c9cf241b510622abc59c2c15a217a7dab5467c09548e3b24401ae202401a69bb

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 13:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$TEMP/sobar/Baidu-TB-ASBar-Silent_kuwo.exe
Size

1.3MB
MD5

8ea8a0ed6b1d1e8dac94d077db2829a9
SHA1

d6a0ac5e6050b094b13c6394a30cb9e814d95c6a
SHA256

b601c7af794efc689a621c07c603b823045064fce3ab9b6cfe636dc911f8a205
SHA512

3ce7525d3a767f3e5e4cff7d4d5c95fb57dba548ac85184722ba9119a6c3637eeba8b356e796c7ca75224fe284e1ca721f707a9aa230158df91e57f360ea981b
SSDEEP

24576:j2hb7qMRVe4uCpatoAKlERcbLoGgnDmUW+KpsiQpcolabndso7zJk1r4CN:j2NVeN/2AKOGbInIuAolabndNXi19N

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2896	BarBroker.exe
2608	ASBarBroker.exe

Loads dropped DLL 26 IoCs

pid	Process
2352	Baidu-TB-ASBar-Silent_kuwo.exe
2352	Baidu-TB-ASBar-Silent_kuwo.exe
2352	Baidu-TB-ASBar-Silent_kuwo.exe
2352	Baidu-TB-ASBar-Silent_kuwo.exe
2352	Baidu-TB-ASBar-Silent_kuwo.exe
2352	Baidu-TB-ASBar-Silent_kuwo.exe
2352	Baidu-TB-ASBar-Silent_kuwo.exe
2352	Baidu-TB-ASBar-Silent_kuwo.exe
2352	Baidu-TB-ASBar-Silent_kuwo.exe
2352	Baidu-TB-ASBar-Silent_kuwo.exe
2352	Baidu-TB-ASBar-Silent_kuwo.exe
2352	Baidu-TB-ASBar-Silent_kuwo.exe
2896	BarBroker.exe
2896	BarBroker.exe
2896	BarBroker.exe
2352	Baidu-TB-ASBar-Silent_kuwo.exe
2352	Baidu-TB-ASBar-Silent_kuwo.exe
2352	Baidu-TB-ASBar-Silent_kuwo.exe
2352	Baidu-TB-ASBar-Silent_kuwo.exe
2352	Baidu-TB-ASBar-Silent_kuwo.exe
2352	Baidu-TB-ASBar-Silent_kuwo.exe
2352	Baidu-TB-ASBar-Silent_kuwo.exe
2352	Baidu-TB-ASBar-Silent_kuwo.exe
2608	ASBarBroker.exe
2608	ASBarBroker.exe
2608	ASBarBroker.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 5 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BF1E80D5-1697-C5E2-F5E6-873FF731DE35}	Baidu-TB-ASBar-Silent_kuwo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{BF1E80D5-1697-C5E2-F5E6-873FF731DE35}\NoExplorer = "1"	Baidu-TB-ASBar-Silent_kuwo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77FEF28E-EB96-44FF-B511-3185DEA48697}	Baidu-TB-ASBar-Silent_kuwo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{77FEF28E-EB96-44FF-B511-3185DEA48697}\NoExplorer = "1"	Baidu-TB-ASBar-Silent_kuwo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{77FEF28E-EB96-44FF-B511-3185DEA48697}\id = "bdbar"	Baidu-TB-ASBar-Silent_kuwo.exe

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Baidu\{BF1E80D5-1697-C5E2-F5E6-873FF731DE35}\ASBarBroker.exe	Baidu-TB-ASBar-Silent_kuwo.exe
File created	C:\Program Files (x86)\Baidu\Toolbar\BaiduBarX_Tmp\BarBroker.exe	Baidu-TB-ASBar-Silent_kuwo.exe
File created	C:\Program Files (x86)\Baidu\AddressBar.dll	Baidu-TB-ASBar-Silent_kuwo.exe
File created	C:\Program Files (x86)\Baidu\ASBarBroker.exe	Baidu-TB-ASBar-Silent_kuwo.exe
File opened for modification	C:\Program Files (x86)\Baidu\conf.xml	Baidu-TB-ASBar-Silent_kuwo.exe
File created	C:\Program Files (x86)\Baidu\conf.xml	Baidu-TB-ASBar-Silent_kuwo.exe
File opened for modification	C:\Program Files (x86)\Baidu\Toolbar\BaiduBarX.dll	Baidu-TB-ASBar-Silent_kuwo.exe
File created	C:\Program Files (x86)\Baidu\{BF1E80D5-1697-C5E2-F5E6-873FF731DE35}\conf.xml	Baidu-TB-ASBar-Silent_kuwo.exe
File opened for modification	C:\Program Files (x86)\Baidu\AddressBar.dll	Baidu-TB-ASBar-Silent_kuwo.exe
File created	C:\Program Files (x86)\Baidu\Toolbar\BaiduBarX.dll	Baidu-TB-ASBar-Silent_kuwo.exe
File created	C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe	Baidu-TB-ASBar-Silent_kuwo.exe
File created	C:\Program Files (x86)\Baidu\Toolbar\rc.dll	Baidu-TB-ASBar-Silent_kuwo.exe
File opened for modification	C:\Program Files (x86)\Baidu\Toolbar\BaiduBarX_Tmp\rc.dll	Baidu-TB-ASBar-Silent_kuwo.exe
File created	C:\Program Files (x86)\Baidu\Toolbar\BaiduBarX_Tmp\rc.dll	Baidu-TB-ASBar-Silent_kuwo.exe
File opened for modification	C:\Program Files (x86)\Baidu\Toolbar\BaiduBarX_Tmp\BarBroker.exe	Baidu-TB-ASBar-Silent_kuwo.exe
File opened for modification	C:\Program Files (x86)\Baidu\ASBarBroker.exe	Baidu-TB-ASBar-Silent_kuwo.exe
File created	C:\Program Files (x86)\Baidu\{BF1E80D5-1697-C5E2-F5E6-873FF731DE35}\AddressBar.dll	Baidu-TB-ASBar-Silent_kuwo.exe
File opened for modification	C:\Program Files (x86)\Baidu\Toolbar\BaiduBarX_Tmp\BaiduBarX.dll	Baidu-TB-ASBar-Silent_kuwo.exe
File created	C:\Program Files (x86)\Baidu\Toolbar\BaiduBarX_Tmp\BaiduBarX.dll	Baidu-TB-ASBar-Silent_kuwo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}\URL = "http://www.baidu.com/s?wd={searchTerms}&ie={inputEncoding}&oe={outputEncoding}&bar=13&tn=kwmusic_cb"	Baidu-TB-ASBar-Silent_kuwo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}\Policy = "3"	BarBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}	Baidu-TB-ASBar-Silent_kuwo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\AppPath = "C:\\Program Files (x86)\\Baidu\\{BF1E80D5-1697-C5E2-F5E6-873FF731DE35}"	ASBarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{B580CF65-E151-49C3-B73F-70B13FCA8E86} = "12"	Baidu-TB-ASBar-Silent_kuwo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TypedURLs\url1 = "http://www.baidu.com/index.php?tn=baidudg&addresssearch=1"	Baidu-TB-ASBar-Silent_kuwo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TypedURLs\url2 = "http://www.baidu.com/index.php?tn=baidudg&addresssearch=2"	Baidu-TB-ASBar-Silent_kuwo.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}	ASBarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\AppPath = "C:\\Program Files (x86)\\Baidu\\{BF1E80D5-1697-C5E2-F5E6-873FF731DE35}"	ASBarBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}	ASBarBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}\SuggestionsURL_JSON = "http://suggestion.baidu.com/su?wd={searchTerms}&action=opensearch&ie={inputEncoding}&from=ie8"	Baidu-TB-ASBar-Silent_kuwo.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TypedURLs	Baidu-TB-ASBar-Silent_kuwo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\AppPath = "%ProgramFiles(x86)%\\Baidu\\AddressBar"	ASBarBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\AppName = "ASBarBroker.exe"	ASBarBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}	Baidu-TB-ASBar-Silent_kuwo.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes	Baidu-TB-ASBar-Silent_kuwo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}"	Baidu-TB-ASBar-Silent_kuwo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}\AppPath = "%ProgramFiles(x86)%\\Baidu\\Toolbar"	BarBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TypedURLs\url2 = "http://www.baidu.com/index.php?tn=kwmusic_adr&addresssearch=2"	Baidu-TB-ASBar-Silent_kuwo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\AppName = "ASBarBroker.exe"	ASBarBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\Policy = "3"	ASBarBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	Baidu-TB-ASBar-Silent_kuwo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}\AppName = "BarBroker.exe"	BarBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}\FaviconURL = "http://www.baidu.com/favicon.ico"	Baidu-TB-ASBar-Silent_kuwo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}\URL = "http://www.baidu.com/s?wd={searchTerms}&ie={inputEncoding}&oe={outputEncoding}&abar=2&tn=kwmusic_adr"	Baidu-TB-ASBar-Silent_kuwo.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Low Rights	ASBarBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	ASBarBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes"	Baidu-TB-ASBar-Silent_kuwo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}\DisplayName = "百度一下，你就知道"	Baidu-TB-ASBar-Silent_kuwo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar	Baidu-TB-ASBar-Silent_kuwo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}	BarBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TypedURLs\url1 = "http://www.baidu.com/index.php?tn=kwmusic_adr&addresssearch=1"	Baidu-TB-ASBar-Silent_kuwo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}	ASBarBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\Policy = "3"	ASBarBroker.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6C773CA2-F142-4B2C-981A-FD3B1BEC1578}\ = "IBDLogin"	Baidu-TB-ASBar-Silent_kuwo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ASBarBroker.BDBroker\ = "BDBroker Class"	ASBarBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7EF05EFF-0E62-4040-8D81-73A10D8DE60F}\ProxyStubClsid32	Baidu-TB-ASBar-Silent_kuwo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3A8C9D89-3271-45F4-98C0-56B0F5A16172}\1.0\FLAGS\ = "0"	BarBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AddressSearch.SnavHttpProtocol.1\CLSID	Baidu-TB-ASBar-Silent_kuwo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FCB380C4-D350-44BE-8791-50216F4747AC}\ProxyStubClsid32	ASBarBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D02E3AB9-7796-40CB-BDFC-20D834FE1F75}\1.0	ASBarBroker.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\InprocServer32	Baidu-TB-ASBar-Silent_kuwo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D158174C-004B-4A2E-9410-5442C10C60D2}\TypeLib	Baidu-TB-ASBar-Silent_kuwo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BECD27B-DCF5-4DEF-B066-486A47245C03}\TypeLib\ = "{3A8C9D89-3271-45F4-98C0-56B0F5A16172}"	BarBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BF1E80D5-1697-C5E2-F5E6-873FF731DE35.Addr\CLSID	Baidu-TB-ASBar-Silent_kuwo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11CC93E4-0BE6-4f8f-82AA-D577FB955B05}\InprocServer32	Baidu-TB-ASBar-Silent_kuwo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AddressSearch.JsObject.1\CLSID\ = "{11CC93E4-0BE6-4f8f-82AA-D577FB955B05}"	Baidu-TB-ASBar-Silent_kuwo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4D89001B-5B5B-4E76-A1F5-638E49DB7A58}\ = "IJsObject"	Baidu-TB-ASBar-Silent_kuwo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D02E3AB9-7796-40CB-BDFC-20D834FE1F75}\1.0\HELPDIR	ASBarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.1\CLSID\ = "{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}"	Baidu-TB-ASBar-Silent_kuwo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3A8C9D89-3271-45F4-98C0-56B0F5A16172}\1.0\HELPDIR\	BarBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE575A61-09BD-4F3A-B8B5-B55B813B44EC}	Baidu-TB-ASBar-Silent_kuwo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.2\CLSID\ = "{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}"	Baidu-TB-ASBar-Silent_kuwo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6C773CA2-F142-4B2C-981A-FD3B1BEC1578}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Baidu-TB-ASBar-Silent_kuwo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AddressSearch.SnavHttpProtocol\CurVer	Baidu-TB-ASBar-Silent_kuwo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3A8C9D89-3271-45F4-98C0-56B0F5A16172}	BarBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2923508C-9425-4A61-B9CE-A98239055916}\TypeLib	BarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11CC93E4-0BE6-4f8f-82AA-D577FB955B05}\Programmable\	Baidu-TB-ASBar-Silent_kuwo.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23A2B2B7-21DE-4B88-AFBA-5A918ABBF463}\Programmable	Baidu-TB-ASBar-Silent_kuwo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BF1E80D5-1697-C5E2-F5E6-873FF731DE35.Addr\CurVer	Baidu-TB-ASBar-Silent_kuwo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7EF05EFF-0E62-4040-8D81-73A10D8DE60F}\TypeLib	Baidu-TB-ASBar-Silent_kuwo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7EF05EFF-0E62-4040-8D81-73A10D8DE60F}\TypeLib\Version = "1.0"	Baidu-TB-ASBar-Silent_kuwo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BarBroker.BDBroker\CurVer\ = "BarBroker.BDBroker.1"	BarBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE575A61-09BD-4F3A-B8B5-B55B813B44EC}\ProxyStubClsid32	Baidu-TB-ASBar-Silent_kuwo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FA677CC1-D6FA-4B55-825D-6C493F56ED84}	Baidu-TB-ASBar-Silent_kuwo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FA677CC1-D6FA-4B55-825D-6C493F56ED84}\ProxyStubClsid32	Baidu-TB-ASBar-Silent_kuwo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FCB380C4-D350-44BE-8791-50216F4747AC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ASBarBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.3\CLSID	Baidu-TB-ASBar-Silent_kuwo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}\ProgID\ = "BaiduBarEx.BDHomePage.5"	Baidu-TB-ASBar-Silent_kuwo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}\InprocServer32\ = "C:\\Program Files (x86)\\Baidu\\Toolbar\\BaiduBarX.dll"	Baidu-TB-ASBar-Silent_kuwo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91878E42-FC03-4785-B513-1F9E613D1027}\TypeLib	ASBarBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.5	Baidu-TB-ASBar-Silent_kuwo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7EF05EFF-0E62-4040-8D81-73A10D8DE60F}	Baidu-TB-ASBar-Silent_kuwo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ASBarBroker.BDBroker.1\CLSID\ = "{91878E42-FC03-4785-B513-1F9E613D1027}"	ASBarBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage\CurVer	Baidu-TB-ASBar-Silent_kuwo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D158174C-004B-4A2E-9410-5442C10C60D2}\TypeLib\ = "{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}"	Baidu-TB-ASBar-Silent_kuwo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86}\TypeLib	Baidu-TB-ASBar-Silent_kuwo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3A8C9D89-3271-45F4-98C0-56B0F5A16172}\1.0\0\win32	BarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9BC0421-BB5C-447D-8547-BB45AFA80A4D}\1.0\0\win32\ = "C:\\Program Files (x86)\\Baidu\\{BF1E80D5-1697-C5E2-F5E6-873FF731DE35}\\AddressBar.dll"	Baidu-TB-ASBar-Silent_kuwo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA677CC1-D6FA-4B55-825D-6C493F56ED84}	Baidu-TB-ASBar-Silent_kuwo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Tool.1	Baidu-TB-ASBar-Silent_kuwo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}\VersionIndependentProgID\ = "BaiduBar.Tool"	Baidu-TB-ASBar-Silent_kuwo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AddressSearch.SnavHttpProtocol.1\ = "SnavHttpProtocol Class"	Baidu-TB-ASBar-Silent_kuwo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4D89001B-5B5B-4E76-A1F5-638E49DB7A58}\TypeLib\Version = "1.0"	Baidu-TB-ASBar-Silent_kuwo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}\1.0\HELPDIR\	Baidu-TB-ASBar-Silent_kuwo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7EF05EFF-0E62-4040-8D81-73A10D8DE60F}\TypeLib\ = "{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}"	Baidu-TB-ASBar-Silent_kuwo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AddressSearch.SnavHttpProtocol\CurVer\ = "AddressSearch.SnavHttpProtocol.1"	Baidu-TB-ASBar-Silent_kuwo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Tool.1\CLSID\ = "{A7F05EE4-0426-454F-8013-C41E3596E9E9}"	Baidu-TB-ASBar-Silent_kuwo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}	Baidu-TB-ASBar-Silent_kuwo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23A2B2B7-21DE-4B88-AFBA-5A918ABBF463}\ = "BDLogin Class"	Baidu-TB-ASBar-Silent_kuwo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D158174C-004B-4A2E-9410-5442C10C60D2}\TypeLib\Version = "1.0"	Baidu-TB-ASBar-Silent_kuwo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4D89001B-5B5B-4E76-A1F5-638E49DB7A58}	Baidu-TB-ASBar-Silent_kuwo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}\TypeLib	Baidu-TB-ASBar-Silent_kuwo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7EF05EFF-0E62-4040-8D81-73A10D8DE60F}\ = "IBDHomePage"	Baidu-TB-ASBar-Silent_kuwo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6C773CA2-F142-4B2C-981A-FD3B1BEC1578}\TypeLib\Version = "1.0"	Baidu-TB-ASBar-Silent_kuwo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2923508C-9425-4A61-B9CE-A98239055916}\TypeLib\Version = "1.0"	BarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91878E42-FC03-4785-B513-1F9E613D1027}\TypeLib\ = "{D02E3AB9-7796-40cb-BDFC-20D834FE1F75}"	ASBarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.BandIE\CurVer\ = "BaiduBarX.BandIE.1"	Baidu-TB-ASBar-Silent_kuwo.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	2352	Baidu-TB-ASBar-Silent_kuwo.exe
Token: SeBackupPrivilege	2352	Baidu-TB-ASBar-Silent_kuwo.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2896	2352	Baidu-TB-ASBar-Silent_kuwo.exe	30
PID 2352 wrote to memory of 2896	2352	Baidu-TB-ASBar-Silent_kuwo.exe	30
PID 2352 wrote to memory of 2896	2352	Baidu-TB-ASBar-Silent_kuwo.exe	30
PID 2352 wrote to memory of 2896	2352	Baidu-TB-ASBar-Silent_kuwo.exe	30
PID 2352 wrote to memory of 2896	2352	Baidu-TB-ASBar-Silent_kuwo.exe	30
PID 2352 wrote to memory of 2896	2352	Baidu-TB-ASBar-Silent_kuwo.exe	30
PID 2352 wrote to memory of 2896	2352	Baidu-TB-ASBar-Silent_kuwo.exe	30
PID 2352 wrote to memory of 2608	2352	Baidu-TB-ASBar-Silent_kuwo.exe	31
PID 2352 wrote to memory of 2608	2352	Baidu-TB-ASBar-Silent_kuwo.exe	31
PID 2352 wrote to memory of 2608	2352	Baidu-TB-ASBar-Silent_kuwo.exe	31
PID 2352 wrote to memory of 2608	2352	Baidu-TB-ASBar-Silent_kuwo.exe	31
PID 2352 wrote to memory of 2608	2352	Baidu-TB-ASBar-Silent_kuwo.exe	31
PID 2352 wrote to memory of 2608	2352	Baidu-TB-ASBar-Silent_kuwo.exe	31
PID 2352 wrote to memory of 2608	2352	Baidu-TB-ASBar-Silent_kuwo.exe	31

C:\Users\Admin\AppData\Local\Temp\$TEMP\sobar\Baidu-TB-ASBar-Silent_kuwo.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\sobar\Baidu-TB-ASBar-Silent_kuwo.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe
  "C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe" -RegServer
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:2896
- C:\PROGRA~2\Baidu\{BF1E8~1\ASBarBroker.exe
  "C:\PROGRA~2\Baidu\{BF1E8~1\ASBarBroker.exe" -RegServer
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Baidu\{BF1E8~1\conf.xml

Filesize
332B

MD5
429f2ac83c17bc0e72d5c5e4bd46e83d

SHA1
04430a16b43b731c02271c4face28c7658f75174

SHA256
3ea9f3b8f6a22569425fc87829bba9e4659be93deffe9933e19552c5124db4fe

SHA512
d5d61d0a8995db7bcfde0effd6756b43bf375250553ecc0d0be7dc956901fbf35afbef3c2c3c1ac0193604f30a4f6e4f871e468952b0d60441911bc0495618e7

Download Submit
C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe

Filesize
228KB

MD5
7965293df77012fdb3a480510fffd207

SHA1
50e24936d86769254f42d9a45b8bb4eee3ea5de6

SHA256
aec87468a90c73184fd19d66ab9b7284cfd36762e7045dbdeefff78469a3c349

SHA512
c917b05f84e466ec84c22878b0ff70a9efbeef6d8c3a221fb789a08483e1087894f53567efa931fcc5c39e433026dcac095d6cede220a3aee8e735b8c0e6ce74

Download Submit
\PROGRA~2\Baidu\{BF1E8~1\ASBarBroker.exe

Filesize
129KB

MD5
0ebf8f583abb1ffb40c07b87eae4edb3

SHA1
ef91b3245f426b86c2b69fd9678176d3be05c009

SHA256
00a481ef9985281177c1f6cc6d055c2bdb719db224637e7eb474a3eaab6305cf

SHA512
0bca7bc46019628149afb00cd69d26fd59195c4cbecbb472f9afabf73e8b3eb1da20fdaa4ef03c0776d11b5c8532d16b40a927e4b8b68640067c145cb7e463b4

Download Submit
\Program Files (x86)\Baidu\AddressBar.dll

Filesize
1.1MB

MD5
57d9f8b6e595ef4a02d8630c53fddcc3

SHA1
523dedd35613dc3221657876a3f5248e38e2a842

SHA256
c9a2b8ff0be921e2ac2ff6993f7fecc486b02969254884f89af3a19babfcf7e6

SHA512
e95f144caa3bb636fd4a085a24a41d95ac6dae1c47d729400bb65a37527863b02b15e98cb62121f2155956f8a2b177f3b1a11d9ba08881858924d9bd75be985e

Download Submit
\Program Files (x86)\Baidu\Toolbar\BaiduBarX_Tmp\BaiduBarX.dll

Filesize
2.7MB

MD5
71946bb03e05a64a16a0656e09e6b5eb

SHA1
788f4ddc25c4d83f86d333c19a4bf0194b9475f5

SHA256
c2335cdd499511baf39d434b2e7e884b2792808696dc5621e9001bebcac68348

SHA512
3cb13346691788f443f80d19b2d15123bfc30070c89b15a46627e2694319ea0c500a2d6914a2f01c1f588dded0631b59f3ae93aad3af7960766c45f52b87697d

Download Submit
\Program Files (x86)\Baidu\Toolbar\rc.dll

Filesize
500KB

MD5
108539b4c8375e9c463ccbfac8eb5402

SHA1
20d6d9ca9f75b2970fd31e3f2140aee8c2587205

SHA256
62216ef4c28936f8b9d608d52718a154fa91fc794d600b37c9e6ee03bc9d0123

SHA512
2ece1e8176f38f8cbf094b16705b69a242c2d1ca4dd72a5af5337dd052950f6a07224bf52bee01e6d580aa7d9d7a01725a1e4a1a4e719c2a984064178849433b

Download Submit
memory/2352-23-0x00000000039C0000-0x0000000003C71000-memory.dmp

Filesize
2.7MB

Download
memory/2352-36-0x0000000003E80000-0x0000000003EFD000-memory.dmp

Filesize
500KB

Download
memory/2352-80-0x00000000044D0000-0x00000000045F6000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads