d34bb6bf1ccc0ce74188aeac4527392967f130f03b77d1e8767dee02106fa235

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
12-07-2024 04:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/BaiduBarX.dll
Size

2.3MB
MD5

8c70775e64828cf1bc974aa850862620
SHA1

77fcbd8f8a9d2f5ea9051f26da104bef50195881
SHA256

7216f4e16b6ca0c2b3b9f6c28bd1618802e0963c72c26a7285fefaf0fe95aa9c
SHA512

2c5d699a5d80222b1b310f1f059643186b9d4755da502b840b5a2c6daff3fbfa836e45d3d98150c72a76b47077637400a2c2856e07ee9628e07017b93877bbaf
SSDEEP

49152:9VVPl8AlDw6JPul9zjJ+rEC0KaTda845t20Tu1IA2Nvvf:9VLPlD1BufPJ+h3vj

Score

7^/10

adware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2732	BarBroker.exe

Loads dropped DLL 8 IoCs

pid	Process
2208	regsvr32.exe
2208	regsvr32.exe
2208	regsvr32.exe
2208	regsvr32.exe
2208	regsvr32.exe
2208	regsvr32.exe
2208	regsvr32.exe
2208	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77FEF28E-EB96-44FF-B511-3185DEA48697}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{77FEF28E-EB96-44FF-B511-3185DEA48697}\NoExplorer = "1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{77FEF28E-EB96-44FF-B511-3185DEA48697}\id = "bdbar"	regsvr32.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Baidu\Toolbar\rc.dll	regsvr32.exe
File created	C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe	regsvr32.exe
File created	C:\Program Files (x86)\Baidu\Toolbar\BaiduBarX.dll	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Baidu\Toolbar\BaiduBarX.dll	regsvr32.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{B580CF65-E151-49C3-B73F-70B13FCA8E86} = "12"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}	BarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}\AppName = "BarBroker.exe"	BarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}\AppPath = "%ProgramFiles(x86)%\\Baidu\\Toolbar"	BarBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}\Policy = "3"	BarBroker.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Tool.1\CLSID\ = "{A7F05EE4-0426-454F-8013-C41E3596E9E9}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BECD27B-DCF5-4DEF-B066-486A47245C03}\LocalServer32\ = "\"C:\\Program Files (x86)\\Baidu\\Toolbar\\BarBroker.exe\""	BarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Tool.1\ = "°Ù¶È¹¤¾ßÀ¸¸¨Öú¶ÔÏó"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}\ProgID\ = "BaiduBar.Tool.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D158174C-004B-4A2E-9410-5442C10C60D2}\ = "IBandIE"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}	BarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.BandIE\CLSID\ = "{77FEF28E-EB96-44FF-B511-3185DEA48697}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4C2BFEC9-F03C-4F74-932E-5723E603B4AC}\ = "ITool"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.3\CLSID\ = "{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BECD27B-DCF5-4DEF-B066-486A47245C03}\ProgID\ = "BarBroker.BDBroker.1"	BarBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3A8C9D89-3271-45F4-98C0-56B0F5A16172}	BarBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7EF05EFF-0E62-4040-8D81-73A10D8DE60F}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\BarBroker.EXE	BarBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BarBroker.BDBroker.1	BarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}\ = "°Ù¶È¹¤¾ßÀ¸¸¨Öú¶ÔÏó"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}\ = "Baidu Toolbar BHO"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}\ = "BarBroker"	BarBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.ToolBand\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2923508C-9425-4A61-B9CE-A98239055916}\TypeLib\Version = "1.0"	BarBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.BandIE.1\ = "Baidu Toolbar BHO"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BECD27B-DCF5-4DEF-B066-486A47245C03}\VersionIndependentProgID	BarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3A8C9D89-3271-45F4-98C0-56B0F5A16172}\1.0\FLAGS\ = "0"	BarBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.BandIE	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.1\ = "°Ù¶È¹¤¾ßÀ¸¸öÐÔ»¯Ê×Ò³Ö§³Ö×é¼þ"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D158174C-004B-4A2E-9410-5442C10C60D2}\TypeLib\ = "{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BarBroker.BDBroker.1\CLSID\ = "{5BECD27B-DCF5-4DEF-B066-486A47245C03}"	BarBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.BandIE\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.2\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BECD27B-DCF5-4DEF-B066-486A47245C03}\ = "BDBroker Class"	BarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}\TypeLib\ = "{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.ToolBand.1\ = "Baidu Toolbar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Tool\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2923508C-9425-4A61-B9CE-A98239055916}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	BarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}\VersionIndependentProgID\ = "BaiduBarX.BandIE"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}\InprocServer32\ = "C:\\Program Files (x86)\\Baidu\\Toolbar\\BaiduBarX.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.BandIE.1\CLSID\ = "{77FEF28E-EB96-44FF-B511-3185DEA48697}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BECD27B-DCF5-4DEF-B066-486A47245C03}\TypeLib	BarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7EF05EFF-0E62-4040-8D81-73A10D8DE60F}\TypeLib\ = "{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Tool	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}\1.0\HELPDIR\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7EF05EFF-0E62-4040-8D81-73A10D8DE60F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4C2BFEC9-F03C-4F74-932E-5723E603B4AC}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Tool\ = "°Ù¶È¹¤¾ßÀ¸¸¨Öú¶ÔÏó"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4C2BFEC9-F03C-4F74-932E-5723E603B4AC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Tool\CLSID\ = "{A7F05EE4-0426-454F-8013-C41E3596E9E9}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.1\CLSID\ = "{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}\VersionIndependentProgID\ = "BaiduBarEx.BDHomePage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4C2BFEC9-F03C-4F74-932E-5723E603B4AC}\ = "ITool"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D158174C-004B-4A2E-9410-5442C10C60D2}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BarBroker.BDBroker\ = "BDBroker Class"	BarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BECD27B-DCF5-4DEF-B066-486A47245C03}\AppID = "{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}"	BarBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7EF05EFF-0E62-4040-8D81-73A10D8DE60F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.2	regsvr32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2208	2336	regsvr32.exe	30
PID 2336 wrote to memory of 2208	2336	regsvr32.exe	30
PID 2336 wrote to memory of 2208	2336	regsvr32.exe	30
PID 2336 wrote to memory of 2208	2336	regsvr32.exe	30
PID 2336 wrote to memory of 2208	2336	regsvr32.exe	30
PID 2336 wrote to memory of 2208	2336	regsvr32.exe	30
PID 2336 wrote to memory of 2208	2336	regsvr32.exe	30
PID 2208 wrote to memory of 2732	2208	regsvr32.exe	31
PID 2208 wrote to memory of 2732	2208	regsvr32.exe	31
PID 2208 wrote to memory of 2732	2208	regsvr32.exe	31
PID 2208 wrote to memory of 2732	2208	regsvr32.exe	31

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PROGRAM_FILES\Baidu\Toolbar\BaiduBarX_Tmp\BaiduBarX.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\$PROGRAM_FILES\Baidu\Toolbar\BaiduBarX_Tmp\BaiduBarX.dll
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe
    "C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe" -RegServer
    3⤵
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\Baidu\Toolbar\BaiduBarX.dll

Filesize
2.3MB

MD5
8c70775e64828cf1bc974aa850862620

SHA1
77fcbd8f8a9d2f5ea9051f26da104bef50195881

SHA256
7216f4e16b6ca0c2b3b9f6c28bd1618802e0963c72c26a7285fefaf0fe95aa9c

SHA512
2c5d699a5d80222b1b310f1f059643186b9d4755da502b840b5a2c6daff3fbfa836e45d3d98150c72a76b47077637400a2c2856e07ee9628e07017b93877bbaf

Download Submit
\Program Files (x86)\Baidu\Toolbar\BarBroker.exe

Filesize
221KB

MD5
dea4340d1295890634b894f3f9def140

SHA1
d6fa4ec2463775fbb59055522546a53257ab1d76

SHA256
617526fef62a0be7c40e3a9e99ca358d2ec4db3751fa1a8a9b00fc1cdd6c0405

SHA512
ada53ccf483a395947d31ccb4967469f128eaee20f5671c372fbd921db6e4f263aa4d3a91b7d8b8f3b17cf634db1b13a72695eb16391a403917925236d3ede9d

Download Submit
\Program Files (x86)\Baidu\Toolbar\rc.dll

Filesize
361KB

MD5
2020d680fb0c37c7980dc76c6ea3ece6

SHA1
70e8eca8550dcf09bacb3736d86c505c39da2317

SHA256
dcff68acdeb530eb9e98417375c070832680fef8749ea3ba86651e3dac7d2c07

SHA512
94de5ca902f540fd4f5d34f3da91b9c9113e378735706f6be956556eef74070ac9a84223fcce0bd6a4b9f904fa352dc56ab37ad937ba42faf224313791f678a7

Download Submit
memory/2208-2-0x00000000026B0000-0x00000000028F7000-memory.dmp

Filesize
2.3MB

Download
memory/2208-9-0x0000000000940000-0x000000000099A000-memory.dmp

Filesize
360KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads