5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136

General

Target

5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Size

249KB
MD5

36ef261ba68a28a00001b6bd7a82cb9a
SHA1

ff0fb25344375988d26d3abcc72e4fff0a4a0870
SHA256

5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136
SHA512

c442a970597137bcb3601cd1ccd94e0b2147abf466da04e38ab900efe15781e7457876303972fe146e0adfe13056b0d812726c467396d55fe7e108b1998258fd
SSDEEP

6144:Ku3dwQ0I2o7lVAOTbjfSGFb/ZTWHIXuNrDUMW:DN17vAOtFbRbuNDW

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Loads dropped DLL 2 IoCs

Processes:

5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe

pid	process
4496	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
4496	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77FEF28E-EB96-44FF-B511-3185DEA48697}	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77FEF28E-EB96-44FF-B511-3185DEA48697}\id = "bdbar"	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe

Drops file in Program Files directory 3 IoCs

Processes:

5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe

description	ioc	process
File opened for modification	C:\Progra~1\Baidu\bar\SETAA3F.tmp	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
File created	C:\Progra~1\Baidu\bar\SETAA3F.tmp	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
File opened for modification	C:\Progra~1\Baidu\bar\BaiDuBar.dll	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{B580CF65-E151-49C3-B73F-70B13FCA8E86} = 00	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe

Modifies registry class 64 IoCs

Processes:

5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Baidu	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{464C8A26-31E9-411C-9583-5B858E631DCC}\TypeLib	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\InprocServer32	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MimeFilter.AdFilter\ = "AdFilter Class"	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6AFC2761-1253-427C-9A56-385B4609BE1D}	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6AFC2761-1253-427C-9A56-385B4609BE1D}\1.0\HELPDIR	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{89FDCC4B-8D91-49B0-81A6-18BCFF582735}\ = "IBaidu"	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A294F8EB-86D9-4C4A-8B3E-909253761C64}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Baidu\CurVer	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE14F22E-BE14-4F08-A80F-F27BC3A67B2D}\InprocServer32\ThreadingModel = "Apartment"	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C76C055-ED6E-4535-A70F-CD476E727F67}\InprocServer32\ThreadingModel = "Apartment"	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BandIE.1\CLSID\ = "{77FEF28E-EB96-44FF-B511-3185DEA48697}"	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}\TypeLib	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{464C8A26-31E9-411C-9583-5B858E631DCC}	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{464C8A26-31E9-411C-9583-5B858E631DCC}\ProxyStubClsid32	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}\ = "Tool Class"	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}\InprocServer32	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}\TypeLib	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{464C8A26-31E9-411C-9583-5B858E631DCC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A294F8EB-86D9-4C4A-8B3E-909253761C64}\TypeLib	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Baidu.1\CLSID\ = "{B580CF65-E151-49C3-B73F-70B13FCA8E86}"	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\Programmable	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\InprocServer32\ = "C:\\Progra~1\\Baidu\\bar\\BaiDuBar.dll"	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C76C055-ED6E-4535-A70F-CD476E727F67}\InprocServer32	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}\TypeLib\ = "{6AFC2761-1253-427C-9A56-385B4609BE1D}"	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{96249369-D3DC-4AE6-8A3B-E7109D46E98D}\TypeLib\ = "{6AFC2761-1253-427C-9A56-385B4609BE1D}"	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{464C8A26-31E9-411C-9583-5B858E631DCC}\TypeLib\ = "{6AFC2761-1253-427C-9A56-385B4609BE1D}"	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Tool\CurVer\ = "BaiduBar.Tool.1"	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}\VersionIndependentProgID	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE14F22E-BE14-4F08-A80F-F27BC3A67B2D}\InprocServer32	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BandIE.1	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{96249369-D3DC-4AE6-8A3B-E7109D46E98D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A294F8EB-86D9-4C4A-8B3E-909253761C64}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{96249369-D3DC-4AE6-8A3B-E7109D46E98D}	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C76C055-ED6E-4535-A70F-CD476E727F67}\InprocServer32\ = "C:\\Progra~1\\Baidu\\bar\\BaiDuBar.dll"	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BandIE\CurVer	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6AFC2761-1253-427C-9A56-385B4609BE1D}\1.0\FLAGS\ = "0"	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6AFC2761-1253-427C-9A56-385B4609BE1D}\1.0\0\win32\ = "C:\\Progra~1\\Baidu\\bar\\BaiDuBar.dll"	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{89FDCC4B-8D91-49B0-81A6-18BCFF582735}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A294F8EB-86D9-4C4A-8B3E-909253761C64}	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MimeFilter.AdFilter\CurVer\ = "MimeFilter.AdFilter.1"	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.DropTarget.1\CLSID	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{96249369-D3DC-4AE6-8A3B-E7109D46E98D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A294F8EB-86D9-4C4A-8B3E-909253761C64}\ProxyStubClsid32	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Tool	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE14F22E-BE14-4F08-A80F-F27BC3A67B2D}\VersionIndependentProgID\ = "MimeFilter.AdFilter"	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{96249369-D3DC-4AE6-8A3B-E7109D46E98D}\ProxyStubClsid32	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{464C8A26-31E9-411C-9583-5B858E631DCC}\TypeLib\Version = "1.0"	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\VersionIndependentProgID\ = "BaiduBar.Baidu"	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE14F22E-BE14-4F08-A80F-F27BC3A67B2D}\ = "AdFilter Class"	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.DropTarget\CLSID\ = "{7C76C055-ED6E-4535-A70F-CD476E727F67}"	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BandIE\CLSID	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}\InprocServer32\ = "C:\\Progra~1\\Baidu\\bar\\BaiDuBar.dll"	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{89FDCC4B-8D91-49B0-81A6-18BCFF582735}\ProxyStubClsid32	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\ProgID\ = "BaiduBar.Baidu.1"	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}\ProgID	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}\ProgID\ = "BaiduBar.Tool.1"	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MimeFilter.AdFilter.1\CLSID	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.DropTarget	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MimeFilter.AdFilter	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C76C055-ED6E-4535-A70F-CD476E727F67}	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{96249369-D3DC-4AE6-8A3B-E7109D46E98D}\TypeLib	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Tool\CLSID	5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe

C:\Users\Admin\AppData\Local\Temp\5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe
"C:\Users\Admin\AppData\Local\Temp\5a72e52bdcc7e97e1ea0ef4a2d82c04cb91beaf1aa962d103d5c96578fe97136.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:4496

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Baidu\bar\BaiDuBar.dll
Filesize
372KB

MD5
ced1bb4a711333ba4168e38037452ac8

SHA1
771d1c78e9602a0f120a06bb190e8132634de303

SHA256
704e62591e79d24960a8d6a70baf4978d33f4d2692cb0e1cbe0fa5267dc487d1

SHA512
84416a53ce63aee8b2a739092d5403c0d48f338d964f00722fcb931c49c51109223f0d93f852d6cc30ba4686efef0209104a88a6da2becba0c4dad4b12bf651a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ADVPACK.DLL
Filesize
90KB

MD5
d553b62a8136d41289513c6405efea2d

SHA1
db48c3fd3993ff20511e47ffad14bfbdb9f438eb

SHA256
ce7cfb626807084186b248bbf2ef776eac086da936146f7d44956c2fcfaec1f8

SHA512
4a3767e8ac1e684a9a6eaced921b9599e34d5a4e83f034c7fe42bd8fd707a2b86f51ad485933fed5015554c3f9c4cf4b1357832964cc170d8cba86092fc9d2e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ADVPACK.DLL
Filesize
90KB

MD5
d553b62a8136d41289513c6405efea2d

SHA1
db48c3fd3993ff20511e47ffad14bfbdb9f438eb

SHA256
ce7cfb626807084186b248bbf2ef776eac086da936146f7d44956c2fcfaec1f8

SHA512
4a3767e8ac1e684a9a6eaced921b9599e34d5a4e83f034c7fe42bd8fd707a2b86f51ad485933fed5015554c3f9c4cf4b1357832964cc170d8cba86092fc9d2e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BaiduBar.dll
Filesize
372KB

MD5
ced1bb4a711333ba4168e38037452ac8

SHA1
771d1c78e9602a0f120a06bb190e8132634de303

SHA256
704e62591e79d24960a8d6a70baf4978d33f4d2692cb0e1cbe0fa5267dc487d1

SHA512
84416a53ce63aee8b2a739092d5403c0d48f338d964f00722fcb931c49c51109223f0d93f852d6cc30ba4686efef0209104a88a6da2becba0c4dad4b12bf651a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.inf
Filesize
587B

MD5
7dcb43aafb3600d3e342c0b5ee8ddae8

SHA1
208ddeaae6606a10109c91fe7f197924fe2aa762

SHA256
1b0b6edee40032df0a2540c0d31988fc3ea433ce305c349cd6235e709c60bbf4

SHA512
34f22dd9c7176f1c7dda532eede404e8308c16f8a62179c62f54383d75ee0caef40227ae1f8a34f6a598042aef5ce6748e53b3f559949c00cb86e56a0f7f4c89

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads