Overview
overview
7Static
static
334ff09035e...18.exe
windows7-x64
334ff09035e...18.exe
windows10-2004-x64
3$PLUGINSDI...64.dll
windows7-x64
3$PLUGINSDI...64.dll
windows10-2004-x64
3$PLUGINSDI...ns.dll
windows7-x64
3$PLUGINSDI...ns.dll
windows10-2004-x64
3$PLUGINSDI...LL.dll
windows7-x64
3$PLUGINSDI...LL.dll
windows10-2004-x64
3$PLUGINSDI...ew.dll
windows7-x64
3$PLUGINSDI...ew.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDIR/inetc.dll
windows7-x64
3$PLUGINSDIR/inetc.dll
windows10-2004-x64
3$TEMP/KWMU...te.exe
windows7-x64
7$TEMP/KWMU...te.exe
windows10-2004-x64
7$PLUGINSDI...64.dll
windows7-x64
3$PLUGINSDI...64.dll
windows10-2004-x64
3$PLUGINSDI...ew.dll
windows7-x64
3$PLUGINSDI...ew.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDIR/inetc.dll
windows7-x64
3$PLUGINSDIR/inetc.dll
windows10-2004-x64
3$TEMP/soba...wo.exe
windows7-x64
7$TEMP/soba...wo.exe
windows10-2004-x64
1$PROGRAM_F...er.exe
windows7-x64
1$PROGRAM_F...er.exe
windows10-2004-x64
1$PROGRAM_F...ar.dll
windows7-x64
7$PROGRAM_F...ar.dll
windows10-2004-x64
7$PROGRAM_F...rX.dll
windows7-x64
7$PROGRAM_F...rX.dll
windows10-2004-x64
7Analysis
-
max time kernel
121s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
10/07/2024, 13:54
Static task
static1
Behavioral task
behavioral1
Sample
34ff09035e69a5cc710b3bf8229922aa_JaffaCakes118.exe
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral2
Sample
34ff09035e69a5cc710b3bf8229922aa_JaffaCakes118.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/Base64.dll
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/Base64.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$PLUGINSDIR/KillProcDLL.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral8
Sample
$PLUGINSDIR/KillProcDLL.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$PLUGINSDIR/KuWoNsis_new.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral10
Sample
$PLUGINSDIR/KuWoNsis_new.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral12
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
$PLUGINSDIR/inetc.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral14
Sample
$PLUGINSDIR/inetc.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
$TEMP/KWMUSIC/DownloadUpdate.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral16
Sample
$TEMP/KWMUSIC/DownloadUpdate.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
$PLUGINSDIR/Base64.dll
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral18
Sample
$PLUGINSDIR/Base64.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
$PLUGINSDIR/KuWoNsis_new.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral20
Sample
$PLUGINSDIR/KuWoNsis_new.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral22
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
$PLUGINSDIR/inetc.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral24
Sample
$PLUGINSDIR/inetc.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
$TEMP/sobar/Baidu-TB-ASBar-Silent_kuwo.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral26
Sample
$TEMP/sobar/Baidu-TB-ASBar-Silent_kuwo.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
$PROGRAM_FILES/Baidu/ASBarBroker.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral28
Sample
$PROGRAM_FILES/Baidu/ASBarBroker.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
$PROGRAM_FILES/Baidu/AddressBar.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral30
Sample
$PROGRAM_FILES/Baidu/AddressBar.dll
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/BaiduBarX.dll
Resource
win7-20240705-en
windows7-x64
General
-
Target
$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/BaiduBarX.dll
-
Size
2.7MB
-
MD5
71946bb03e05a64a16a0656e09e6b5eb
-
SHA1
788f4ddc25c4d83f86d333c19a4bf0194b9475f5
-
SHA256
c2335cdd499511baf39d434b2e7e884b2792808696dc5621e9001bebcac68348
-
SHA512
3cb13346691788f443f80d19b2d15123bfc30070c89b15a46627e2694319ea0c500a2d6914a2f01c1f588dded0631b59f3ae93aad3af7960766c45f52b87697d
-
SSDEEP
49152:y+iYHeGF8oBqZeyk4ErwrbS1zK/bmN0xThIAywkLFmTmjIGiANja:xFem8oBqZeyk4ErwfS1fNyitLHI5
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2392 BarBroker.exe -
Loads dropped DLL 5 IoCs
pid Process 1588 regsvr32.exe 1588 regsvr32.exe 1588 regsvr32.exe 1588 regsvr32.exe 1588 regsvr32.exe -
Installs/modifies Browser Helper Object 2 TTPs 3 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77FEF28E-EB96-44FF-B511-3185DEA48697} regsvr32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{77FEF28E-EB96-44FF-B511-3185DEA48697}\NoExplorer = "1" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{77FEF28E-EB96-44FF-B511-3185DEA48697}\id = "bdbar" regsvr32.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File created C:\Program Files (x86)\Baidu\Toolbar\BaiduBarX.dll regsvr32.exe File opened for modification C:\Program Files (x86)\Baidu\Toolbar\BaiduBarX.dll regsvr32.exe File created C:\Program Files (x86)\Baidu\Toolbar\rc.dll regsvr32.exe File created C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe regsvr32.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}\Policy = "3" BarBroker.exe Key created \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Main regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" regsvr32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{B580CF65-E151-49C3-B73F-70B13FCA8E86} = "12" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2} BarBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}\AppName = "BarBroker.exe" BarBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}\AppPath = "%ProgramFiles(x86)%\\Baidu\\Toolbar" BarBroker.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage\CurVer regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}\ = "°Ù¶È¹¤¾ßÀ¸¸öÐÔ»¯Ê×Ò³Ö§³Ö×é¼þ" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.BDLogin.1\ = "BDLogin Class" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23A2B2B7-21DE-4B88-AFBA-5A918ABBF463}\InprocServer32\ = "C:\\Program Files (x86)\\Baidu\\Toolbar\\BaiduBarX.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}\ = "°Ù¶È¹¤¾ßÀ¸¸¨Öú¶ÔÏó" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23A2B2B7-21DE-4B88-AFBA-5A918ABBF463}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}\1.0\0\win32\ = "C:\\Program Files (x86)\\Baidu\\Toolbar\\BaiduBarX.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BarBroker.BDBroker\CLSID BarBroker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.BandIE\CurVer\ = "BaiduBarX.BandIE.1" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}\Programmable regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23A2B2B7-21DE-4B88-AFBA-5A918ABBF463}\VersionIndependentProgID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C773CA2-F142-4B2C-981A-FD3B1BEC1578}\TypeLib\ = "{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.BandIE regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23A2B2B7-21DE-4B88-AFBA-5A918ABBF463}\Programmable regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2923508C-9425-4A61-B9CE-A98239055916}\ = "IBDBroker" BarBroker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\TypeLib\ = "{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}\1.0 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Tool\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D158174C-004B-4A2E-9410-5442C10C60D2}\TypeLib\ = "{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BarBroker.BDBroker BarBroker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BECD27B-DCF5-4DEF-B066-486A47245C03}\VersionIndependentProgID BarBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Tool\ = "°Ù¶È¹¤¾ßÀ¸¸¨Öú¶ÔÏó" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}\TypeLib\ = "{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.BDLogin.1 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BECD27B-DCF5-4DEF-B066-486A47245C03}\AppID = "{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}" BarBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2923508C-9425-4A61-B9CE-A98239055916}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" BarBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}\VersionIndependentProgID\ = "BaiduBarX.BandIE" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.BandIE\CLSID\ = "{77FEF28E-EB96-44FF-B511-3185DEA48697}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BarBroker.BDBroker.1 BarBroker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3A8C9D89-3271-45F4-98C0-56B0F5A16172}\1.0\FLAGS BarBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.ToolBand\CLSID\ = "{B580CF65-E151-49C3-B73F-70B13FCA8E86}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23A2B2B7-21DE-4B88-AFBA-5A918ABBF463}\ProgID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D158174C-004B-4A2E-9410-5442C10C60D2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2923508C-9425-4A61-B9CE-A98239055916}\TypeLib\Version = "1.0" BarBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}\ProgID\ = "BaiduBarEx.BDHomePage.5" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23A2B2B7-21DE-4B88-AFBA-5A918ABBF463} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4C2BFEC9-F03C-4F74-932E-5723E603B4AC} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BarBroker.BDBroker.1\ = "BDBroker Class" BarBroker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Tool.1\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.BDLogin.1\CLSID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7EF05EFF-0E62-4040-8D81-73A10D8DE60F}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D158174C-004B-4A2E-9410-5442C10C60D2}\ = "IBandIE" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C773CA2-F142-4B2C-981A-FD3B1BEC1578} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C773CA2-F142-4B2C-981A-FD3B1BEC1578}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Tool.1 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.BDLogin\ = "BDLogin Class" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D158174C-004B-4A2E-9410-5442C10C60D2}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2923508C-9425-4A61-B9CE-A98239055916}\ProxyStubClsid32 BarBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Tool\CLSID\ = "{A7F05EE4-0426-454F-8013-C41E3596E9E9}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.5\CLSID regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23A2B2B7-21DE-4B88-AFBA-5A918ABBF463}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4C2BFEC9-F03C-4F74-932E-5723E603B4AC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6C773CA2-F142-4B2C-981A-FD3B1BEC1578}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.BandIE.1\CLSID\ = "{77FEF28E-EB96-44FF-B511-3185DEA48697}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Tool regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.5\ = "°Ù¶È¹¤¾ßÀ¸¸öÐÔ»¯Ê×Ò³Ö§³Ö×é¼þ" regsvr32.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 1912 wrote to memory of 1588 1912 regsvr32.exe 30 PID 1912 wrote to memory of 1588 1912 regsvr32.exe 30 PID 1912 wrote to memory of 1588 1912 regsvr32.exe 30 PID 1912 wrote to memory of 1588 1912 regsvr32.exe 30 PID 1912 wrote to memory of 1588 1912 regsvr32.exe 30 PID 1912 wrote to memory of 1588 1912 regsvr32.exe 30 PID 1912 wrote to memory of 1588 1912 regsvr32.exe 30 PID 1588 wrote to memory of 2392 1588 regsvr32.exe 31 PID 1588 wrote to memory of 2392 1588 regsvr32.exe 31 PID 1588 wrote to memory of 2392 1588 regsvr32.exe 31 PID 1588 wrote to memory of 2392 1588 regsvr32.exe 31
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PROGRAM_FILES\Baidu\Toolbar\BaiduBarX_Tmp\BaiduBarX.dll1⤵
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\$PROGRAM_FILES\Baidu\Toolbar\BaiduBarX_Tmp\BaiduBarX.dll2⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe"C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe" -RegServer3⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Modifies registry class
PID:2392
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.7MB
MD571946bb03e05a64a16a0656e09e6b5eb
SHA1788f4ddc25c4d83f86d333c19a4bf0194b9475f5
SHA256c2335cdd499511baf39d434b2e7e884b2792808696dc5621e9001bebcac68348
SHA5123cb13346691788f443f80d19b2d15123bfc30070c89b15a46627e2694319ea0c500a2d6914a2f01c1f588dded0631b59f3ae93aad3af7960766c45f52b87697d
-
Filesize
228KB
MD57965293df77012fdb3a480510fffd207
SHA150e24936d86769254f42d9a45b8bb4eee3ea5de6
SHA256aec87468a90c73184fd19d66ab9b7284cfd36762e7045dbdeefff78469a3c349
SHA512c917b05f84e466ec84c22878b0ff70a9efbeef6d8c3a221fb789a08483e1087894f53567efa931fcc5c39e433026dcac095d6cede220a3aee8e735b8c0e6ce74
-
Filesize
500KB
MD5108539b4c8375e9c463ccbfac8eb5402
SHA120d6d9ca9f75b2970fd31e3f2140aee8c2587205
SHA25662216ef4c28936f8b9d608d52718a154fa91fc794d600b37c9e6ee03bc9d0123
SHA5122ece1e8176f38f8cbf094b16705b69a242c2d1ca4dd72a5af5337dd052950f6a07224bf52bee01e6d580aa7d9d7a01725a1e4a1a4e719c2a984064178849433b