Overview
overview
7Static
static
30408acb0dc...8c.exe
windows7-x64
70408acb0dc...8c.exe
windows10-2004-x64
7$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$_2_/$R0.dll
windows7-x64
6$_2_/$R0.dll
windows10-2004-x64
6$_2_/$R2/N...4_.exe
windows7-x64
1$_2_/$R2/N...4_.exe
windows10-2004-x64
1Analysis
-
max time kernel
120s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
09/03/2024, 20:11
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
0408acb0dccdef57ecffe96b80ad479094a6667247691a847277f289cbad458c.exe
Resource
win7-20240221-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
0408acb0dccdef57ecffe96b80ad479094a6667247691a847277f289cbad458c.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
6 signatures
150 seconds
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240221-en
windows7-x64
2 signatures
150 seconds
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
2 signatures
150 seconds
Behavioral task
behavioral5
Sample
$_2_/$R0.dll
Resource
win7-20240221-en
windows7-x64
4 signatures
150 seconds
Behavioral task
behavioral6
Sample
$_2_/$R0.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
4 signatures
150 seconds
Behavioral task
behavioral7
Sample
$_2_/$R2/NSIS.Library.RegTool.v2.$_4_.exe
Resource
win7-20240220-en
windows7-x64
0 signatures
150 seconds
Behavioral task
behavioral8
Sample
$_2_/$R2/NSIS.Library.RegTool.v2.$_4_.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
0 signatures
150 seconds
General
-
Target
0408acb0dccdef57ecffe96b80ad479094a6667247691a847277f289cbad458c.exe
-
Size
114KB
-
MD5
1290ef5a7f576a4c3a7d623cb48b3341
-
SHA1
8102349bdb17f84950e96179c6017739d3d2adc9
-
SHA256
0408acb0dccdef57ecffe96b80ad479094a6667247691a847277f289cbad458c
-
SHA512
1157376dcd7795a3dc2ac0a7a034164d8969cec8df6c2b5adb645ed2ed58b17b53135ff58acadbc50480ef54e5ecba1d6c1910fc5bb4961db43843fa33e44b82
-
SSDEEP
3072:VKQXtg/sDHmJd45eYSdOi8ZH68JRbYs9il8KMcwwbU:VNpOFYOD8ZH68Xn9il8n+U
Malware Config
Signatures
-
Loads dropped DLL 4 IoCs
pid Process 1056 0408acb0dccdef57ecffe96b80ad479094a6667247691a847277f289cbad458c.exe 1056 0408acb0dccdef57ecffe96b80ad479094a6667247691a847277f289cbad458c.exe 1056 0408acb0dccdef57ecffe96b80ad479094a6667247691a847277f289cbad458c.exe 2532 regsvr32.exe -
Installs/modifies Browser Helper Object 2 TTPs 1 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{295AB8C6-FB22-4D17-8834-064E2BA0A6F0} 0408acb0dccdef57ecffe96b80ad479094a6667247691a847277f289cbad458c.exe -
Drops file in Windows directory 5 IoCs
description ioc Process File opened for modification C:\Windows\system.ini regsvr32.exe File opened for modification C:\Windows\Intel\baiduc.dll regsvr32.exe File opened for modification C:\Windows\Intel\baiduc.dll 0408acb0dccdef57ecffe96b80ad479094a6667247691a847277f289cbad458c.exe File created C:\Windows\Intel\baiduc.dll 0408acb0dccdef57ecffe96b80ad479094a6667247691a847277f289cbad458c.exe File opened for modification C:\Windows\system.ini 0408acb0dccdef57ecffe96b80ad479094a6667247691a847277f289cbad458c.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 41 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{295AB8C6-FB22-4D17-8834-064E2BA0A6F0}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{295AB8C6-FB22-4D17-8834-064E2BA0A6F0}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0\FLAGS 0408acb0dccdef57ecffe96b80ad479094a6667247691a847277f289cbad458c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\TypeLib\Version = "1.0" 0408acb0dccdef57ecffe96b80ad479094a6667247691a847277f289cbad458c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" 0408acb0dccdef57ecffe96b80ad479094a6667247691a847277f289cbad458c.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\TypeLib 0408acb0dccdef57ecffe96b80ad479094a6667247691a847277f289cbad458c.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0\0\win32 0408acb0dccdef57ecffe96b80ad479094a6667247691a847277f289cbad458c.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\TypeLib 0408acb0dccdef57ecffe96b80ad479094a6667247691a847277f289cbad458c.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{295AB8C6-FB22-4D17-8834-064E2BA0A6F0}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\ProxyStubClsid32 0408acb0dccdef57ecffe96b80ad479094a6667247691a847277f289cbad458c.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{295AB8C6-FB22-4D17-8834-064E2BA0A6F0}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{295AB8C6-FB22-4D17-8834-064E2BA0A6F0} 0408acb0dccdef57ecffe96b80ad479094a6667247691a847277f289cbad458c.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0\HELPDIR 0408acb0dccdef57ecffe96b80ad479094a6667247691a847277f289cbad458c.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\ProxyStubClsid32 0408acb0dccdef57ecffe96b80ad479094a6667247691a847277f289cbad458c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\ = "IIEHelperObj2" 0408acb0dccdef57ecffe96b80ad479094a6667247691a847277f289cbad458c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{295AB8C6-FB22-4D17-8834-064E2BA0A6F0}\TypeLib\ = "{285AB8C5-FB22-4D17-8834-064E2BA0A6F0}" 0408acb0dccdef57ecffe96b80ad479094a6667247691a847277f289cbad458c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\ = "IIEHelperObj2" 0408acb0dccdef57ecffe96b80ad479094a6667247691a847277f289cbad458c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0\0\win32\ = "C:\\Windows\\Intel\\baiduc.dll" 0408acb0dccdef57ecffe96b80ad479094a6667247691a847277f289cbad458c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\TypeLib\Version = "1.0" 0408acb0dccdef57ecffe96b80ad479094a6667247691a847277f289cbad458c.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{295AB8C6-FB22-4D17-8834-064E2BA0A6F0}\InprocServer32 0408acb0dccdef57ecffe96b80ad479094a6667247691a847277f289cbad458c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{295AB8C6-FB22-4D17-8834-064E2BA0A6F0}\InprocServer32\ = "C:\\Windows\\Intel\\baiduc.dll" 0408acb0dccdef57ecffe96b80ad479094a6667247691a847277f289cbad458c.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{295AB8C6-FB22-4D17-8834-064E2BA0A6F0}\TypeLib 0408acb0dccdef57ecffe96b80ad479094a6667247691a847277f289cbad458c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0\FLAGS\ = "0" 0408acb0dccdef57ecffe96b80ad479094a6667247691a847277f289cbad458c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{295AB8C6-FB22-4D17-8834-064E2BA0A6F0}\InprocServer32\ = "C:\\Windows\\Intel\\baiduc.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{295AB8C6-FB22-4D17-8834-064E2BA0A6F0}\ = "Info cache" 0408acb0dccdef57ecffe96b80ad479094a6667247691a847277f289cbad458c.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0} 0408acb0dccdef57ecffe96b80ad479094a6667247691a847277f289cbad458c.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0} 0408acb0dccdef57ecffe96b80ad479094a6667247691a847277f289cbad458c.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{295AB8C6-FB22-4D17-8834-064E2BA0A6F0} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{295AB8C6-FB22-4D17-8834-064E2BA0A6F0}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0\ = "Pbtoo2s 1.0 Type Library" 0408acb0dccdef57ecffe96b80ad479094a6667247691a847277f289cbad458c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0\HELPDIR\ = "C:\\Windows\\Intel" 0408acb0dccdef57ecffe96b80ad479094a6667247691a847277f289cbad458c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\TypeLib\ = "{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}" 0408acb0dccdef57ecffe96b80ad479094a6667247691a847277f289cbad458c.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{295AB8C6-FB22-4D17-8834-064E2BA0A6F0} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\TypeLib\ = "{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}" 0408acb0dccdef57ecffe96b80ad479094a6667247691a847277f289cbad458c.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0} 0408acb0dccdef57ecffe96b80ad479094a6667247691a847277f289cbad458c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{295AB8C6-FB22-4D17-8834-064E2BA0A6F0}\ = "Info cache" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{295AB8C6-FB22-4D17-8834-064E2BA0A6F0}\TypeLib\ = "{285AB8C5-FB22-4D17-8834-064E2BA0A6F0}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{295AB8C6-FB22-4D17-8834-064E2BA0A6F0}\InprocServer32\ThreadingModel = "Apartment" 0408acb0dccdef57ecffe96b80ad479094a6667247691a847277f289cbad458c.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0 0408acb0dccdef57ecffe96b80ad479094a6667247691a847277f289cbad458c.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{385AB8C5-FB22-4D17-8834-064E2BA0A6F0}\1.0\0 0408acb0dccdef57ecffe96b80ad479094a6667247691a847277f289cbad458c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{385AB8C4-FB22-4D17-8834-064E2BA0A6F0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" 0408acb0dccdef57ecffe96b80ad479094a6667247691a847277f289cbad458c.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 1056 wrote to memory of 2532 1056 0408acb0dccdef57ecffe96b80ad479094a6667247691a847277f289cbad458c.exe 28 PID 1056 wrote to memory of 2532 1056 0408acb0dccdef57ecffe96b80ad479094a6667247691a847277f289cbad458c.exe 28 PID 1056 wrote to memory of 2532 1056 0408acb0dccdef57ecffe96b80ad479094a6667247691a847277f289cbad458c.exe 28 PID 1056 wrote to memory of 2532 1056 0408acb0dccdef57ecffe96b80ad479094a6667247691a847277f289cbad458c.exe 28 PID 1056 wrote to memory of 2532 1056 0408acb0dccdef57ecffe96b80ad479094a6667247691a847277f289cbad458c.exe 28 PID 1056 wrote to memory of 2532 1056 0408acb0dccdef57ecffe96b80ad479094a6667247691a847277f289cbad458c.exe 28 PID 1056 wrote to memory of 2532 1056 0408acb0dccdef57ecffe96b80ad479094a6667247691a847277f289cbad458c.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\0408acb0dccdef57ecffe96b80ad479094a6667247691a847277f289cbad458c.exe"C:\Users\Admin\AppData\Local\Temp\0408acb0dccdef57ecffe96b80ad479094a6667247691a847277f289cbad458c.exe"1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Windows\SysWOW64\regsvr32.exe"regsvr32.exe" "C:\Windows\Intel\baiduc.dll" /s2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies registry class
PID:2532
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
247B
MD533a151f0aed0feb7eb69c7cf80130ed2
SHA1c9b74684d9a9ee835a29f0d118d9c34c40dd95dc
SHA2568a01c2286f8bf7e14388879632959e8aec8d532fae119e47017ad1e05e6d5ca9
SHA512cbe1ad9035932a17c29bfb4fea8ac36443cda7d00dbc0b9e2bc3790c261e353f39c94eeeac7c53b48cc336bcb325b63dcf99c45008b4a0137e928fce0d693024
-
Filesize
10KB
MD5bf01b2d04e8fad306ba2f364cfc4edfa
SHA158f42b45ca9fc1818c4498ecd8bac088d20f2b18
SHA256d3f9c99e0c1c9acd81a1b33bc3dbd305140def90d10485c253cf1d455f0dc903
SHA51230ca1663d659c5efac7fed3d1aaba81c47d5d5fda77f30f021124c882b858732e17f917bfd0aa3ee7b269fad86e75b1b9388d8f916e7a4e2c9961669f2c772e7
-
Filesize
148KB
MD523061a514841f25b464965583ff6270f
SHA1489505e2275499b8c72b270eb24dcd18be3b7b4d
SHA256e55ab14c0f270e63657d89bd9fe0322520f42896c0dfa91eac8d812a1c25b2e5
SHA51249d4d7916f833468be9b9a9213b2c614f500c9f21339a2d55590adb9d3d77dfaf27b06ca1e84cc831c3f24a069f3b717ef527ea8503cb2508dcce2c0155c0939