| File name: | IDM_v6.42_B3_KiNGHaZe.zip |
| Full analysis: | https://app.any.run/tasks/d46e4e03-6be5-4876-ab2a-ca78140eab93 |
| Verdict: | Malicious activity |
| Analysis date: | March 23, 2024, 04:31:32 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v1.0 to extract, compression method=store |
| MD5: | F32B1AD38894FC026B319C8A01D625B5 |
| SHA1: | 4E8E20EB83EC12D267B126546E2FA742C9E57428 |
| SHA256: | D060507AA4BD24193BDAA97DF21553C5BBA501B4BB13BAF13623489BA0F6A903 |
| SSDEEP: | 98304:YDQPuum20W4oY/nyG9mr/YoeTpTJQSVqpRc9E8NFeDTPWShq6E0hsWaTPzoAWPqg:MSpuTOXHsyCIp2LxmyK9E92 |
MALICIOUS
Drops the executable file immediately after the start
- WinRAR.exe (PID: 3500)
- Internet Download Manager 6.42 Build 3.exe (PID: 3488)
SUSPICIOUS
Reads security settings of Internet Explorer
- Kur.exe (PID: 1972)
- Internet Download Manager 6.42 Build 3.exe (PID: 1692)
- WinRAR.exe (PID: 3500)
- Internet Download Manager 6.42 Build 3.exe (PID: 3488)
- IDMan.exe (PID: 2240)
- IDM1.tmp (PID: 1308)
Application launched itself
- Internet Download Manager 6.42 Build 3.exe (PID: 1692)
- cmd.exe (PID: 2960)
Reads the Internet Settings
- Internet Download Manager 6.42 Build 3.exe (PID: 1692)
- Internet Download Manager 6.42 Build 3.exe (PID: 3488)
- Kur.exe (PID: 1972)
- IDM1.tmp (PID: 1308)
Process drops legitimate windows executable
- Internet Download Manager 6.42 Build 3.exe (PID: 3488)
Executable content was dropped or overwritten
- Internet Download Manager 6.42 Build 3.exe (PID: 3488)
Uses TASKKILL.EXE to kill process
- cmd.exe (PID: 2960)
Executing commands from a ".bat" file
- Kur.exe (PID: 1972)
Starts CMD.EXE for commands execution
- cmd.exe (PID: 2960)
- Kur.exe (PID: 1972)
Identifying current user with WHOAMI command
- cmd.exe (PID: 2168)
Starts application with an unusual extension
- Kur.exe (PID: 1972)
Checks Windows Trust Settings
- IDMan.exe (PID: 2240)
The process creates files with name similar to system file names
- IDM1.tmp (PID: 1308)
Creates a software uninstall entry
- IDM1.tmp (PID: 1308)
Creates/Modifies COM task schedule object
- IDM1.tmp (PID: 1308)
Uses REG/REGEDIT.EXE to modify registry
- cmd.exe (PID: 2960)
INFO
Checks supported languages
- Internet Download Manager 6.42 Build 3.exe (PID: 1692)
- Internet Download Manager 6.42 Build 3.exe (PID: 3488)
- Kur.exe (PID: 1972)
- IDM1.tmp (PID: 1308)
- idmBroker.exe (PID: 980)
- IDMan.exe (PID: 2240)
Reads the computer name
- Internet Download Manager 6.42 Build 3.exe (PID: 1692)
- Internet Download Manager 6.42 Build 3.exe (PID: 3488)
- Kur.exe (PID: 1972)
- IDMan.exe (PID: 2240)
- IDM1.tmp (PID: 1308)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 3500)
Reads mouse settings
- Kur.exe (PID: 1972)
Checks Windows language
- Kur.exe (PID: 1972)
Create files in a temporary directory
- IDM1.tmp (PID: 1308)
Reads the machine GUID from the registry
- IDM1.tmp (PID: 1308)
- IDMan.exe (PID: 2240)
- Kur.exe (PID: 1972)
Creates files in the program directory
- Kur.exe (PID: 1972)
- IDM1.tmp (PID: 1308)
Reads Environment values
- Kur.exe (PID: 1972)
Creates files or folders in the user directory
- IDM1.tmp (PID: 1308)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 10 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | None |
| ZipModifyDate: | 2024:01:17 08:47:34 |
| ZipCRC: | 0x2297fbbc |
| ZipCompressedSize: | 9808913 |
| ZipUncompressedSize: | 9808913 |
| ZipFileName: | Internet Download Manager 6.42 Build 3.exe |
Total processes
456
Monitored processes
415
Malicious processes
6
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 116 | reg import none.reg | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 268 | reg query "HKCU\Software\Classes\CLSID\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}" | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 296 | REG DELETE "HKLM\Software\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" /f | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 316 | reg query "HKLM\Software\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 324 | reg query "HKCU\Software\Download Manager" | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 392 | reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 448 | reg query "HKLM\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 448 | reg query "HKU\.DEFAULT\Software\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}" | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 452 | reg query "HKLM\Software\Download Manager" | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 480 | REG DELETE "HKLM\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /f | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
22 555
Read events
22 419
Write events
127
Delete events
9
Modification events
| (PID) Process: | (3500) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (3500) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (3500) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3500) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (3500) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (3500) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (3500) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\IDM_v6.42_B3_KiNGHaZe.zip | |||
| (PID) Process: | (3500) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (3500) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (3500) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
Executable files
49
Suspicious files
33
Text files
172
Unknown types
6
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3500 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3500.28884\Internet Download Manager 6.42 Build 3.exe | executable | |
MD5:EA7CB9561AE28EA39AB4A228C5C7974B | SHA256:4933C1BB9EB88F3A5B8A410519A23CA951996A4CFF25225CCCD5ABBDFFCE0DEF | |||
| 3488 | Internet Download Manager 6.42 Build 3.exe | C:\Kinghaze\Kur\IDM10.tmp | html | |
MD5:648E7B2602158D2FF9197D664F59B28B | SHA256:47937F8F34BA56718D4BD3B97BFD9E42468D6B7615C745B7841272A2E3D39E57 | |||
| 3500 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3500.28884\Full indir - Full İndir.Cafe - Program, Oyun, Film, Apk, Full İndirme Sitesi.url | url | |
MD5:D446418FAEC2843665CA84DB896A0B56 | SHA256:92C4D784BBCF578674808C596C17F73B7733F2E846818CBEBC88C15E897AA522 | |||
| 3500 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3500.28884\Full Program İndir Full Programlar İndir - Oyun İndir.url | url | |
MD5:7FCAE6AD0933E2EE9E39F2E99199CB95 | SHA256:F082F1A50DA8CC06A741387DB441AC6BB8676C9A1F90C7299B165F5150470189 | |||
| 3488 | Internet Download Manager 6.42 Build 3.exe | C:\Kinghaze\Kur\IDM109.tmp | text | |
MD5:07A324E23BB33CE824A539CFA499BDA0 | SHA256:9619F587E3EF863B7FD69650DCBC1D655D6062C3F73EAF52ACA59754AD856B83 | |||
| 3488 | Internet Download Manager 6.42 Build 3.exe | C:\Kinghaze\Kur\IDM106.tmp | executable | |
MD5:97569D4E2F159B0CB1B203D510749104 | SHA256:58FD2D7B428640395D09778394231EE5AACC74726580C67A69020B698865B5C9 | |||
| 3488 | Internet Download Manager 6.42 Build 3.exe | C:\Kinghaze\Kur\IDM107.tmp | text | |
MD5:21E7664F87E16AB82452D6F01713D54E | SHA256:84C92BD8AE5A90294D836851385FBF054B7AF4D78744F4542147AC436A2A2644 | |||
| 3488 | Internet Download Manager 6.42 Build 3.exe | C:\Kinghaze\Kur\IDM11.tmp | text | |
MD5:88DBA7E850C1A4E13E78322136A61C49 | SHA256:BDC81DB3E7CAB8D8022697065D5B1D328BC47423EDEF9530E3EB8DB60C75A245 | |||
| 3488 | Internet Download Manager 6.42 Build 3.exe | C:\Kinghaze\Kur\IDM108.tmp | text | |
MD5:3DA98A953BCBCC9F1E9D143542437C20 | SHA256:14D51E3B9F5E68E97ED01A6BB1C598E3E09F9E330A90DBE363D6659AC725F679 | |||
| 3488 | Internet Download Manager 6.42 Build 3.exe | C:\Kinghaze\Kur\IDM105.tmp | text | |
MD5:748C5590939571E92A7C16AC702A74CA | SHA256:9145CFE47D32CF3E45840CE0344DA1D29810EF9D756ECDDAEBB803C59869E945 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 224.0.0.252:5355 | — | — | — | unknown |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |