Analysis
-
max time kernel
308s -
max time network
320s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
01-04-2023 22:05
Static task
static1
Behavioral task
behavioral1
Sample
IDMan.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
IDMan.exe
Resource
win10v2004-20230220-en
General
-
Target
IDMan.exe
-
Size
5.6MB
-
MD5
e0058fefc40216ebce70a63f2975204e
-
SHA1
4c77ae3b2ab4066f357e90ef59f6f05a60fab9fc
-
SHA256
7158dbcba678d6d493a75c2dce96a8f5e10a83bda77c911b9994e9c7ca0971c5
-
SHA512
2de24620b156be391593c7aee57fd633732f75be502d7830131abb041421b7aab175d25d27a8b7323579eb631789580da8ddf5cf31acb542bd73e50597961717
-
SSDEEP
98304:iqfdKBo2I2V8ABsF0sroOl11P4pQx18frP3wbzWFimaI7dlZe3:LfEBDjV8x0s0rgbzWFimaI7dl
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
IDMan.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation IDMan.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
IDMan.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDMan.exe /onboot" IDMan.exe Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows\CurrentVersion\Run IDMan.exe -
Installs/modifies Browser Helper Object 2 TTPs 8 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes:
IDMan.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper" IDMan.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1" IDMan.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects IDMan.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8} IDMan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper" IDMan.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1" IDMan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects IDMan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8} IDMan.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Processes:
IDMan.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Low Rights IDMan.exe Set value (str) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" IDMan.exe Set value (str) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe" IDMan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" IDMan.exe Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel IDMan.exe Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote IDMan.exe Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4} IDMan.exe Set value (str) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "IDMan.exe" IDMan.exe Set value (int) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3" IDMan.exe Set value (int) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243" IDMan.exe Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy IDMan.exe Set value (int) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3" IDMan.exe Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A} IDMan.exe Set value (str) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" IDMan.exe Set value (str) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "IDMan.exe" IDMan.exe Set value (str) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" IDMan.exe Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM IDMan.exe Set value (str) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEExt.htm" IDMan.exe Set value (int) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3" IDMan.exe Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop IDMan.exe Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006} IDMan.exe Set value (str) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" IDMan.exe -
Modifies registry class 17 IoCs
Processes:
IDMan.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32 IDMan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan" IDMan.exe Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\WOW6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7} IDMan.exe Set value (int) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\WOW6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Model = "91" IDMan.exe Set value (int) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\WOW6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Therad = "1" IDMan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID IDMan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID\ = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" IDMan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4} IDMan.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ROTFlags = "1" IDMan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\AppID = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" IDMan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IDMan.exe" IDMan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\RunAs = "Interactive User" IDMan.exe Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\WOW6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD} IDMan.exe Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\WOW6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D} IDMan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter IDMan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4} IDMan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan.CIDMLinkTransmitter" IDMan.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
IDMan.exedescription pid process Token: SeRestorePrivilege 3592 IDMan.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
IDMan.exepid process 3592 IDMan.exe -
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
IDMan.exepid process 3592 IDMan.exe -
Suspicious use of SetWindowsHookEx 9 IoCs
Processes:
IDMan.exepid process 3592 IDMan.exe 3592 IDMan.exe 3592 IDMan.exe 3592 IDMan.exe 3592 IDMan.exe 3592 IDMan.exe 3592 IDMan.exe 3592 IDMan.exe 3592 IDMan.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
IDMan.exedescription pid process target process PID 3592 wrote to memory of 1012 3592 IDMan.exe regsvr32.exe PID 3592 wrote to memory of 1012 3592 IDMan.exe regsvr32.exe PID 3592 wrote to memory of 1012 3592 IDMan.exe regsvr32.exe PID 3592 wrote to memory of 892 3592 IDMan.exe regsvr32.exe PID 3592 wrote to memory of 892 3592 IDMan.exe regsvr32.exe PID 3592 wrote to memory of 892 3592 IDMan.exe regsvr32.exe PID 3592 wrote to memory of 4828 3592 IDMan.exe regsvr32.exe PID 3592 wrote to memory of 4828 3592 IDMan.exe regsvr32.exe PID 3592 wrote to memory of 4828 3592 IDMan.exe regsvr32.exe PID 3592 wrote to memory of 676 3592 IDMan.exe regsvr32.exe PID 3592 wrote to memory of 676 3592 IDMan.exe regsvr32.exe PID 3592 wrote to memory of 676 3592 IDMan.exe regsvr32.exe PID 3592 wrote to memory of 4792 3592 IDMan.exe regsvr32.exe PID 3592 wrote to memory of 4792 3592 IDMan.exe regsvr32.exe PID 3592 wrote to memory of 4792 3592 IDMan.exe regsvr32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\IDMan.exe"C:\Users\Admin\AppData\Local\Temp\IDMan.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"2⤵
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"2⤵
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMIECC64.dll"2⤵
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMGetAll64.dll"2⤵
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\downlWithIDM64.dll"2⤵