291f9c3704031a78b0bd66900e3abf9b5c9a0ad67fd9de1f3f350f430a2e6d46

Analysis

max time kernel
446s
max time network
450s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
05/08/2024, 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Internet Download Manager 6.42 Build 18/Setup/idman642build18.exe
Size

11.7MB
MD5

80e2b37abc2aab663ce237e1b5a1bd06
SHA1

0abd1cbe5fbd34d258ae319633ded83286c40b37
SHA256

10175f8480a170eea40c1cf31c3b6dfde6da63ddfd59383c661acba7723bc8b2
SHA512

31a8436e1faabd4befd8c826ab267cf4593d5bd4f2d2872f3d60c44d38cd49588da1bae61ada483fd070296ee02aba16c474c057b226905f4e4ad677e6949bb3
SSDEEP

196608:jr5pZdpmRFqnCsnyHkUCzXVWuNdr+08UCcgCBrvZfCNpN4ZuiZh0D2peVT+qTZwZ:h1sRF0CkyEU8fUNK1vApiZsKpOS8ZwZ

Score

4^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1080	IDM1.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	idman642build18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IDM1.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 780 wrote to memory of 1080	780	idman642build18.exe	82
PID 780 wrote to memory of 1080	780	idman642build18.exe	82
PID 780 wrote to memory of 1080	780	idman642build18.exe	82

C:\Users\Admin\AppData\Local\Temp\Internet Download Manager 6.42 Build 18\Setup\idman642build18.exe
"C:\Users\Admin\AppData\Local\Temp\Internet Download Manager 6.42 Build 18\Setup\idman642build18.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:780
- C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp
  "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp" -d "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp

Filesize
162KB

MD5
1229943ec58e8bd8cf3b1673dcbd4760

SHA1
65d8b26a4b9b5762241f7d5393101f8b43065298

SHA256
ff3ce8900cc246ab15bbf6e2b418c08de39845735f47b724a59765ffeed66643

SHA512
fc2f5d4ee2e2498b0df5bcb6cef355dc8a11e37eed58dd88b0a306648639b47a3e5a4ea758c0911f9dd8e93c51f0c90938ca64f985a5c5dd8e5f62d946df6f42

Download Submit
memory/1080-1-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1080-2-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download