Analysis

  • max time kernel
    51s
  • max time network
    59s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-11-2022 18:44

General

  • Target

    InternetDownloadManagerPortable.exe

  • Size

    71KB

  • MD5

    1d9b7bb85e74cabafaac8baf2fc3db99

  • SHA1

    c14e9a55a308b92bc4631e8aed3a24d34801bebc

  • SHA256

    c1dbfcd749baa5a588e5ecc9cd05c14b6d224b7c0867117c519f9f1ea13811e0

  • SHA512

    2a433f0ff84ba48676957ddc253df4d26d1c17b95f6928320758758af91bf6e85e31112b1370ce9d5d2768689998be915b3879b421266ff3deb5cc1267eb2099

  • SSDEEP

    1536:YdnREfs9ke7FggdycW64fUX808MRwadzJaAwo+zo:YdRGsvFggQcWhcX8swa94Awo+zo

Malware Config

Signatures

  • Drops file in Drivers directory 3 IoCs
  • Registers COM server for autorun 1 TTPs 58 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's canned description calls this likely ransomware behaviour, but drive enumeration is also routine for installers and download managers, so weigh it against the rest of the signature list rather than on its own.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 24 IoCs
  • Modifies registry class 64 IoCs
  • Runs net.exe
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
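The registry-side signatures above (Registers COM server for autorun, Adds Run key, Sets service image path, Installs/modifies Browser Helper Object) are the artefacts a responder would pull from an affected host. The script below is an added example, not part of the sandbox report: it parses the text that `reg export` / regedit writes (a `.reg` file, "Windows Registry Editor Version 5.00"), lists BHO registrations, Run-key entries, service ImagePath values and COM InprocServer32 servers, and flags any whose binary lives in a user-writable location such as AppData or %TEMP%. SAMPLE_REG is constructed for this example; the CLSIDs, the Run value, the driver file name and the service key contents are assumptions modelled on the report's artefacts, not values recovered from the sample.

```python
"""Triage registry persistence from a .reg export (added example, not from the report)."""
import re

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
USER_WRITABLE = re.compile(r"\\(?:Users\\[^\\]+\\AppData|Temp|ProgramData|Users\\Public)\\", re.I)
CLSID_RE = re.compile(r"\\CLSID\\(\{[0-9A-F-]+\})", re.I)


def _hex2(s):
    """Encode a string the way regedit exports REG_EXPAND_SZ: hex(2): UTF-16LE bytes."""
    return "hex(2):" + ",".join(f"{b:02x}" for b in (s + "\x00").encode("utf-16-le"))


DRIVER_PATH = r"\??\C:\Windows\System32\drivers\idmwfp.sys"  # ASSUMED driver file name

# Constructed sample export; CLSIDs, Run value and service contents are assumptions.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-1111-2222-3333-444444444444}]
@="IDM integration (hypothetical CLSID)"

[HKEY_CLASSES_ROOT\CLSID\{00000000-1111-2222-3333-444444444444}\InprocServer32]
@="C:\\Users\\Admin\\AppData\\Local\\Temp\\App\\IDM\\IDMIECC64.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\Windows\\System32\\shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="\"C:\\Users\\Admin\\AppData\\Local\\Temp\\App\\IDM\\IDMan.exe\" /onboot"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IDMWFP]
"Type"=dword:00000001
"Start"=dword:00000003
"ImagePath"=""" + _hex2(DRIVER_PATH) + "\n"


def _unescape(s):
    """Undo .reg string escaping (\\\\ and \\")."""
    return re.sub(r"\\(.)", r"\1", s)


def _decode(raw):
    """Decode one exported value: quoted string, hex(2) REG_EXPAND_SZ, or dword."""
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    return raw


def parse_reg(text):
    """Return {key_path: {value_name: value}}; hex data wrapped with '\\' continuations is rejoined."""
    keys, current = {}, None
    for line in re.sub(r"\\\r?\n\s*", "", text).splitlines():
        line = line.strip()
        if (m := KEY_RE.match(line)):
            current = keys.setdefault(m.group(1), {})
        elif (m := VALUE_RE.match(line)) and current is not None:
            name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            current[name] = _decode(m.group(2))
    return keys


def _binary(cmd):
    """Strip the NT '\\??\\' prefix, quotes and arguments from a command or image path."""
    cmd = str(cmd).strip()
    if cmd.startswith("\\??\\"):
        cmd = cmd[4:]
    return cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split(" ")[0]


def find_persistence(keys):
    """Return (kind, name, binary, in_user_writable_dir) for each persistence artefact found."""
    lower = {k.lower(): v for k, v in keys.items()}

    def inproc_server(clsid):  # resolve a CLSID to its in-process server DLL
        for hive in ("hkey_classes_root", "hkey_local_machine\\software\\classes"):
            v = lower.get(f"{hive}\\clsid\\{clsid.lower()}\\inprocserver32")
            if v:
                return str(v.get("(Default)", "?"))
        return "?"

    found = []
    for key, values in keys.items():
        k = key.lower()
        if "\\explorer\\browser helper objects\\" in k:
            clsid = key.rsplit("\\", 1)[1]
            found.append(("BHO", clsid, inproc_server(clsid)))
        elif k.endswith("\\currentversion\\run"):
            found.extend(("Run key", name, _binary(cmd)) for name, cmd in values.items())
        elif "\\services\\" in k and "ImagePath" in values:
            found.append(("Service", key.rsplit("\\", 1)[1], _binary(values["ImagePath"])))
        elif k.endswith("\\inprocserver32") and (m := CLSID_RE.search(key)):
            found.append(("COM server", m.group(1), str(values.get("(Default)", "?"))))
    return [(kind, name, path, bool(USER_WRITABLE.search(path))) for kind, name, path in found]


if __name__ == "__main__":
    for kind, name, path, suspicious in find_persistence(parse_reg(SAMPLE_REG)):
        print(f"{kind:10} {name:40} {path}  [{'user-writable path' if suspicious else 'ok'}]")
```

The path check is the useful signal here: a COM server, BHO or Run entry pointing into AppData or a Temp directory is unusual for installed software and is exactly what the report's `regsvr32 /s C:\Users\Admin\AppData\Local\Temp\App\IDM\...dll` lines produce, while the driver's ImagePath under System32\drivers is what an INF-based install normally writes. Run it against `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects bho.reg` and similar exports from a suspect host.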

Processes

  • C:\Users\Admin\AppData\Local\Temp\InternetDownloadManagerPortable.exe
    "C:\Users\Admin\AppData\Local\Temp\InternetDownloadManagerPortable.exe"
    1⤵
    • Sets service image path in registry
    • Loads dropped DLL
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1792
    • C:\Users\Admin\AppData\Local\Temp\App\IDM\IDMan.exe
      C:\Users\Admin\AppData\Local\Temp\App\IDM\IDMan.exe
      2⤵
      • Installs/modifies Browser Helper Object
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2040
      • C:\Users\Admin\AppData\Local\Temp\App\IDM\IDMIntegrator64.exe
        "C:\Users\Admin\AppData\Local\Temp\App\IDM\IDMIntegrator64.exe" -runcm
        3⤵
        • Registers COM server for autorun
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:3268
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1156
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
          4⤵
          • Checks processor information in registry
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2524
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2524.0.858700518\1767979980" -parentBuildID 20200403170909 -prefsHandle 1700 -prefMapHandle 1692 -prefsLen 1 -prefMapSize 219940 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2524 "\\.\pipe\gecko-crash-server-pipe.2524" 1788 gpu
            5⤵
            PID:2024
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2524.3.723032362\318066259" -childID 1 -isForBrowser -prefsHandle 2376 -prefMapHandle 1556 -prefsLen 112 -prefMapSize 219940 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2524 "\\.\pipe\gecko-crash-server-pipe.2524" 2396 tab
            5⤵
            PID:3252
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2524.13.1362760885\1190466487" -childID 2 -isForBrowser -prefsHandle 3636 -prefMapHandle 3684 -prefsLen 6894 -prefMapSize 219940 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2524 "\\.\pipe\gecko-crash-server-pipe.2524" 3656 tab
            5⤵
            PID:1964
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2524.20.1495426647\1549860566" -childID 3 -isForBrowser -prefsHandle 4196 -prefMapHandle 4144 -prefsLen 6894 -prefMapSize 219940 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2524 "\\.\pipe\gecko-crash-server-pipe.2524" 4248 tab
            5⤵
            PID:1668
      • C:\Users\Admin\AppData\Local\Temp\App\IDM\Uninstall.exe
        "C:\Users\Admin\AppData\Local\Temp\App\IDM\Uninstall.exe" -instdriv
        3⤵
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4592
        • C:\Windows\system32\RUNDLL32.EXE
          "C:\Windows\Sysnative\RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\Users\Admin\AppData\Local\Temp\App\IDM\idmwfp.inf
          4⤵
          • Drops file in Drivers directory
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:4892
          • C:\Windows\system32\runonce.exe
            "C:\Windows\system32\runonce.exe" -r
            5⤵
            • Checks processor information in registry
            • Suspicious use of WriteProcessMemory
            PID:4664
            • C:\Windows\System32\grpconv.exe
              "C:\Windows\System32\grpconv.exe" -o
              6⤵
              PID:4052
        • C:\Windows\SysWOW64\net.exe
          "C:\Windows\System32\net.exe" start IDMWFP
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4300
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 start IDMWFP
            5⤵
            PID:4080
        • C:\Windows\SysWOW64\net.exe
          "C:\Windows\System32\net.exe" start IDMWFP
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3392
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 start IDMWFP
            5⤵
            PID:4920
        • C:\Windows\SysWOW64\net.exe
          "C:\Windows\System32\net.exe" start IDMWFP
          4⤵
          PID:1560
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 start IDMWFP
            5⤵
            PID:4964
        • C:\Windows\SysWOW64\net.exe
          "C:\Windows\System32\net.exe" start IDMWFP
          4⤵
          PID:4804
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 start IDMWFP
            5⤵
            PID:4352
        • C:\Windows\SysWOW64\net.exe
          "C:\Windows\System32\net.exe" start IDMWFP
          4⤵
          PID:5004
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 start IDMWFP
            5⤵
            PID:4476
        • C:\Windows\SysWOW64\net.exe
          "C:\Windows\System32\net.exe" start IDMWFP
          4⤵
          PID:3800
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 start IDMWFP
            5⤵
            PID:4440
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\App\IDM\IDMShellExt64.dll"
          4⤵
          PID:3396
          • C:\Windows\system32\regsvr32.exe
            /s "C:\Users\Admin\AppData\Local\Temp\App\IDM\IDMShellExt64.dll"
            5⤵
            • Registers COM server for autorun
            PID:2144
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\App\IDM\IDMShellExt64.dll"
        3⤵
        PID:388
        • C:\Windows\system32\regsvr32.exe
          /s "C:\Users\Admin\AppData\Local\Temp\App\IDM\IDMShellExt64.dll"
          4⤵
          • Registers COM server for autorun
          PID:1648
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\App\IDM\IDMIECC64.dll"
        3⤵
        PID:3744
        • C:\Windows\system32\regsvr32.exe
          /s "C:\Users\Admin\AppData\Local\Temp\App\IDM\IDMIECC64.dll"
          4⤵
          • Registers COM server for autorun
          • Modifies registry class
          PID:5092
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\App\IDM\IDMGetAll64.dll"
        3⤵
        PID:3604
        • C:\Windows\system32\regsvr32.exe
          /s "C:\Users\Admin\AppData\Local\Temp\App\IDM\IDMGetAll64.dll"
          4⤵
          • Registers COM server for autorun
          • Modifies registry class
          PID:5088
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\App\IDM\downlWithIDM64.dll"
        3⤵
        PID:3492
        • C:\Windows\system32\regsvr32.exe
          /s "C:\Users\Admin\AppData\Local\Temp\App\IDM\downlWithIDM64.dll"
          4⤵
          • Registers COM server for autorun
          • Modifies registry class
          PID:736
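The tree above is a chain of signed Windows binaries doing the work: `Uninstall.exe -instdriv` calls rundll32 with `SETUPAPI.DLL,InstallHinfSection` on an INF that sits in %TEMP%, then `net start IDMWFP` repeatedly, and IDMan.exe registers five DLLs from the same Temp directory with `regsvr32 /s`. The script below is an added example, not part of the sandbox report, showing how to pull that chain out of process-creation telemetry. EVENTS is constructed for this example and mirrors the report's tree (pid, parent pid, image, command line); the field layout is the script's own rather than Sysmon's schema, and the pid-9001 event with a DLL under Program Files is a benign control that is not in the report, added to show what the rules leave alone. The sibling-or-descendant heuristic that ties a `net start` to the INF install is likewise this example's choice.

```python
"""Pull the rundll32/InstallHinfSection -> net start / regsvr32 chain out of
process-creation events (added example, not from the sandbox report)."""
import re
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

# Constructed events modelled on the report's process tree (not real telemetry).
EVENTS = [
    Event(1792, 0, r"C:\Users\Admin\AppData\Local\Temp\InternetDownloadManagerPortable.exe",
          r'"C:\Users\Admin\AppData\Local\Temp\InternetDownloadManagerPortable.exe"'),
    Event(2040, 1792, r"C:\Users\Admin\AppData\Local\Temp\App\IDM\IDMan.exe",
          r"C:\Users\Admin\AppData\Local\Temp\App\IDM\IDMan.exe"),
    Event(4592, 2040, r"C:\Users\Admin\AppData\Local\Temp\App\IDM\Uninstall.exe",
          r'"C:\Users\Admin\AppData\Local\Temp\App\IDM\Uninstall.exe" -instdriv'),
    Event(4892, 4592, r"C:\Windows\system32\RUNDLL32.EXE",
          r'"C:\Windows\Sysnative\RUNDLL32.EXE" SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 '
          r'C:\Users\Admin\AppData\Local\Temp\App\IDM\idmwfp.inf'),
    Event(4300, 4592, r"C:\Windows\SysWOW64\net.exe", r'"C:\Windows\System32\net.exe" start IDMWFP'),
    Event(4080, 4300, r"C:\Windows\SysWOW64\net1.exe", r"C:\Windows\system32\net1 start IDMWFP"),
    Event(3396, 4592, r"C:\Windows\SysWOW64\regsvr32.exe",
          r'"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\App\IDM\IDMShellExt64.dll"'),
    Event(3744, 2040, r"C:\Windows\SysWOW64\regsvr32.exe",
          r'"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\App\IDM\IDMIECC64.dll"'),
    # Benign control (constructed; pid and path are not from the report): DLL under Program Files.
    Event(9001, 2040, r"C:\Windows\SysWOW64\regsvr32.exe",
          r'"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files\Vendor\plugin.dll"'),
]

USER_WRITABLE = re.compile(r"\\(?:Users\\[^\\]+\\AppData|Temp|ProgramData|Users\\Public)\\", re.I)
INF_RE = re.compile(r"InstallHinfSection\s+\S+\s+\d+\s+(\S+\.inf)\b", re.I)
DLL_RE = re.compile(r'"([A-Za-z]:\\[^"]+?\.dll)"|([A-Za-z]:\\\S+?\.dll)\b', re.I)
NET_START_RE = re.compile(r'\bnet(?:\.exe)?"?\s+start\s+(\S+)', re.I)


def _is(image, name):
    return image.lower().endswith("\\" + name)


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def _dll_arg(cmdline):
    """First DLL path in a command line, quoted (may contain spaces) or bare."""
    m = DLL_RE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def analyse(events):
    """Return (rule, pid, detail, ancestry) tuples; ancestry reads child <- parent <- ... <- root."""
    by_pid = {e.pid: e for e in events}

    def ancestors(e):
        out = []
        while e.ppid in by_pid:
            e = by_pid[e.ppid]
            out.append(e.pid)
        return out

    def chain(e):
        return " <- ".join(f"{_basename(by_pid[p].image)}({p})" for p in [e.pid] + ancestors(e))

    findings, installers = [], []
    for e in events:
        if _is(e.image, "rundll32.exe"):
            m = INF_RE.search(e.cmdline)
            if m and USER_WRITABLE.search(m.group(1)):
                findings.append(("inf_install_from_user_dir", e.pid, m.group(1), chain(e)))
                installers.append(e)
        elif _is(e.image, "regsvr32.exe"):
            dll = _dll_arg(e.cmdline)
            if dll and USER_WRITABLE.search(dll):
                findings.append(("com_register_from_user_dir", e.pid, dll, chain(e)))
    # A `net start` is tied to an INF install when it is a sibling or a descendant of the
    # installing rundll32: the same parent drove both, as Uninstall.exe -instdriv does here.
    for e in events:
        if not _is(e.image, "net.exe"):
            continue
        m = NET_START_RE.search(e.cmdline)
        if m and any(i.ppid == e.ppid or i.pid in ancestors(e) for i in installers):
            findings.append(("service_start_after_inf_install", e.pid, m.group(1), chain(e)))
    return findings


if __name__ == "__main__":
    for rule, pid, detail, ancestry in analyse(EVENTS):
        print(f"{rule:32} pid={pid:<5} {detail}\n{'':33}{ancestry}")
```

The point of reporting the ancestry string rather than the single event is that none of the flagged images is unusual on its own; what distinguishes this from a normal driver install is the whole chain running out of a user's Temp directory. Only `net.exe` is matched, not `net1.exe`, because each `net start` spawns a `net1` child with the same arguments and counting both would double every hit.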

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    • Registry Run Keys / Startup Folder (T1060): 3 signatures
    • Browser Extensions (T1176): 1 signature
  • Defense Evasion
    • Modify Registry (T1112): 4 signatures
  • Discovery
    • System Information Discovery (T1082): 2 signatures
    • Query Registry (T1012): 1 signature

The counts are the number of signatures above mapped to each technique. The IDs are from ATT&CK v6; in current ATT&CK, T1060 has been folded into T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder).


Downloads

  • C:\Users\Admin\AppData\Local\Temp\IDM\idmfc.dat
    Filesize
    4KB
    MD5
    64e902a79acbef7be2a918c9cb431c6a
    SHA1
    7abe99b612eb52d57f28f1d03262b1671895d53c
    SHA256
    ca91f9e8a7bb64950656e7aafe0ca9bd5d5331986a4484aa233bb8c7a350b3d2
    SHA512
    87f98a3a6322b702094b81fc7bd1a6fc88749f2857a5c9701753217f0d82cecc5e6423cdf8472aa68814f4a4d450cb5fc53928831fff946432b477f5d3372f1d

  • C:\Users\Admin\AppData\Local\Temp\IDM\urlexclist.dat
    Filesize
    3KB
    MD5
    4260b3d9b4f6b1253e11b257b4a99870
    SHA1
    2120ce717950eb42121934615cb1af7771d5100f
    SHA256
    d8e61117caecb4733fef9b3b0cefab1b29c57b5fa48cf2885c65ca9e69904afa
    SHA512
    ff7bd9e4974c6381d844644f359dcdccfe52b730f3009837f2ec77fe33b0c98d997e94ba9a1ec96ab6bb39635cb7ab9f97372df89181babc50863d401df46229

  • C:\Users\Admin\AppData\Local\Temp\nswCB46.tmp\System.dll
    Filesize
    11KB
    MD5
    fbe295e5a1acfbd0a6271898f885fe6a
    SHA1
    d6d205922e61635472efb13c2bb92c9ac6cb96da
    SHA256
    a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
    SHA512
    2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

  • C:\Users\Admin\AppData\Local\Temp\nswCB46.tmp\registry.dll
    Filesize
    24KB
    MD5
    2b7007ed0262ca02ef69d8990815cbeb
    SHA1
    2eabe4f755213666dbbbde024a5235ddde02b47f
    SHA256
    0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d
    SHA512
    aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca

    The ns*.tmp directory under %TEMP% with System.dll and registry.dll inside it is the layout an NSIS-built installer uses for its plugin DLLs, which is consistent with the two "Loads dropped DLL" IoCs in the signature list; check those two hashes against the stock NSIS plugins before treating them as sample-specific.
  • memory/388-158-0x0000000000000000-mapping.dmp
  • memory/736-165-0x0000000000000000-mapping.dmp
  • memory/1560-148-0x0000000000000000-mapping.dmp
  • memory/1648-160-0x0000000000000000-mapping.dmp
  • memory/1792-133-0x0000000004820000-0x0000000004834000-memory.dmp
    Filesize
    80KB
  • memory/2040-135-0x0000000000000000-mapping.dmp
  • memory/2144-157-0x0000000000000000-mapping.dmp
  • memory/3268-136-0x0000000000000000-mapping.dmp
  • memory/3392-146-0x0000000000000000-mapping.dmp
  • memory/3396-156-0x0000000000000000-mapping.dmp
  • memory/3492-164-0x0000000000000000-mapping.dmp
  • memory/3604-161-0x0000000000000000-mapping.dmp
  • memory/3744-159-0x0000000000000000-mapping.dmp
  • memory/3800-154-0x0000000000000000-mapping.dmp
  • memory/4052-143-0x0000000000000000-mapping.dmp
  • memory/4080-145-0x0000000000000000-mapping.dmp
  • memory/4300-144-0x0000000000000000-mapping.dmp
  • memory/4352-151-0x0000000000000000-mapping.dmp
  • memory/4440-155-0x0000000000000000-mapping.dmp
  • memory/4476-153-0x0000000000000000-mapping.dmp
  • memory/4592-140-0x0000000000400000-0x0000000000429000-memory.dmp
    Filesize
    164KB
  • memory/4592-139-0x0000000000000000-mapping.dmp
  • memory/4664-142-0x0000000000000000-mapping.dmp
  • memory/4804-150-0x0000000000000000-mapping.dmp
  • memory/4892-141-0x0000000000000000-mapping.dmp
  • memory/4920-147-0x0000000000000000-mapping.dmp
  • memory/4964-149-0x0000000000000000-mapping.dmp
  • memory/5004-152-0x0000000000000000-mapping.dmp
  • memory/5088-163-0x0000000000000000-mapping.dmp
  • memory/5092-162-0x0000000000000000-mapping.dmp