General
-
Target
internet_download_manager_6.42.25.zip
-
Size
16.4MB
-
Sample
241119-j6yr7axmbn
-
MD5
6e477e05a33ac4ac475fec8674746ab5
-
SHA1
e46c96f8d6364bf27be619854e996b8bed609516
-
SHA256
e982c59b70fae4d269dd4c34b502a81f26668bad00f7dccd372d50ec71d939ae
-
SHA512
13ead1b86ff15b912d42ae25b70166260b9c561fb47631dcd8955358faa104fd1e82accf6b5ce71cee3268adc0e6ab5b1711ccfe0d9bb6695d2bee3183de3d55
-
SSDEEP
393216:to4LWMO1me6vO1ZBqdqiPYLNdTzcwARwp6JDLt3mr+Ccv:tPWwvEDqdq+MjPcwARu6JN3mCCcv
Malware Config
Targets
-
-
Target
Internet Download Manager 6.42.25.exe
-
Size
14.7MB
-
MD5
a3ae34f70ab6fbb98311cc63987cf992
-
SHA1
d6e9877aa8bfc6d424e45f9fe4669d803b112259
-
SHA256
fba64680753a00dc87be32341847f87cab5d33875cb2b9ae7d0b417b72a8af57
-
SHA512
7dc491991103b96f80a041cd602d2e97e2987b2dd0db7fe6c3807522fa9cfb8107bbb0db0d1afadc408e75784033fb40a318084b75924e1424992f7167d06fea
-
SSDEEP
393216:QIBmgubvcMCnwxBdsvRCbAlzLvSQAR0vQ9moBNKrJ:BmBynsXsvRiYfvSQAREQ9ZNKd
Score8/10-
Drops file in Drivers directory
-
A potential corporate email address has been identified in the URL: [email protected]
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Installs/modifies Browser Helper Object
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
_Create installation script.cmd
-
Size
1KB
-
MD5
d96183ad20b7152c83c1455d0e98116c
-
SHA1
905a8317a8892ae2170c2aabbcf3846fd7244272
-
SHA256
b276580e201b8e46386e0203a5c9ac9ebc6c9b9a68ff8890f78c18e20c9bfa82
-
SHA512
b1e993d843222afdc71939d8f92ab77faae21cee7cc56718033ecbf730e9df0b792dff0505d09cfe046ae72b3417aa9d6d1c6430a13bc3da8043582f718ae859
Score8/10-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Drops file in System32 directory
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
_Silent Install.cmd
-
Size
1KB
-
MD5
9e7f1703ee2f6d680cb3459a0104f6e9
-
SHA1
28d0d1554d4e24f07a320c96b3843e5adcbaa0fd
-
SHA256
2d1b03d2e214271cb7ab1981517152a61a162a23b6f2c5bedcbaaa2ecfe8ce0b
-
SHA512
cd946b274310fcf319adfdeb9003dffba13e50fd740f87565ae9cebdfad0609e167bc0c0920195995430ac1fc08f72a1e68d817d61ed9721fd2effba4f0a5960
Score8/10-
Drops file in Drivers directory
-
A potential corporate email address has been identified in the URL: [email protected]
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Installs/modifies Browser Helper Object
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
-
-
Target
_Silent Update.cmd
-
Size
1KB
-
MD5
9add192714f7645e21ca939f159d595d
-
SHA1
b7aeb23abbb7795917943cf11af634d645cbef35
-
SHA256
1d433ad24bd7efbfcee720496cb557fa36bcbf6d50ad57968e988e413b359c57
-
SHA512
aa671e8f820e2ba3c791f5bbdcbec92be58d6b0c1373c8aae42aa2b631b124255183d86ba216a4d1b23e366c3d0474b734aa963e23fb2d9aad022dba75f7c2bd
Score7/10-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object
BHOs are DLL modules which act as plugins for Internet Explorer.
-
-
-
Target
_Silent scripted installation.cmd
-
Size
1KB
-
MD5
f562c57050ec95e598937f2392a070af
-
SHA1
7c6b7dbb4baa68b9de24760a1d59ce1828b4d17a
-
SHA256
ad27b38f2e56226bfb720b722993eb1cbf752ff15dcd2d7c59ffae07cfa0a56d
-
SHA512
9ca92b23f0b067aa04f097c3af6e390e2512a96e29b3c5f61661cfd1a6b9f72721cb149a28be11973634f8015c8104ea185ec190b6debc7fa4572ff1d36cd027
Score8/10-
Drops file in Drivers directory
-
A potential corporate email address has been identified in the URL: [email protected]
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Installs/modifies Browser Helper Object
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Browser Extensions
1Event Triggered Execution
1Component Object Model Hijacking
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Component Object Model Hijacking
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1