Analysis
-
max time kernel
151s -
max time network
80s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
11-09-2021 15:00
Static task
static1
Behavioral task
behavioral1
Sample
IDMan.exe
Resource
win7-en
Behavioral task
behavioral2
Sample
IDMan.exe
Resource
win10v20210408
General
-
Target
IDMan.exe
-
Size
5.4MB
-
MD5
9cf336cc118a12ef6b9c7e1a8def8af6
-
SHA1
fbf3d5f7e1e34c7a4215b7ab8cef5065222ae59c
-
SHA256
6dfc9ff4cb327d959df26226952ba79a9b0ec3590de54d34533a290581774041
-
SHA512
fb7adb2c03160d0ca750be5849f1845f1f57432321863d0e5f3b94f8d7d45ab3dd06d0bd0c146c0e88da2caedc6369bb03b273556145534126940cde4aceafd8
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
IDMan.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run IDMan.exe Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDMan.exe /onboot" IDMan.exe -
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
firefox.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe -
Processes:
IDMan.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM IDMan.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MenuExt\Download all links with IDM IDMan.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MenuExt\Download all links with IDM\contexts = "243" IDMan.exe Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" IDMan.exe Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" IDMan.exe Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "IDMan.exe" IDMan.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243" IDMan.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4} IDMan.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop IDMan.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006} IDMan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" IDMan.exe Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEExt.htm" IDMan.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy IDMan.exe Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe" IDMan.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3" IDMan.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel IDMan.exe Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\MenuExt\Download all links with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEGetAll.htm" IDMan.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Low Rights IDMan.exe Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "IDMan.exe" IDMan.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3" IDMan.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A} IDMan.exe Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" IDMan.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3" IDMan.exe Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" IDMan.exe -
Modifies registry class 15 IoCs
Processes:
IDMan.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4} IDMan.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}\Therad = "1" IDMan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32 IDMan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDMan.exe" IDMan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\RunAs = "Interactive User" IDMan.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}\Model = "253" IDMan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID IDMan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID\ = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" IDMan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan.CIDMLinkTransmitter" IDMan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\AppID = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" IDMan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan" IDMan.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ROTFlags = "1" IDMan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter IDMan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4} IDMan.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\WOW6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7} IDMan.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
IDMan.exedescription pid process Token: SeRestorePrivilege 628 IDMan.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
IDMan.exepid process 628 IDMan.exe -
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
IDMan.exepid process 628 IDMan.exe -
Suspicious use of SetWindowsHookEx 9 IoCs
Processes:
IDMan.exefirefox.exepid process 628 IDMan.exe 628 IDMan.exe 628 IDMan.exe 628 IDMan.exe 628 IDMan.exe 628 IDMan.exe 628 IDMan.exe 628 IDMan.exe 2520 firefox.exe -
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
IDMan.exefirefox.exefirefox.exedescription pid process target process PID 628 wrote to memory of 888 628 IDMan.exe regsvr32.exe PID 628 wrote to memory of 888 628 IDMan.exe regsvr32.exe PID 628 wrote to memory of 888 628 IDMan.exe regsvr32.exe PID 628 wrote to memory of 2332 628 IDMan.exe firefox.exe PID 628 wrote to memory of 2332 628 IDMan.exe firefox.exe PID 2332 wrote to memory of 2520 2332 firefox.exe firefox.exe PID 2332 wrote to memory of 2520 2332 firefox.exe firefox.exe PID 2332 wrote to memory of 2520 2332 firefox.exe firefox.exe PID 2332 wrote to memory of 2520 2332 firefox.exe firefox.exe PID 2332 wrote to memory of 2520 2332 firefox.exe firefox.exe PID 2332 wrote to memory of 2520 2332 firefox.exe firefox.exe PID 2332 wrote to memory of 2520 2332 firefox.exe firefox.exe PID 2332 wrote to memory of 2520 2332 firefox.exe firefox.exe PID 2332 wrote to memory of 2520 2332 firefox.exe firefox.exe PID 628 wrote to memory of 2256 628 IDMan.exe regsvr32.exe PID 628 wrote to memory of 2256 628 IDMan.exe regsvr32.exe PID 628 wrote to memory of 2256 628 IDMan.exe regsvr32.exe PID 628 wrote to memory of 768 628 IDMan.exe regsvr32.exe PID 628 wrote to memory of 768 628 IDMan.exe regsvr32.exe PID 628 wrote to memory of 768 628 IDMan.exe regsvr32.exe PID 628 wrote to memory of 740 628 IDMan.exe regsvr32.exe PID 628 wrote to memory of 740 628 IDMan.exe regsvr32.exe PID 628 wrote to memory of 740 628 IDMan.exe regsvr32.exe PID 628 wrote to memory of 1424 628 IDMan.exe regsvr32.exe PID 628 wrote to memory of 1424 628 IDMan.exe regsvr32.exe PID 628 wrote to memory of 1424 628 IDMan.exe regsvr32.exe PID 2520 wrote to memory of 1160 2520 firefox.exe firefox.exe PID 2520 wrote to memory of 1160 2520 firefox.exe firefox.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\IDMan.exe"C:\Users\Admin\AppData\Local\Temp\IDMan.exe"1⤵
- Adds Run key to start application
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"2⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html3⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2520.0.553970039\1796094598" -parentBuildID 20200403170909 -prefsHandle 1500 -prefMapHandle 1492 -prefsLen 1 -prefMapSize 219680 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2520 "\\.\pipe\gecko-crash-server-pipe.2520" 1560 gpu4⤵
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"2⤵
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMIECC64.dll"2⤵
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMGetAll64.dll"2⤵
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\downlWithIDM64.dll"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/740-140-0x0000000000000000-mapping.dmp
-
memory/768-139-0x0000000000000000-mapping.dmp
-
memory/888-114-0x0000000000000000-mapping.dmp
-
memory/1160-348-0x0000000000000000-mapping.dmp
-
memory/1424-141-0x0000000000000000-mapping.dmp
-
memory/2256-138-0x0000000000000000-mapping.dmp
-
memory/2332-115-0x0000000000000000-mapping.dmp
-
memory/2520-116-0x0000000000000000-mapping.dmp