Analysis

  • max time kernel
    93s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/01/2025, 16:18

General

  • Target

    $PROGRAM_FILES/Baidu/Toolbar/BaiduBarX_Tmp/BaiduBarX.dll

  • Size

    2.3MB

  • MD5

    73e815b7dc46cee5be197dc4f81dd3f1

  • SHA1

    610013942da6c1d9db80e9bb2624baf290d7d7bb

  • SHA256

    92be55ea5d5eacfc9120467c4fbc2090c824cd8a232fab11e1a83433faf0285d

  • SHA512

    b893d52579d99b5a44f69f5dc91d7f3df860409000915df2124bff353fdeb87b7e023fa7572e698b71b271c3e66d2ba65155fd97bc0abd43cf952673d889f246

  • SSDEEP

    49152:EDww2rO+skTKEW/+5sgN51uNDqWwTSbSbHUWTDnU9iZoY8:2wwuRskTKX/+5sgN51bLA

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in Program Files directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.

  • Modifies Internet Explorer settings 1 TTPs 8 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PROGRAM_FILES\Baidu\Toolbar\BaiduBarX_Tmp\BaiduBarX.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2424
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\$PROGRAM_FILES\Baidu\Toolbar\BaiduBarX_Tmp\BaiduBarX.dll
      2⤵
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1288
      • C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe
        "C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe" -RegServer
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Modifies registry class
        PID:4512

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Program Files (x86)\Baidu\Toolbar\BaiduBarX.dll

          Filesize

          2.3MB

          MD5

          73e815b7dc46cee5be197dc4f81dd3f1

          SHA1

          610013942da6c1d9db80e9bb2624baf290d7d7bb

          SHA256

          92be55ea5d5eacfc9120467c4fbc2090c824cd8a232fab11e1a83433faf0285d

          SHA512

          b893d52579d99b5a44f69f5dc91d7f3df860409000915df2124bff353fdeb87b7e023fa7572e698b71b271c3e66d2ba65155fd97bc0abd43cf952673d889f246

        • C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe

          Filesize

          229KB

          MD5

          f87f4f7c0278667dc2d88ec6d7b6022d

          SHA1

          5650e64099f23359dfcc7c8c9380d7157e236c61

          SHA256

          06d7a9d5379d303aa0498757fea75fdfe7c8bdb922a2c5672b0fbe8726460bdd

          SHA512

          777c0c9d000495be084bb0127840c5b175d556d2da8ddbe30b04a99c8e271796cb1ce0ee2eac4c7b6d938fc17abdcba85fd1e4320620ca45b5a1fd31fa9cc8ae

        • C:\Program Files (x86)\Baidu\Toolbar\rc.dll

          Filesize

          369KB

          MD5

          989404e09f568db722a978f0cddc2d91

          SHA1

          b4144e15cb05c125cf06d63203e8ad4b889b9b12

          SHA256

          f97d8a7717605f48441b01bbbaf54952553787a9cdd394c0efbde870897c5f12

          SHA512

          c05eba31bfb2cd201043defa809399252a185d76c7815abf58146bee18b265e8113966dd6cc1b5fff714d45d293b8424c0ba2459e7e6a893a3575c7c4813a638

        • memory/1288-14-0x0000000002D50000-0x0000000002DAC000-memory.dmp

          Filesize

          368KB

        • memory/1288-4-0x0000000003110000-0x0000000003369000-memory.dmp

          Filesize

          2.3MB