326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a

General

Target

326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Size

3.9MB
MD5

640bc75e9f1c4b02946ce31a5e303374
SHA1

0c6bb118760a10244d38cae129559c9d38e9cf01
SHA256

326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a
SHA512

61ad426845378743e94c5bf310df18d2506195206488ca0266748f81a85b7e0daa02cc165a790690807b80d0ce067fc8baa67e3bffc2067d3854c32b50709b48
SSDEEP

49152:qckv4xU82hq5SGQR3RKGCARgGruOtabbGZ/H7MDXYLS13f/kV9R7gUYAa:wAJO3RXqGrRWuHQD2y0Vb

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{14911b71-7cae-4ccc-9a20-8c7a589daba0}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{14911b71-7cae-4ccc-9a20-8c7a589daba0}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{14911b71-7cae-4ccc-9a20-8c7a589daba0}\InprocServer32\ = "C:\\Program Files (x86)\\GooSave\\7JnFPKVjzTaKbm.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{14911b71-7cae-4ccc-9a20-8c7a589daba0}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Loads dropped DLL 3 IoCs

Processes:

326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exeregsvr32.exeregsvr32.exe

pid process

1416 326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
836 regsvr32.exe
632 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

Processes:

326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jdanogelnjemkfgjjhpcgnbaolddeomf\2.0\manifest.json	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\jdanogelnjemkfgjjhpcgnbaolddeomf\2.0\manifest.json	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\jdanogelnjemkfgjjhpcgnbaolddeomf\2.0\manifest.json	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exe326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{14911b71-7cae-4ccc-9a20-8c7a589daba0}\ = "GooSave"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{14911b71-7cae-4ccc-9a20-8c7a589daba0}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{14911b71-7cae-4ccc-9a20-8c7a589daba0}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{14911b71-7cae-4ccc-9a20-8c7a589daba0}	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{14911b71-7cae-4ccc-9a20-8c7a589daba0}\ = "GooSave"	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{14911b71-7cae-4ccc-9a20-8c7a589daba0}\NoExplorer = "1"	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{14911b71-7cae-4ccc-9a20-8c7a589daba0}	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{14911b71-7cae-4ccc-9a20-8c7a589daba0}	regsvr32.exe

Drops file in System32 directory 4 IoCs

Processes:

326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
File opened for modification	C:\Windows\System32\GroupPolicy	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe

Drops file in Program Files directory 8 IoCs

Processes:

326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe

description	ioc	process
File created	C:\Program Files (x86)\GooSave\7JnFPKVjzTaKbm.dat	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
File opened for modification	C:\Program Files (x86)\GooSave\7JnFPKVjzTaKbm.dat	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
File created	C:\Program Files (x86)\GooSave\7JnFPKVjzTaKbm.x64.dll	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
File opened for modification	C:\Program Files (x86)\GooSave\7JnFPKVjzTaKbm.x64.dll	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
File created	C:\Program Files (x86)\GooSave\7JnFPKVjzTaKbm.dll	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
File opened for modification	C:\Program Files (x86)\GooSave\7JnFPKVjzTaKbm.dll	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
File created	C:\Program Files (x86)\GooSave\7JnFPKVjzTaKbm.tlb	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
File opened for modification	C:\Program Files (x86)\GooSave\7JnFPKVjzTaKbm.tlb	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.exe326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{14911b71-7cae-4ccc-9a20-8c7a589daba0}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{14911b71-7cae-4ccc-9a20-8c7a589daba0}	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{14911B71-7CAE-4CCC-9A20-8C7A589DABA0}	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{14911B71-7CAE-4CCC-9A20-8C7A589DABA0}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe

Modifies registry class 64 IoCs

Processes:

326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{14911b71-7cae-4ccc-9a20-8c7a589daba0}\ = "GooSave"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{14911b71-7cae-4ccc-9a20-8c7a589daba0}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14911b71-7cae-4ccc-9a20-8c7a589daba0}\InprocServer32	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\ = "GooSave"	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14911b71-7cae-4ccc-9a20-8c7a589daba0}\ = "GooSave"	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14911b71-7cae-4ccc-9a20-8c7a589daba0}\ProgID\ = ".9"	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14911b71-7cae-4ccc-9a20-8c7a589daba0}\VersionIndependentProgID\	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14911b71-7cae-4ccc-9a20-8c7a589daba0}\Programmable	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14911b71-7cae-4ccc-9a20-8c7a589daba0}\InprocServer32\ = "C:\\Program Files (x86)\\GooSave\\7JnFPKVjzTaKbm.dll"	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14911b71-7cae-4ccc-9a20-8c7a589daba0}	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib"	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{14911b71-7cae-4ccc-9a20-8c7a589daba0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{14911b71-7cae-4ccc-9a20-8c7a589daba0}\VersionIndependentProgID\	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{14911b71-7cae-4ccc-9a20-8c7a589daba0}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14911b71-7cae-4ccc-9a20-8c7a589daba0}\InprocServer32	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\..9\CLSID\ = "{14911b71-7cae-4ccc-9a20-8c7a589daba0}"	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{14911b71-7cae-4ccc-9a20-8c7a589daba0}\Programmable	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{14911b71-7cae-4ccc-9a20-8c7a589daba0}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14911b71-7cae-4ccc-9a20-8c7a589daba0}	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14911b71-7cae-4ccc-9a20-8c7a589daba0}\ProgID	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\Version = "1.0"	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{14911b71-7cae-4ccc-9a20-8c7a589daba0}\VersionIndependentProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{14911b71-7cae-4ccc-9a20-8c7a589daba0}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\..9	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ = "IPlaghinMein"	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.\CurVer\ = ".9"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{14911B71-7CAE-4CCC-9A20-8C7A589DABA0}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14911b71-7cae-4ccc-9a20-8c7a589daba0}\InprocServer32\ThreadingModel = "Apartment"	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14911B71-7CAE-4CCC-9A20-8C7A589DABA0}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\GooSave\\7JnFPKVjzTaKbm.tlb"	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\GooSave"	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe

pid	process
1416	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
1416	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exeregsvr32.exe

description	pid	process	target process
PID 1416 wrote to memory of 836	1416	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe	regsvr32.exe
PID 1416 wrote to memory of 836	1416	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe	regsvr32.exe
PID 1416 wrote to memory of 836	1416	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe	regsvr32.exe
PID 1416 wrote to memory of 836	1416	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe	regsvr32.exe
PID 1416 wrote to memory of 836	1416	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe	regsvr32.exe
PID 1416 wrote to memory of 836	1416	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe	regsvr32.exe
PID 1416 wrote to memory of 836	1416	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe	regsvr32.exe
PID 836 wrote to memory of 632	836	regsvr32.exe	regsvr32.exe
PID 836 wrote to memory of 632	836	regsvr32.exe	regsvr32.exe
PID 836 wrote to memory of 632	836	regsvr32.exe	regsvr32.exe
PID 836 wrote to memory of 632	836	regsvr32.exe	regsvr32.exe
PID 836 wrote to memory of 632	836	regsvr32.exe	regsvr32.exe
PID 836 wrote to memory of 632	836	regsvr32.exe	regsvr32.exe
PID 836 wrote to memory of 632	836	regsvr32.exe	regsvr32.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{14911b71-7cae-4ccc-9a20-8c7a589daba0} = "1"	326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe

C:\Users\Admin\AppData\Local\Temp\326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe
"C:\Users\Admin\AppData\Local\Temp\326743d580d12b72e14bbd9265ff18322a646ed076e855ccc4c50d5a08bae88a.exe"
1⤵
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1416

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Program Files (x86)\GooSave\7JnFPKVjzTaKbm.x64.dll"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\GooSave\7JnFPKVjzTaKbm.x64.dll"
3⤵
- Registers COM server for autorun
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:632

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GooSave\7JnFPKVjzTaKbm.dat
Filesize
5KB

MD5
40e3d82764766d5286968f5bd177c7b5

SHA1
31c8f0c514013a727f59adb6a2c8c0dffd5ae3fc

SHA256
4bdbaaac6e57eafb7c11de21d61606b5efd8ab6f2ba99a8b9c4e281725c7e2a4

SHA512
38f3cb75d28e3dd78ccad2d5eaaa8e171657b48548f8d37abfc80d2e06ae4dcc812e342a22279cb1db28ca40252c8ebaf296d808627efed588091a800c7c6a07

Download Submit
C:\Program Files (x86)\GooSave\7JnFPKVjzTaKbm.tlb
Filesize
3KB

MD5
f63e45b75ed3562f6c50814744974217

SHA1
b28e268b0d187638768b26677a4e8d169f1a2534

SHA256
1270f4ef72d9acd732bcd1fcb557b4b7cc8d7096aa41bd15dc3842a6c7c88299

SHA512
550870876ab15911cc27bcbd4418296057f3a406e709ab7cd920a2cd0c0cc0a3876d85665a3d3be937a6f0ffb052b90cafcdabcac96ec90f0e0c4c90846dc687

Download Submit
C:\Program Files (x86)\GooSave\7JnFPKVjzTaKbm.x64.dll
Filesize
695KB

MD5
e36b4bca5cf4357a407a67e8f06a0a6a

SHA1
20241811c3f501e3dae9f42aeb1fc42e7225944e

SHA256
c496fc61570914401adfe0250668ef0b884f2e06eaca10edf8993773f58b5bcd

SHA512
d9b005a2b02fc45283b5f1ffe9ce373ef3249562402a6893e6888f10beb3dc62f16f25db9640de636af438fa290b1e7065dc127e86b46e6efd5484717e9e74b1

Download Submit
\Program Files (x86)\GooSave\7JnFPKVjzTaKbm.dll
Filesize
616KB

MD5
70cef77fc8c44081de97f5194ac56278

SHA1
fcf04dc14f17b655d5201cc7da5af9a17281dea5

SHA256
10cabc84f17c476cf41a1281421b28be0c6784e25445988fdb536acf999c3ec2

SHA512
0883aa731f245d484d4ece4e9dcb3067e4451c5e967a5d34c860137bc572142f2666d83c5f9806918d7fe371bd8a7c58ac39b23110c7cb7331c3e97dc3c8cda3

Download Submit
\Program Files (x86)\GooSave\7JnFPKVjzTaKbm.x64.dll
Filesize
695KB

MD5
e36b4bca5cf4357a407a67e8f06a0a6a

SHA1
20241811c3f501e3dae9f42aeb1fc42e7225944e

SHA256
c496fc61570914401adfe0250668ef0b884f2e06eaca10edf8993773f58b5bcd

SHA512
d9b005a2b02fc45283b5f1ffe9ce373ef3249562402a6893e6888f10beb3dc62f16f25db9640de636af438fa290b1e7065dc127e86b46e6efd5484717e9e74b1

Download Submit
\Program Files (x86)\GooSave\7JnFPKVjzTaKbm.x64.dll
Filesize
695KB

MD5
e36b4bca5cf4357a407a67e8f06a0a6a

SHA1
20241811c3f501e3dae9f42aeb1fc42e7225944e

SHA256
c496fc61570914401adfe0250668ef0b884f2e06eaca10edf8993773f58b5bcd

SHA512
d9b005a2b02fc45283b5f1ffe9ce373ef3249562402a6893e6888f10beb3dc62f16f25db9640de636af438fa290b1e7065dc127e86b46e6efd5484717e9e74b1

Download Submit
memory/632-65-0x0000000000000000-mapping.dmp

Download
memory/632-66-0x000007FEFBE41000-0x000007FEFBE43000-memory.dmp

Filesize
8KB

Download
memory/836-61-0x0000000000000000-mapping.dmp

Download
memory/1416-54-0x0000000075F01000-0x0000000075F03000-memory.dmp

Filesize
8KB

Download
memory/1416-55-0x00000000027D0000-0x0000000002876000-memory.dmp

Filesize
664KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads