8bd05c7e27e65b921ae28194857ff2769f249dd942342a70ff0878e678a3ed22

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/02/2025, 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/Baidu-TB-ASBar.exe
Size

1.3MB
MD5

d848ef0636ea49d340f074f939db817b
SHA1

56a9d762d288ab173b7bfd42c9902e12b673bdb7
SHA256

c91716ba6dd14b67c3ccd797ac90a07f535b9d1db9a2a58c20738c791bc793ba
SHA512

6117d668f40bc468e20cd93527435858c23557ef24947ed8fe7206db4b02a34eaa0b37a1f3d3897057b74bec23d784b1f462faf2027e007ba52b503269b5cbc5
SSDEEP

24576:Q2kD39pDYvFHvnLdktGrNX8syDaOmQuHYwRjXq8kWfPRwxVdBwQOOTG8Yz:Q2kLfYvFvnBFBXIgpRD/kWfPRYVMYTGB

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2768	BarBroker.exe
2560	ASBarBroker.exe

Loads dropped DLL 26 IoCs

pid	Process
2448	Baidu-TB-ASBar.exe
2448	Baidu-TB-ASBar.exe
2448	Baidu-TB-ASBar.exe
2448	Baidu-TB-ASBar.exe
2448	Baidu-TB-ASBar.exe
2448	Baidu-TB-ASBar.exe
2448	Baidu-TB-ASBar.exe
2448	Baidu-TB-ASBar.exe
2448	Baidu-TB-ASBar.exe
2448	Baidu-TB-ASBar.exe
2448	Baidu-TB-ASBar.exe
2448	Baidu-TB-ASBar.exe
2768	BarBroker.exe
2768	BarBroker.exe
2768	BarBroker.exe
2448	Baidu-TB-ASBar.exe
2448	Baidu-TB-ASBar.exe
2448	Baidu-TB-ASBar.exe
2448	Baidu-TB-ASBar.exe
2448	Baidu-TB-ASBar.exe
2448	Baidu-TB-ASBar.exe
2448	Baidu-TB-ASBar.exe
2448	Baidu-TB-ASBar.exe
2560	ASBarBroker.exe
2560	ASBarBroker.exe
2560	ASBarBroker.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 5 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77FEF28E-EB96-44FF-B511-3185DEA48697}	Baidu-TB-ASBar.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{77FEF28E-EB96-44FF-B511-3185DEA48697}\NoExplorer = "1"	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{77FEF28E-EB96-44FF-B511-3185DEA48697}\id = "bdbar"	Baidu-TB-ASBar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA09512-29D2-DA79-09F9-035AEFB20428}	Baidu-TB-ASBar.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5CA09512-29D2-DA79-09F9-035AEFB20428}\NoExplorer = "1"	Baidu-TB-ASBar.exe

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Baidu\{5CA09512-29D2-DA79-09F9-035AEFB20428}\conf.xml	Baidu-TB-ASBar.exe
File created	C:\Program Files (x86)\Baidu\{5CA09512-29D2-DA79-09F9-035AEFB20428}\ASBarBroker.exe	Baidu-TB-ASBar.exe
File opened for modification	C:\Program Files (x86)\Baidu\Toolbar\BaiduBarX_Tmp\BaiduBarX.dll	Baidu-TB-ASBar.exe
File created	C:\Program Files (x86)\Baidu\Toolbar\BaiduBarX_Tmp\BaiduBarX.dll	Baidu-TB-ASBar.exe
File opened for modification	C:\Program Files (x86)\Baidu\AddressBar.dll	Baidu-TB-ASBar.exe
File created	C:\Program Files (x86)\Baidu\AddressBar.dll	Baidu-TB-ASBar.exe
File opened for modification	C:\Program Files (x86)\Baidu\ASBarBroker.exe	Baidu-TB-ASBar.exe
File opened for modification	C:\Program Files (x86)\Baidu\Toolbar\BaiduBarX.dll	Baidu-TB-ASBar.exe
File created	C:\Program Files (x86)\Baidu\Toolbar\BaiduBarX_Tmp\rc.dll	Baidu-TB-ASBar.exe
File created	\??\c:\program files (x86)\baidu\{5ca09512-29d2-da79-09f9-035aefb20428}\addressbar.dll	Baidu-TB-ASBar.exe
File opened for modification	C:\Program Files (x86)\Baidu\Toolbar\BaiduBarX_Tmp\BarBroker.exe	Baidu-TB-ASBar.exe
File created	C:\Program Files (x86)\Baidu\Toolbar\BaiduBarX_Tmp\BarBroker.exe	Baidu-TB-ASBar.exe
File created	C:\Program Files (x86)\Baidu\conf.xml	Baidu-TB-ASBar.exe
File opened for modification	C:\Program Files (x86)\Baidu\Toolbar\BaiduBarX_Tmp\rc.dll	Baidu-TB-ASBar.exe
File created	C:\Program Files (x86)\Baidu\ASBarBroker.exe	Baidu-TB-ASBar.exe
File opened for modification	C:\Program Files (x86)\Baidu\conf.xml	Baidu-TB-ASBar.exe
File created	C:\Program Files (x86)\Baidu\Toolbar\BaiduBarX.dll	Baidu-TB-ASBar.exe
File created	C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe	Baidu-TB-ASBar.exe
File created	C:\Program Files (x86)\Baidu\Toolbar\rc.dll	Baidu-TB-ASBar.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baidu-TB-ASBar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BarBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ASBarBroker.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes"	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}\URL = "http://www.baidu.com/s?wd={searchTerms}&ie={inputEncoding}&oe={outputEncoding}&bar=13&tn=chenjunhao80_cb"	Baidu-TB-ASBar.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes	Baidu-TB-ASBar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}	ASBarBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\Policy = "3"	ASBarBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}\URL = "http://www.baidu.com/s?wd={searchTerms}&ie={inputEncoding}&oe={outputEncoding}&abar=2&tn=14015055_adr&ch=33"	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\AppName = "ASBarBroker.exe"	ASBarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{B580CF65-E151-49C3-B73F-70B13FCA8E86} = "12"	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TypedURLs\url1 = "http://www.baidu.com/index.php?tn=baidudg&addresssearch=1"	Baidu-TB-ASBar.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}	ASBarBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}\DisplayName = "百度一下，你就知道"	Baidu-TB-ASBar.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\AppName = "ASBarBroker.exe"	ASBarBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\Policy = "3"	ASBarBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}	ASBarBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TypedURLs	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TypedURLs\url2 = "http://www.baidu.com/index.php?tn=14015055_adr&ch=33&addresssearch=2"	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\AppPath = "%ProgramFiles(x86)%\\Baidu\\AddressBar"	ASBarBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Low Rights	ASBarBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}"	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}\FaviconURL = "http://www.baidu.com/favicon.ico"	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}\SuggestionsURL_JSON = "http://suggestion.baidu.com/su?wd={searchTerms}&action=opensearch&ie={inputEncoding}&from=ie8"	Baidu-TB-ASBar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}	BarBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TypedURLs\url2 = "http://www.baidu.com/index.php?tn=baidudg&addresssearch=2"	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TypedURLs\url1 = "http://www.baidu.com/index.php?tn=14015055_adr&ch=33&addresssearch=1"	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\AppPath = "C:\\Program Files (x86)\\Baidu\\{5CA09512-29D2-DA79-09F9-035AEFB20428}"	ASBarBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}\AppName = "BarBroker.exe"	BarBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}\Policy = "3"	BarBroker.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}	Baidu-TB-ASBar.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	ASBarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}\AppPath = "%ProgramFiles(x86)%\\Baidu\\Toolbar"	BarBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\AppPath = "C:\\Program Files (x86)\\Baidu\\{5CA09512-29D2-DA79-09F9-035AEFB20428}"	ASBarBroker.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}\VersionIndependentProgID\ = "BaiduBarEx.BDHomePage"	Baidu-TB-ASBar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D158174C-004B-4A2E-9410-5442C10C60D2}\TypeLib	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\BarBroker.EXE\AppID = "{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}"	BarBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BarBroker.BDBroker	BarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BECD27B-DCF5-4DEF-B066-486A47245C03}\AppID = "{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}"	BarBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5CA09512-29D2-DA79-09F9-035AEFB20428}\VersionIndependentProgID	Baidu-TB-ASBar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86}\TypeLib	Baidu-TB-ASBar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.ToolBand\CLSID	Baidu-TB-ASBar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23A2B2B7-21DE-4B88-AFBA-5A918ABBF463}	Baidu-TB-ASBar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23A2B2B7-21DE-4B88-AFBA-5A918ABBF463}\ProgID	Baidu-TB-ASBar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D158174C-004B-4A2E-9410-5442C10C60D2}	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5CA09512-29D2-DA79-09F9-035AEFB20428}\Programmable\	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5CA09512-29D2-DA79-09F9-035AEFB20428}\TypeLib\ = "{F9BC0421-BB5C-447d-8547-BB45AFA80A4D}"	Baidu-TB-ASBar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9BC0421-BB5C-447D-8547-BB45AFA80A4D}\1.0\FLAGS	Baidu-TB-ASBar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9BC0421-BB5C-447D-8547-BB45AFA80A4D}\1.0\0	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Tool.1\CLSID\ = "{A7F05EE4-0426-454F-8013-C41E3596E9E9}"	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7EF05EFF-0E62-4040-8D81-73A10D8DE60F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AddressSearch.SnavHttpProtocol.1\CLSID\ = "{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86}"	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4D89001B-5B5B-4E76-A1F5-638E49DB7A58}\ = "IJsObject"	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FCB380C4-D350-44BE-8791-50216F4747AC}\ = "IBDBroker"	ASBarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FCB380C4-D350-44BE-8791-50216F4747AC}\TypeLib\Version = "1.0"	ASBarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}\TypeLib\ = "{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}"	Baidu-TB-ASBar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11CC93E4-0BE6-4f8f-82AA-D577FB955B05}	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AddressSearch.SnavHttpProtocol\CLSID\ = "{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86}"	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FE575A61-09BD-4F3A-B8B5-B55B813B44EC}\TypeLib\Version = "1.0"	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91878E42-FC03-4785-B513-1F9E613D1027}\ = "BDBroker Class"	ASBarBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91878E42-FC03-4785-B513-1F9E613D1027}\LocalServer32	ASBarBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D02E3AB9-7796-40CB-BDFC-20D834FE1F75}\1.0\0	ASBarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.BandIE.1\CLSID\ = "{77FEF28E-EB96-44FF-B511-3185DEA48697}"	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.BandIE\CLSID\ = "{77FEF28E-EB96-44FF-B511-3185DEA48697}"	Baidu-TB-ASBar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\5CA09512-29D2-DA79-09F9-035AEFB20428.Addr.1\CLSID	Baidu-TB-ASBar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AddressSearch.JsObject.1	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9BC0421-BB5C-447D-8547-BB45AFA80A4D}\1.0\FLAGS\ = "0"	Baidu-TB-ASBar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ASBarBroker.EXE	ASBarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91878E42-FC03-4785-B513-1F9E613D1027}\VersionIndependentProgID\ = "ASBarBroker.BDBroker"	ASBarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91878E42-FC03-4785-B513-1F9E613D1027}\LocalServer32\ = "\"C:\\PROGRA~2\\baidu\\{5CA09~1\\ASBarBroker.exe\""	ASBarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.2\ = "°Ù¶È¹¤¾ßÀ¸¸öÐÔ»¯Ê×Ò³Ö§³Ö×é¼þ"	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage\CurVer\ = "BaiduBarEx.BDHomePage.5"	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4C2BFEC9-F03C-4F74-932E-5723E603B4AC}\TypeLib\ = "{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}"	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D158174C-004B-4A2E-9410-5442C10C60D2}\TypeLib\ = "{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}"	Baidu-TB-ASBar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11CC93E4-0BE6-4f8f-82AA-D577FB955B05}\TypeLib	Baidu-TB-ASBar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA677CC1-D6FA-4B55-825D-6C493F56ED84}\ProxyStubClsid32	Baidu-TB-ASBar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.2\CLSID	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage\ = "°Ù¶È¹¤¾ßÀ¸¸öÐÔ»¯Ê×Ò³Ö§³Ö×é¼þ"	Baidu-TB-ASBar.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23A2B2B7-21DE-4B88-AFBA-5A918ABBF463}\Programmable	Baidu-TB-ASBar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7EF05EFF-0E62-4040-8D81-73A10D8DE60F}\TypeLib	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4C2BFEC9-F03C-4F74-932E-5723E603B4AC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Baidu-TB-ASBar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2923508C-9425-4A61-B9CE-A98239055916}\TypeLib	BarBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\5CA09512-29D2-DA79-09F9-035AEFB20428.Addr	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE575A61-09BD-4F3A-B8B5-B55B813B44EC}\ = "ISearchHook"	Baidu-TB-ASBar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.BandIE\CurVer	Baidu-TB-ASBar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23A2B2B7-21DE-4B88-AFBA-5A918ABBF463}\Programmable	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D158174C-004B-4A2E-9410-5442C10C60D2}\TypeLib\ = "{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}"	Baidu-TB-ASBar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BarBroker.BDBroker\CLSID	BarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\5CA09512-29D2-DA79-09F9-035AEFB20428.Addr\ = "5CA09512-29D2-DA79-09F9-035AEFB20428 Class"	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86}\VersionIndependentProgID\ = "AddressSearch.SnavHttpProtocol"	Baidu-TB-ASBar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FA677CC1-D6FA-4B55-825D-6C493F56ED84}\ProxyStubClsid32	Baidu-TB-ASBar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D02E3AB9-7796-40CB-BDFC-20D834FE1F75}	ASBarBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.ToolBand.1	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Tool\CurVer\ = "BaiduBar.Tool.1"	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.5\CLSID\ = "{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}"	Baidu-TB-ASBar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4C2BFEC9-F03C-4F74-932E-5723E603B4AC}\TypeLib	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86}\TypeLib\ = "{F9BC0421-BB5C-447d-8547-BB45AFA80A4D}"	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9BC0421-BB5C-447D-8547-BB45AFA80A4D}\1.0\HELPDIR\	Baidu-TB-ASBar.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	2448	Baidu-TB-ASBar.exe
Token: SeBackupPrivilege	2448	Baidu-TB-ASBar.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2768	2448	Baidu-TB-ASBar.exe	30
PID 2448 wrote to memory of 2768	2448	Baidu-TB-ASBar.exe	30
PID 2448 wrote to memory of 2768	2448	Baidu-TB-ASBar.exe	30
PID 2448 wrote to memory of 2768	2448	Baidu-TB-ASBar.exe	30
PID 2448 wrote to memory of 2768	2448	Baidu-TB-ASBar.exe	30
PID 2448 wrote to memory of 2768	2448	Baidu-TB-ASBar.exe	30
PID 2448 wrote to memory of 2768	2448	Baidu-TB-ASBar.exe	30
PID 2448 wrote to memory of 2560	2448	Baidu-TB-ASBar.exe	31
PID 2448 wrote to memory of 2560	2448	Baidu-TB-ASBar.exe	31
PID 2448 wrote to memory of 2560	2448	Baidu-TB-ASBar.exe	31
PID 2448 wrote to memory of 2560	2448	Baidu-TB-ASBar.exe	31
PID 2448 wrote to memory of 2560	2448	Baidu-TB-ASBar.exe	31
PID 2448 wrote to memory of 2560	2448	Baidu-TB-ASBar.exe	31
PID 2448 wrote to memory of 2560	2448	Baidu-TB-ASBar.exe	31

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Baidu-TB-ASBar.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Baidu-TB-ASBar.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe
  "C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe" -RegServer
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:2768
- C:\PROGRA~2\baidu\{5CA09~1\ASBarBroker.exe
  "C:\PROGRA~2\baidu\{5CA09~1\ASBarBroker.exe" -RegServer
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Baidu\{5CA09~1\ASBarBroker.exe

Filesize
129KB

MD5
74f5e70ef8ed469759474c64ac6fd35b

SHA1
ff52fa0039c835bf78356dc87ba1390e7e4dafe5

SHA256
d7a15f7a7c8e48876aebf99056d212e57c7c1c250be7f61a96e44b0161f27da2

SHA512
a528b1d17d1dfe54d46decd7b553f090d1372a30528aa88ce74eb6b4ede20a9f0f247cd1785c956d33dd0c4b7d776b6fc1e052ba3da99db1548ba7f4ba4ade8e

Download Submit
C:\PROGRA~2\Baidu\{5CA09~1\conf.xml

Filesize
333B

MD5
7586734b2ff8a3dfe8968bfd70be9d0b

SHA1
91bdad6fcc4e6a2a0efb8886d53481a1f6508b63

SHA256
6ee461fe144e794a4ed8de17f2f85dc3d4a51cfe7e6b3619c294ddb256c7eb8d

SHA512
76ebef92b0e20a2183bd723b49b25f5a011c5ce0371d9e8eb161fea8ef8f1414fab4c0eabc598d4b1ad48f98519dfaf6a1590a4a90cc1da8c47c8e2b0bed71e9

Download Submit
C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe

Filesize
232KB

MD5
6b224c78c4b3433e754676dfab012142

SHA1
0ef3ad9248de0f4cef24ff110c87157c8433cc83

SHA256
567ea2b8aee289f74b5affd5ff6e22ca0fd68d03071670ae060359fc5dae2e88

SHA512
9561fa4efe992781a5692c7da7eb9b765668b7592f41417c3de9e1841f8e85f6dfc3fcd0233842489da54157c81c31211123bda45798539efa696f8cae6149d7

Download Submit
\Program Files (x86)\Baidu\AddressBar.dll

Filesize
1.1MB

MD5
1650515a849b044871bd0703ebc87ff1

SHA1
fa99046655efcf31bc8df831bfef9ee0c94b070a

SHA256
d0b8a57c604cd89a37fbe6e56412ed9a4bdf04b61d16300f4409167a76206b85

SHA512
3593716fd0c4a56ac0e7ef92803b3553ad94c2abd7d547939004af804f00b60a7bec890aaa51810f6fc42c2b182daf20109a4548c66231d87307321d12a9951c

Download Submit
\Program Files (x86)\Baidu\Toolbar\BaiduBarX_Tmp\BaiduBarX.dll

Filesize
2.7MB

MD5
9929bf8efb3087a1a832fc09ac97bef4

SHA1
4df24505648dec56488d68cd1ce5265c4c31e5bb

SHA256
2867243b3b6584986098d5e5f921f2dff5dfe5fe605725b263371bc8ff3fa279

SHA512
a172e659ac803bf8ed260af80caf6e94ab076e6759a8f77e30e0cf8dd99fb0db690db7b0656bfeb3bae324082665d6ca219d775591df988f90be0d5633054cdb

Download Submit
\Program Files (x86)\Baidu\Toolbar\rc.dll

Filesize
496KB

MD5
51e4f617d2ad241171f437001565ac71

SHA1
1af01b7428e3493825451980e25306941ca50e31

SHA256
ca30dd00c9586efc075376c4b53fdcc2dcee6c1ad3ee83eb8f801e95d1dd250a

SHA512
93044c79020a710dc85a848fef030084b41e12334492e7a11973107c7d79e352c1ea7b9f8fc0f116d5fce341cb6d3317acd4fa8fb5396765cc3724773f571e6f

Download Submit
memory/2448-23-0x0000000003990000-0x0000000003C45000-memory.dmp

Filesize
2.7MB

Download
memory/2448-36-0x0000000003D50000-0x0000000003DCC000-memory.dmp

Filesize
496KB

Download
memory/2448-80-0x0000000004550000-0x0000000004676000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads