Overview
overview
7Static
static
7Mp3Cutter-v2.54.exe
windows7-x64
7Mp3Cutter-v2.54.exe
windows10-2004-x64
7$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...gs.dll
windows7-x64
3$PLUGINSDI...gs.dll
windows10-2004-x64
3$TEMP/Baid...ar.exe
windows7-x64
1$TEMP/Baid...ar.exe
windows10-2004-x64
1$PROGRAM_F...rX.dll
windows7-x64
7$PROGRAM_F...rX.dll
windows10-2004-x64
7$PROGRAM_F...er.exe
windows7-x64
1$PROGRAM_F...er.exe
windows10-2004-x64
1$PROGRAM_F...rc.dll
windows7-x64
1$PROGRAM_F...rc.dll
windows10-2004-x64
1$TEMP/tang...er.exe
windows7-x64
7$TEMP/tang...er.exe
windows10-2004-x64
7$PLUGINSDI...ns.dll
windows7-x64
3$PLUGINSDI...ns.dll
windows10-2004-x64
3Thunder.exe
windows7-x64
7Thunder.exe
windows10-2004-x64
7$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$WINDIR/sy...71.dll
windows7-x64
1$WINDIR/sy...71.dll
windows10-2004-x64
1$WINDIR/sy...13.dll
windows7-x64
1$WINDIR/sy...13.dll
windows10-2004-x64
1$WINDIR/sy...71.dll
windows7-x64
3$WINDIR/sy...71.dll
windows10-2004-x64
1$WINDIR/sy...71.dll
windows7-x64
3$WINDIR/sy...71.dll
windows10-2004-x64
3$WINDIR/sy...b1.dll
windows7-x64
3$WINDIR/sy...b1.dll
windows10-2004-x64
3Analysis
-
max time kernel
120s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
27/02/2024, 18:39
Behavioral task
behavioral1
Sample
Mp3Cutter-v2.54.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral2
Sample
Mp3Cutter-v2.54.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$TEMP/Baidu-Toolbar.exe
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral8
Sample
$TEMP/Baidu-Toolbar.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/BaiduBarX.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral10
Sample
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/BaiduBarX.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/BarBroker.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral12
Sample
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/BarBroker.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/rc.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral14
Sample
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/rc.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
$TEMP/tango_mp3cutter.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral16
Sample
$TEMP/tango_mp3cutter.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral18
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
Thunder.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral20
Sample
Thunder.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral22
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
$WINDIR/system32/atl71.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral24
Sample
$WINDIR/system32/atl71.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
$WINDIR/system32/libpng13.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral26
Sample
$WINDIR/system32/libpng13.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
$WINDIR/system32/msvcp71.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral28
Sample
$WINDIR/system32/msvcp71.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
$WINDIR/system32/msvcr71.dll
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral30
Sample
$WINDIR/system32/msvcr71.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
$WINDIR/system32/zlib1.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral32
Sample
$WINDIR/system32/zlib1.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
General
-
Target
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/BaiduBarX.dll
-
Size
2.3MB
-
MD5
3c2b8a41a1706ca9aa5efc33defaf7cc
-
SHA1
d9f8608170901445f69585dbc7d07d3d205e987e
-
SHA256
3fa7b750c18fbc761feaf3c738c0804ea8f02969b73764082b94ff7f60ce13b5
-
SHA512
9704f399f9beb80d3e91cb8f0bd018351ff031c0fb390ef3d4fdb7b90faf9f0993d49579f8ccafa7e3480f502c1594021f72e1d990327e72e6aa01ecbbd9277c
-
SSDEEP
49152:KY470bLUv62Xa2mXExRCZfETFPSHAnUWTOeKDF7ssT9F:f470bLUv62Xa2jxR2cXq
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2392 BarBroker.exe -
Loads dropped DLL 5 IoCs
pid Process 2928 regsvr32.exe 2928 regsvr32.exe 2928 regsvr32.exe 2928 regsvr32.exe 2928 regsvr32.exe -
Installs/modifies Browser Helper Object 2 TTPs 3 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77FEF28E-EB96-44FF-B511-3185DEA48697} regsvr32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{77FEF28E-EB96-44FF-B511-3185DEA48697}\NoExplorer = "1" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{77FEF28E-EB96-44FF-B511-3185DEA48697}\id = "bdbar" regsvr32.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File created C:\Program Files (x86)\Baidu\Toolbar\BaiduBarX.dll regsvr32.exe File opened for modification C:\Program Files (x86)\Baidu\Toolbar\BaiduBarX.dll regsvr32.exe File created C:\Program Files (x86)\Baidu\Toolbar\rc.dll regsvr32.exe File created C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe regsvr32.exe -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}\AppName = "BarBroker.exe" BarBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}\AppPath = "%ProgramFiles(x86)%\\Baidu\\Toolbar" BarBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}\Policy = "3" BarBroker.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{B580CF65-E151-49C3-B73F-70B13FCA8E86} = "12" regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2} BarBroker.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}\ = "Baidu Toolbar BHO" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage\CurVer\ = "BaiduBarEx.BDHomePage.5" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7EF05EFF-0E62-4040-8D81-73A10D8DE60F}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BECD27B-DCF5-4DEF-B066-486A47245C03}\LocalServer32 BarBroker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7EF05EFF-0E62-4040-8D81-73A10D8DE60F}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4C2BFEC9-F03C-4F74-932E-5723E603B4AC}\ = "ITool" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3A8C9D89-3271-45F4-98C0-56B0F5A16172}\1.0\0 BarBroker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2923508C-9425-4A61-B9CE-A98239055916}\TypeLib BarBroker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Tool\CurVer regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.1\ = "°Ù¶È¹¤¾ßÀ¸¸öÐÔ»¯Ê×Ò³Ö§³Ö×é¼þ" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage\CurVer regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D158174C-004B-4A2E-9410-5442C10C60D2}\ = "IBandIE" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\ProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Tool regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}\ProgID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.4\CLSID\ = "{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}\ = "°Ù¶È¹¤¾ßÀ¸¸öÐÔ»¯Ê×Ò³Ö§³Ö×é¼þ" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BECD27B-DCF5-4DEF-B066-486A47245C03}\ProgID\ = "BarBroker.BDBroker.1" BarBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}\ProgID\ = "BaiduBarEx.BDHomePage.5" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}\ProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}\Programmable regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D158174C-004B-4A2E-9410-5442C10C60D2}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3A8C9D89-3271-45F4-98C0-56B0F5A16172}\1.0\FLAGS\ = "0" BarBroker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.BandIE regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7EF05EFF-0E62-4040-8D81-73A10D8DE60F}\ = "IBDHomePage" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\ = "Baidu Toolbar" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7EF05EFF-0E62-4040-8D81-73A10D8DE60F}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3A8C9D89-3271-45F4-98C0-56B0F5A16172}\1.0\HELPDIR\ BarBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}\VersionIndependentProgID\ = "BaiduBarX.BandIE" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.2\CLSID\ = "{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.1 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}\1.0 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}\1.0\ = "BaiduBarX 1.0 Type Library" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BECD27B-DCF5-4DEF-B066-486A47245C03}\AppID = "{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}" BarBroker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.BandIE.1\CLSID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage\CLSID\ = "{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7EF05EFF-0E62-4040-8D81-73A10D8DE60F}\TypeLib\Version = "1.0" regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\VersionIndependentProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BarBroker.BDBroker\CLSID BarBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.4\ = "°Ù¶È¹¤¾ßÀ¸¸öÐÔ»¯Ê×Ò³Ö§³Ö×é¼þ" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}\1.0\0 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D158174C-004B-4A2E-9410-5442C10C60D2} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4C2BFEC9-F03C-4F74-932E-5723E603B4AC} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BECD27B-DCF5-4DEF-B066-486A47245C03}\TypeLib BarBroker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3A8C9D89-3271-45F4-98C0-56B0F5A16172} BarBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2923508C-9425-4A61-B9CE-A98239055916}\TypeLib\Version = "1.0" BarBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.BandIE\ = "Baidu Toolbar BHO" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.3\ = "°Ù¶È¹¤¾ßÀ¸¸öÐÔ»¯Ê×Ò³Ö§³Ö×é¼þ" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4C2BFEC9-F03C-4F74-932E-5723E603B4AC}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2923508C-9425-4A61-B9CE-A98239055916}\TypeLib BarBroker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.ToolBand\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2923508C-9425-4A61-B9CE-A98239055916} BarBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}\InprocServer32\ = "C:\\Program Files (x86)\\Baidu\\Toolbar\\BaiduBarX.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}\1.0\HELPDIR regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D158174C-004B-4A2E-9410-5442C10C60D2}\TypeLib\ = "{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BECD27B-DCF5-4DEF-B066-486A47245C03} BarBroker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2923508C-9425-4A61-B9CE-A98239055916}\ProxyStubClsid32 BarBroker.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 2180 wrote to memory of 2928 2180 regsvr32.exe 28 PID 2180 wrote to memory of 2928 2180 regsvr32.exe 28 PID 2180 wrote to memory of 2928 2180 regsvr32.exe 28 PID 2180 wrote to memory of 2928 2180 regsvr32.exe 28 PID 2180 wrote to memory of 2928 2180 regsvr32.exe 28 PID 2180 wrote to memory of 2928 2180 regsvr32.exe 28 PID 2180 wrote to memory of 2928 2180 regsvr32.exe 28 PID 2928 wrote to memory of 2392 2928 regsvr32.exe 29 PID 2928 wrote to memory of 2392 2928 regsvr32.exe 29 PID 2928 wrote to memory of 2392 2928 regsvr32.exe 29 PID 2928 wrote to memory of 2392 2928 regsvr32.exe 29
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PROGRAM_FILES\Baidu\Toolbar\BaiduBarX_Tmp\BaiduBarX.dll1⤵
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\$PROGRAM_FILES\Baidu\Toolbar\BaiduBarX_Tmp\BaiduBarX.dll2⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe"C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe" -RegServer3⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Modifies registry class
PID:2392
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64KB
MD5515d563b812034eaecbc4586cd056810
SHA15dd72e8df3507de916726873bb36849a40bd248d
SHA256d78db4102515a1e9615225851eaa5ae1451b26c31f24cdc5c8bc167b10633181
SHA512a389f59635a59aa2bb36f420c986250d3f69cab3353749567601971cafb0cbe5f92daf1af0d92bac2c3c7525a09f98b2f62a3f580a6e16f10472014f1b55c553
-
Filesize
31KB
MD57b910994076710c3f73206471ba4225f
SHA157b37035dc43ce70c6dd81b79345cd47632936f3
SHA256bef0b10eaa964c6b59cfe55a618834991db76420d7fafb17e4be7267348b6887
SHA512278d56f8f1a1d9572cd42295aef3fa2c84fbebdeed9187eb1b546422ea05162c5ede3b97bf6c70ed9b893df437a7825ef6a370bfecddd87d1b0e2f82c8e3e3d1
-
Filesize
2.3MB
MD53c2b8a41a1706ca9aa5efc33defaf7cc
SHA1d9f8608170901445f69585dbc7d07d3d205e987e
SHA2563fa7b750c18fbc761feaf3c738c0804ea8f02969b73764082b94ff7f60ce13b5
SHA5129704f399f9beb80d3e91cb8f0bd018351ff031c0fb390ef3d4fdb7b90faf9f0993d49579f8ccafa7e3480f502c1594021f72e1d990327e72e6aa01ecbbd9277c
-
Filesize
139KB
MD5aa227e7d1c65b3b5745a9abab5eb3169
SHA1d76f9a6622ee6b4903513398b33f3410ad1de180
SHA25605bd041deb4a318b769cfc7243d3df8d81fbd18851948aebd2a0045159b2bc55
SHA512df6e27d506e4c46c02e01d58b20569f16677ebdf829b6a4f99dc32254e5cd6b359e3e71f02950ce9f61e4cf1eb7b3ad07ba142ef83d35ec0e371f5e26fd74b8a
-
Filesize
128KB
MD5378c0b90c838a82996e5b2076f87c305
SHA1bf199b96ab706982f4568159c2b6eb7278575ff6
SHA25689b51be4b06cbdde80e0fc256502ef42b005b55d6596e7843a46e9ce6b7349f7
SHA512f772a398fde3553c1f70716ddd6dc60df96262bbf01492ffe8a8bd04be81dcc2ae21bdae34a0389170af79ddf519e01decae2ef49edffddc6d2d7af5d9f807be
-
Filesize
229KB
MD512541c0a098a1ed1756be6d54d5fbc2c
SHA15ad9876ddf91ef9992a1ec83bf70becab5c3be23
SHA25686eeaecc3ef104471423d3e280b26d03d95b80122e8178ab98d582115b403a06
SHA5120f5d9292f3548b69d65688002554cc957b9b6b3e7179b1f0fa31fc4c134b9536378b74b6295223437d02827d97696952abac9566a8904edb2fb8cab577593c5b
-
Filesize
369KB
MD5a75aab3e55d19694dc896a17e4fe5cb4
SHA11d5bcdaf5bf213d22eb865f2ac90c4059c5c3e23
SHA256b0b1f00b4cfebbed6772af28a7b89edd6c1786f671672cf0e476499e34dfbe33
SHA512da41da1bbb97548dee9aa07b0a7cbdc11804dd770b46f94f4ed15637e4f9622c3987ea04ffc0e0a54b5272524197d4fb96251a74e390cb5c1a46bfdb1343e4b1