7b7d6486a2949310dee64ef4d0c51939251fca19213efc6b861231435046fd7a

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 07:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a7b95d799bfc4252f650808872bcd31_JaffaCakes118.exe
Size

991KB
MD5

1a7b95d799bfc4252f650808872bcd31
SHA1

27f428ad55d6dd7921ad8cab710ac6975bda7134
SHA256

7b7d6486a2949310dee64ef4d0c51939251fca19213efc6b861231435046fd7a
SHA512

4de6da802aa5e1899be0b2bf2ea973c73f90d547b16db3ca20e8cc08a8a27d32a669726e4e287ac2d7992f9af0f6d0da8e0f178212d40c54b47a18b85f7f299e
SSDEEP

24576:UpniXLZcchleJIqycPVQr+5IG/WUgRvkWdbSsaPsa3kY2+mO8i:KiX9c0cyGQr+3IRvkQy13O+mOh

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

is-J36B1.tmpbaiducb.exe

pid process

2176 is-J36B1.tmp
1904 baiducb.exe
Loads dropped DLL 2 IoCs

Processes:

baiducb.exe

pid process

1904 baiducb.exe
1904 baiducb.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
2176	is-J36B1.tmp
1904	baiducb.exe

pid	process
1904	baiducb.exe
1904	baiducb.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

baiducb.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77FEF28E-EB96-44FF-B511-3185DEA48697}	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77FEF28E-EB96-44FF-B511-3185DEA48697}\id = "bdbar"	baiducb.exe

Drops file in Program Files directory 3 IoCs

Processes:

baiducb.exe

description	ioc	process
File opened for modification	C:\Progra~1\Baidu\bar\SET344E.tmp	baiducb.exe
File created	C:\Progra~1\Baidu\bar\SET344E.tmp	baiducb.exe
File opened for modification	C:\Progra~1\Baidu\bar\BaiDuBar.dll	baiducb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 23 IoCs

adware spyware

Modify Registry

T1112

Processes:

baiducb.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷ÍøÒ³	baiducb.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷ÍøÒ³\Contexts = 10	baiducb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷ÐÂÎÅ\ = "res://C:\\Progra~1\\Baidu\\bar\\BaiDuBar.dll/BAIDUNEWS.HTM"	baiducb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷MP3\ = "res://C:\\Progra~1\\Baidu\\bar\\BaiDuBar.dll/BAIDUMP3.HTM"	baiducb.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷¸è´Ê\Contexts = 10	baiducb.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷Ìù°É\Contexts = 10	baiducb.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{B580CF65-E151-49C3-B73F-70B13FCA8E86} = 00	baiducb.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷ÐÂÎÅ\Contexts = 10	baiducb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷¸è´Ê\ = "res://C:\\Progra~1\\Baidu\\bar\\BaiDuBar.dll/BAIDULYRIC.HTM"	baiducb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\°Ù¶È-´ÊµäËÑË÷\ = "res://C:\\Progra~1\\Baidu\\bar\\BaiDuBar.dll/BAIDU_DIC.HTM"	baiducb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷ÍøÒ³\ = "res://C:\\Progra~1\\Baidu\\bar\\BaiDuBar.dll/BAIDUSEARCH.HTM"	baiducb.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷MP3	baiducb.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷MP3\Contexts = 10	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar	baiducb.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷Í¼Æ¬	baiducb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷Í¼Æ¬\ = "res://C:\\Progra~1\\Baidu\\bar\\BaiDuBar.dll/BAIDUIMG.HTM"	baiducb.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷Í¼Æ¬\Contexts = 10	baiducb.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷¸è´Ê	baiducb.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷Ìù°É	baiducb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷Ìù°É\ = "res://C:\\Progra~1\\Baidu\\bar\\BaiDuBar.dll/BAIDUPOST.HTM"	baiducb.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\°Ù¶È-´ÊµäËÑË÷	baiducb.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷ÐÂÎÅ	baiducb.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\°Ù¶È-´ÊµäËÑË÷\Contexts = 10	baiducb.exe

Modifies registry class 64 IoCs

Processes:

baiducb.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{464C8A26-31E9-411C-9583-5B858E631DCC}\TypeLib	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}\TypeLib	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\Programmable	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Tool\CLSID	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.DropTarget\CurVer	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}\VersionIndependentProgID\ = "BaiduBarEx.BandIE"	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MimeFilter.AdFilter.1\ = "AdFilter Class"	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BandIE\CLSID	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{464C8A26-31E9-411C-9583-5B858E631DCC}	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A294F8EB-86D9-4C4A-8B3E-909253761C64}\TypeLib\ = "{6AFC2761-1253-427C-9A56-385B4609BE1D}"	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}\InprocServer32\ = "C:\\Progra~1\\Baidu\\bar\\BaiDuBar.dll"	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.DropTarget.1\ = "DropTarget Class"	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BandIE\CLSID\ = "{77FEF28E-EB96-44FF-B511-3185DEA48697}"	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{96249369-D3DC-4AE6-8A3B-E7109D46E98D}	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE14F22E-BE14-4F08-A80F-F27BC3A67B2D}\TypeLib	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{89FDCC4B-8D91-49B0-81A6-18BCFF582735}\TypeLib\Version = "1.0"	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{96249369-D3DC-4AE6-8A3B-E7109D46E98D}\ = "ITool"	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{96249369-D3DC-4AE6-8A3B-E7109D46E98D}\ProxyStubClsid32	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MimeFilter.AdFilter.1	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MimeFilter.AdFilter\ = "AdFilter Class"	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MimeFilter.AdFilter\CLSID\ = "{FE14F22E-BE14-4F08-A80F-F27BC3A67B2D}"	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE14F22E-BE14-4F08-A80F-F27BC3A67B2D}\InprocServer32\ = "C:\\Progra~1\\Baidu\\bar\\BaiDuBar.dll"	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{96249369-D3DC-4AE6-8A3B-E7109D46E98D}\TypeLib	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}\InprocServer32\ThreadingModel = "Apartment"	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{89FDCC4B-8D91-49B0-81A6-18BCFF582735}\ProxyStubClsid32	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{89FDCC4B-8D91-49B0-81A6-18BCFF582735}\TypeLib\ = "{6AFC2761-1253-427C-9A56-385B4609BE1D}"	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{464C8A26-31E9-411C-9583-5B858E631DCC}\ProxyStubClsid32	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\ProgID	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Tool.1\ = "Tool Class"	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MimeFilter.AdFilter\CLSID	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MimeFilter.AdFilter\CurVer\ = "MimeFilter.AdFilter.1"	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A294F8EB-86D9-4C4A-8B3E-909253761C64}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\ProgID\ = "BaiduBar.Baidu.1"	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MimeFilter.AdFilter.1\CLSID\ = "{FE14F22E-BE14-4F08-A80F-F27BC3A67B2D}"	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6AFC2761-1253-427C-9A56-385B4609BE1D}\1.0\ = "BaiduBarEx 1.0 Type Library"	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{89FDCC4B-8D91-49B0-81A6-18BCFF582735}	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{96249369-D3DC-4AE6-8A3B-E7109D46E98D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{464C8A26-31E9-411C-9583-5B858E631DCC}\ProxyStubClsid32	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Baidu.1\CLSID	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Baidu.1\CLSID\ = "{B580CF65-E151-49C3-B73F-70B13FCA8E86}"	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Baidu	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{96249369-D3DC-4AE6-8A3B-E7109D46E98D}	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.DropTarget\CLSID	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}\TypeLib\ = "{6AFC2761-1253-427C-9A56-385B4609BE1D}"	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6AFC2761-1253-427C-9A56-385B4609BE1D}\1.0	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{89FDCC4B-8D91-49B0-81A6-18BCFF582735}	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Baidu\CurVer\ = "BaiduBar.Baidu.1"	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Tool\CurVer\ = "BaiduBar.Tool.1"	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE14F22E-BE14-4F08-A80F-F27BC3A67B2D}	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{89FDCC4B-8D91-49B0-81A6-18BCFF582735}\ProxyStubClsid32	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{464C8A26-31E9-411C-9583-5B858E631DCC}\ = "IAdFilter"	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{464C8A26-31E9-411C-9583-5B858E631DCC}\TypeLib\Version = "1.0"	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A294F8EB-86D9-4C4A-8B3E-909253761C64}	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6AFC2761-1253-427C-9A56-385B4609BE1D}\1.0\HELPDIR	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{464C8A26-31E9-411C-9583-5B858E631DCC}\TypeLib	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A294F8EB-86D9-4C4A-8B3E-909253761C64}\TypeLib\Version = "1.0"	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}\Programmable	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE14F22E-BE14-4F08-A80F-F27BC3A67B2D}\VersionIndependentProgID\ = "MimeFilter.AdFilter"	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.DropTarget.1	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C76C055-ED6E-4535-A70F-CD476E727F67}\VersionIndependentProgID	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BandIE\CurVer	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}\ProgID	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Baidu\CLSID	baiducb.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

1a7b95d799bfc4252f650808872bcd31_JaffaCakes118.exeis-J36B1.tmp

description	pid	process	target process
PID 3440 wrote to memory of 2176	3440	1a7b95d799bfc4252f650808872bcd31_JaffaCakes118.exe	is-J36B1.tmp
PID 3440 wrote to memory of 2176	3440	1a7b95d799bfc4252f650808872bcd31_JaffaCakes118.exe	is-J36B1.tmp
PID 3440 wrote to memory of 2176	3440	1a7b95d799bfc4252f650808872bcd31_JaffaCakes118.exe	is-J36B1.tmp
PID 2176 wrote to memory of 1904	2176	is-J36B1.tmp	baiducb.exe
PID 2176 wrote to memory of 1904	2176	is-J36B1.tmp	baiducb.exe
PID 2176 wrote to memory of 1904	2176	is-J36B1.tmp	baiducb.exe

C:\Users\Admin\AppData\Local\Temp\1a7b95d799bfc4252f650808872bcd31_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1a7b95d799bfc4252f650808872bcd31_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3440

C:\Users\Admin\AppData\Local\Temp\is-KCQTV.tmp\is-J36B1.tmp
"C:\Users\Admin\AppData\Local\Temp\is-KCQTV.tmp\is-J36B1.tmp" /SL4 $800E0 "C:\Users\Admin\AppData\Local\Temp\1a7b95d799bfc4252f650808872bcd31_JaffaCakes118.exe" 783304 52224
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2176

C:\Users\Admin\AppData\Local\Temp\is-88TAV.tmp\baiducb.exe
"C:\Users\Admin\AppData\Local\Temp\is-88TAV.tmp\baiducb.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:1904

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ADVPACK.DLL
Filesize
90KB

MD5
d553b62a8136d41289513c6405efea2d

SHA1
db48c3fd3993ff20511e47ffad14bfbdb9f438eb

SHA256
ce7cfb626807084186b248bbf2ef776eac086da936146f7d44956c2fcfaec1f8

SHA512
4a3767e8ac1e684a9a6eaced921b9599e34d5a4e83f034c7fe42bd8fd707a2b86f51ad485933fed5015554c3f9c4cf4b1357832964cc170d8cba86092fc9d2e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BaiduBar.dll
Filesize
286KB

MD5
e4bc62a44704db1e93d4e839781d1920

SHA1
1e9dcd259beff683a81432bf2539b047700a2f9a

SHA256
e58dfa77619ef7d60c9f7ef40db74a81643ecf1886d1960be65578b18183b318

SHA512
3bbc9e0745406863c27e9cb98bdd403b192840d905a9bba9bb02e86581d16805292c197c8a79ae6ee2f22c1ddc50f763b6e4ae95d21a9055b94abeb17ccdef04

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.inf
Filesize
586B

MD5
c16ee16e5e62d584f951648a69624ee0

SHA1
8dc6ce55244f1af441103ccf5ab3ce82cf740bfd

SHA256
91d09fb03928ce0689b08377c745d8d49758f4d13d46c842dc073dd645f52359

SHA512
d3f2c8e18a2dbf6fb0deb4c6f8af68c11f2a3dcf50acb526117e805ac4c82c592642ba554b0fd5713a5e4a0dd0a3acf81eab3370389615634fda954c083a4b1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-88TAV.tmp\baiducb.exe
Filesize
222KB

MD5
68af74f9069626a3aec0cf038de102db

SHA1
64d1472f511d140794fb954a6444a58c0c0b9538

SHA256
2cd991b41ed34ef85bd30005fcced10ad19cb50a99d62ff48ca86044185e591c

SHA512
a5ec034ca8f84cdf7fdc5d31ee394a03339c0266a0339ac25b442b5c4e6beb88faf13bd9848eb9fb6fd6aef4ab3ac167e6576f20d5c8f9809f1dff247fd5dfb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KCQTV.tmp\is-J36B1.tmp
Filesize
634KB

MD5
d291acbf9866b8846fe0629e690feb1a

SHA1
293314b11340d798d3c74e2416e2a43f267a25d6

SHA256
ab3e1fa210171e5ed2decc615c9328379ee3d29b55ee0e5d7ef6bece43f583eb

SHA512
320e68a67fdcf13dc25640cf68468abd9e0dc51b647f95277eebbd06c7c5ee298b1f68d4a01deb886979e42cbc3eddf16ac4db18884a96b1535598ba11ba36ed

Download Submit
memory/2176-9-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2176-58-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3440-1-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3440-3-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download
memory/3440-57-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download