Analysis

  • max time kernel
    22s
  • max time network
    110s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    21-04-2021 23:04

General

  • Target

    IDM Pre-Crack @RedBlueHit.exe

  • Size

    6.8MB

  • MD5

    8201273cfefcff5b91f7d74304590da2

  • SHA1

    2551eae3464f3ed02028adfbcb704853562efa97

  • SHA256

    ad727f56774154d1e7fc7e6ffff7b5d53e18b96b98a00af4aa6bd464d09064d0

  • SHA512

    6a9ba0872bd0acceace12876afc95a087990279e3121dedf4baaabb93710224c4a920ed412c75d450a0d4f2c7b1be336907c0f08d2f57aaf4ca60dc3587cdd2c

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 24 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\IDM Pre-Crack @RedBlueHit.exe
    "C:\Users\Admin\AppData\Local\Temp\IDM Pre-Crack @RedBlueHit.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:668
    • C:\Users\Admin\AppData\Local\Temp\is-DB8OE.tmp\IDM Pre-Crack @RedBlueHit.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-DB8OE.tmp\IDM Pre-Crack @RedBlueHit.tmp" /SL5="$2013C,6759428,142336,C:\Users\Admin\AppData\Local\Temp\IDM Pre-Crack @RedBlueHit.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:3064
      • C:\Windows\SysWOW64\taskkill.exe
        "taskkill.exe" /f /im "IDMIntegrator64.exe"
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2244
      • C:\Windows\SysWOW64\taskkill.exe
        "taskkill.exe" /f /im "IEMonitor.exe"
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:856
      • C:\Windows\SysWOW64\taskkill.exe
        "taskkill.exe" /f /im "idmmkb.dll"
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3864
      • C:\Windows\SysWOW64\taskkill.exe
        "taskkill.exe" /f /im "IDMan.exe"
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3936
      • C:\Program Files (x86)\Internet Download Manager\IDMan.exe
        "C:\Program Files (x86)\Internet Download Manager\IDMan.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Modifies system certificate store
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2204

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Browser Extensions (T1176): 1
  • Defense Evasion
    Modify Registry (T1112): 3
    Install Root Certificate (T1130): 1
  • Discovery
    Query Registry (T1012): 1
    System Information Discovery (T1082): 1

Downloads

  • C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx
  • C:\Program Files (x86)\Internet Download Manager\IDMGetAll.dll
  • C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll
  • C:\Program Files (x86)\Internet Download Manager\IDMan.exe
  • C:\Program Files (x86)\Internet Download Manager\IDManTypeInfo.tlb
  • C:\Program Files (x86)\Internet Download Manager\Languages\idm_fa.lng
  • C:\Program Files (x86)\Internet Download Manager\Toolbar\3d_style_3.tbi
  • C:\Program Files (x86)\Internet Download Manager\Toolbar\PureFlat.tbi
  • C:\Program Files (x86)\Internet Download Manager\defexclist.txt
  • C:\Program Files (x86)\Internet Download Manager\downlWithIDM.dll
  • C:\Program Files (x86)\Internet Download Manager\idmfc.dat
  • C:\Program Files (x86)\Internet Download Manager\idmfsa.dll
  • C:\Program Files (x86)\Internet Download Manager\idmvs.dll
  • C:\Users\Admin\AppData\Local\Temp\is-DB8OE.tmp\IDM Pre-Crack @RedBlueHit.tmp
  • \Program Files (x86)\Internet Download Manager\IDMGetAll.dll
  • \Program Files (x86)\Internet Download Manager\IDMIECC.dll
  • \Program Files (x86)\Internet Download Manager\downlWithIDM.dll
  • \Program Files (x86)\Internet Download Manager\idmfsa.dll
  • \Program Files (x86)\Internet Download Manager\idmvs.dll
  • memory/668-114-0x0000000000400000-0x000000000042D000-memory.dmp (Filesize 180KB)
  • memory/856-121-0x0000000000000000-mapping.dmp
  • memory/2204-124-0x0000000000000000-mapping.dmp
  • memory/2244-120-0x0000000000000000-mapping.dmp
  • memory/3064-118-0x0000000000590000-0x0000000000591000-memory.dmp (Filesize 4KB)
  • memory/3064-115-0x0000000000000000-mapping.dmp
  • memory/3864-122-0x0000000000000000-mapping.dmp
  • memory/3936-123-0x0000000000000000-mapping.dmp