Analysis
-
max time kernel
93s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
08-11-2024 18:11
Static task
static1
Behavioral task
behavioral1
Sample
IDM6.42һü/idman642build20.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
IDM6.42һü/idman642build20.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
IDM6.42һü/жع/geek.exe
Resource
win7-20241023-en
Behavioral task
behavioral4
Sample
IDM6.42һü/жع/geek.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
IDM6.42һü//IDM_6.4x_Crack_v19.7.exe
Resource
win7-20240903-en
General
-
Target
IDM6.42һü/жع/geek.exe
-
Size
6.7MB
-
MD5
ef78997488e6121971404a3f25686fee
-
SHA1
53a260990106e5271cb525f87be008e299beaa85
-
SHA256
d96df1051e62aa40baefd51235be45f8038745582a5d3428b63123fd2ced60db
-
SHA512
8a021950ae41a76659cacdba57d4a090b839dc9a39866b1ca3b6efc533d2542cdb40dbf5004c58d1793329a60126052d7372b0b3d4e9165cfa48938f0e77e573
-
SSDEEP
98304:jo2mCHer41qIJVUR0LRn2ufOFL//bHAKYmg77UQ1mfa/ews4VOp9mD:U4wIY0LRnHfq37g7oQcfa/ewsWOpsD
Malware Config
Signatures
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Executes dropped EXE 1 IoCs
pid Process 2652 geek64.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language geek.exe -
Suspicious use of SetWindowsHookEx 8 IoCs
pid Process 3728 geek.exe 2652 geek64.exe 2652 geek64.exe 2652 geek64.exe 2652 geek64.exe 2652 geek64.exe 2652 geek64.exe 2652 geek64.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 3728 wrote to memory of 2652 3728 geek.exe 85 PID 3728 wrote to memory of 2652 3728 geek.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\IDM6.42һü\жع\geek.exe"C:\Users\Admin\AppData\Local\Temp\IDM6.42һü\жع\geek.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3728 -
C:\Users\Admin\AppData\Local\Temp\geek64.exeC:\Users\Admin\AppData\Local\Temp\geek64.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2652
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.7MB
MD5c84a3c776bf83d55f901288db3b8b8a0
SHA1515df2a9fb35beef25d070b688d692646f0a1c8f
SHA256b8d968872fe7ed8de7eeb89ff6e1ce2029521f7c744c088ae2c4807b396d28ae
SHA512e471e4ffa1511b5239474577eda92ccb98918eb1633284af20ed80a3cd8366dc4b3ecbe2482b9325e6c543b1acf07731973290265b0ac3c94ea6c436b12e9064