General

  • Target: internet_download_manager_6.42.3.zip
  • Size: 16.1MB
  • Sample: 240422-yed12afc59
  • MD5: e53ef26ff1e3db5ef8d52b77dce2e546
  • SHA1: 66088505fa271586826eae56015e461420388638
  • SHA256: 69823ce040158d41e47f1458375b142f462f4725ff6ad1999d78034720b6449b
  • SHA512: 3d72307a2a0ad43d9e22558437f1c1e6a42c54acae8de790213b1c5ac895725e2005de466cb892fa23723c4ef546191b121469567f8a19fba523ece102247328
  • SSDEEP: 393216:SCcURApIOZfwN3W1T2d83WcukKSE0+NdE3ciOhd:SCcUIIyz2d8Gcm0GW3OD

Malware Config

Targets

    • Target: Internet Download Manager 6.42.3.exe
    • Size: 14.4MB
    • MD5: 450f6fe0632bacbe9385986ce68d5c32
    • SHA1: 48f83828eb8e8a3d47a0a678ba8903da13c08c05
    • SHA256: 3d63c703650df3770b7d762681629107b1c50dea97c60a3954e000cb4c957ebc
    • SHA512: 9e46b82750d95ec464946580475c92b381341e749f2b2f653dae411c24aab2fda07141f6f59341cdba933b2c5712d1e057adc1b889076d36581c2744e642769b
    • SSDEEP: 196608:mI+4Wx/pKO01Ms5E5Zk9bZo5hjp26Pro5Bi1X8MW37DMZ/pLWg7eN/NZWNd42on0:mIBaO65Zk9lo5B4Lih8MW+SqN7o3ZKrJ

    Signatures:

    • Drops file in Drivers directory
    • Executes dropped EXE
    • Loads dropped DLL
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials etc.
    • Registers COM server for autorun
    • UPX packed file
      Detects executables packed with UPX/modified UPX open source packer.
    • Adds Run key to start application
    • Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate software on the system.
    • Checks whether UAC is enabled
    • Installs/modifies Browser Helper Object
      BHOs are DLL modules which act as plugins for Internet Explorer.

    • Target: _Create installation script.cmd
    • Size: 1KB
    • MD5: d96183ad20b7152c83c1455d0e98116c
    • SHA1: 905a8317a8892ae2170c2aabbcf3846fd7244272
    • SHA256: b276580e201b8e46386e0203a5c9ac9ebc6c9b9a68ff8890f78c18e20c9bfa82
    • SHA512: b1e993d843222afdc71939d8f92ab77faae21cee7cc56718033ecbf730e9df0b792dff0505d09cfe046ae72b3417aa9d6d1c6430a13bc3da8043582f718ae859
    • Score: 7/10

    Signatures:

    • Executes dropped EXE
    • Loads dropped DLL

    • Target: _Silent Install.cmd
    • Size: 1KB
    • MD5: 9e7f1703ee2f6d680cb3459a0104f6e9
    • SHA1: 28d0d1554d4e24f07a320c96b3843e5adcbaa0fd
    • SHA256: 2d1b03d2e214271cb7ab1981517152a61a162a23b6f2c5bedcbaaa2ecfe8ce0b
    • SHA512: cd946b274310fcf319adfdeb9003dffba13e50fd740f87565ae9cebdfad0609e167bc0c0920195995430ac1fc08f72a1e68d817d61ed9721fd2effba4f0a5960

    Signatures:

    • Drops file in Drivers directory
    • Checks computer location settings
      Looks up country code configured in the registry, likely geofence.
    • Executes dropped EXE
    • Loads dropped DLL
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials etc.
    • Registers COM server for autorun
    • UPX packed file
      Detects executables packed with UPX/modified UPX open source packer.
    • Adds Run key to start application
    • Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate software on the system.
    • Installs/modifies Browser Helper Object
      BHOs are DLL modules which act as plugins for Internet Explorer.
    • Writes to the Master Boot Record (MBR)
      Bootkits write to the MBR to gain persistence at a level below the operating system.
    • Drops file in System32 directory

    • Target: _Silent Update.cmd
    • Size: 1KB
    • MD5: 9add192714f7645e21ca939f159d595d
    • SHA1: b7aeb23abbb7795917943cf11af634d645cbef35
    • SHA256: 1d433ad24bd7efbfcee720496cb557fa36bcbf6d50ad57968e988e413b359c57
    • SHA512: aa671e8f820e2ba3c791f5bbdcbec92be58d6b0c1373c8aae42aa2b631b124255183d86ba216a4d1b23e366c3d0474b734aa963e23fb2d9aad022dba75f7c2bd

    Signatures:

    • Executes dropped EXE
    • Loads dropped DLL
    • Registers COM server for autorun
    • Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate software on the system.
    • Installs/modifies Browser Helper Object
      BHOs are DLL modules which act as plugins for Internet Explorer.

    • Target: _Silent scripted installation.cmd
    • Size: 1KB
    • MD5: f562c57050ec95e598937f2392a070af
    • SHA1: 7c6b7dbb4baa68b9de24760a1d59ce1828b4d17a
    • SHA256: ad27b38f2e56226bfb720b722993eb1cbf752ff15dcd2d7c59ffae07cfa0a56d
    • SHA512: 9ca92b23f0b067aa04f097c3af6e390e2512a96e29b3c5f61661cfd1a6b9f72721cb149a28be11973634f8015c8104ea185ec190b6debc7fa4572ff1d36cd027

    Signatures:

    • Drops file in Drivers directory
    • Checks computer location settings
      Looks up country code configured in the registry, likely geofence.
    • Executes dropped EXE
    • Loads dropped DLL
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials etc.
    • Registers COM server for autorun
    • UPX packed file
      Detects executables packed with UPX/modified UPX open source packer.
    • Adds Run key to start application
    • Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate software on the system.
    • Installs/modifies Browser Helper Object
      BHOs are DLL modules which act as plugins for Internet Explorer.
    • Writes to the Master Boot Record (MBR)
      Bootkits write to the MBR to gain persistence at a level below the operating system.
    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v13)

Each entry lists the technique, its ATT&CK ID and the number of matches reported.

Persistence

  • Boot or Logon Autostart Execution, T1547 (7)
  • Registry Run Keys / Startup Folder, T1547.001 (7)
  • Browser Extensions, T1176 (4)
  • Pre-OS Boot, T1542 (2)
  • Bootkit, T1542.003 (2)

Privilege Escalation

  • Boot or Logon Autostart Execution, T1547 (7)
  • Registry Run Keys / Startup Folder, T1547.001 (7)

Defense Evasion

  • Modify Registry, T1112 (11)
  • Pre-OS Boot, T1542 (2)
  • Bootkit, T1542.003 (2)

Credential Access

  • Unsecured Credentials, T1552 (3)
  • Credentials In Files, T1552.001 (3)

Discovery

  • Query Registry, T1012 (14)
  • System Information Discovery, T1082 (11)
  • Peripheral Device Discovery, T1120 (2)

Collection

  • Data from Local System, T1005 (3)

Tasks