Overview

overview

7

Static

static

IDMan.exe

windows7_x64

7

Resubmissions

12-09-2021 12:11

210912-pcmeysccc3 7

11-09-2021 15:00

210911-sdk53abea2 7

Analysis

  • max time kernel
    141s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-en
  • submitted
    12-09-2021 12:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    IDMan.exe

  • Size

    5.4MB

  • MD5

    9cf336cc118a12ef6b9c7e1a8def8af6

  • SHA1

    fbf3d5f7e1e34c7a4215b7ab8cef5065222ae59c

  • SHA256

    6dfc9ff4cb327d959df26226952ba79a9b0ec3590de54d34533a290581774041

  • SHA512

    fb7adb2c03160d0ca750be5849f1845f1f57432321863d0e5f3b94f8d7d45ab3dd06d0bd0c146c0e88da2caedc6369bb03b273556145534126940cde4aceafd8

Score
7/10
adwarepersistencespywarestealer

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Installs/modifies Browser Helper Object 2 TTPs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 24 IoCs
    adwarespyware
  • Modifies registry class 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\IDMan.exe
    "C:\Users\Admin\AppData\Local\Temp\IDMan.exe"
    1⤵
    • Adds Run key to start application
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1088
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
      2⤵
        PID:1204
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:396
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
          3⤵
          • Checks processor information in registry
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:1500
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1500.0.1528011718\1825718275" -parentBuildID 20200403170909 -prefsHandle 1184 -prefMapHandle 1176 -prefsLen 1 -prefMapSize 219537 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1500 "\\.\pipe\gecko-crash-server-pipe.1500" 1268 gpu
            4⤵
              PID:1180
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1500.3.374087541\1320210394" -childID 1 -isForBrowser -prefsHandle 1664 -prefMapHandle 1908 -prefsLen 122 -prefMapSize 219537 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1500 "\\.\pipe\gecko-crash-server-pipe.1500" 1736 tab
              4⤵
                PID:936
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1500.13.2078563672\1231936717" -childID 2 -isForBrowser -prefsHandle 2324 -prefMapHandle 2320 -prefsLen 988 -prefMapSize 219537 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1500 "\\.\pipe\gecko-crash-server-pipe.1500" 2560 tab
                4⤵
                  PID:2092
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1500.20.313213325\1111156375" -childID 3 -isForBrowser -prefsHandle 2744 -prefMapHandle 2748 -prefsLen 6979 -prefMapSize 219537 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1500 "\\.\pipe\gecko-crash-server-pipe.1500" 2732 tab
                  4⤵
                    PID:2124
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1500.27.589628337\1538563535" -childID 4 -isForBrowser -prefsHandle 3776 -prefMapHandle 3784 -prefsLen 6979 -prefMapSize 219537 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1500 "\\.\pipe\gecko-crash-server-pipe.1500" 3712 tab
                    4⤵
                      PID:2436
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1500.34.1747281676\958459835" -childID 5 -isForBrowser -prefsHandle 3872 -prefMapHandle 3868 -prefsLen 7983 -prefMapSize 219537 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1500 "\\.\pipe\gecko-crash-server-pipe.1500" 3060 tab
                      4⤵
                        PID:2844
                  • C:\Windows\SysWOW64\regsvr32.exe
                    "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
                    2⤵
                      PID:2736
                    • C:\Windows\SysWOW64\regsvr32.exe
                      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMIECC64.dll"
                      2⤵
                        PID:2756
                      • C:\Windows\SysWOW64\regsvr32.exe
                        "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMGetAll64.dll"
                        2⤵
                          PID:2772
                        • C:\Windows\SysWOW64\regsvr32.exe
                          "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\downlWithIDM64.dll"
                          2⤵
                            PID:2796

                        Network

                        MITRE ATT&CK Matrix ATT&CK v6

                        Initial Access

                        Execution

                        Persistence

                        Registry Run Keys / Startup Folder

                        1
                        T1060

                        Browser Extensions

                        1
                        T1176

                        Privilege Escalation

                        Defense Evasion

                        Modify Registry

                        3
                        T1112

                        Credential Access

                        Credentials in Files

                        1
                        T1081

                        Discovery

                        System Information Discovery

                        2
                        T1082

                        Query Registry

                        1
                        T1012

                        Lateral Movement

                        Collection

                        Data from Local System

                        1
                        T1005

                        Exfiltration

                        Command and Control

                        Impact

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • memory/396-55-0x0000000000000000-mapping.dmp
                          Download
                        • memory/936-64-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1088-52-0x0000000075991000-0x0000000075993000-memory.dmp
                          Filesize

                          8KB

                          Download
                        • memory/1180-59-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1204-53-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1500-88-0x000007FEB5570000-0x000007FEB557A000-memory.dmp
                          Filesize

                          40KB

                          Download
                        • memory/1500-56-0x0000000000000000-mapping.dmp
                          Download
                        • memory/1500-87-0x000007FEF6DD0000-0x000007FEF6F13000-memory.dmp
                          Filesize

                          1.3MB

                          Download
                        • memory/2092-68-0x0000000000000000-mapping.dmp
                          Download
                        • memory/2124-71-0x0000000000000000-mapping.dmp
                          Download
                        • memory/2436-74-0x0000000000000000-mapping.dmp
                          Download
                        • memory/2736-76-0x0000000000000000-mapping.dmp
                          Download
                        • memory/2756-78-0x0000000000000000-mapping.dmp
                          Download
                        • memory/2772-80-0x0000000000000000-mapping.dmp
                          Download
                        • memory/2796-82-0x0000000000000000-mapping.dmp
                          Download
                        • memory/2844-85-0x0000000000000000-mapping.dmp
                          Download