Overview

overview

7

Static

static

1

IDMan.exe

windows7-x64

7

IDMan.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    48s
  • max time network
    35s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    22-04-2024 19:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    IDMan.exe

  • Size

    5.6MB

  • MD5

    bb6c540ccad4386c7d88dd71cb539d10

  • SHA1

    d446c9a5d0432dd94f3d78a728274e63469dd0b8

  • SHA256

    9ad69452e768c6b36ae222253141eece96c9031103afa06a9cecccd7567523d0

  • SHA512

    52d69543a2b2edaaea59f506a550c578e76fdcefe1b953cf6026c862acc88228b8bf7b54391bb4705e4b161f7ae22648178643649769c0c109da6273fb649171

  • SSDEEP

    98304:97ocqxlQpPAEgIrTx5P4NS18frP3wbzWFimaI7dlZX:ZbqYpPFg3bgbzWFimaI7dlZ

Score
7/10
adwareevasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in System32 directory 14 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 58 IoCs
    adwarespyware
  • Modifies registry class 17 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\IDMan.exe
    "C:\Users\Admin\AppData\Local\Temp\IDMan.exe"
    1⤵
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Installs/modifies Browser Helper Object
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2276
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
      2⤵
        PID:2540
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
        2⤵
          PID:2156
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMIECC64.dll"
          2⤵
            PID:2600
          • C:\Windows\SysWOW64\regsvr32.exe
            "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMGetAll64.dll"
            2⤵
              PID:2608
            • C:\Windows\SysWOW64\regsvr32.exe
              "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\downlWithIDM64.dll"
              2⤵
                PID:2664
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe" https://www.internetdownloadmanager.com/welcome.html?v=641b10
                2⤵
                • Modifies Internet Explorer settings
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:2680
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2680 CREDAT:275457 /prefetch:2
                  3⤵
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:1728
              • C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
                "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE" -c IPM.Note /m "mailto:?subject=Internet%20Download%20Manager%20-%20very%20cool%20application!!!&body=download%20from%20https://www.internetdownloadmanager.com"
                2⤵
                • Drops file in System32 directory
                • Drops file in Windows directory
                • Modifies Internet Explorer settings
                • Suspicious behavior: AddClipboardFormatListener
                PID:2572

            Network

            MITRE ATT&CK Matrix ATT&CK v13

            Initial Access

            Execution

            Persistence

            Boot or Logon Autostart Execution

            1
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Browser Extensions

            1
            T1176

            Privilege Escalation

            Boot or Logon Autostart Execution

            1
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Defense Evasion

            Modify Registry

            3
            T1112

            Credential Access

            Unsecured Credentials

            1
            T1552

            Credentials In Files

            1
            T1552.001

            Discovery

            System Information Discovery

            2
            T1082

            Lateral Movement

            Collection

            Data from Local System

            1
            T1005

            Exfiltration

            Command and Control

            Impact

            Resource Development

            Reconnaissance

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
              Filesize

              68KB

              MD5

              29f65ba8e88c063813cc50a4ea544e93

              SHA1

              05a7040d5c127e68c25d81cc51271ffb8bef3568

              SHA256

              1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

              SHA512

              e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

              Download Submit
            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
              Filesize

              344B

              MD5

              f75584f7a74d46664f72739810d7c3c1

              SHA1

              747a90b5056b69c612f38c65e247257a2d9ceb62

              SHA256

              676f192b5676d05ea4b30afa78aa65b98213474847723d5ade0d11a5d5259793

              SHA512

              b4d4051e976a93de6958ae2cfcba6efc53103ff31d1572076b938049f66d801b4f81fe5a25a3e00bb319f40313af635a57144b599e47960950def25f99e13271

              Download Submit
            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
              Filesize

              344B

              MD5

              eb92256423d8be8e6b29773367d637f3

              SHA1

              837316fffc18e52ac236e16779fcec8018fa687c

              SHA256

              e7a4e06675ea84dbe8177a687a2d5329710b2c0452b394bbc004503f9d29aeb7

              SHA512

              43a7411a3e69acd82411247f0fdc7c4de026eb53b195a1ac93b2c31eecc63e7c42fe16ebd242a9758cf4ad9ba2dfbf08129c6ee6b8f961b73eff193988529a82

              Download Submit
            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
              Filesize

              344B

              MD5

              9eb0d05d23bfd6d106f28bcf81b88f2f

              SHA1

              873bc57e2f5a6df5051309d3d555517830c44684

              SHA256

              33af866d23c9ca9b7c649264c1385abb1f6e7559d8dcda714366ad09e2ff8732

              SHA512

              cc2635f8a7e078d3a5dbea9565afa02480e0d92705512ce4189b5e72735b3b1cb0812675ba5619817dab2a8780a1fc5d9836c1a67c9cc68097e1c3d9c776a1bd

              Download Submit
            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
              Filesize

              344B

              MD5

              c9c408e412dfc9bebd0df97a1009c484

              SHA1

              084c3631dbe1a03e5128a7ae86032db940227f0c

              SHA256

              9ee60af4735f8899dc391fca0b4b6413b0d1ccd7332bc077d4cbeb8067cfd7fe

              SHA512

              d39313ef5ddc14e6845d6ef4e64ebf13b3b72685c9fec0e62d9c503f3d5c3b8e94000f3fa91d79ddf6ff652a9d5a6f7f68a177060cd734a66b48bb2dfb55ca7e

              Download Submit
            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
              Filesize

              344B

              MD5

              a345ed7f144c84bbee9dd2b20de3bdd2

              SHA1

              78b1d1a3462a0dd32b9cfdbae4165bff83b2ebde

              SHA256

              fb562047b07fc135c8d5002492ddc6fce47b374f780b7c7459c528c700ebe421

              SHA512

              9e4ae3caca5d786c70f3226332e4e356d20e7a6035304b8097eeb55d803b5cd1f8921ff60d2f543b034e33818e5fa2d5e5a22ae34d4e01fd0f1f4f604175cbe8

              Download Submit
            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
              Filesize

              344B

              MD5

              20aa28791538ef28525fd18affee04e8

              SHA1

              efa4c3031ecf0a1c56f422b5604ac0c542e0b92a

              SHA256

              e89ffadad8f341fc64c3d433afb7559e8889a518967036260b3359187ad751d7

              SHA512

              787edba8e103244d92f8444ee29cb6b418be45906eb58bd86098dc0a52a3630b1fc661abd7546069c79c3390a8b697d5d1731ad7da4897528cf90b735e741e56

              Download Submit
            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
              Filesize

              344B

              MD5

              798c77662107fb862b1d79c7d1d32dd6

              SHA1

              98074f1f1bdc689ce1b44d9f430bbc77c3e1d478

              SHA256

              62eb4eb08ac6882442f9b526182367c6be763e05daac8e1574beb68f0c4642df

              SHA512

              60b000fae3373a3c6c0ea214982a24e70ffee14d6d88c2dd5a57fa68ccf7078484e586fc3d0e0f48d775972477b688f0c3d3d126dcd58b1bdbe08880b0ff24a6

              Download Submit
            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
              Filesize

              344B

              MD5

              abffe9ae7ec1e844b9d81ae5b146fa5b

              SHA1

              dd56172d60c6cca654368d5e135d70d02e696375

              SHA256

              7a34326e2f5de80ff21bb17166fb1da14362b2f9a507af501f8298f674045093

              SHA512

              82dcc8d142de5ff4f9cbd4acbf32a18fe5a96722f23b6d0bc78220e4cb9d4ca39166b4e2a34f2787a7387bf0eaf6c679b0a752af53599b9104aa8a91c4c77b95

              Download Submit
            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
              Filesize

              344B

              MD5

              71bcb91322f93b53087359a4a999ec17

              SHA1

              0958d3be32558097d0288ebc6e028974d1eb3135

              SHA256

              7df71ba51bcf60967fcb4d69e3119eb37648f0b5d290a941f6c939a2c69f0254

              SHA512

              ecae224a3fe049ede59decefa391dbea27a056cda11994d191c09a154c9177a4365ba6b5289e70bb537e0eeed4e3a67b7f86eee31f8ad447516cbd4a44b0af2e

              Download Submit
            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
              Filesize

              344B

              MD5

              69eaea31491af5f33bfdff9b6f02fcae

              SHA1

              324bc44d1eb06e9ffc9332f36d3d269a43bbf8c5

              SHA256

              3fcab014457b7e56d236b22c65bc0e16b970e858703b8cf6aa25fd03ceae0a92

              SHA512

              774a0b4cef94de50f7860978aa0aa97b89a441ddfc54b94138d644c086a19ba3c7dd7722ca6728bd670713d05f1b647b90e7d93edf5422c587be8e73fa893c7b

              Download Submit
            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
              Filesize

              344B

              MD5

              88e3ecac82dbd4da0b7573c83b8a9442

              SHA1

              a200ecf6314ba131d94f2f54c15a9ce2b99bea5e

              SHA256

              79c073062586ab83f5641677c73f2590607989ca94583b94f314d967105c157c

              SHA512

              4ecbc044955a95f07411b3fcb8f0e4b4091f458e12af95930246eca34048a7b96f3f561829d8edb6e0a17a41f3150ab144b45523babc1db110fb317b46b0a2da

              Download Submit
            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
              Filesize

              344B

              MD5

              a0a89f1eeca8f41ba66c9db03afa4b44

              SHA1

              629ed60849b35d6017eb30004c6e30fd1e4492ae

              SHA256

              46fcbfa2e94e9a4f2adaa29aab0123b764e17dda2d62557138973eb9f1675029

              SHA512

              16f472f6daa40b143c278f5978be427db136c99fd1b1723b8ee2a4f418dea6131ea61d961ca0d67d9d514fb6dada61434edbde57015bac9828e70a757a7ef305

              Download Submit
            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
              Filesize

              344B

              MD5

              81de25b2b0617937daafabdd64cbdb04

              SHA1

              bc52cc49b5f6966ac53aded44474b5eaa05141d4

              SHA256

              aa8f9d72f57ed58b8f2e5e36d5c1a622da2d8dae62fd926cb3a71f70c65c3276

              SHA512

              c0106cb0824a73b9477126636b14687e98a590bdb895fe2a1ab290ff8fa421171a169a58a3feeab50bddbfe2ef20dae856a4111b28fe29c55d2fcfdc29329fd1

              Download Submit
            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
              Filesize

              344B

              MD5

              a84dbd1c50a3b5d0799f52ebb782eff6

              SHA1

              5ddb8ca3a5c1c5a5411f3b54416dfd5ea71fecf3

              SHA256

              9841e2148805d866539d18047f69b9369c8482dea261280b2e52ee6f4b886d48

              SHA512

              80e2e5b3999a77c545ecf4d27d53860d6b59cdee14fa86ef8dd68b8730505b491eab3056a423f0228819f1fb9562603dc9544d6e15057d29e2faea3c83983fed

              Download Submit
            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
              Filesize

              344B

              MD5

              9586d386cfd7d87e011b1b6150a2af94

              SHA1

              cac5d98ffd8a911d74eef8068b430b027974830b

              SHA256

              a3557fd762abd2cb9ca3ccc644f7b9394da78ed678be939298b28d1b1a5a50ca

              SHA512

              81bb34db91aeddafa221331d37d7a4b05377f22a8939a92bbb763af59da8b74039cf620dd21d8af7d0dcfe3d3df6df31fd5ec788396484254afd259b5d525565

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT
              Filesize

              240KB

              MD5

              dad5aa58ef8b878b32e6d4920f4d6499

              SHA1

              79af75e17c102662f516e5af3146b288a37a7b27

              SHA256

              8a5ad7187dbd9deaad243cc678d4806869eb6003f5674d9d74ec5ace1405869e

              SHA512

              5239fcafc21c145b36c9aed7473258de7e0dd08c53157e7de02d2a94fe0259ffaa6c699079ca78b236bf034305bc7bf62cafc2263a5d6ab5b25d2fd25a850233

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT
              Filesize

              240KB

              MD5

              ca60eb102364e34371c0e9bf97cfb78d

              SHA1

              2aa6a6cebeb1c4240a0823f2f2da3e04fc9c0a27

              SHA256

              774729409346119b4e4c76725194d65c9f992d4975f2126860ab9c91fabce06f

              SHA512

              a07e1f18a74a2cd07c445aa245574659ce782ecc41f966a4dec1f6a253f508bdbbb0df9d3ad98b5133373964e55451d5f458a49e19a7565b1209224014d7d57b

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf
              Filesize

              1KB

              MD5

              48dd6cae43ce26b992c35799fcd76898

              SHA1

              8e600544df0250da7d634599ce6ee50da11c0355

              SHA256

              7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

              SHA512

              c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\Cab58BA.tmp
              Filesize

              65KB

              MD5

              ac05d27423a85adc1622c714f2cb6184

              SHA1

              b0fe2b1abddb97837ea0195be70ab2ff14d43198

              SHA256

              c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

              SHA512

              6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\Tar5DB3.tmp
              Filesize

              177KB

              MD5

              435a9ac180383f9fa094131b173a2f7b

              SHA1

              76944ea657a9db94f9a4bef38f88c46ed4166983

              SHA256

              67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

              SHA512

              1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

              Download Submit
            • memory/2572-813-0x000000005FFF0000-0x0000000060000000-memory.dmp
              Filesize

              64KB

              Download
            • memory/2572-814-0x000000007141D000-0x0000000071428000-memory.dmp
              Filesize

              44KB

              Download
            • memory/2572-1045-0x000000005FFF0000-0x0000000060000000-memory.dmp
              Filesize

              64KB

              Download
            • memory/2572-1046-0x000000007141D000-0x0000000071428000-memory.dmp
              Filesize

              44KB

              Download