| File name: | IDM_v6.42_B3_KiNGHaZe.zip |
| Full analysis: | https://app.any.run/tasks/d46e4e03-6be5-4876-ab2a-ca78140eab93 |
| Verdict: | Malicious activity |
| Analysis date: | March 23, 2024, 04:31:32 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v1.0 to extract, compression method=store |
| MD5: | F32B1AD38894FC026B319C8A01D625B5 |
| SHA1: | 4E8E20EB83EC12D267B126546E2FA742C9E57428 |
| SHA256: | D060507AA4BD24193BDAA97DF21553C5BBA501B4BB13BAF13623489BA0F6A903 |
| SSDEEP: | 98304:YDQPuum20W4oY/nyG9mr/YoeTpTJQSVqpRc9E8NFeDTPWShq6E0hsWaTPzoAWPqg:MSpuTOXHsyCIp2LxmyK9E92 |
MALICIOUS
Drops the executable file immediately after the start
- WinRAR.exe (PID: 3500)
- Internet Download Manager 6.42 Build 3.exe (PID: 3488)
SUSPICIOUS
Reads the Internet Settings
- Internet Download Manager 6.42 Build 3.exe (PID: 1692)
- Internet Download Manager 6.42 Build 3.exe (PID: 3488)
- Kur.exe (PID: 1972)
- IDM1.tmp (PID: 1308)
Reads security settings of Internet Explorer
- Internet Download Manager 6.42 Build 3.exe (PID: 1692)
- WinRAR.exe (PID: 3500)
- Internet Download Manager 6.42 Build 3.exe (PID: 3488)
- Kur.exe (PID: 1972)
- IDMan.exe (PID: 2240)
- IDM1.tmp (PID: 1308)
Application launched itself
- Internet Download Manager 6.42 Build 3.exe (PID: 1692)
- cmd.exe (PID: 2960)
Executable content was dropped or overwritten
- Internet Download Manager 6.42 Build 3.exe (PID: 3488)
Process drops legitimate windows executable
- Internet Download Manager 6.42 Build 3.exe (PID: 3488)
Starts CMD.EXE for commands execution
- Kur.exe (PID: 1972)
- cmd.exe (PID: 2960)
Executing commands from a ".bat" file
- Kur.exe (PID: 1972)
Starts application with an unusual extension
- Kur.exe (PID: 1972)
Identifying current user with WHOAMI command
- cmd.exe (PID: 2168)
Uses TASKKILL.EXE to kill process
- cmd.exe (PID: 2960)
The process creates files with name similar to system file names
- IDM1.tmp (PID: 1308)
Creates a software uninstall entry
- IDM1.tmp (PID: 1308)
Checks Windows Trust Settings
- IDMan.exe (PID: 2240)
Uses REG/REGEDIT.EXE to modify registry
- cmd.exe (PID: 2960)
Creates/Modifies COM task schedule object
- IDM1.tmp (PID: 1308)
INFO
Executable content was dropped or overwritten
- WinRAR.exe (PID: 3500)
Checks supported languages
- Internet Download Manager 6.42 Build 3.exe (PID: 1692)
- Internet Download Manager 6.42 Build 3.exe (PID: 3488)
- Kur.exe (PID: 1972)
- IDM1.tmp (PID: 1308)
- IDMan.exe (PID: 2240)
- idmBroker.exe (PID: 980)
Reads the computer name
- Internet Download Manager 6.42 Build 3.exe (PID: 1692)
- Internet Download Manager 6.42 Build 3.exe (PID: 3488)
- Kur.exe (PID: 1972)
- IDM1.tmp (PID: 1308)
- IDMan.exe (PID: 2240)
Reads mouse settings
- Kur.exe (PID: 1972)
Checks Windows language
- Kur.exe (PID: 1972)
Create files in a temporary directory
- IDM1.tmp (PID: 1308)
Reads the machine GUID from the registry
- IDM1.tmp (PID: 1308)
- IDMan.exe (PID: 2240)
- Kur.exe (PID: 1972)
Creates files or folders in the user directory
- IDM1.tmp (PID: 1308)
Creates files in the program directory
- IDM1.tmp (PID: 1308)
- Kur.exe (PID: 1972)
Reads Environment values
- Kur.exe (PID: 1972)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 10 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | None |
| ZipModifyDate: | 2024:01:17 08:47:34 |
| ZipCRC: | 0x2297fbbc |
| ZipCompressedSize: | 9808913 |
| ZipUncompressedSize: | 9808913 |
| ZipFileName: | Internet Download Manager 6.42 Build 3.exe |
Total processes
456
Monitored processes
415
Malicious processes
6
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 116 | reg import none.reg | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 268 | reg query "HKCU\Software\Classes\CLSID\{C950922F-897A-4E13-BA38-66C8AF2E0BF7}" | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 296 | REG DELETE "HKLM\Software\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" /f | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 316 | reg query "HKLM\Software\Classes\CLSID\{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 324 | reg query "HKCU\Software\Download Manager" | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 392 | reg query "HKCU\Software\Classes\Wow6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}" | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 448 | reg query "HKLM\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 448 | reg query "HKU\.DEFAULT\Software\Classes\CLSID\{52F6F7BD-DF73-44B3-AE13-89E1E1FB8F6A}" | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 452 | reg query "HKLM\Software\Download Manager" | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 480 | REG DELETE "HKLM\Software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}" /f | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
22 555
Read events
22 419
Write events
127
Delete events
9
Modification events
| (PID) Process: | (3500) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (3500) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (3500) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3500) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (3500) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (3500) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (3500) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\IDM_v6.42_B3_KiNGHaZe.zip | |||
| (PID) Process: | (3500) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (3500) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (3500) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
Executable files
49
Suspicious files
33
Text files
172
Unknown types
6
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3500 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3500.28884\Internet Download Manager 6.42 Build 3.exe | executable | |
MD5:EA7CB9561AE28EA39AB4A228C5C7974B | SHA256:4933C1BB9EB88F3A5B8A410519A23CA951996A4CFF25225CCCD5ABBDFFCE0DEF | |||
| 3500 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3500.28884\Full indir - Full İndir.Cafe - Program, Oyun, Film, Apk, Full İndirme Sitesi.url | url | |
MD5:D446418FAEC2843665CA84DB896A0B56 | SHA256:92C4D784BBCF578674808C596C17F73B7733F2E846818CBEBC88C15E897AA522 | |||
| 3488 | Internet Download Manager 6.42 Build 3.exe | C:\Kinghaze\Kur\IDM1.tmp | executable | |
MD5:B9BE2BB9B8141B80903CC2FE83BFE30B | SHA256:AB22A282915750E9D07DDBE300A7D4A3B23B69074A0311A1A5BA4FA2BEA48E7F | |||
| 3488 | Internet Download Manager 6.42 Build 3.exe | C:\Kinghaze\Kur\IDM101.tmp | text | |
MD5:F50ACF2F4AF9EA575B643576F3A190EF | SHA256:EA297E912D0CF36F2D973B9259BF8FABF622195D5481A11E7BD30967F213D950 | |||
| 3488 | Internet Download Manager 6.42 Build 3.exe | C:\Kinghaze\Kur\IDM105.tmp | text | |
MD5:748C5590939571E92A7C16AC702A74CA | SHA256:9145CFE47D32CF3E45840CE0344DA1D29810EF9D756ECDDAEBB803C59869E945 | |||
| 3488 | Internet Download Manager 6.42 Build 3.exe | C:\Kinghaze\Fixer.bat | text | |
MD5:78ABE55D9C080E77673D3606084638FE | SHA256:D97CE135813A9518DA60B431010D1CA9A2C6DA619E5C8B33AEAE841EDA75A1F2 | |||
| 3488 | Internet Download Manager 6.42 Build 3.exe | C:\Kinghaze\Kur\IDM0.tmp | html | |
MD5:72F74DFF454C0699064AFFB0C83F2C4D | SHA256:5D33C887646E950545772F37BB8A3518B1929B435655303D9DD22D5F936A5CD1 | |||
| 3488 | Internet Download Manager 6.42 Build 3.exe | C:\Kinghaze\Kur\IDM103.tmp | text | |
MD5:16E2DAB5D2473C59DEA2B2BD316517E8 | SHA256:07C8896550FBAA6E8FEC792E15D240DED0BCFFA258A928C1EFD8542FF0385511 | |||
| 3488 | Internet Download Manager 6.42 Build 3.exe | C:\Kinghaze\Kur\IDM102.tmp | text | |
MD5:A5F24E957E1C79AE5F0EDD0BB932A3D0 | SHA256:F02E6C6F71D07D992FF20F8E74A28AA5F89C8DEB6244B796DC897529BAE9EDF6 | |||
| 3500 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3500.28884\Full Program İndir Full Programlar İndir - Oyun İndir.url | url | |
MD5:7FCAE6AD0933E2EE9E39F2E99199CB95 | SHA256:F082F1A50DA8CC06A741387DB441AC6BB8676C9A1F90C7299B165F5150470189 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 224.0.0.252:5355 | — | — | — | unknown |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |