Overview
overview
7Static
static
3b0aaa8a594...18.exe
windows7-x64
7b0aaa8a594...18.exe
windows10-2004-x64
7$PLUGINSDI...ns.dll
windows7-x64
3$PLUGINSDI...ns.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$TEMPLATES...at.exe
windows7-x64
1$TEMPLATES...at.exe
windows10-2004-x64
3$TEMPLATES/readme.exe
windows7-x64
3$TEMPLATES/readme.exe
windows10-2004-x64
3$PROGRAMFI...ar.dll
windows7-x64
7$PROGRAMFI...ar.dll
windows10-2004-x64
7$TEMPLATES...cs.dll
windows7-x64
3$TEMPLATES...cs.dll
windows10-2004-x64
3KKDock.exe
windows7-x64
3KKDock.exe
windows10-2004-x64
3uninst.exe
windows7-x64
7uninst.exe
windows10-2004-x64
7Analysis
-
max time kernel
94s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
29-11-2024 10:33
Static task
static1
Behavioral task
behavioral1
Sample
b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral2
Sample
b0aaa8a5948c20836ba7b590cd451551_JaffaCakes118.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/System.dll
Resource
win7-20241023-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$TEMPLATES/installstat.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral8
Sample
$TEMPLATES/installstat.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$TEMPLATES/readme.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral10
Sample
$TEMPLATES/readme.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
$PROGRAMFILES/Baidu/AddressBar/AddressBar_Tmp/AddressBar.dll
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral12
Sample
$PROGRAMFILES/Baidu/AddressBar/AddressBar_Tmp/AddressBar.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
$TEMPLATES/statistics.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral14
Sample
$TEMPLATES/statistics.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
KKDock.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral16
Sample
KKDock.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
uninst.exe
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral18
Sample
uninst.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
General
-
Target
$PROGRAMFILES/Baidu/AddressBar/AddressBar_Tmp/AddressBar.dll
-
Size
510KB
-
MD5
09279fab3646f9cce9a59b56042eb1d4
-
SHA1
0c7b50c7ba7aad340eefad07f0e2550ea20af95e
-
SHA256
ba4eff0e211de087aa56d1ea4acb429b1c7ec642451c16c7a54e2f1b453f3d9c
-
SHA512
45f7f0c7daacecb210d7c6b73d96ec89cd992741b707634f145a3b930523437565f8d14faacaf4a1ccf45a81f7860d776c74ac6a2476e78ebadf9f137c37715a
-
SSDEEP
12288:NkvfqN8YA/XWvDs6YRZpVGE2tYz0r/kq6ljj:NFDs6YRZpVGE2a4rP6ljj
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
ASBarBroker.exepid Process 2564 ASBarBroker.exe -
Loads dropped DLL 2 IoCs
Processes:
regsvr32.exepid Process 2928 regsvr32.exe 2928 regsvr32.exe -
Installs/modifies Browser Helper Object 2 TTPs 3 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes:
regsvr32.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0593-4356-9CF7-1D8C2B3343C0} regsvr32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0593-4356-9CF7-1D8C2B3343C0}\NoExplorer = "1" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0593-4356-9CF7-1D8C2B3343C0}\id = "AddressBar" regsvr32.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
regsvr32.exedescription ioc Process File opened for modification \??\PhysicalDrive0 regsvr32.exe -
Drops file in Program Files directory 3 IoCs
Processes:
regsvr32.exedescription ioc Process File created C:\Program Files (x86)\Baidu\AddressBar\AddressBar.dll regsvr32.exe File opened for modification C:\Program Files (x86)\Baidu\AddressBar\AddressBar.dll regsvr32.exe File created C:\Program Files (x86)\Baidu\AddressBar\ASBarBroker.exe regsvr32.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
regsvr32.exeASBarBroker.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ASBarBroker.exe -
Processes:
regsvr32.exeASBarBroker.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}\URL = "http://www.baidu.com/s?wd={searchTerms}&ie={inputEncoding}&oe={outputEncoding}&abar=2&tn=baidudg" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\AppName = "ASBarBroker.exe" ASBarBroker.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\Policy = "3" ASBarBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url1 = "http://www.baidu.com/index.php?tn=baidudg&addresssearch=1" regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2} regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}\FaviconURL = "http://www.baidu.com/favicon.ico" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4} ASBarBroker.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\TypedURLs regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}\DisplayName = "百度一下,你就知道" regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\AppPath = "%ProgramFiles(x86)%\\Baidu\\AddressBar" ASBarBroker.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url2 = "http://www.baidu.com/index.php?tn=baidudg&addresssearch=2" regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}\SuggestionsURL_JSON = "http://suggestion.baidu.com/su?wd={searchTerms}&action=opensearch&ie={inputEncoding}&from=ie8" regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\SearchScopes regsvr32.exe -
Modifies registry class 64 IoCs
Processes:
regsvr32.exeASBarBroker.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AddressSearch.SearchHook\CLSID\ = "{00000000-0593-4356-9CF7-1D8C2B3343C0}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000000-0593-4356-9CF7-1D8C2B3343C0}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D02E3AB9-7796-40CB-BDFC-20D834FE1F75}\1.0\ = "ASBarBroker 1.0 Type Library" ASBarBroker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86}\VersionIndependentProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86}\Programmable regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCB380C4-D350-44BE-8791-50216F4747AC}\TypeLib\ = "{D02E3AB9-7796-40CB-BDFC-20D834FE1F75}" ASBarBroker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AddressSearch.JsObject regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86}\ProgID\ = "AddressSearch.SnavHttpProtocol.1" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCB380C4-D350-44BE-8791-50216F4747AC}\ = "IBDBroker" ASBarBroker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCB380C4-D350-44BE-8791-50216F4747AC}\ProxyStubClsid32 ASBarBroker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4D89001B-5B5B-4E76-A1F5-638E49DB7A58}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000000-0593-4356-9CF7-1D8C2B3343C0}\VersionIndependentProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000000-0593-4356-9CF7-1D8C2B3343C0}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AddressSearch.JsObject\CLSID\ = "{11CC93E4-0BE6-4f8f-82AA-D577FB955B05}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91878E42-FC03-4785-B513-1F9E613D1027}\VersionIndependentProgID\ = "ASBarBroker.BDBroker" ASBarBroker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11CC93E4-0BE6-4f8f-82AA-D577FB955B05}\ProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91878E42-FC03-4785-B513-1F9E613D1027}\TypeLib ASBarBroker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AddressSearch.SnavHttpProtocol.1 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D02E3AB9-7796-40CB-BDFC-20D834FE1F75}\1.0\HELPDIR ASBarBroker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FCB380C4-D350-44BE-8791-50216F4747AC}\TypeLib\ = "{D02E3AB9-7796-40CB-BDFC-20D834FE1F75}" ASBarBroker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE575A61-09BD-4F3A-B8B5-B55B813B44EC}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA677CC1-D6FA-4B55-825D-6C493F56ED84}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ASBarBroker.BDBroker ASBarBroker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11CC93E4-0BE6-4f8f-82AA-D577FB955B05}\Programmable regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AddressSearch.SnavHttpProtocol.1\CLSID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE575A61-09BD-4F3A-B8B5-B55B813B44EC}\ = "ISearchHook" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4D89001B-5B5B-4E76-A1F5-638E49DB7A58}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCB380C4-D350-44BE-8791-50216F4747AC}\TypeLib ASBarBroker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AddressSearch.JsObject\CurVer regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AddressSearch.SnavHttpProtocol.1\CLSID\ = "{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AddressSearch.SnavHttpProtocol regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FCB380C4-D350-44BE-8791-50216F4747AC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" ASBarBroker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91878E42-FC03-4785-B513-1F9E613D1027}\ProgID ASBarBroker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91878E42-FC03-4785-B513-1F9E613D1027}\VersionIndependentProgID ASBarBroker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11CC93E4-0BE6-4f8f-82AA-D577FB955B05}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9BC0421-BB5C-447D-8547-BB45AFA80A4D}\1.0\HELPDIR\ regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FA677CC1-D6FA-4B55-825D-6C493F56ED84}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000000-0593-4356-9CF7-1D8C2B3343C0}\Programmable regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4} ASBarBroker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FCB380C4-D350-44BE-8791-50216F4747AC} ASBarBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86}\VersionIndependentProgID\ = "AddressSearch.SnavHttpProtocol" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4D89001B-5B5B-4E76-A1F5-638E49DB7A58} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86}\InprocServer32\ = "C:\\Program Files (x86)\\Baidu\\AddressBar\\AddressBar.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE575A61-09BD-4F3A-B8B5-B55B813B44EC}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4D89001B-5B5B-4E76-A1F5-638E49DB7A58}\TypeLib\Version = "1.0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4D89001B-5B5B-4E76-A1F5-638E49DB7A58}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91878E42-FC03-4785-B513-1F9E613D1027} ASBarBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91878E42-FC03-4785-B513-1F9E613D1027}\ = "BDBroker Class" ASBarBroker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D02E3AB9-7796-40CB-BDFC-20D834FE1F75}\1.0 ASBarBroker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FCB380C4-D350-44BE-8791-50216F4747AC}\ProxyStubClsid32 ASBarBroker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9BC0421-BB5C-447D-8547-BB45AFA80A4D}\1.0\HELPDIR regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FA677CC1-D6FA-4B55-825D-6C493F56ED84} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ASBarBroker.EXE ASBarBroker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ASBarBroker.BDBroker\CurVer ASBarBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ASBarBroker.BDBroker\CurVer\ = "ASBarBroker.BDBroker.1" ASBarBroker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11CC93E4-0BE6-4f8f-82AA-D577FB955B05} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{91878E42-FC03-4785-B513-1F9E613D1027}\ProgID\ = "ASBarBroker.BDBroker.1" ASBarBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11CC93E4-0BE6-4f8f-82AA-D577FB955B05}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4D89001B-5B5B-4E76-A1F5-638E49DB7A58}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86}\ProgID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9BC0421-BB5C-447D-8547-BB45AFA80A4D} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9BC0421-BB5C-447D-8547-BB45AFA80A4D}\1.0 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000000-0593-4356-9CF7-1D8C2B3343C0} regsvr32.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
regsvr32.exeregsvr32.exedescription pid Process procid_target PID 4584 wrote to memory of 2928 4584 regsvr32.exe 82 PID 4584 wrote to memory of 2928 4584 regsvr32.exe 82 PID 4584 wrote to memory of 2928 4584 regsvr32.exe 82 PID 2928 wrote to memory of 2564 2928 regsvr32.exe 83 PID 2928 wrote to memory of 2564 2928 regsvr32.exe 83 PID 2928 wrote to memory of 2564 2928 regsvr32.exe 83
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\Baidu\AddressBar\AddressBar_Tmp\AddressBar.dll1⤵
- Suspicious use of WriteProcessMemory
PID:4584 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\Baidu\AddressBar\AddressBar_Tmp\AddressBar.dll2⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Program Files (x86)\Baidu\AddressBar\ASBarBroker.exe"C:\Program Files (x86)\Baidu\AddressBar\ASBarBroker.exe" -RegServer3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
PID:2564
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
125KB
MD58dd475fb69bfebb99a8d1c922a05f41f
SHA1f787d1a59a119166a6e1978d92a8498d338b469a
SHA256df0f74728c622c03b267e7f4347ce8ee760484578433e16d95015af0a288c8c7
SHA512efc69105dac4fe864e56bb8a5e5db3805c72fe16c11649035de7e52966e064e32496dc86727c1b008ce20fb0802e43007a3fd61aac3ab8ced79a5b5fd5ee36e4
-
Filesize
510KB
MD509279fab3646f9cce9a59b56042eb1d4
SHA10c7b50c7ba7aad340eefad07f0e2550ea20af95e
SHA256ba4eff0e211de087aa56d1ea4acb429b1c7ec642451c16c7a54e2f1b453f3d9c
SHA51245f7f0c7daacecb210d7c6b73d96ec89cd992741b707634f145a3b930523437565f8d14faacaf4a1ccf45a81f7860d776c74ac6a2476e78ebadf9f137c37715a