download Submit
\Program Files (x86)\GoSaVe\wpPeQDVtZN5LRm.x64.dll
Filesize
701KB

MD5
e871358a5ec05daf462f0207ac39f057

SHA1
329a89f3f034faef6de160b50661854a851671fa

SHA256
dfcb071f1af3cdef73955a74b91a4c71893d1e251a3c40b53397db6013d5581d

SHA512
9b8da63c4204c8f1846b413ee2b1040270e626bb96a0eac763bdfba5997811c38a608f033e1bdfc1a09fd124c1998c5214e572e74c3580d8f4134b705b8dfc9e

Download Submit
memory/568-65-0x0000000000000000-mapping.dmp

Download
memory/568-66-0x000007FEFB9C1000-0x000007FEFB9C3000-memory.dmp

Filesize
8KB

Download
memory/1000-61-0x0000000000000000-mapping.dmp

Download
memory/1356-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1356-55-0x00000000028D0000-0x0000000002973000-memory.dmp

Filesize
652KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads