Resubmissions

  • 12-09-2021 12:11
    210912-pcmeysccc3 7
  • 11-09-2021 15:00
    210911-sdk53abea2 7

Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-en
  • submitted
    11-09-2021 15:00

General

  • Target

    IDMan.exe

  • Size

    5.4MB

  • MD5

    9cf336cc118a12ef6b9c7e1a8def8af6

  • SHA1

    fbf3d5f7e1e34c7a4215b7ab8cef5065222ae59c

  • SHA256

    6dfc9ff4cb327d959df26226952ba79a9b0ec3590de54d34533a290581774041

  • SHA512

    fb7adb2c03160d0ca750be5849f1845f1f57432321863d0e5f3b94f8d7d45ab3dd06d0bd0c146c0e88da2caedc6369bb03b273556145534126940cde4aceafd8

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 24 IoCs
  • Modifies registry class 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\IDMan.exe
    "C:\Users\Admin\AppData\Local\Temp\IDMan.exe"
    1⤵
    • Adds Run key to start application
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
      2⤵
      PID:1772
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:932
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
        3⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:812
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="812.0.50459252\1104004067" -parentBuildID 20200403170909 -prefsHandle 1196 -prefMapHandle 1188 -prefsLen 1 -prefMapSize 219537 -appdir "C:\Program Files\Mozilla Firefox\browser" - 812 "\\.\pipe\gecko-crash-server-pipe.812" 1268 gpu
          4⤵
          PID:1760
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="812.3.1841518939\1652697524" -childID 1 -isForBrowser -prefsHandle 1756 -prefMapHandle 1752 -prefsLen 122 -prefMapSize 219537 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 812 "\\.\pipe\gecko-crash-server-pipe.812" 1788 tab
          4⤵
          PID:1876
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="812.13.543044798\2133926920" -childID 2 -isForBrowser -prefsHandle 2540 -prefMapHandle 2532 -prefsLen 6979 -prefMapSize 219537 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 812 "\\.\pipe\gecko-crash-server-pipe.812" 2524 tab
          4⤵
          PID:2144
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="812.20.1457930457\612808493" -childID 3 -isForBrowser -prefsHandle 3300 -prefMapHandle 3280 -prefsLen 7684 -prefMapSize 219537 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 812 "\\.\pipe\gecko-crash-server-pipe.812" 3312 tab
          4⤵
          PID:2364
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="812.27.957656848\1683629582" -childID 4 -isForBrowser -prefsHandle 3280 -prefMapHandle 3300 -prefsLen 7983 -prefMapSize 219537 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 812 "\\.\pipe\gecko-crash-server-pipe.812" 3224 tab
          4⤵
          PID:2652
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
      2⤵
      PID:2556
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMIECC64.dll"
      2⤵
      PID:2572
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMGetAll64.dll"
      2⤵
      PID:2596
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\downlWithIDM64.dll"
      2⤵
      PID:2616

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

  • Registry Run Keys / Startup Folder (1) T1060
  • Browser Extensions (1) T1176

Defense Evasion

  • Modify Registry (3) T1112

Credential Access

  • Credentials in Files (1) T1081

Discovery

  • System Information Discovery (2) T1082
  • Query Registry (1) T1012

Collection

  • Data from Local System (1) T1005


Downloads

  • memory/812-56-0x0000000000000000-mapping.dmp
  • memory/932-55-0x0000000000000000-mapping.dmp
  • memory/1684-52-0x0000000075AD1000-0x0000000075AD3000-memory.dmp
    Filesize: 8KB
  • memory/1760-59-0x0000000000000000-mapping.dmp
  • memory/1772-53-0x0000000000000000-mapping.dmp
  • memory/1876-64-0x0000000000000000-mapping.dmp
  • memory/2144-68-0x0000000000000000-mapping.dmp
  • memory/2364-71-0x0000000000000000-mapping.dmp
  • memory/2556-73-0x0000000000000000-mapping.dmp
  • memory/2572-75-0x0000000000000000-mapping.dmp
  • memory/2596-77-0x0000000000000000-mapping.dmp
  • memory/2616-79-0x0000000000000000-mapping.dmp
  • memory/2652-82-0x0000000000000000-mapping.dmp