Overview
overview
7Static
static
7cf3e09bef6...cs.exe
windows7-x64
7cf3e09bef6...cs.exe
windows10-2004-x64
7$PLUGINSDI...el.dll
windows7-x64
7$PLUGINSDI...el.dll
windows10-2004-x64
7$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...ec.dll
windows7-x64
3$PLUGINSDI...ec.dll
windows10-2004-x64
3$TEMP/SDM1...er.dll
windows7-x64
7$TEMP/SDM1...er.dll
windows10-2004-x64
7$TEMP/SDM1...es.exe
windows7-x64
7$TEMP/SDM1...es.exe
windows10-2004-x64
7$TEMP/SDM1...er.dll
windows7-x64
1$TEMP/SDM1...er.dll
windows10-2004-x64
3$TEMP/SDM1...er.exe
windows7-x64
1$TEMP/SDM1...er.exe
windows10-2004-x64
1$TEMP/SDM1...ll.dll
windows7-x64
7$TEMP/SDM1...ll.dll
windows10-2004-x64
7Analysis
-
max time kernel
142s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
15/05/2024, 11:14
Behavioral task
behavioral1
Sample
cf3e09bef6f2edc09d019ae7ae23ca60_NeikiAnalytics.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
cf3e09bef6f2edc09d019ae7ae23ca60_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/SelfDel.dll
Resource
win7-20240419-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/SelfDel.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/nsExec.dll
Resource
win7-20240220-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
$TEMP/SDM143/ExentCtlInstaller.dll
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
$TEMP/SDM143/ExentCtlInstaller.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
$TEMP/SDM143/Free Ride Games.exe
Resource
win7-20240508-en
Behavioral task
behavioral12
Sample
$TEMP/SDM143/Free Ride Games.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral13
Sample
$TEMP/SDM143/Splasher.dll
Resource
win7-20240508-en
Behavioral task
behavioral14
Sample
$TEMP/SDM143/Splasher.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral15
Sample
$TEMP/SDM143/cmhelper.exe
Resource
win7-20240220-en
Behavioral task
behavioral16
Sample
$TEMP/SDM143/cmhelper.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral17
Sample
$TEMP/SDM143/resourceDll.dll
Resource
win7-20240508-en
Behavioral task
behavioral18
Sample
$TEMP/SDM143/resourceDll.dll
Resource
win10v2004-20240426-en
General
-
Target
cf3e09bef6f2edc09d019ae7ae23ca60_NeikiAnalytics.exe
-
Size
1.2MB
-
MD5
cf3e09bef6f2edc09d019ae7ae23ca60
-
SHA1
1a14b7d2639dd79c9e994d0b0b50154533051cf9
-
SHA256
283cdf597f0f1956b187870443ba3354efea512d72a52f56c535c61334c21b6a
-
SHA512
841f18b0f9157f580a5eef4224d5d9350300b8d1f9d45f9c5583065fe3ade296b8895e38a046d37ca5d3f898c96b2a948a0ca8d9a8f5bf989e412579a1a4c596
-
SSDEEP
24576:vsX2vzpbZGaKBVlEn+f3VgikCFkJ9k4i/izgNwMqfQN+Qfsqr:EGvz7GfY+f3VOCiJS46iwwMqqB0qr
Malware Config
Signatures
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral1/files/0x0006000000015e6d-47.dat acprotect -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/files/0x0006000000015d44-40.dat upx behavioral1/memory/2672-45-0x0000000000400000-0x0000000000564000-memory.dmp upx behavioral1/memory/2072-44-0x0000000003580000-0x00000000036E4000-memory.dmp upx behavioral1/files/0x0006000000015e6d-47.dat upx behavioral1/memory/2672-51-0x0000000010000000-0x000000001009F000-memory.dmp upx behavioral1/memory/2672-53-0x0000000010000000-0x000000001009F000-memory.dmp upx behavioral1/memory/2672-153-0x0000000000400000-0x0000000000564000-memory.dmp upx behavioral1/memory/2672-156-0x0000000000400000-0x0000000000564000-memory.dmp upx behavioral1/memory/2672-157-0x0000000000400000-0x0000000000564000-memory.dmp upx behavioral1/memory/2672-159-0x0000000000400000-0x0000000000564000-memory.dmp upx behavioral1/memory/2672-161-0x0000000000400000-0x0000000000564000-memory.dmp upx behavioral1/memory/2672-163-0x0000000000400000-0x0000000000564000-memory.dmp upx behavioral1/memory/2672-165-0x0000000000400000-0x0000000000564000-memory.dmp upx behavioral1/memory/2672-167-0x0000000000400000-0x0000000000564000-memory.dmp upx behavioral1/memory/2672-169-0x0000000000400000-0x0000000000564000-memory.dmp upx behavioral1/memory/2672-171-0x0000000000400000-0x0000000000564000-memory.dmp upx behavioral1/memory/2672-173-0x0000000000400000-0x0000000000564000-memory.dmp upx behavioral1/memory/2672-175-0x0000000000400000-0x0000000000564000-memory.dmp upx behavioral1/memory/2672-177-0x0000000000400000-0x0000000000564000-memory.dmp upx behavioral1/memory/2672-179-0x0000000000400000-0x0000000000564000-memory.dmp upx behavioral1/memory/2672-181-0x0000000000400000-0x0000000000564000-memory.dmp upx -
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\A: Free Ride Games.exe File opened (read-only) \??\B: Free Ride Games.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 Free Ride Games.exe -
Executes dropped EXE 13 IoCs
pid Process 2672 Free Ride Games.exe 2960 cmhelper.exe 2620 cmhelper.exe 2760 cmhelper.exe 2812 cmhelper.exe 2280 cmhelper.exe 1752 cmhelper.exe 908 cmhelper.exe 2708 cmhelper.exe 2616 cmhelper.exe 788 cmhelper.exe 1440 cmhelper.exe 2440 cmhelper.exe -
Loads dropped DLL 18 IoCs
pid Process 2072 cf3e09bef6f2edc09d019ae7ae23ca60_NeikiAnalytics.exe 2072 cf3e09bef6f2edc09d019ae7ae23ca60_NeikiAnalytics.exe 2072 cf3e09bef6f2edc09d019ae7ae23ca60_NeikiAnalytics.exe 2672 Free Ride Games.exe 2672 Free Ride Games.exe 2672 Free Ride Games.exe 2672 Free Ride Games.exe 2672 Free Ride Games.exe 2620 cmhelper.exe 2672 Free Ride Games.exe 2672 Free Ride Games.exe 2280 cmhelper.exe 2672 Free Ride Games.exe 2672 Free Ride Games.exe 2708 cmhelper.exe 2672 Free Ride Games.exe 2672 Free Ride Games.exe 1440 cmhelper.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Free Ride Games.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Free Ride Games.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main Free Ride Games.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2672 Free Ride Games.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 2672 Free Ride Games.exe 2672 Free Ride Games.exe 2672 Free Ride Games.exe 2672 Free Ride Games.exe -
Suspicious use of WriteProcessMemory 36 IoCs
description pid Process procid_target PID 2072 wrote to memory of 2672 2072 cf3e09bef6f2edc09d019ae7ae23ca60_NeikiAnalytics.exe 28 PID 2072 wrote to memory of 2672 2072 cf3e09bef6f2edc09d019ae7ae23ca60_NeikiAnalytics.exe 28 PID 2072 wrote to memory of 2672 2072 cf3e09bef6f2edc09d019ae7ae23ca60_NeikiAnalytics.exe 28 PID 2072 wrote to memory of 2672 2072 cf3e09bef6f2edc09d019ae7ae23ca60_NeikiAnalytics.exe 28 PID 2672 wrote to memory of 2960 2672 Free Ride Games.exe 29 PID 2672 wrote to memory of 2960 2672 Free Ride Games.exe 29 PID 2672 wrote to memory of 2960 2672 Free Ride Games.exe 29 PID 2672 wrote to memory of 2960 2672 Free Ride Games.exe 29 PID 2620 wrote to memory of 2760 2620 cmhelper.exe 31 PID 2620 wrote to memory of 2760 2620 cmhelper.exe 31 PID 2620 wrote to memory of 2760 2620 cmhelper.exe 31 PID 2620 wrote to memory of 2760 2620 cmhelper.exe 31 PID 2672 wrote to memory of 2812 2672 Free Ride Games.exe 32 PID 2672 wrote to memory of 2812 2672 Free Ride Games.exe 32 PID 2672 wrote to memory of 2812 2672 Free Ride Games.exe 32 PID 2672 wrote to memory of 2812 2672 Free Ride Games.exe 32 PID 2280 wrote to memory of 1752 2280 cmhelper.exe 34 PID 2280 wrote to memory of 1752 2280 cmhelper.exe 34 PID 2280 wrote to memory of 1752 2280 cmhelper.exe 34 PID 2280 wrote to memory of 1752 2280 cmhelper.exe 34 PID 2672 wrote to memory of 908 2672 Free Ride Games.exe 35 PID 2672 wrote to memory of 908 2672 Free Ride Games.exe 35 PID 2672 wrote to memory of 908 2672 Free Ride Games.exe 35 PID 2672 wrote to memory of 908 2672 Free Ride Games.exe 35 PID 2708 wrote to memory of 2616 2708 cmhelper.exe 37 PID 2708 wrote to memory of 2616 2708 cmhelper.exe 37 PID 2708 wrote to memory of 2616 2708 cmhelper.exe 37 PID 2708 wrote to memory of 2616 2708 cmhelper.exe 37 PID 2672 wrote to memory of 788 2672 Free Ride Games.exe 38 PID 2672 wrote to memory of 788 2672 Free Ride Games.exe 38 PID 2672 wrote to memory of 788 2672 Free Ride Games.exe 38 PID 2672 wrote to memory of 788 2672 Free Ride Games.exe 38 PID 1440 wrote to memory of 2440 1440 cmhelper.exe 40 PID 1440 wrote to memory of 2440 1440 cmhelper.exe 40 PID 1440 wrote to memory of 2440 1440 cmhelper.exe 40 PID 1440 wrote to memory of 2440 1440 cmhelper.exe 40
Processes
-
C:\Users\Admin\AppData\Local\Temp\cf3e09bef6f2edc09d019ae7ae23ca60_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\cf3e09bef6f2edc09d019ae7ae23ca60_NeikiAnalytics.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe"C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe" "u 'http://www.freeridegames.com/spdo/feeds/sdmConfig?camp=%s&serviceId=143&gameId=%d' p '143' c '585550' m 'seoDD' t '0' l 'Default'"2⤵
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exeUPR3⤵
- Executes dropped EXE
PID:2960
-
-
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exeUPW3⤵
- Executes dropped EXE
PID:2812
-
-
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exeUPW3⤵
- Executes dropped EXE
PID:908
-
-
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exeUPW3⤵
- Executes dropped EXE
PID:788
-
-
-
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe"C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe" PR1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exeR2⤵
- Executes dropped EXE
PID:2760
-
-
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe"C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe" PW1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exeW2⤵
- Executes dropped EXE
PID:1752
-
-
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe"C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe" PW1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exeW2⤵
- Executes dropped EXE
PID:2616
-
-
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe"C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exe" PW1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1440 -
C:\Users\Admin\AppData\Local\Temp\SDM143\cmhelper.exeW2⤵
- Executes dropped EXE
PID:2440
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
23B
MD54174cb800274e3c271f7e53ae1b9ae35
SHA16ac0ca77eef3b68c8db3349f1ceb0c8083450642
SHA256d5e0a12b015868fdafdbdcef807fee6bf17e326db04c64079833e829bf34112e
SHA512c73823299a4706ad1feec4497c1e01c598beebe5679a1bbae2cfa6305b282f719c5c14c1fbc3d982db111cda6cdcc7721f22880391155ae9112f6b5f1cdb7cdd
-
Filesize
115B
MD5cfa86d99a63e54128204fbb4a3c036cf
SHA1b7ed81965e78e5383aa7ae73c0a6130a5658af38
SHA25652d4d76788999a904252d8049a335c7e78b789f6ec639fc57d9242c69012db98
SHA5126fe2576626b5336d90b9a2f10e85e2df4a23f2cd6683f5ed2d51e4735880eac0af91fa3e92bea2f944aed145e74e9372e3dcbebf2974bbb038102557491c38cc
-
Filesize
232B
MD59b793375c56020539f12ee1f1793b480
SHA112c73c14d0eb5df529b5d157d6073529fb8dc2e6
SHA256b5372f6dfb0bacdad7c0c9dfdc53f1224b5c01accabc374ad141c5402d21aba8
SHA512496eec1aa1b4009ed595ca1752e5382ba3312a77617de101c5338843a101a38d82df8742780852ec200aa4e9e7f1ed9a239f2aab8d6960b466728e9a9162205a
-
Filesize
347B
MD5c4aa297f6d02e0da61a7e4201f557a7f
SHA17f34db9aec9af5554aa84de354b5b42a918ce80d
SHA256db75832984370a33ca7dbe580f57f9cc65f34d45b4e75f608564410644eafaae
SHA5123252f8ac8421416bc4d33b71c087fc43c0256e2d7856783fdb74427d76bf6bfae340b7e19ee47d577faa221cb3d2009a7822e6545b5e7912db72027778dfcf69
-
Filesize
234KB
MD551d301714c7361192d6305f6c46d90d1
SHA1f546aac6dfab1187228df393e0db2c21e4fee1d0
SHA256c9245047b86f8359a7f313434b85af481008e8cdf9579fd55aff8b8fbfb5ebcb
SHA5129b6149c9c099f9cea3d574723d9ff6678d4f91ae7408349738a999d4986ce3cb7b4886f2972f6f1d3b27f7f7453a764f05c50d383f7054234b4ae55437d369b6
-
Filesize
320B
MD5bb5cbfae59df24dd68f287e4b1578b4a
SHA141249166e72b98c987df868f3a4c28fb64ef25a0
SHA256ea35ade3193938f8da18a6e7b8963115d534f4fa4010869f0dc4819061203b8c
SHA512dde49626ac89d8119460524a65d8487a207eb5243650439f745fb745672179ce802f7340123e60a0230a5670ce3b80c1246d4ec525f55623a36253e755076525
-
Filesize
519KB
MD52db35d715864b8846f21dc95756171e0
SHA1ed9030449256bd21e4f041961fb27bbbeddd7fff
SHA256854bb62475a4b700a7ec49651610d050f1651491d0148c4bd4928b18bdc0436b
SHA51265b62a0450a60f736af6ac42d6bec252160feac0681cc6319cbd32e76d631a4ea6d206dd62cee5cc00dd22e3de8dbf042024caa22d4288f8b932276f7b93898f
-
Filesize
475KB
MD541d94c8eb8cb17e04f8ec6e14132f9ca
SHA1add92b031eb36b26335763780df88bca58636ed7
SHA2562e522a4da2c291ebcde484b4a04a6ef0691a732b9db454f12399d3e577327c96
SHA5120561594d671cc64717463d59e2f076453614584ccdd47b4a39cd347e9999ba63463233c75dd9972102a2634b1abfe6c97fa8f682d944bc5cf129724b7595faa7
-
Filesize
171KB
MD55cf0fba9e8775382233c8e63e52c838a
SHA1b2a092f71eff0f6916652d7f3bfde9204eda5636
SHA2567d940af8950b106227539cd4bdfb62f2d37a4abeaf568ebe2275fd31058c2ca5
SHA51273489e3638b98ffd7bd516bfed519cfd48758aaaedc11cb202d11822cad609caf9af95e9e864bd8a992be826945e6d018ce081f3970511fd49d7757ca6affd25
-
Filesize
11KB
MD5a436db0c473a087eb61ff5c53c34ba27
SHA165ea67e424e75f5065132b539c8b2eda88aa0506
SHA25675ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49
SHA512908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d