02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf

Analysis

max time kernel
103s
max time network
107s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 19:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Size

4.4MB
MD5

0e08621052fb6adcbb1a423150cc9077
SHA1

5c5e551ef27220c9f2008dc04e2b34b72f3b7fc5
SHA256

02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf
SHA512

e1f67193d666c6411106dbb1c0c29d55a933f28ab8ae03839cf6e1f9f102930cb842be433e62dacc6d08e06de3434f9c10d5a38c462c38b4eac973f09db88f07
SSDEEP

98304:KkWVs/OZ1eJtWPLZtSrJY811P9xMvMz/B0+IqdFAD8oBdJnorTiGh3+RPneF1wyS:KjUYuGpKL58F

Score

8^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ECDB15FD-C816-6C2D-F2F0-DD9896AB2410}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ECDB15FD-C816-6C2D-F2F0-DD9896AB2410}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ECDB15FD-C816-6C2D-F2F0-DD9896AB2410}\InprocServer32\ = "C:\\Program Files (x86)\\GOSaVVe\\w2h8d.x64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ECDB15FD-C816-6C2D-F2F0-DD9896AB2410}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Loads dropped DLL 3 IoCs

pid	Process
1776	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
1888	regsvr32.exe
1596	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpmaklkjeeooijnjchofmmidnhoampbl\2.0\manifest.json	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpmaklkjeeooijnjchofmmidnhoampbl\2.0\manifest.json	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpmaklkjeeooijnjchofmmidnhoampbl\2.0\manifest.json	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ECDB15FD-C816-6C2D-F2F0-DD9896AB2410}\ = "GOSaVVe"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ECDB15FD-C816-6C2D-F2F0-DD9896AB2410}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ECDB15FD-C816-6C2D-F2F0-DD9896AB2410}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{ECDB15FD-C816-6C2D-F2F0-DD9896AB2410}	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{ECDB15FD-C816-6C2D-F2F0-DD9896AB2410}\ = "GOSaVVe"	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{ECDB15FD-C816-6C2D-F2F0-DD9896AB2410}\NoExplorer = "1"	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{ECDB15FD-C816-6C2D-F2F0-DD9896AB2410}	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ECDB15FD-C816-6C2D-F2F0-DD9896AB2410}	regsvr32.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\GOSaVVe\w2h8d.dll	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
File created	C:\Program Files (x86)\GOSaVVe\w2h8d.tlb	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
File opened for modification	C:\Program Files (x86)\GOSaVVe\w2h8d.tlb	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
File created	C:\Program Files (x86)\GOSaVVe\w2h8d.dat	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
File opened for modification	C:\Program Files (x86)\GOSaVVe\w2h8d.dat	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
File created	C:\Program Files (x86)\GOSaVVe\w2h8d.x64.dll	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
File opened for modification	C:\Program Files (x86)\GOSaVVe\w2h8d.x64.dll	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
File created	C:\Program Files (x86)\GOSaVVe\w2h8d.dll	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{ECDB15FD-C816-6C2D-F2F0-DD9896AB2410}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{ECDB15FD-C816-6C2D-F2F0-DD9896AB2410}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{ECDB15FD-C816-6C2D-F2F0-DD9896AB2410}	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{ECDB15FD-C816-6C2D-F2F0-DD9896AB2410}	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ECDB15FD-C816-6C2D-F2F0-DD9896AB2410}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GuoSaavei.GuoSaavei\ = "GOSaVVe"	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ECDB15FD-C816-6C2D-F2F0-DD9896AB2410}\ = "GOSaVVe"	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\Program Files (x86)\\GOSaVVe\\w2h8d.tlb"	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ECDB15FD-C816-6C2D-F2F0-DD9896AB2410}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ECDB15FD-C816-6C2D-F2F0-DD9896AB2410}\VersionIndependentProgID\ = "GuoSaavei"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0"	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\Version = "1.0"	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ECDB15FD-C816-6C2D-F2F0-DD9896AB2410}\InprocServer32	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ECDB15FD-C816-6C2D-F2F0-DD9896AB2410}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ECDB15FD-C816-6C2D-F2F0-DD9896AB2410}\ = "GOSaVVe"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GuoSaavei.GuoSaavei.2.0\ = "GOSaVVe"	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ECDB15FD-C816-6C2D-F2F0-DD9896AB2410}\Programmable	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GuoSaavei.GuoSaavei.2.0\CLSID\ = "{ECDB15FD-C816-6C2D-F2F0-DD9896AB2410}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GuoSaavei.GuoSaavei\CurVer\ = "GuoSaavei.2.0"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ECDB15FD-C816-6C2D-F2F0-DD9896AB2410}\VersionIndependentProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ECDB15FD-C816-6C2D-F2F0-DD9896AB2410}	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ECDB15FD-C816-6C2D-F2F0-DD9896AB2410}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GuoSaavei.GuoSaavei\CurVer	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ECDB15FD-C816-6C2D-F2F0-DD9896AB2410}\VersionIndependentProgID	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ECDB15FD-C816-6C2D-F2F0-DD9896AB2410}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ECDB15FD-C816-6C2D-F2F0-DD9896AB2410}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}"	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\TypeLib	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GuoSaavei.GuoSaavei\CLSID\ = "{ECDB15FD-C816-6C2D-F2F0-DD9896AB2410}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GuoSaavei.GuoSaavei	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ECDB15FD-C816-6C2D-F2F0-DD9896AB2410}\ProgID\ = "GuoSaavei.2.0"	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ECDB15FD-C816-6C2D-F2F0-DD9896AB2410}\ProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ECDB15FD-C816-6C2D-F2F0-DD9896AB2410}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GuoSaavei.GuoSaavei.2.0	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GuoSaavei.GuoSaavei.2.0\CLSID	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GuoSaavei.GuoSaavei\CLSID	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\ProxyStubClsid32	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ = "IRegistry"	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}\ProxyStubClsid32	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ECDB15FD-C816-6C2D-F2F0-DD9896AB2410}\ProgID\ = "GuoSaavei.2.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ECDB15FD-C816-6C2D-F2F0-DD9896AB2410}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GuoSaavei.GuoSaavei.2.0\CLSID\ = "{ECDB15FD-C816-6C2D-F2F0-DD9896AB2410}"	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ECDB15FD-C816-6C2D-F2F0-DD9896AB2410}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B41579A-1996-42F9-8F84-7B7786818CEF}\TypeLib\Version = "1.0"	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\TypeLib	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7041156A-0D2B-4DCD-A8EE-D0608BFCB2D0}\ = "ILocalStorage"	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1776	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
1776	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 1888	1776	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe	28
PID 1776 wrote to memory of 1888	1776	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe	28
PID 1776 wrote to memory of 1888	1776	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe	28
PID 1776 wrote to memory of 1888	1776	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe	28
PID 1776 wrote to memory of 1888	1776	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe	28
PID 1776 wrote to memory of 1888	1776	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe	28
PID 1776 wrote to memory of 1888	1776	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe	28
PID 1888 wrote to memory of 1596	1888	regsvr32.exe	29
PID 1888 wrote to memory of 1596	1888	regsvr32.exe	29
PID 1888 wrote to memory of 1596	1888	regsvr32.exe	29
PID 1888 wrote to memory of 1596	1888	regsvr32.exe	29
PID 1888 wrote to memory of 1596	1888	regsvr32.exe	29
PID 1888 wrote to memory of 1596	1888	regsvr32.exe	29
PID 1888 wrote to memory of 1596	1888	regsvr32.exe	29

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{ECDB15FD-C816-6C2D-F2F0-DD9896AB2410} = "1"	02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe

C:\Users\Admin\AppData\Local\Temp\02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe
"C:\Users\Admin\AppData\Local\Temp\02247b6acaab422a5e97c09ee795d039b50c0ce3881002802cd35e4b7426ffdf.exe"
1⤵
- Loads dropped DLL
- Drops Chrome extension
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1776
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s "C:\Program Files (x86)\GOSaVVe\w2h8d.x64.dll"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Windows\system32\regsvr32.exe
    /s "C:\Program Files (x86)\GOSaVVe\w2h8d.x64.dll"
    3⤵
    - Registers COM server for autorun
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:1596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GOSaVVe\w2h8d.dat

Filesize
5KB

MD5
95e71b0a78a57866ca0f1dc9e7b81ad3

SHA1
4f7ec5270a3102afb6d8191d0766c32f93417749

SHA256
997ce500b32c7ec25ea9df813ffedfc89db7c135686357bbb632251ca475abe5

SHA512
c23d0474925972c3a1cf162a090b6efb502ac2ce80d1c8e41c98c6e3e571e4233345a561b7dd1c41e72c618aa89440b7bbd2a85e0612ac04fb4d3961e853908b

Download Submit
C:\Program Files (x86)\GOSaVVe\w2h8d.tlb

Filesize
3KB

MD5
fb73184b9c1bfaa44e6cbdb593fd2909

SHA1
4585af18986a5e24c544fcecd9e02e3006f440d1

SHA256
c89fa0e13aa5c8930b6f28648653b815d4a93cd13e8d7d0f1bf8bf1a49920edb

SHA512
2e130f61d2211b7d2799905937b78d5119c3b22580c467dcfe757d8ac5b1e86c33fb69e3c67a6267f4db0a2730dc7cc399b8020d077b30d77428f54ec03523ed

Download Submit
C:\Program Files (x86)\GOSaVVe\w2h8d.x64.dll

Filesize
699KB

MD5
1fe3d25ff48d168cb86094de5401cab0

SHA1
c6e746f4c629185d8ef71d275845e1d072483923

SHA256
5cecdf46cd265705f19edaabc14272048a1da3563ed099303f8ed47ba3056a04

SHA512
ba3df2cf1031830fc9847c3213ec9fcd1c36c646071b2e5ae12b4bbf502a199e704131b6c53954a6ff969ba611e13743e89f0b26614b831d8b39c61a484c9be4

Download Submit
\Program Files (x86)\GOSaVVe\w2h8d.dll

Filesize
619KB

MD5
d87bbe9d29b88e94ba03b16567033ddf

SHA1
19102742808244a23ca403d983dfd9f7088fffe3

SHA256
fdbce4dd2b45ac64620fc875bd12d8706a197bc3def75cdc33b9984f039da5b5

SHA512
24ea28c1104ee07604124842a99e359a53644e7693515dcf1b9a4dc7c8258c9d1bdc8b78b7018582521b6d41aebb96a1a38b6994fe83a12e29418bb011c69d03

Download Submit
\Program Files (x86)\GOSaVVe\w2h8d.x64.dll

Filesize
699KB

MD5
1fe3d25ff48d168cb86094de5401cab0

SHA1
c6e746f4c629185d8ef71d275845e1d072483923

SHA256
5cecdf46cd265705f19edaabc14272048a1da3563ed099303f8ed47ba3056a04

SHA512
ba3df2cf1031830fc9847c3213ec9fcd1c36c646071b2e5ae12b4bbf502a199e704131b6c53954a6ff969ba611e13743e89f0b26614b831d8b39c61a484c9be4

Download Submit
\Program Files (x86)\GOSaVVe\w2h8d.x64.dll

Filesize
699KB

MD5
1fe3d25ff48d168cb86094de5401cab0

SHA1
c6e746f4c629185d8ef71d275845e1d072483923

SHA256
5cecdf46cd265705f19edaabc14272048a1da3563ed099303f8ed47ba3056a04

SHA512
ba3df2cf1031830fc9847c3213ec9fcd1c36c646071b2e5ae12b4bbf502a199e704131b6c53954a6ff969ba611e13743e89f0b26614b831d8b39c61a484c9be4

Download Submit
memory/1596-65-0x0000000000000000-mapping.dmp

Download
memory/1596-66-0x000007FEFBF91000-0x000007FEFBF93000-memory.dmp

Filesize
8KB

Download
memory/1776-54-0x0000000075C31000-0x0000000075C33000-memory.dmp

Filesize
8KB

Download
memory/1776-55-0x00000000029A0000-0x0000000002A44000-memory.dmp

Filesize
656KB

Download
memory/1888-61-0x0000000000000000-mapping.dmp

Download