5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f

General

Target

5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Size

3.0MB
MD5

056c33b99c939ea5ca6b9b377a61f12f
SHA1

838712a9653b6ff2148cd93316a01950f74f3264
SHA256

5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f
SHA512

c3e98c2afafc8b6e583bacbcfe248c893969b3709f3ec88ff2e53696abd56fab8899675879c2bd79ef9878230fd11313c140ae13a0d1aa7df0fc6763443a4816
SSDEEP

49152:q4FgVFi4wUF9UQhdkACdBIGi+M3X8awr2HNRQIWiK6tKHU8cQ:3WVFi4wUDUQDRCdBQN3XSCHNRoXj

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{af0fc644-df0f-40ca-a6e2-0a1af606b539}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{af0fc644-df0f-40ca-a6e2-0a1af606b539}\InprocServer32\ = "C:\\Program Files (x86)\\GoSuavue\\UfSOXYwPyYsJRY.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{af0fc644-df0f-40ca-a6e2-0a1af606b539}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{af0fc644-df0f-40ca-a6e2-0a1af606b539}\InprocServer32	regsvr32.exe

Loads dropped DLL 3 IoCs

Processes:

5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exeregsvr32.exeregsvr32.exe

pid process

996 5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
1780 regsvr32.exe
868 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

Processes:

5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fljldigfkebnanedjnkkljlkedfdjogo\2.0\manifest.json	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\fljldigfkebnanedjnkkljlkedfdjogo\2.0\manifest.json	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\fljldigfkebnanedjnkkljlkedfdjogo\2.0\manifest.json	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exeregsvr32.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{af0fc644-df0f-40ca-a6e2-0a1af606b539}	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{af0fc644-df0f-40ca-a6e2-0a1af606b539}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{af0fc644-df0f-40ca-a6e2-0a1af606b539}\ = "GoSuavue"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{af0fc644-df0f-40ca-a6e2-0a1af606b539}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{af0fc644-df0f-40ca-a6e2-0a1af606b539}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{af0fc644-df0f-40ca-a6e2-0a1af606b539}	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{af0fc644-df0f-40ca-a6e2-0a1af606b539}\ = "GoSuavue"	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{af0fc644-df0f-40ca-a6e2-0a1af606b539}\NoExplorer = "1"	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe

Drops file in System32 directory 4 IoCs

Processes:

5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
File opened for modification	C:\Windows\System32\GroupPolicy	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe

Drops file in Program Files directory 8 IoCs

Processes:

5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\GoSuavue\UfSOXYwPyYsJRY.dat	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
File created	C:\Program Files (x86)\GoSuavue\UfSOXYwPyYsJRY.x64.dll	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
File opened for modification	C:\Program Files (x86)\GoSuavue\UfSOXYwPyYsJRY.x64.dll	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
File created	C:\Program Files (x86)\GoSuavue\UfSOXYwPyYsJRY.dll	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
File opened for modification	C:\Program Files (x86)\GoSuavue\UfSOXYwPyYsJRY.dll	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
File created	C:\Program Files (x86)\GoSuavue\UfSOXYwPyYsJRY.tlb	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
File opened for modification	C:\Program Files (x86)\GoSuavue\UfSOXYwPyYsJRY.tlb	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
File created	C:\Program Files (x86)\GoSuavue\UfSOXYwPyYsJRY.dat	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.exe5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{af0fc644-df0f-40ca-a6e2-0a1af606b539}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{af0fc644-df0f-40ca-a6e2-0a1af606b539}	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{AF0FC644-DF0F-40CA-A6E2-0A1AF606B539}	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{AF0FC644-DF0F-40CA-A6E2-0A1AF606B539}	regsvr32.exe

Modifies registry class 64 IoCs

Processes:

5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\ = "GoSuavue"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{af0fc644-df0f-40ca-a6e2-0a1af606b539}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{af0fc644-df0f-40ca-a6e2-0a1af606b539}\ = "GoSuavue"	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{af0fc644-df0f-40ca-a6e2-0a1af606b539}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{af0fc644-df0f-40ca-a6e2-0a1af606b539}\ProgID\ = ".9"	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AF0FC644-DF0F-40CA-A6E2-0A1AF606B539}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{af0fc644-df0f-40ca-a6e2-0a1af606b539}"	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{af0fc644-df0f-40ca-a6e2-0a1af606b539}\InprocServer32	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{af0fc644-df0f-40ca-a6e2-0a1af606b539}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{af0fc644-df0f-40ca-a6e2-0a1af606b539}\InprocServer32\ = "C:\\Program Files (x86)\\GoSuavue\\UfSOXYwPyYsJRY.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{af0fc644-df0f-40ca-a6e2-0a1af606b539}\ = "GoSuavue"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{af0fc644-df0f-40ca-a6e2-0a1af606b539}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{af0fc644-df0f-40ca-a6e2-0a1af606b539}\Programmable	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{af0fc644-df0f-40ca-a6e2-0a1af606b539}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID\ = "{af0fc644-df0f-40ca-a6e2-0a1af606b539}"	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{af0fc644-df0f-40ca-a6e2-0a1af606b539}	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{af0fc644-df0f-40ca-a6e2-0a1af606b539}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{af0fc644-df0f-40ca-a6e2-0a1af606b539}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{af0fc644-df0f-40ca-a6e2-0a1af606b539}\Programmable	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{af0fc644-df0f-40ca-a6e2-0a1af606b539}\VersionIndependentProgID	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{af0fc644-df0f-40ca-a6e2-0a1af606b539}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "GoSuavue"	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{af0fc644-df0f-40ca-a6e2-0a1af606b539}\InprocServer32	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{af0fc644-df0f-40ca-a6e2-0a1af606b539}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{af0fc644-df0f-40ca-a6e2-0a1af606b539}	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CLSID	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{af0fc644-df0f-40ca-a6e2-0a1af606b539}\InprocServer32\ThreadingModel = "Apartment"	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{af0fc644-df0f-40ca-a6e2-0a1af606b539}\ProgID	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe

pid	process
996	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
996	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exeregsvr32.exe

description	pid	process	target process
PID 996 wrote to memory of 1780	996	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe	regsvr32.exe
PID 996 wrote to memory of 1780	996	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe	regsvr32.exe
PID 996 wrote to memory of 1780	996	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe	regsvr32.exe
PID 996 wrote to memory of 1780	996	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe	regsvr32.exe
PID 996 wrote to memory of 1780	996	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe	regsvr32.exe
PID 996 wrote to memory of 1780	996	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe	regsvr32.exe
PID 996 wrote to memory of 1780	996	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe	regsvr32.exe
PID 1780 wrote to memory of 868	1780	regsvr32.exe	regsvr32.exe
PID 1780 wrote to memory of 868	1780	regsvr32.exe	regsvr32.exe
PID 1780 wrote to memory of 868	1780	regsvr32.exe	regsvr32.exe
PID 1780 wrote to memory of 868	1780	regsvr32.exe	regsvr32.exe
PID 1780 wrote to memory of 868	1780	regsvr32.exe	regsvr32.exe
PID 1780 wrote to memory of 868	1780	regsvr32.exe	regsvr32.exe
PID 1780 wrote to memory of 868	1780	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{af0fc644-df0f-40ca-a6e2-0a1af606b539} = "1"	5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe

C:\Users\Admin\AppData\Local\Temp\5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe
"C:\Users\Admin\AppData\Local\Temp\5115f5af5863280972ca2000aff07cc3c3f2b8cd563fab4c8fd90eb5974c8a8f.exe"
1⤵
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:996

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\GoSuavue\UfSOXYwPyYsJRY.x64.dll"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\GoSuavue\UfSOXYwPyYsJRY.x64.dll"
3⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:868

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GoSuavue\UfSOXYwPyYsJRY.dat
Filesize
4KB

MD5
ece81e546ae0928b9057b1a8e0de89de

SHA1
cacac8aef6c4abffa0689d7ed1c05c873e2eee95

SHA256
ffb0596a6397788c50bd01a3837e12917ecfee50909394587872b1e244b2f5f6

SHA512
56f3ac0181f84409542de210b9a31335b213a0d9f4d0d8b0e0fc1482b43f526f2c76f6d7f33388b0250b6b00c3f751b6f3fb152f062e99a84729967984bebf27

Download Submit
C:\Program Files (x86)\GoSuavue\UfSOXYwPyYsJRY.tlb
Filesize
3KB

MD5
92756a87f506c53ffa4f08473e79b5ae

SHA1
125c2f2d08520c51f8746ede70f746ef8a6de3cf

SHA256
7e1a9e2e2faea603ec96b5d3a906eb86a495cbe2ca4be8bc6a902e7bf2981877

SHA512
1aaef6b900b931ed65d48b7258558ca3dad7b47c3f269f5b3af78210fbf07f438db132dfe8f5cf3f24d75b9ef5a537fa5c057f43d04c068220d4cfb8d93b192e

Download Submit
C:\Program Files (x86)\GoSuavue\UfSOXYwPyYsJRY.x64.dll
Filesize
689KB

MD5
343075f940027d076b1a8a928e4ecd7c

SHA1
2c544aa0b1c2872afdaf49e966fc46bf1a0b348f

SHA256
8c2ec31e34cd2bfc4c9a3464abf774d7e13796c29cd615042ae8661b3530e3b0

SHA512
3a0a2076b991582e9c355426673950e06ccb1d9c7efc7be37ada2330b28152661d0535292f6e00f63045639e69d47de200cd2d378194e65b56317921e3fd675f

Download Submit
\Program Files (x86)\GoSuavue\UfSOXYwPyYsJRY.dll
Filesize
610KB

MD5
44786626cc0757d485d2ae91232f06e7

SHA1
f8416c9f7d1647afa38f3304510f7ad9456af2c0

SHA256
5b0d904dbc30696d9ef9326edb60bb068514bc858a348534c4d91b5435618906

SHA512
f4dd00c5ca0bdf9f3f32d8c2ffcbe57bedf8bfbb1c1454a7af39d4c0bdc6e59de2dc98be304708272e7dd980f46e1b964497e40579f1406999aca49f3c054cdf

Download Submit
\Program Files (x86)\GoSuavue\UfSOXYwPyYsJRY.x64.dll
Filesize
689KB

MD5
343075f940027d076b1a8a928e4ecd7c

SHA1
2c544aa0b1c2872afdaf49e966fc46bf1a0b348f

SHA256
8c2ec31e34cd2bfc4c9a3464abf774d7e13796c29cd615042ae8661b3530e3b0

SHA512
3a0a2076b991582e9c355426673950e06ccb1d9c7efc7be37ada2330b28152661d0535292f6e00f63045639e69d47de200cd2d378194e65b56317921e3fd675f

Download Submit
\Program Files (x86)\GoSuavue\UfSOXYwPyYsJRY.x64.dll
Filesize
689KB

MD5
343075f940027d076b1a8a928e4ecd7c

SHA1
2c544aa0b1c2872afdaf49e966fc46bf1a0b348f

SHA256
8c2ec31e34cd2bfc4c9a3464abf774d7e13796c29cd615042ae8661b3530e3b0

SHA512
3a0a2076b991582e9c355426673950e06ccb1d9c7efc7be37ada2330b28152661d0535292f6e00f63045639e69d47de200cd2d378194e65b56317921e3fd675f

Download Submit
memory/868-81-0x000007FEFBBF1000-0x000007FEFBBF3000-memory.dmp

Filesize
8KB

Download
memory/868-80-0x0000000000000000-mapping.dmp

Download
memory/996-71-0x0000000000516000-0x0000000000519000-memory.dmp

Filesize
12KB

Download
memory/996-66-0x0000000000512000-0x0000000000516000-memory.dmp

Filesize
16KB

Download
memory/996-68-0x0000000000512000-0x0000000000516000-memory.dmp

Filesize
16KB

Download
memory/996-69-0x0000000000512000-0x0000000000516000-memory.dmp

Filesize
16KB

Download
memory/996-54-0x00000000760E1000-0x00000000760E3000-memory.dmp

Filesize
8KB

Download
memory/996-70-0x0000000000516000-0x0000000000519000-memory.dmp

Filesize
12KB

Download
memory/996-72-0x0000000000516000-0x0000000000519000-memory.dmp

Filesize
12KB

Download
memory/996-73-0x0000000000516000-0x0000000000519000-memory.dmp

Filesize
12KB

Download
memory/996-74-0x0000000000516000-0x0000000000519000-memory.dmp

Filesize
12KB

Download
memory/996-67-0x0000000000512000-0x0000000000516000-memory.dmp

Filesize
16KB

Download
memory/996-55-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/996-65-0x0000000000512000-0x0000000000516000-memory.dmp

Filesize
16KB

Download
memory/996-64-0x0000000000512000-0x0000000000516000-memory.dmp

Filesize
16KB

Download
memory/996-63-0x0000000000512000-0x0000000000516000-memory.dmp

Filesize
16KB

Download
memory/996-62-0x0000000000512000-0x0000000000516000-memory.dmp

Filesize
16KB

Download
memory/996-61-0x0000000000512000-0x0000000000516000-memory.dmp

Filesize
16KB

Download
memory/996-60-0x0000000000512000-0x0000000000516000-memory.dmp

Filesize
16KB

Download
memory/1780-76-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads