8d5c5c64a07f32acc32a73e2435e03ff6d0c49d3082f79a40e56675643ffa326

Analysis

max time kernel
1538s
max time network
1508s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
18/08/2024, 22:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Internet Download Manager 6.42 Build 19 Multilingual + Retail/idman642build19.exe
Size

11.7MB
MD5

192103bacef3a33b70cecb80a1460acf
SHA1

0e3ee8140234fe328a1ba397a937237acdf3aab3
SHA256

25095f71f564f688bbbcedad14a192a7ad47cc4d8b14b3734423c0a955b5e8d7
SHA512

cf3422b0f0baf9f985009497d28e4a03292b2fb75830fa4f17467bf0d328680c04d5d468b203d1170673443fab7daeede8fa094c3f68e1159e97ce41c6467198
SSDEEP

196608:QP5pFarqiXVd99yuqWCNM5dI+UB2HEs1rS9fHNt/XZEZrAtVD2peog+cE+of:ebauiXVdLGnK22HVBSbt/ZWCKp77l+2

Score

4^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1984	IDM1.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	idman642build19.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IDM1.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 404 wrote to memory of 1984	404	idman642build19.exe	82
PID 404 wrote to memory of 1984	404	idman642build19.exe	82
PID 404 wrote to memory of 1984	404	idman642build19.exe	82

C:\Users\Admin\AppData\Local\Temp\Internet Download Manager 6.42 Build 19 Multilingual + Retail\idman642build19.exe
"C:\Users\Admin\AppData\Local\Temp\Internet Download Manager 6.42 Build 19 Multilingual + Retail\idman642build19.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:404
- C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp
  "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp" -d "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp

Filesize
162KB

MD5
1229943ec58e8bd8cf3b1673dcbd4760

SHA1
65d8b26a4b9b5762241f7d5393101f8b43065298

SHA256
ff3ce8900cc246ab15bbf6e2b418c08de39845735f47b724a59765ffeed66643

SHA512
fc2f5d4ee2e2498b0df5bcb6cef355dc8a11e37eed58dd88b0a306648639b47a3e5a4ea758c0911f9dd8e93c51f0c90938ca64f985a5c5dd8e5f62d946df6f42

Download Submit
memory/1984-1-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1984-2-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download