Overview
overview
7Static
static
7JaffaCakes...f3.exe
windows7-x64
3JaffaCakes...f3.exe
windows10-2004-x64
3Apply.exe
windows7-x64
3Apply.exe
windows10-2004-x64
3Baidu-TB-ASBar.exe
windows7-x64
7Baidu-TB-ASBar.exe
windows10-2004-x64
3$PROGRAMFI...er.exe
windows7-x64
3$PROGRAMFI...er.exe
windows10-2004-x64
3$PROGRAMFI...ar.dll
windows7-x64
7$PROGRAMFI...ar.dll
windows10-2004-x64
7$PROGRAMFI...rX.dll
windows7-x64
7$PROGRAMFI...rX.dll
windows10-2004-x64
7$PROGRAMFI...er.exe
windows7-x64
3$PROGRAMFI...er.exe
windows10-2004-x64
3$PROGRAMFI...rc.dll
windows7-x64
3$PROGRAMFI...rc.dll
windows10-2004-x64
3Codecs/Avi...er.dll
windows7-x64
3Codecs/Avi...er.dll
windows10-2004-x64
3Codecs/CoreAAC.dll
windows7-x64
3Codecs/CoreAAC.dll
windows10-2004-x64
3Codecs/CoreAVC.dll
windows7-x64
3Codecs/CoreAVC.dll
windows10-2004-x64
3Codecs/FLV...er.dll
windows7-x64
3Codecs/FLV...er.dll
windows10-2004-x64
3Codecs/Haa...er.dll
windows7-x64
3Codecs/Haa...er.dll
windows10-2004-x64
3Codecs/Haali/avi.dll
windows7-x64
3Codecs/Haali/avi.dll
windows10-2004-x64
3Codecs/Haa...de.dll
windows7-x64
3Codecs/Haa...de.dll
windows10-2004-x64
3Codecs/Haa...ib.dll
windows7-x64
3Codecs/Haa...ib.dll
windows10-2004-x64
3Analysis
-
max time kernel
141s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system -
submitted
27/02/2025, 02:39
Behavioral task
behavioral1
Sample
JaffaCakes118_2a322d5874b626864489bccec81da3f3.exe
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral2
Sample
JaffaCakes118_2a322d5874b626864489bccec81da3f3.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
Apply.exe
Resource
win7-20250207-en
windows7-x64
Behavioral task
behavioral4
Sample
Apply.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
Baidu-TB-ASBar.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral6
Sample
Baidu-TB-ASBar.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$PROGRAMFILES/Baidu/ASBarBroker.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral8
Sample
$PROGRAMFILES/Baidu/ASBarBroker.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$PROGRAMFILES/Baidu/AddressBar.dll
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral10
Sample
$PROGRAMFILES/Baidu/AddressBar.dll
Resource
win10v2004-20250217-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
$PROGRAMFILES/Baidu/Toolbar/BaiduBarX_Tmp/BaiduBarX.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral12
Sample
$PROGRAMFILES/Baidu/Toolbar/BaiduBarX_Tmp/BaiduBarX.dll
Resource
win10v2004-20250217-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
$PROGRAMFILES/Baidu/Toolbar/BaiduBarX_Tmp/BarBroker.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral14
Sample
$PROGRAMFILES/Baidu/Toolbar/BaiduBarX_Tmp/BarBroker.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
$PROGRAMFILES/Baidu/Toolbar/BaiduBarX_Tmp/rc.dll
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral16
Sample
$PROGRAMFILES/Baidu/Toolbar/BaiduBarX_Tmp/rc.dll
Resource
win10v2004-20250217-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
Codecs/AviSplitter.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral18
Sample
Codecs/AviSplitter.dll
Resource
win10v2004-20250217-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
Codecs/CoreAAC.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral20
Sample
Codecs/CoreAAC.dll
Resource
win10v2004-20250217-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
Codecs/CoreAVC.dll
Resource
win7-20250207-en
windows7-x64
Behavioral task
behavioral22
Sample
Codecs/CoreAVC.dll
Resource
win10v2004-20250217-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
Codecs/FLVSplitter.dll
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral24
Sample
Codecs/FLVSplitter.dll
Resource
win10v2004-20250217-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
Codecs/Haali/Haalisplitter.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral26
Sample
Codecs/Haali/Haalisplitter.dll
Resource
win10v2004-20250217-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
Codecs/Haali/avi.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral28
Sample
Codecs/Haali/avi.dll
Resource
win10v2004-20250217-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
Codecs/Haali/mkunicode.dll
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral30
Sample
Codecs/Haali/mkunicode.dll
Resource
win10v2004-20250217-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
Codecs/Haali/mkzlib.dll
Resource
win7-20241023-en
windows7-x64
Behavioral task
behavioral32
Sample
Codecs/Haali/mkzlib.dll
Resource
win10v2004-20250217-en
windows10-2004-x64
General
-
Target
$PROGRAMFILES/Baidu/Toolbar/BaiduBarX_Tmp/BaiduBarX.dll
-
Size
2.4MB
-
MD5
e9e1884c564283e30e3f856d1f9f8f80
-
SHA1
6200823787f1a1c6acb2b687e620dcc26eb1f3f0
-
SHA256
4b2a125d3d19ca691e4ef46dda0b290a6d3cdbd58e35728148fa43da8ef52f0c
-
SHA512
a0fadb771e3c8a26ae81d790ce07642981232f205af5576e4bbbb0ca29993f0f98b64a1f51868ebf58a7d6bb4ad491821525d299b5ba2c81c8a3ceb1a5745c3e
-
SSDEEP
49152:R4OPX6ZEGjOO7dL/GwcD01BsAigR/fYTULeh0soClqYktY:R4O/6WGjOO71Gr0TsAiZ0tCl5n
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 928 BaiduSetupAx_3.exe -
Loads dropped DLL 4 IoCs
pid Process 392 regsvr32.exe 392 regsvr32.exe 928 BaiduSetupAx_3.exe 928 BaiduSetupAx_3.exe -
Installs/modifies Browser Helper Object 2 TTPs 3 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77FEF28E-EB96-44FF-B511-3185DEA48697} regsvr32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77FEF28E-EB96-44FF-B511-3185DEA48697}\NoExplorer = "1" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77FEF28E-EB96-44FF-B511-3185DEA48697}\id = "bdbar" regsvr32.exe -
Drops file in Program Files directory 3 IoCs
description ioc Process File created C:\Program Files (x86)\Baidu\Toolbar\BaiduBarX.dll regsvr32.exe File opened for modification C:\Program Files (x86)\Baidu\Toolbar\BaiduBarX.dll regsvr32.exe File created C:\Program Files (x86)\Baidu\Toolbar\BaiduSetupAx_3.exe regsvr32.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Downloaded Program Files\240623187\BaiduSetupAx_3.dll BaiduSetupAx_3.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BaiduSetupAx_3.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Microsoft\Internet Explorer\Main regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" regsvr32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{B580CF65-E151-49C3-B73F-70B13FCA8E86} = "12" regsvr32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.BDLogin\CLSID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23A2B2B7-21DE-4B88-AFBA-5A918ABBF463}\InprocServer32\ = "C:\\Program Files (x86)\\Baidu\\Toolbar\\BaiduBarX.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}\1.0\0 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C891026-0BE9-434E-B807-118E6E5EA3B6}\ProgID BaiduSetupAx_3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C891026-0BE9-434E-B807-118E6E5EA3B6}\ProgID\ = "BaiduSetupAx.SetupCtrl.1" BaiduSetupAx_3.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}\ProgID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}\TypeLib\ = "{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}\ProgID\ = "BaiduBarX.BandIE.1" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.4\ = "°Ù¶È¹¤¾ßÀ¸¸öÐÔ»¯Ê×Ò³Ö§³Ö×é¼þ" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4C2BFEC9-F03C-4F74-932E-5723E603B4AC}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Tool.1\CLSID\ = "{A7F05EE4-0426-454F-8013-C41E3596E9E9}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Tool regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7EF05EFF-0E62-4040-8D81-73A10D8DE60F}\TypeLib\ = "{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4C2BFEC9-F03C-4F74-932E-5723E603B4AC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C891026-0BE9-434E-B807-118E6E5EA3B6}\MiscStatus\ = "0" BaiduSetupAx_3.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB7C6ED8-2913-1026-AF92-5B561213F1C6}\ProxyStubClsid32 BaiduSetupAx_3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C773CA2-F142-4B2C-981A-FD3B1BEC1578}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5C891026-430F-4007-B033-B976ADBD3C27} BaiduSetupAx_3.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.3\CLSID\ = "{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\BaiduSetupAx.DLL BaiduSetupAx_3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}\VersionIndependentProgID\ = "BaiduBar.Tool" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.ToolBand\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}\InprocServer32\ = "C:\\Program Files (x86)\\Baidu\\Toolbar\\BaiduBarX.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D158174C-004B-4A2E-9410-5442C10C60D2}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C773CA2-F142-4B2C-981A-FD3B1BEC1578}\ = "IBDLogin" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.BandIE.1\CLSID\ = "{77FEF28E-EB96-44FF-B511-3185DEA48697}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.4\CLSID\ = "{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C773CA2-F142-4B2C-981A-FD3B1BEC1578}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduSetupAx.SetupCtrl BaiduSetupAx_3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.BandIE.1\ = "Baidu Toolbar BHO" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7EF05EFF-0E62-4040-8D81-73A10D8DE60F}\TypeLib regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6C773CA2-F142-4B2C-981A-FD3B1BEC1578}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}\TypeLib regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7EF05EFF-0E62-4040-8D81-73A10D8DE60F}\TypeLib\Version = "1.0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{7EC3D10F-D59E-463C-9767-18E20834919F} BaiduSetupAx_3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduSetupAx.SetupCtrl.1\ = "SetupCtrl Class" BaiduSetupAx_3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduSetupAx.SetupCtrl.1\CLSID\ = "{8C891026-0BE9-434E-B807-118E6E5EA3B6}" BaiduSetupAx_3.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduSetupAx.SetupCtrl\CurVer BaiduSetupAx_3.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C891026-0BE9-434E-B807-118E6E5EA3B6}\InprocServer32 BaiduSetupAx_3.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.BDLogin regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.BDLogin\CurVer\ = "BaiduBarX.BDLogin.1" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{7EC3D10F-D59E-463C-9767-18E20834919F}\ = "BaiduSetupAx" BaiduSetupAx_3.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.BandIE.1 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}\1.0\FLAGS\ = "0" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\TypeLib\ = "{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C891026-0BE9-434E-B807-118E6E5EA3B6}\MiscStatus\1\ = "131473" BaiduSetupAx_3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.1\ = "°Ù¶È¹¤¾ßÀ¸¸öÐÔ»¯Ê×Ò³Ö§³Ö×é¼þ" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23A2B2B7-21DE-4B88-AFBA-5A918ABBF463}\TypeLib\ = "{D12F94FA-FC9A-41F7-B808-7FBB419DD7A6}" regsvr32.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\ProgID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7EF05EFF-0E62-4040-8D81-73A10D8DE60F}\ = "IBDHomePage" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C891026-0BE9-434E-B807-118E6E5EA3B6}\Version BaiduSetupAx_3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EB7C6ED8-2913-1026-AF92-5B561213F1C6}\TypeLib\Version = "1.0" BaiduSetupAx_3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduSetupAx.SetupCtrl\CLSID\ = "{8C891026-0BE9-434E-B807-118E6E5EA3B6}" BaiduSetupAx_3.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduSetupAx.SetupCtrl\CurVer\ = "BaiduSetupAx.SetupCtrl.1" BaiduSetupAx_3.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Tool\CLSID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage\CurVer\ = "BaiduBarEx.BDHomePage.5" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.BDLogin.1 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.ToolBand\CLSID\ = "{B580CF65-E151-49C3-B73F-70B13FCA8E86}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.ToolBand\CurVer\ = "BaiduBarX.ToolBand.1" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}\Programmable regsvr32.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 4208 wrote to memory of 392 4208 regsvr32.exe 85 PID 4208 wrote to memory of 392 4208 regsvr32.exe 85 PID 4208 wrote to memory of 392 4208 regsvr32.exe 85 PID 392 wrote to memory of 928 392 regsvr32.exe 89 PID 392 wrote to memory of 928 392 regsvr32.exe 89 PID 392 wrote to memory of 928 392 regsvr32.exe 89
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\Baidu\Toolbar\BaiduBarX_Tmp\BaiduBarX.dll1⤵
- Suspicious use of WriteProcessMemory
PID:4208 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\Baidu\Toolbar\BaiduBarX_Tmp\BaiduBarX.dll2⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:392 -
C:\Program Files (x86)\Baidu\Toolbar\BaiduSetupAx_3.exe"C:\Program Files (x86)\Baidu\Toolbar\BaiduSetupAx_3.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:928
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.4MB
MD5e9e1884c564283e30e3f856d1f9f8f80
SHA16200823787f1a1c6acb2b687e620dcc26eb1f3f0
SHA2564b2a125d3d19ca691e4ef46dda0b290a6d3cdbd58e35728148fa43da8ef52f0c
SHA512a0fadb771e3c8a26ae81d790ce07642981232f205af5576e4bbbb0ca29993f0f98b64a1f51868ebf58a7d6bb4ad491821525d299b5ba2c81c8a3ceb1a5745c3e
-
Filesize
342KB
MD5cbc974c12b052b0c5c9dfe7633a2617b
SHA16df8d5392455627efec8ac56ba047eede022a48b
SHA25645fca64a1025e24dc9ee4c25806411e94a0a951bd037fc39e8b8d0c0c51911a5
SHA512ffcda7b5193b5a101cfe75eb33d1954e4c579f0969fa257163ea4b02d4708e04e98af9dfb16c50c32e6f41e1e79e9bdd5e6adfa9872722c4e3f35852c413bd64
-
Filesize
11KB
MD5bf712f32249029466fa86756f5546950
SHA175ac4dc4808ac148ddd78f6b89a51afbd4091c2e
SHA2567851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af
SHA51213f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4
-
Filesize
644KB
MD5cdfa842044f18f77ec20318d1271dcab
SHA1c2a9d6c8abfebbf8019a28eafc0ab6c81a8de44a
SHA25659cb9ee31a4bd348b9aed8d5a55e17544380e499de8ed4e863e9920fcff3c95a
SHA512f8ca1088063365d8d9e6d2e709d835777df863827dd70b857c46117ff9fa29181ab7e9565c33bf3d4297464ecf75b0eab46c5fe3373d95c2d5874c4d4bfe0e0c