Analysis
- max time kernel: 164s
- max time network: 141s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 08-05-2022 15:51
- Static task: static1
- Behavioral task: behavioral1
- Sample: 5e99b7bb205fc75e2d68c2e8e014813f858beacb39af583e58a29adee8e1937e.exe
- Resource: win7-20220414-en
General
- Target: 5e99b7bb205fc75e2d68c2e8e014813f858beacb39af583e58a29adee8e1937e.exe
- Size: 2.0MB
- MD5: 1911db6208686820c73a57471921f04b
- SHA1: 23a9cea3c8f2575def0676fb5d7b435705ed8369
- SHA256: 5e99b7bb205fc75e2d68c2e8e014813f858beacb39af583e58a29adee8e1937e
- SHA512: 1298c2f63bc127effb64b03cbed6662960e477322d5d6cba4b0f7db91da8c99a9d5b61bd88529a61509162dbe44bc6d5dc20e84348d4d1ca3d84d1888033dac1
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid | process
    3500 | IDMan.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | 5e99b7bb205fc75e2d68c2e8e014813f858beacb39af583e58a29adee8e1937e.exe
- Installs/modifies Browser Helper Object (2 TTPs)
  BHOs are DLL modules which act as plugins for Internet Explorer.
- Drops file in Program Files directory (6 IoCs)
  Processes:
    description | ioc | process
    File created | C:\Program Files (x86)\Internet Download Manager\RegKey.reg | 5e99b7bb205fc75e2d68c2e8e014813f858beacb39af583e58a29adee8e1937e.exe
    File opened for modification | C:\Program Files (x86)\Internet Download Manager\RegKey.reg | 5e99b7bb205fc75e2d68c2e8e014813f858beacb39af583e58a29adee8e1937e.exe
    File opened for modification | C:\Program Files (x86)\Internet Download Manager | 5e99b7bb205fc75e2d68c2e8e014813f858beacb39af583e58a29adee8e1937e.exe
    File created | C:\Program Files (x86)\Internet Download Manager\__tmp_rar_sfx_access_check_240597765 | 5e99b7bb205fc75e2d68c2e8e014813f858beacb39af583e58a29adee8e1937e.exe
    File created | C:\Program Files (x86)\Internet Download Manager\IDMan.exe | 5e99b7bb205fc75e2d68c2e8e014813f858beacb39af583e58a29adee8e1937e.exe
    File opened for modification | C:\Program Files (x86)\Internet Download Manager\IDMan.exe | 5e99b7bb205fc75e2d68c2e8e014813f858beacb39af583e58a29adee8e1937e.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies Internet Explorer settings
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager" | IDMan.exe
    Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM | IDMan.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download all links with IDM\contexts = "243" | IDMan.exe
    Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A} | IDMan.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe" | IDMan.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3" | IDMan.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager" | IDMan.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" | IDMan.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243" | IDMan.exe
    Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4} | IDMan.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3" | IDMan.exe
    Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop | IDMan.exe
    Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006} | IDMan.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "IDMan.exe" | IDMan.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3" | IDMan.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" | IDMan.exe
    Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | IDMan.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Program Files (x86)\\Internet Download Manager\\IEExt.htm" | IDMan.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Program Files (x86)\\Internet Download Manager" | IDMan.exe
    Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy | IDMan.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "IDMan.exe" | IDMan.exe
    Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download all links with IDM | IDMan.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download all links with IDM\ = "C:\\Program Files (x86)\\Internet Download Manager\\IEGetAll.htm" | IDMan.exe
    Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Low Rights | IDMan.exe
- Modifies registry class (12 IoCs)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID | IDMan.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan.CIDMLinkTransmitter" | IDMan.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan" | IDMan.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\RunAs = "Interactive User" | IDMan.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ROTFlags = "1" | IDMan.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter | IDMan.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID\ = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" | IDMan.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4} | IDMan.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\AppID = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" | IDMan.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32 | IDMan.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32\ = "C:\\Program Files (x86)\\Internet Download Manager\\IDMan.exe" | IDMan.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4} | IDMan.exe
- Runs .reg file with regedit (1 IoC)
  Processes:
    pid | process
    812 | regedit.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description | pid | process
    Token: SeRestorePrivilege | 3500 | IDMan.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes:
    pid | process
    3500 | IDMan.exe
    3500 | IDMan.exe
    3500 | IDMan.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description | pid | process | target process
    PID 4340 wrote to memory of 812 | 4340 | 5e99b7bb205fc75e2d68c2e8e014813f858beacb39af583e58a29adee8e1937e.exe | regedit.exe
    PID 4340 wrote to memory of 812 | 4340 | 5e99b7bb205fc75e2d68c2e8e014813f858beacb39af583e58a29adee8e1937e.exe | regedit.exe
    PID 4340 wrote to memory of 812 | 4340 | 5e99b7bb205fc75e2d68c2e8e014813f858beacb39af583e58a29adee8e1937e.exe | regedit.exe
    PID 4340 wrote to memory of 3500 | 4340 | 5e99b7bb205fc75e2d68c2e8e014813f858beacb39af583e58a29adee8e1937e.exe | IDMan.exe
    PID 4340 wrote to memory of 3500 | 4340 | 5e99b7bb205fc75e2d68c2e8e014813f858beacb39af583e58a29adee8e1937e.exe | IDMan.exe
    PID 4340 wrote to memory of 3500 | 4340 | 5e99b7bb205fc75e2d68c2e8e014813f858beacb39af583e58a29adee8e1937e.exe | IDMan.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\5e99b7bb205fc75e2d68c2e8e014813f858beacb39af583e58a29adee8e1937e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5e99b7bb205fc75e2d68c2e8e014813f858beacb39af583e58a29adee8e1937e.exe"
  - Checks computer location settings
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\regedit.exe
    Command line: "C:\Windows\System32\regedit.exe" /S RegKey.reg
    - Runs .reg file with regedit
  - C:\Program Files (x86)\Internet Download Manager\IDMan.exe
    Command line: "C:\Program Files (x86)\Internet Download Manager\IDMan.exe"
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files (x86)\Internet Download Manager\IDMan.exe
  Filesize: 5.2MB
  MD5: 125cc32631054d876373fe701f66a140
  SHA1: 812d740f9da1bac61cb1a4bddcd934170ae27425
  SHA256: 989154ed476c58d29fe03af8bdbbe839dc1de24b60f29ac1e61a284420ffabfa
  SHA512: 9b400925dc88f49076bbd48876d893bce96000561323a932a0ae53002a5669baa319391a552f71b845b49db9b59634cff8abfcf089153d6b7d34a1b3a65a904d
- C:\Program Files (x86)\Internet Download Manager\RegKey.reg
  Filesize: 1KB
  MD5: 406c71cece27fc28fde620b448ca52cb
  SHA1: f44d0a79b6809ac4e00e94cd31213bf51370cc70
  SHA256: be8794dcbf0071a2d6f4fc5e953cd4371da58500d0325f0c45674416ec7d8b23
  SHA512: 64df44f1857e162e7ea069c5619ef98ff3f6c54636ca88238ae9b364112fb083cc74e022694d415a095c9074f677b1d30348b5070be72ae86e9cbda17905310f
- memory/812-130-0x0000000000000000-mapping.dmp
- memory/3500-131-0x0000000000000000-mapping.dmp