4fbdde800542ed7446db9a2a87ee0da5a8479f547779aa138a4d3f5a17343677

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/02/2025, 02:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Baidu-TB-ASBar.exe
Size

1.7MB
MD5

424444bb9df402afaa5d6f4192a2d6b1
SHA1

d6276ad753aa55af08094226cdb3e8c6e05f659a
SHA256

907386b1d5c28e5b994a14335b64dd508292e2fdb7fec38ce031a750f107564e
SHA512

baf4294525564754c5d2191cf9856fecbf3e6444bcc5d3c36a9e8f054c6c4d25afd7e37414d9b93bd0abe21a2b88c66a7cf309043b53160616a68b213b253d24
SSDEEP

49152:U9OO1/OTzu4c0Vm2R9y/aFt8vsUb+0tkOci:U4cOS2T9y/aFt8LFtkti

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2108	BarBroker.exe
2684	BaiduSetupAx_3.exe
2740	ASBarBroker.exe

Loads dropped DLL 27 IoCs

pid	Process
1836	Baidu-TB-ASBar.exe
1836	Baidu-TB-ASBar.exe
1836	Baidu-TB-ASBar.exe
1836	Baidu-TB-ASBar.exe
1836	Baidu-TB-ASBar.exe
1836	Baidu-TB-ASBar.exe
1836	Baidu-TB-ASBar.exe
1836	Baidu-TB-ASBar.exe
1836	Baidu-TB-ASBar.exe
2684	BaiduSetupAx_3.exe
2108	BarBroker.exe
2108	BarBroker.exe
2108	BarBroker.exe
1836	Baidu-TB-ASBar.exe
2684	BaiduSetupAx_3.exe
1836	Baidu-TB-ASBar.exe
2684	BaiduSetupAx_3.exe
2684	BaiduSetupAx_3.exe
1836	Baidu-TB-ASBar.exe
1836	Baidu-TB-ASBar.exe
1836	Baidu-TB-ASBar.exe
1836	Baidu-TB-ASBar.exe
1836	Baidu-TB-ASBar.exe
1836	Baidu-TB-ASBar.exe
2740	ASBarBroker.exe
2740	ASBarBroker.exe
2740	ASBarBroker.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 5 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77FEF28E-EB96-44FF-B511-3185DEA48697}	Baidu-TB-ASBar.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{77FEF28E-EB96-44FF-B511-3185DEA48697}\NoExplorer = "1"	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{77FEF28E-EB96-44FF-B511-3185DEA48697}\id = "bdbar"	Baidu-TB-ASBar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA09512-29D2-DA79-09F9-035AEFB20428}	Baidu-TB-ASBar.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5CA09512-29D2-DA79-09F9-035AEFB20428}\NoExplorer = "1"	Baidu-TB-ASBar.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Baidu\{5CA09512-29D2-DA79-09F9-035AEFB20428}\ASBarBroker.exe	Baidu-TB-ASBar.exe
File created	C:\Program Files (x86)\Baidu\Toolbar\BaiduBarX_Tmp\rc.dll	Baidu-TB-ASBar.exe
File opened for modification	C:\Program Files (x86)\Baidu\Toolbar\BaiduBarX.dll	Baidu-TB-ASBar.exe
File created	C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe	Baidu-TB-ASBar.exe
File created	C:\Program Files (x86)\Baidu\Toolbar\BaiduSetupAx_3.exe	Baidu-TB-ASBar.exe
File created	\??\c:\program files (x86)\baidu\{5ca09512-29d2-da79-09f9-035aefb20428}\addressbar.dll	Baidu-TB-ASBar.exe
File created	C:\Program Files (x86)\Baidu\Toolbar\BaiduBarX_Tmp\BarBroker.exe	Baidu-TB-ASBar.exe
File created	C:\Program Files (x86)\Baidu\AddressBar.dll	Baidu-TB-ASBar.exe
File created	C:\Program Files (x86)\Baidu\{5CA09512-29D2-DA79-09F9-035AEFB20428}\conf.xml	Baidu-TB-ASBar.exe
File created	C:\Program Files (x86)\Baidu\Toolbar\BaiduBarX_Tmp\BaiduBarX.dll	Baidu-TB-ASBar.exe
File created	C:\Program Files (x86)\Baidu\ASBarBroker.exe	Baidu-TB-ASBar.exe
File created	C:\Program Files (x86)\Baidu\Toolbar\rc.dll	Baidu-TB-ASBar.exe
File opened for modification	C:\Program Files (x86)\Baidu\AddressBar.dll	Baidu-TB-ASBar.exe
File created	C:\Program Files (x86)\Baidu\conf.xml	Baidu-TB-ASBar.exe
File created	C:\Program Files (x86)\Baidu\Toolbar\BaiduBarX.dll	Baidu-TB-ASBar.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Downloaded Program Files\259442517\BaiduSetupAx_3.dll	BaiduSetupAx_3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baidu-TB-ASBar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BaiduSetupAx_3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BarBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ASBarBroker.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes"	Baidu-TB-ASBar.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights	ASBarBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\AppPath = "C:\\Program Files (x86)\\Baidu\\{5CA09512-29D2-DA79-09F9-035AEFB20428}"	ASBarBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\Policy = "3"	ASBarBroker.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}\AppName = "BarBroker.exe"	BarBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TypedURLs\url1 = "http://www.baidu.com/index.php?tn=71099019_adr&ch=33&addresssearch=1"	Baidu-TB-ASBar.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}	ASBarBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\AppName = "ASBarBroker.exe"	ASBarBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}\URL = "http://www.baidu.com/s?wd={searchTerms}&ie={inputEncoding}&oe={outputEncoding}&bar=13&tn=71099019_cb"	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TypedURLs\url1 = "http://www.baidu.com/index.php?tn=baidudg&addresssearch=1"	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}\AppPath = "%ProgramFiles(x86)%\\Baidu\\Toolbar"	BarBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}\URL = "http://www.baidu.com/s?wd={searchTerms}&ie={inputEncoding}&oe={outputEncoding}&abar=2&tn=71099019_adr&ch=33"	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\AppPath = "C:\\Program Files (x86)\\Baidu\\{5CA09512-29D2-DA79-09F9-035AEFB20428}"	ASBarBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}"	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}\FaviconURL = "http://www.baidu.com/favicon.ico"	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}\SuggestionsURL_JSON = "http://suggestion.baidu.com/su?wd={searchTerms}&action=opensearch&ie={inputEncoding}&from=ie8"	Baidu-TB-ASBar.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}\Policy = "3"	BarBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}	ASBarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\AppPath = "%ProgramFiles(x86)%\\Baidu\\AddressBar"	ASBarBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}	ASBarBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	ASBarBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}\DisplayName = "百度一下，你就知道"	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{B580CF65-E151-49C3-B73F-70B13FCA8E86} = "12"	Baidu-TB-ASBar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}	BarBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TypedURLs	Baidu-TB-ASBar.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\{B8E20CD7-BAC2-4820-9AA6-1060B3AF25E2}	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\AppName = "ASBarBroker.exe"	ASBarBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TypedURLs\url2 = "http://www.baidu.com/index.php?tn=baidudg&addresssearch=2"	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TypedURLs\url2 = "http://www.baidu.com/index.php?tn=71099019_adr&ch=33&addresssearch=2"	Baidu-TB-ASBar.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}\Policy = "3"	ASBarBroker.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA677CC1-D6FA-4B55-825D-6C493F56ED84}\ = "ISnavHttpProtocol"	Baidu-TB-ASBar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1DD31B76-C57E-49ba-94BC-BF53F0C82CD4}	ASBarBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91878E42-FC03-4785-B513-1F9E613D1027}\TypeLib	ASBarBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Tool	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EB7C6ED8-2913-1026-AF92-5B561213F1C6}\TypeLib\Version = "1.0"	BaiduSetupAx_3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}\ = "°Ù¶È¹¤¾ßÀ¸¸¨Öú¶ÔÏó"	Baidu-TB-ASBar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.2\CLSID	Baidu-TB-ASBar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AddressSearch.SnavHttpProtocol\CLSID	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE575A61-09BD-4F3A-B8B5-B55B813B44EC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FA677CC1-D6FA-4B55-825D-6C493F56ED84}\ = "ISnavHttpProtocol"	Baidu-TB-ASBar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}\VersionIndependentProgID	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}\InprocServer32\ = "C:\\Program Files (x86)\\Baidu\\Toolbar\\BaiduBarX.dll"	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86}\TypeLib\ = "{F9BC0421-BB5C-447d-8547-BB45AFA80A4D}"	Baidu-TB-ASBar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{23A2B2B7-21DE-4B88-AFBA-5A918ABBF463}\VersionIndependentProgID	Baidu-TB-ASBar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BarBroker.BDBroker.1\CLSID	BarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D02E3AB9-7796-40CB-BDFC-20D834FE1F75}\1.0\FLAGS\ = "0"	ASBarBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2923508C-9425-4A61-B9CE-A98239055916}\ProxyStubClsid32	BarBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\5CA09512-29D2-DA79-09F9-035AEFB20428.Addr\CurVer	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AddressSearch.JsObject\CurVer\ = "AddressSearch.JsObject.1"	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91878E42-FC03-4785-B513-1F9E613D1027}\LocalServer32\ = "\"C:\\PROGRA~2\\baidu\\{5CA09~1\\ASBarBroker.exe\""	ASBarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D02E3AB9-7796-40CB-BDFC-20D834FE1F75}\1.0\0\win32\ = "C:\\PROGRA~2\\baidu\\{5CA09~1\\ASBarBroker.exe"	ASBarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.BDLogin\ = "BDLogin Class"	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7EF05EFF-0E62-4040-8D81-73A10D8DE60F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FE575A61-09BD-4F3A-B8B5-B55B813B44EC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Baidu-TB-ASBar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FA677CC1-D6FA-4B55-825D-6C493F56ED84}	Baidu-TB-ASBar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D02E3AB9-7796-40CB-BDFC-20D834FE1F75}\1.0\0\win32	ASBarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.ToolBand.1\CLSID\ = "{B580CF65-E151-49C3-B73F-70B13FCA8E86}"	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.5\CLSID\ = "{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}"	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage.4\CLSID\ = "{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}"	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2923508C-9425-4A61-B9CE-A98239055916}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	BarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ASBarBroker.BDBroker.1\ = "BDBroker Class"	ASBarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCB380C4-D350-44BE-8791-50216F4747AC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ASBarBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\InprocServer32	Baidu-TB-ASBar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Tool.1\CLSID	Baidu-TB-ASBar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}\InprocServer32	Baidu-TB-ASBar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5CA09512-29D2-DA79-09F9-035AEFB20428}\InprocServer32	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ASBarBroker.BDBroker\CLSID\ = "{91878E42-FC03-4785-B513-1F9E613D1027}"	ASBarBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ASBarBroker.BDBroker.1	ASBarBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ASBarBroker.BDBroker.1\CLSID	ASBarBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91878E42-FC03-4785-B513-1F9E613D1027}	ASBarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91878E42-FC03-4785-B513-1F9E613D1027}\VersionIndependentProgID\ = "ASBarBroker.BDBroker"	ASBarBroker.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BarBroker.BDBroker\ = "BDBroker Class"	BarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.BandIE.1\CLSID\ = "{77FEF28E-EB96-44FF-B511-3185DEA48697}"	Baidu-TB-ASBar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C773CA2-F142-4B2C-981A-FD3B1BEC1578}	Baidu-TB-ASBar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2923508C-9425-4A61-B9CE-A98239055916}	BarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2923508C-9425-4A61-B9CE-A98239055916}\ = "IBDBroker"	BarBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}\InprocServer32	Baidu-TB-ASBar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{7A33CE9E-4F33-4B4E-B263-6AEEAB6C3DC2}	BarBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EB7C6ED8-2913-1026-AF92-5B561213F1C6}	BaiduSetupAx_3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\5CA09512-29D2-DA79-09F9-035AEFB20428.Addr.1\CLSID	Baidu-TB-ASBar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AddressSearch.SnavHttpProtocol	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarX.ToolBand\CLSID\ = "{B580CF65-E151-49C3-B73F-70B13FCA8E86}"	Baidu-TB-ASBar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11CC93E4-0BE6-4f8f-82AA-D577FB955B05}\Programmable	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage\ = "°Ù¶È¹¤¾ßÀ¸¸öÐÔ»¯Ê×Ò³Ö§³Ö×é¼þ"	Baidu-TB-ASBar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86}\ProgID	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86}\VersionIndependentProgID\ = "AddressSearch.SnavHttpProtocol"	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4D89001B-5B5B-4E76-A1F5-638E49DB7A58}\ = "IJsObject"	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BDHomePage\CLSID\ = "{E5D5D4A1-17F0-41D7-B1C6-0979F91E6F46}"	Baidu-TB-ASBar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7EF05EFF-0E62-4040-8D81-73A10D8DE60F}\ProxyStubClsid32	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5BECD27B-DCF5-4DEF-B066-486A47245C03}\ = "BDBroker Class"	BarBroker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AddressSearch.JsObject\ = "JsObject Class"	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FBEDBA6C-44A2-43b9-BD49-20EB6E0C4E86}\ = "SnavHttpProtocol Class"	Baidu-TB-ASBar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FE575A61-09BD-4F3A-B8B5-B55B813B44EC}\TypeLib\ = "{F9BC0421-BB5C-447D-8547-BB45AFA80A4D}"	Baidu-TB-ASBar.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	1836	Baidu-TB-ASBar.exe
Token: SeBackupPrivilege	1836	Baidu-TB-ASBar.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 2108	1836	Baidu-TB-ASBar.exe	30
PID 1836 wrote to memory of 2108	1836	Baidu-TB-ASBar.exe	30
PID 1836 wrote to memory of 2108	1836	Baidu-TB-ASBar.exe	30
PID 1836 wrote to memory of 2108	1836	Baidu-TB-ASBar.exe	30
PID 1836 wrote to memory of 2108	1836	Baidu-TB-ASBar.exe	30
PID 1836 wrote to memory of 2108	1836	Baidu-TB-ASBar.exe	30
PID 1836 wrote to memory of 2108	1836	Baidu-TB-ASBar.exe	30
PID 1836 wrote to memory of 2684	1836	Baidu-TB-ASBar.exe	31
PID 1836 wrote to memory of 2684	1836	Baidu-TB-ASBar.exe	31
PID 1836 wrote to memory of 2684	1836	Baidu-TB-ASBar.exe	31
PID 1836 wrote to memory of 2684	1836	Baidu-TB-ASBar.exe	31
PID 1836 wrote to memory of 2684	1836	Baidu-TB-ASBar.exe	31
PID 1836 wrote to memory of 2684	1836	Baidu-TB-ASBar.exe	31
PID 1836 wrote to memory of 2684	1836	Baidu-TB-ASBar.exe	31
PID 1836 wrote to memory of 2740	1836	Baidu-TB-ASBar.exe	32
PID 1836 wrote to memory of 2740	1836	Baidu-TB-ASBar.exe	32
PID 1836 wrote to memory of 2740	1836	Baidu-TB-ASBar.exe	32
PID 1836 wrote to memory of 2740	1836	Baidu-TB-ASBar.exe	32
PID 1836 wrote to memory of 2740	1836	Baidu-TB-ASBar.exe	32
PID 1836 wrote to memory of 2740	1836	Baidu-TB-ASBar.exe	32
PID 1836 wrote to memory of 2740	1836	Baidu-TB-ASBar.exe	32

C:\Users\Admin\AppData\Local\Temp\Baidu-TB-ASBar.exe
"C:\Users\Admin\AppData\Local\Temp\Baidu-TB-ASBar.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe
  "C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe" -RegServer
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:2108
- C:\Program Files (x86)\Baidu\Toolbar\BaiduSetupAx_3.exe
  "C:\Program Files (x86)\Baidu\Toolbar\BaiduSetupAx_3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2684
- C:\PROGRA~2\baidu\{5CA09~1\ASBarBroker.exe
  "C:\PROGRA~2\baidu\{5CA09~1\ASBarBroker.exe" -RegServer
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Baidu\{5CA09~1\conf.xml

Filesize
333B

MD5
fb7642dc5caa4e83d702110d82b604c5

SHA1
e9be3a834a272846d0cee27e5559a0bd25aa8833

SHA256
914ff2b0bfdd2bb86e10bdb7907543be9671021ff342c866a458853e516c8fc1

SHA512
4bcbc6f357b7c41c61135f68e901a883382901d351e67974f18f4b941cff3460ec55501cb7f5f7b4ee1c7b03d4853bdce7b13e099fcc18393c124a50c937f32e

Download Submit
C:\Program Files (x86)\Baidu\Toolbar\BarBroker.exe

Filesize
230KB

MD5
d46c87577e5793173113750ac106bf82

SHA1
c7667d96f7f40a8c7f962bc041416ed0a9eaf028

SHA256
5326dc341619708246cab00c1b5eac442b49434b33ee38abb4e08bb0beac2d43

SHA512
08e50e0c7160227f789950f1ad306a7643d9033331ed6b8bc71e3468aaa80904d89be34a0369115b643f051808522297015d7b6b80e21588f4fd2177cfdfa53a

Download Submit
\PROGRA~2\Baidu\{5CA09~1\ASBarBroker.exe

Filesize
131KB

MD5
0c0d10f50bd70f50851f9028dcbab561

SHA1
6590eaeff686c15c269e2697eb07a96b0eefe125

SHA256
68d6c9464decad7deeaf6fab1fd203cd64a8ab26093ac613999e3042e3c83d90

SHA512
159f2e006b1f166525a0b9197083673ead801c7625d68d73ac93e4b28a20db0742ed612728fc3088815fb6a749de0065e88e6755293faebaaf46d9f183b5f90c

Download Submit
\Program Files (x86)\Baidu\AddressBar.dll

Filesize
1.1MB

MD5
fa01bb721c480a3b08a76cf811812b07

SHA1
d3e2703e86d56a67290005de12812f37d45ceb18

SHA256
f02c847b82ea4bf98f214020c0d61f2039f6972e043b7502ee3c7b864687a6ff

SHA512
4e678b4426963c012ef4db7231dbe2199546f82cf71ac7d800cf56873779ad2b164329b5173c09249f422c60b6fa580c135b9141df08a13c0b8a06d9fb07ff91

Download Submit
\Program Files (x86)\Baidu\Toolbar\BaiduBarX_Tmp\BaiduBarX.dll

Filesize
2.4MB

MD5
e9e1884c564283e30e3f856d1f9f8f80

SHA1
6200823787f1a1c6acb2b687e620dcc26eb1f3f0

SHA256
4b2a125d3d19ca691e4ef46dda0b290a6d3cdbd58e35728148fa43da8ef52f0c

SHA512
a0fadb771e3c8a26ae81d790ce07642981232f205af5576e4bbbb0ca29993f0f98b64a1f51868ebf58a7d6bb4ad491821525d299b5ba2c81c8a3ceb1a5745c3e

Download Submit
\Program Files (x86)\Baidu\Toolbar\BaiduSetupAx_3.exe

Filesize
342KB

MD5
cbc974c12b052b0c5c9dfe7633a2617b

SHA1
6df8d5392455627efec8ac56ba047eede022a48b

SHA256
45fca64a1025e24dc9ee4c25806411e94a0a951bd037fc39e8b8d0c0c51911a5

SHA512
ffcda7b5193b5a101cfe75eb33d1954e4c579f0969fa257163ea4b02d4708e04e98af9dfb16c50c32e6f41e1e79e9bdd5e6adfa9872722c4e3f35852c413bd64

Download Submit
\Program Files (x86)\Baidu\Toolbar\rc.dll

Filesize
498KB

MD5
14e54c67ae4c4a9c611e6e0e9e9d8352

SHA1
f9b2846e9813027bd1f4d04d1f2760170277c095

SHA256
9f0b741ac6046f05bc1eae34bdf5347abab4c59f3a4de56027e46c7f60066574

SHA512
4d3855b3854bfa9dbcee443661bf4416c4f6272eb74f8edb10df5bb1366e98afec4055f6a86a501d985a3e9de8b48f5f5aa8ee5b6285bc22dd374f26a2d262ca

Download Submit
\Users\Admin\AppData\Local\Temp\nsjC709.tmp\System.dll

Filesize
11KB

MD5
bf712f32249029466fa86756f5546950

SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

Download Submit
\Windows\Downloaded Program Files\259442517\BaiduSetupAx_3.dll

Filesize
644KB

MD5
cdfa842044f18f77ec20318d1271dcab

SHA1
c2a9d6c8abfebbf8019a28eafc0ab6c81a8de44a

SHA256
59cb9ee31a4bd348b9aed8d5a55e17544380e499de8ed4e863e9920fcff3c95a

SHA512
f8ca1088063365d8d9e6d2e709d835777df863827dd70b857c46117ff9fa29181ab7e9565c33bf3d4297464ecf75b0eab46c5fe3373d95c2d5874c4d4bfe0e0c

Download Submit
memory/1836-23-0x00000000036D0000-0x0000000003949000-memory.dmp

Filesize
2.5MB

Download
memory/1836-28-0x0000000003B50000-0x0000000003BCC000-memory.dmp

Filesize
496KB

Download
memory/1836-80-0x0000000004280000-0x00000000043A7000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads