Analysis
- max time kernel: 92s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 23-05-2022 20:56
Static task: static1
Behavioral task: behavioral1
  Sample: 013dc3972c67585749e962b4caebeaf6e4e9592b3d1027601abe43eb314823be.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 013dc3972c67585749e962b4caebeaf6e4e9592b3d1027601abe43eb314823be.exe
  Resource: win10v2004-20220414-en
General
- Target: 013dc3972c67585749e962b4caebeaf6e4e9592b3d1027601abe43eb314823be.exe
- Size: 1.1MB
- MD5: 49c82d258a5fd1f9c63f429a467bb3b9
- SHA1: 52716ade1a03abb9896f538ca904f4336259ca06
- SHA256: 013dc3972c67585749e962b4caebeaf6e4e9592b3d1027601abe43eb314823be
- SHA512: 18ae3b139170eab0d3b0e5bf3e06e908cfad9cbf2b99798374280f3f8ee363620fa717deed8f8274ad396652e35f7514228f5cce2e301bdcc76114062f0b7167
Malware Config
Signatures
-
ACProtect 1.3x - 1.4x DLL software 4 IoCs
Detects file using ACProtect software.
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\SDM143\resourceDll.dll | acprotect
  C:\Users\Admin\AppData\Local\Temp\SDM143\resourceDll.dll | acprotect
  C:\Users\Admin\AppData\Local\Temp\SDM143\resourceDll.dll | acprotect
  C:\Users\Admin\AppData\Local\Temp\SDM143\resourceDll.dll | acprotect
-
Executes dropped EXE 2 IoCs
Processes:
  pid | process
  4540 | Free Ride Games.exe
  3328 | cmhelper.exe
-
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe | upx
  C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe | upx
  C:\Users\Admin\AppData\Local\Temp\SDM143\resourceDll.dll | upx
  C:\Users\Admin\AppData\Local\Temp\SDM143\resourceDll.dll | upx
  C:\Users\Admin\AppData\Local\Temp\SDM143\resourceDll.dll | upx
  C:\Users\Admin\AppData\Local\Temp\SDM143\resourceDll.dll | upx
-
Loads dropped DLL 5 IoCs
Processes:
  pid | process
  2996 | 013dc3972c67585749e962b4caebeaf6e4e9592b3d1027601abe43eb314823be.exe
  2996 | 013dc3972c67585749e962b4caebeaf6e4e9592b3d1027601abe43eb314823be.exe
  4540 | Free Ride Games.exe
  4540 | Free Ride Games.exe
  4540 | Free Ride Games.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exent_SDM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SDM143\\Free Ride Games.exe \"l 'Startup' u 'http://www.freeridegames.com/spdo/feeds/sdmConfig?camp=%s&serviceId=143&gameId=%d' p '143' c '830950' m playfincom\"" | Free Ride Games.exe
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description | ioc | process
  File opened (read-only) | \??\A: | Free Ride Games.exe
  File opened (read-only) | \??\B: | Free Ride Games.exe
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
  description | ioc | process
  File opened for modification | \??\PhysicalDrive0 | Free Ride Games.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | Free Ride Games.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | Free Ride Games.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
  pid | process
  4540 | Free Ride Games.exe
  4540 | Free Ride Games.exe
  4540 | Free Ride Games.exe
  4540 | Free Ride Games.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
  description | pid | process | target process
  PID 2996 wrote to memory of 4540 | 2996 | 013dc3972c67585749e962b4caebeaf6e4e9592b3d1027601abe43eb314823be.exe | Free Ride Games.exe
  PID 2996 wrote to memory of 4540 | 2996 | 013dc3972c67585749e962b4caebeaf6e4e9592b3d1027601abe43eb314823be.exe | Free Ride Games.exe
  PID 2996 wrote to memory of 4540 | 2996 | 013dc3972c67585749e962b4caebeaf6e4e9592b3d1027601abe43eb314823be.exe | Free Ride Games.exe
  PID 4540 wrote to memory of 3328 | 4540 | Free Ride Games.exe | cmhelper.exe
  PID 4540 wrote to memory of 3328 | 4540 | Free Ride Games.exe | cmhelper.exe
  PID 4540 wrote to memory of 3328 | 4540 | Free Ride Games.exe | cmhelper.exe
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\013dc3972c67585749e962b4caebeaf6e4e9592b3d1027601abe43eb314823be.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\013dc3972c67585749e962b4caebeaf6e4e9592b3d1027601abe43eb314823be.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe" "u 'http://www.freeridegames.com/spdo/feeds/sdmConfig?camp=%s&serviceId=143&gameId=%d' p '143' c '830950' m 'playfincom' t '0' l 'Default'"
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Enumerates connected drives
    - Writes to the Master Boot Record (MBR)
    - Checks processor information in registry
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
      Command line: read
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\LocalLow\Temp\ietemp1.dat
  Filesize: 23B
  MD5: 4174cb800274e3c271f7e53ae1b9ae35
  SHA1: 6ac0ca77eef3b68c8db3349f1ceb0c8083450642
  SHA256: d5e0a12b015868fdafdbdcef807fee6bf17e326db04c64079833e829bf34112e
  SHA512: c73823299a4706ad1feec4497c1e01c598beebe5679a1bbae2cfa6305b282f719c5c14c1fbc3d982db111cda6cdcc7721f22880391155ae9112f6b5f1cdb7cdd
-
C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe
  Filesize: 484KB
  MD5: 309db45f13ce00636a6be758f2918fb3
  SHA1: 35b7e774c65921dd462adedca86b69318d9caf7e
  SHA256: 0f49b2c46f7e4ce36f51b404e88ebc7ae4f2c39e8341616b950c847e175d1607
  SHA512: ad0cd74c6b6f49aa313aa31dd403373f123de5e50fcb1f38cd4ef0e8395b7e34b824df9e9941ca26791c6ff34b39d5b7eef6e989f6e9bf826243977091e07f9d
-
C:\Users\Admin\AppData\Local\Temp\SDM143\Splasher.dll
  Filesize: 469KB
  MD5: a6a8f89250cdc734a163868a0f5cccea
  SHA1: 6ab06aaf1e795bc1a72c8095708568cf2d3bed38
  SHA256: 7868cec689ba10bb6d8a5a1abc0508183b817e5814fc504e090e104dd7d37483
  SHA512: 7991d28467ee0a896e304d18c7fc4caac9e9ac2f57198313d5688ddc68e22ae80447c92a097b5e4ed6ff86a90df607ff1ffa61c07082f85b5f222b07aa4a7ca2
-
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe
  Filesize: 188KB
  MD5: 6d6f40b115a06e567d7afd9bcb9c8768
  SHA1: 10ed638c6f21776b765903d55af5d221d6cd31eb
  SHA256: 04a3855742de174620275974086c8210302e423e2fd0dbf9c79108331847480d
  SHA512: 80199f62b0b0de27209f76ab08819d4f3352d6ce27849220b6ea000268d8ef52eb466dbdabc094a0dd8a735cd13c518ecea67dc2db14a38ff451fb9ae1130938
-
C:\Users\Admin\AppData\Local\Temp\SDM143\resourceDll.dll
  Filesize: 169KB
  MD5: 27ba023f02e33e673b935d9dc7200f7e
  SHA1: 9797b23f3bf148128e7f3db3734c3cbb41d0fb7c
  SHA256: 4c1850aec3e50a0a76f2f99cc4b4b888b0fb771076f3cc0e3c897026db2b8a6a
  SHA512: 41cc768ee41c4c02b04aab81a3b37d1733e74397d362d01aedc41f453378ba4fe230cc1e313e79cb4e24c16b693bcf5fdc7fd386ce75e715c4cf21c445155288
-
C:\Users\Admin\AppData\Local\Temp\nsh31B0.tmp\System.dll
  Filesize: 11KB
  MD5: a436db0c473a087eb61ff5c53c34ba27
  SHA1: 65ea67e424e75f5065132b539c8b2eda88aa0506
  SHA256: 75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49
  SHA512: 908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d
- memory/3328-139-0x0000000000000000-mapping.dmp
- memory/4540-132-0x0000000000000000-mapping.dmp