8d5c5c64a07f32acc32a73e2435e03ff6d0c49d3082f79a40e56675643ffa326

Analysis

max time kernel
1389s
max time network
1157s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
18/08/2024, 22:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Internet Download Manager 6.42 Build 19 Multilingual + Retail/idman642build19f.exe
Size

11.7MB
MD5

f5cd32ccaae5f0ca36d08157b0a592de
SHA1

0a863a9385209bac3d8bbccc46089e74b52c3f8c
SHA256

58579566a5f0e0febb008c68276b3b26a1220e369a4f68e897ad3a272b7c7ffa
SHA512

d404d6cc8f573229933af6cf5c437d73e6ccedd5a2243e0a78f04213974789321747d13e5aa8a499fb55178c382d567a8526d08bfd50f278e1a81e23644fe495
SSDEEP

196608:E/5pYMODgYc/RQHLyD+J0W1Njwy+MUfirEIUrY6flNtLEZrTaDC+D2perVoSEX8F:aeMs1GZiVoirh6YctAZPAKpMuHXq

Score

4^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1312	IDM1.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	idman642build19f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IDM1.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1016 wrote to memory of 1312	1016	idman642build19f.exe	82
PID 1016 wrote to memory of 1312	1016	idman642build19f.exe	82
PID 1016 wrote to memory of 1312	1016	idman642build19f.exe	82

C:\Users\Admin\AppData\Local\Temp\Internet Download Manager 6.42 Build 19 Multilingual + Retail\idman642build19f.exe
"C:\Users\Admin\AppData\Local\Temp\Internet Download Manager 6.42 Build 19 Multilingual + Retail\idman642build19f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp
  "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp" -d "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp

Filesize
162KB

MD5
1229943ec58e8bd8cf3b1673dcbd4760

SHA1
65d8b26a4b9b5762241f7d5393101f8b43065298

SHA256
ff3ce8900cc246ab15bbf6e2b418c08de39845735f47b724a59765ffeed66643

SHA512
fc2f5d4ee2e2498b0df5bcb6cef355dc8a11e37eed58dd88b0a306648639b47a3e5a4ea758c0911f9dd8e93c51f0c90938ca64f985a5c5dd8e5f62d946df6f42

Download Submit
memory/1312-1-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1312-2-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download