Overview

Static: score 7

Behavioral tasks (score, sample, platform):
7  JaffaCakes...f3.exe    windows7-x64
3  JaffaCakes...f3.exe    windows10-2004-x64
3  Apply.exe              windows7-x64
3  Apply.exe              windows10-2004-x64
3  Baidu-TB-ASBar.exe     windows7-x64
7  Baidu-TB-ASBar.exe     windows10-2004-x64
3  $PROGRAMFI...er.exe    windows7-x64
3  $PROGRAMFI...er.exe    windows10-2004-x64
3  $PROGRAMFI...ar.dll    windows7-x64
7  $PROGRAMFI...ar.dll    windows10-2004-x64
7  $PROGRAMFI...rX.dll    windows7-x64
7  $PROGRAMFI...rX.dll    windows10-2004-x64
7  $PROGRAMFI...er.exe    windows7-x64
3  $PROGRAMFI...er.exe    windows10-2004-x64
3  $PROGRAMFI...rc.dll    windows7-x64
3  $PROGRAMFI...rc.dll    windows10-2004-x64
3  Codecs/Avi...er.dll    windows7-x64
3  Codecs/Avi...er.dll    windows10-2004-x64
3  Codecs/CoreAAC.dll     windows7-x64
3  Codecs/CoreAAC.dll     windows10-2004-x64
3  Codecs/CoreAVC.dll     windows7-x64
3  Codecs/CoreAVC.dll     windows10-2004-x64
3  Codecs/FLV...er.dll    windows7-x64
3  Codecs/FLV...er.dll    windows10-2004-x64
3  Codecs/Haa...er.dll    windows7-x64
3  Codecs/Haa...er.dll    windows10-2004-x64
3  Codecs/Haali/avi.dll   windows7-x64
3  Codecs/Haali/avi.dll   windows10-2004-x64
3  Codecs/Haa...de.dll    windows7-x64
3  Codecs/Haa...de.dll    windows10-2004-x64
3  Codecs/Haa...ib.dll    windows7-x64
3  Codecs/Haa...ib.dll    windows10-2004-x64
Analysis
max time kernel: 119s
max time network: 124s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 27/02/2025, 02:39
Behavioral tasks (task, sample, resource):
behavioral1   JaffaCakes118_2a322d5874b626864489bccec81da3f3.exe         win7-20240729-en
behavioral2   JaffaCakes118_2a322d5874b626864489bccec81da3f3.exe         win10v2004-20250217-en
behavioral3   Apply.exe                                                   win7-20250207-en
behavioral4   Apply.exe                                                   win10v2004-20250217-en
behavioral5   Baidu-TB-ASBar.exe                                          win7-20240903-en
behavioral6   Baidu-TB-ASBar.exe                                          win10v2004-20250217-en
behavioral7   $PROGRAMFILES/Baidu/ASBarBroker.exe                         win7-20240903-en
behavioral8   $PROGRAMFILES/Baidu/ASBarBroker.exe                         win10v2004-20250217-en
behavioral9   $PROGRAMFILES/Baidu/AddressBar.dll                          win7-20241010-en
behavioral10  $PROGRAMFILES/Baidu/AddressBar.dll                          win10v2004-20250217-en
behavioral11  $PROGRAMFILES/Baidu/Toolbar/BaiduBarX_Tmp/BaiduBarX.dll     win7-20240903-en
behavioral12  $PROGRAMFILES/Baidu/Toolbar/BaiduBarX_Tmp/BaiduBarX.dll     win10v2004-20250217-en
behavioral13  $PROGRAMFILES/Baidu/Toolbar/BaiduBarX_Tmp/BarBroker.exe     win7-20240903-en
behavioral14  $PROGRAMFILES/Baidu/Toolbar/BaiduBarX_Tmp/BarBroker.exe     win10v2004-20250217-en
behavioral15  $PROGRAMFILES/Baidu/Toolbar/BaiduBarX_Tmp/rc.dll            win7-20241010-en
behavioral16  $PROGRAMFILES/Baidu/Toolbar/BaiduBarX_Tmp/rc.dll            win10v2004-20250217-en
behavioral17  Codecs/AviSplitter.dll                                      win7-20240903-en
behavioral18  Codecs/AviSplitter.dll                                      win10v2004-20250217-en
behavioral19  Codecs/CoreAAC.dll                                          win7-20240903-en
behavioral20  Codecs/CoreAAC.dll                                          win10v2004-20250217-en
behavioral21  Codecs/CoreAVC.dll                                          win7-20250207-en
behavioral22  Codecs/CoreAVC.dll                                          win10v2004-20250217-en
behavioral23  Codecs/FLVSplitter.dll                                      win7-20240729-en
behavioral24  Codecs/FLVSplitter.dll                                      win10v2004-20250217-en
behavioral25  Codecs/Haali/Haalisplitter.dll                              win7-20240903-en
behavioral26  Codecs/Haali/Haalisplitter.dll                              win10v2004-20250217-en
behavioral27  Codecs/Haali/avi.dll                                        win7-20240903-en
behavioral28  Codecs/Haali/avi.dll                                        win10v2004-20250217-en
behavioral29  Codecs/Haali/mkunicode.dll                                  win7-20241010-en
behavioral30  Codecs/Haali/mkunicode.dll                                  win10v2004-20250217-en
behavioral31  Codecs/Haali/mkzlib.dll                                     win7-20241023-en
behavioral32  Codecs/Haali/mkzlib.dll                                     win10v2004-20250217-en
General
Target: $PROGRAMFILES/Baidu/Toolbar/BaiduBarX_Tmp/BaiduBarX.dll
Size: 2.4MB
MD5: e9e1884c564283e30e3f856d1f9f8f80
SHA1: 6200823787f1a1c6acb2b687e620dcc26eb1f3f0
SHA256: 4b2a125d3d19ca691e4ef46dda0b290a6d3cdbd58e35728148fa43da8ef52f0c
SHA512: a0fadb771e3c8a26ae81d790ce07642981232f205af5576e4bbbb0ca29993f0f98b64a1f51868ebf58a7d6bb4ad491821525d299b5ba2c81c8a3ceb1a5745c3e
SSDEEP: 49152:R4OPX6ZEGjOO7dL/GwcD01BsAigR/fYTULeh0soClqYktY:R4O/6WGjOO71Gr0TsAiZ0tCl5n
Malware Config
Signatures
Executes dropped EXE (1 IoC)
- PID 2096, BaiduSetupAx_3.exe

Loads dropped DLL (4 IoCs)
- PID 2388, regsvr32.exe
- PID 2388, regsvr32.exe
- PID 2096, BaiduSetupAx_3.exe
- PID 2096, BaiduSetupAx_3.exe

Installs/modifies Browser Helper Object (2 TTPs, 3 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77FEF28E-EB96-44FF-B511-3185DEA48697} (regsvr32.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{77FEF28E-EB96-44FF-B511-3185DEA48697}\NoExplorer = "1" (regsvr32.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{77FEF28E-EB96-44FF-B511-3185DEA48697}\id = "bdbar" (regsvr32.exe)

Drops file in Program Files directory (3 IoCs)
- File created: C:\Program Files (x86)\Baidu\Toolbar\BaiduBarX.dll (regsvr32.exe)
- File opened for modification: C:\Program Files (x86)\Baidu\Toolbar\BaiduBarX.dll (regsvr32.exe)
- File created: C:\Program Files (x86)\Baidu\Toolbar\BaiduSetupAx_3.exe (regsvr32.exe)

Drops file in Windows directory (1 IoC)
- File created: C:\Windows\Downloaded Program Files\259426480\BaiduSetupAx_3.dll (BaiduSetupAx_3.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (BaiduSetupAx_3.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (regsvr32.exe)

Modifies Internet Explorer settings
- Set value (str): \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" (regsvr32.exe)
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar (regsvr32.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{B580CF65-E151-49C3-B73F-70B13FCA8E86} = "12" (regsvr32.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main (regsvr32.exe)
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory (14 IoCs)
- PID 2108 (regsvr32.exe) wrote to memory of PID 2388, procid_target 30 (7 events)
- PID 2388 (regsvr32.exe) wrote to memory of PID 2096, procid_target 31 (7 events)
Processes

1. C:\Windows\system32\regsvr32.exe (PID 2108)
   Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\Baidu\Toolbar\BaiduBarX_Tmp\BaiduBarX.dll
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\regsvr32.exe (PID 2388), child of PID 2108
      Command line: /s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\Baidu\Toolbar\BaiduBarX_Tmp\BaiduBarX.dll
      - Loads dropped DLL
      - Installs/modifies Browser Helper Object
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      3. C:\Program Files (x86)\Baidu\Toolbar\BaiduSetupAx_3.exe (PID 2096), child of PID 2388
         Command line: "C:\Program Files (x86)\Baidu\Toolbar\BaiduSetupAx_3.exe"
         - Executes dropped EXE
         - Loads dropped DLL
         - Drops file in Windows directory
         - System Location Discovery: System Language Discovery
         - Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.4MB
MD5: e9e1884c564283e30e3f856d1f9f8f80
SHA1: 6200823787f1a1c6acb2b687e620dcc26eb1f3f0
SHA256: 4b2a125d3d19ca691e4ef46dda0b290a6d3cdbd58e35728148fa43da8ef52f0c
SHA512: a0fadb771e3c8a26ae81d790ce07642981232f205af5576e4bbbb0ca29993f0f98b64a1f51868ebf58a7d6bb4ad491821525d299b5ba2c81c8a3ceb1a5745c3e

Filesize: 342KB
MD5: cbc974c12b052b0c5c9dfe7633a2617b
SHA1: 6df8d5392455627efec8ac56ba047eede022a48b
SHA256: 45fca64a1025e24dc9ee4c25806411e94a0a951bd037fc39e8b8d0c0c51911a5
SHA512: ffcda7b5193b5a101cfe75eb33d1954e4c579f0969fa257163ea4b02d4708e04e98af9dfb16c50c32e6f41e1e79e9bdd5e6adfa9872722c4e3f35852c413bd64

Filesize: 11KB
MD5: bf712f32249029466fa86756f5546950
SHA1: 75ac4dc4808ac148ddd78f6b89a51afbd4091c2e
SHA256: 7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af
SHA512: 13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

Filesize: 644KB
MD5: cdfa842044f18f77ec20318d1271dcab
SHA1: c2a9d6c8abfebbf8019a28eafc0ab6c81a8de44a
SHA256: 59cb9ee31a4bd348b9aed8d5a55e17544380e499de8ed4e863e9920fcff3c95a
SHA512: f8ca1088063365d8d9e6d2e709d835777df863827dd70b857c46117ff9fa29181ab7e9565c33bf3d4297464ecf75b0eab46c5fe3373d95c2d5874c4d4bfe0e0c