30cf1838b2a95a360b4be837313d9449a55c5213c9874bda179e61b9a3f4f175

Analysis

max time kernel
102s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/09/2024, 10:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IDMƽ V6.40 Build8 ƽ/idman640build8.exe
Size

10.7MB
MD5

80fab5f13a6a1686c9591881cdc364e0
SHA1

290fe176055e805cea43e4270f85634173faa7c6
SHA256

bc4ddda7c4fabe5091e961b166280afeeaf8de617348757fc68d65dc5752a975
SHA512

da3517478b6c3e0f75cd6552c5b79daed3100fa5265a67cbca739f6d2c364c25849e0c56db318e1773a513c2cd1b59320fcff343f5cff748edcef674e021633c
SSDEEP

196608:c9m5pSSrrli+3sjuBezMol78WLN5ppWmU4+nLHrb0fsnm0LORZCkXbZ5oD2pemxl:cWQSv3s+kMVo5Lj+nHb77kZ5boKppD

Score

4^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2824	IDM1.tmp

Loads dropped DLL 1 IoCs

pid	Process
2716	idman640build8.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	idman640build8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IDM1.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2824	IDM1.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 2824	2716	idman640build8.exe	29
PID 2716 wrote to memory of 2824	2716	idman640build8.exe	29
PID 2716 wrote to memory of 2824	2716	idman640build8.exe	29
PID 2716 wrote to memory of 2824	2716	idman640build8.exe	29
PID 2716 wrote to memory of 2824	2716	idman640build8.exe	29
PID 2716 wrote to memory of 2824	2716	idman640build8.exe	29
PID 2716 wrote to memory of 2824	2716	idman640build8.exe	29

C:\Users\Admin\AppData\Local\Temp\IDMƽ V6.40 Build8 ƽ\idman640build8.exe
"C:\Users\Admin\AppData\Local\Temp\IDMƽ V6.40 Build8 ƽ\idman640build8.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp
  "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp" -d "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp

Filesize
162KB

MD5
2e47a4c84ab3261533a15b078f71ddf2

SHA1
e6599529b7b02255ed52e8767db3611fdef5d25d

SHA256
34be308198364b9068b0a95d79465405b0639fb07d2f026b65e9df3507180c78

SHA512
186b36373040bea54e3a8e6e9239fc9f946a1e0cf7547e47351211fc427ea21aafa7c4b817695cd309ae46bfccba15a3bef4b2c728531792ed4c9e7b117b00ec

Download Submit
memory/2716-0-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2716-2-0x0000000000290000-0x00000000002B9000-memory.dmp

Filesize
164KB

Download
memory/2716-4-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2824-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download