Analysis Overview
SHA256
a1529718abd47ec55ddf826be7046343df9dbb9624e535ad68a52f7c6392ac6a
Threat Level: Shows suspicious behavior
The file a1529718abd47ec55ddf826be7046343df9dbb9624e535ad68a52f7c6392ac6aN (the submitted filename; the trailing N is part of the name, not of the SHA256) received the verdict "Shows suspicious behavior".
Malicious Activity Summary
Reads user/profile data of web browsers
Checks computer location settings
Deletes itself
Executes dropped EXE
ACProtect 1.3x - 1.4x DLL software
Loads dropped DLL
Adds Run key to start application
UPX packed file
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-25 21:48
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-25 21:48
Reported
2024-10-25 21:50
Platform
win7-20240903-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
2 hits, no description, indicator, process or target recorded.
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exent_SDM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SDM143\\Free Ride Games.exe \"l 'Startup' u 'http://www.freeridegames.com/do/SDMGW?action=config&type=seoDD&contentId=%d' p '143' c '695650'\"" | C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe | N/A |
UPX packed file
8 hits, no description, indicator, process or target recorded.
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a1529718abd47ec55ddf826be7046343df9dbb9624e535ad68a52f7c6392ac6aN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a1529718abd47ec55ddf826be7046343df9dbb9624e535ad68a52f7c6392ac6aN.exe
"C:\Users\Admin\AppData\Local\Temp\a1529718abd47ec55ddf826be7046343df9dbb9624e535ad68a52f7c6392ac6aN.exe"
C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe
"C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe" "u 'http://www.freeridegames.com/do/SDMGW?action=config&type=seoDD&contentId=%d' p '143' c '695650' l 'Installer'"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
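The process list above is flattened, so it does not say which process spawned cmd.exe; the self-delete batch (`_uninsep.bat`) is assumed here to be launched by the original sample. The following is an added example, not part of the sandbox report: detection logic for the two behaviours the report attributes to this sample, a Run-key value whose data points into the user's %TEMP% tree, and cmd.exe running a .bat from %TEMP% for a parent that also lives there. The event records are constructed from the report's own registry and command lines, shaped like Sysmon Event ID 13 (registry value set) and Event ID 1 (process create); the PIDs are taken from the memory-dump names under Files (2472 for Free Ride Games.exe) except the cmd.exe PID, which is invented.

```python
"""Detection logic for the Run-key persistence and the %TEMP% self-delete
batch seen in this report. Added example; the events below are constructed
from the report, not captured telemetry.
"""
import re
from dataclasses import dataclass

TEMP_PATH = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# cmd /c followed by one or more quotes and then a .bat/.cmd path, as in
#   cmd /c ""C:\...\_uninsep.bat" "
BATCH_ARG = re.compile(r'/c\s+"+([^"]+\.(?:bat|cmd))"', re.IGNORECASE)


@dataclass
class Alert:
    rule: str
    pid: int
    detail: str


def check_registry_event(ev):
    """EID 13: Run/RunOnce value whose data launches something from %TEMP%."""
    if ev.get("EventID") != 13 or not RUN_KEY.search(ev.get("TargetObject", "")):
        return None
    details = ev.get("Details", "")
    if TEMP_PATH.search(details):
        return Alert("run_key_points_to_temp", ev["ProcessId"],
                     f'{ev["TargetObject"]} = {details}')
    return None


def check_process_event(ev):
    """EID 1: cmd.exe running a batch file from %TEMP% for a parent in %TEMP%."""
    if ev.get("EventID") != 1 or not ev.get("Image", "").lower().endswith("\\cmd.exe"):
        return None
    m = BATCH_ARG.search(ev.get("CommandLine", ""))
    if m and TEMP_PATH.search(m.group(1)) and TEMP_PATH.search(ev.get("ParentImage", "")):
        return Alert("temp_batch_from_temp_parent", ev["ProcessId"], m.group(1))
    return None


def run_detections(events):
    """Run every check over every event; returns the alerts in event order."""
    alerts = []
    for ev in events:
        for check in (check_registry_event, check_process_event):
            alert = check(ev)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed from the report (PID 2472 from the memory dumps; 3000 invented),
# plus two constructed benign controls that must not fire.
SAMPLE_EVENTS = [
    {
        "EventID": 13, "ProcessId": 2472,
        "Image": r"C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe",
        "TargetObject": r"\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000"
                        r"\Software\Microsoft\Windows\CurrentVersion\Run\Exent_SDM",
        "Details": r'''C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe "l 'Startup' u 'http://www.freeridegames.com/do/SDMGW?action=config&type=seoDD&contentId=%d' p '143' c '695650'"''',
    },
    {
        "EventID": 1, "ProcessId": 3000,
        "Image": r"C:\Windows\SysWOW64\cmd.exe",
        "CommandLine": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "',
        "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\a1529718abd47ec55ddf826be7046343df9dbb9624e535ad68a52f7c6392ac6aN.exe",
    },
    {
        "EventID": 13, "ProcessId": 4100,
        "TargetObject": r"\REGISTRY\USER\S-1-5-21-1-2-3-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
        "Details": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    },
    {
        "EventID": 1, "ProcessId": 4200,
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd /c "C:\Scripts\cleanup.bat"',
        "ParentImage": r"C:\Windows\System32\svchost.exe",
    },
]

if __name__ == "__main__":
    for a in run_detections(SAMPLE_EVENTS):
        print(a.rule, a.pid, a.detail)
```

The %TEMP% test is deliberately the only environment assumption; a Run value pointing at `AppData\Local\Microsoft\...` (the OneDrive control) does not fire, and a batch under `C:\Scripts` run for a system parent does not either.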
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.freeridegames.com | udp |
| US | 104.19.182.100:80 | www.freeridegames.com | tcp |
| US | 104.19.182.100:443 | www.freeridegames.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | img.exent.com | udp |
| US | 104.16.149.233:443 | img.exent.com | tcp |
| US | 8.8.8.8:53 | dts1.freeridegames.com | udp |
| US | 104.19.183.100:80 | dts1.freeridegames.com | tcp |
| US | 8.8.8.8:53 | cdn.exent.com | udp |
| US | 8.8.8.8:53 | images.scanalert.com | udp |
| US | 104.16.149.233:80 | cdn.exent.com | tcp |
| US | 104.16.149.233:80 | cdn.exent.com | tcp |
| GB | 3.162.20.116:80 | images.scanalert.com | tcp |
| US | 8.8.8.8:53 | b.scorecardresearch.com | udp |
| GB | 18.165.160.126:80 | b.scorecardresearch.com | tcp |
| GB | 142.250.180.14:80 | www.google-analytics.com | tcp |
| US | 104.16.149.233:80 | cdn.exent.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.18.190.135:80 | crl.microsoft.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\SDM143\ExentCtlInstaller.dll
| MD5 | 6b2044ea77b46bc03c4addd9400b4368 |
| SHA1 | 5640cc06fae6410deafc61db5412d053c2a76c93 |
| SHA256 | 7fb20aa347d5e2ef38e00c751306c6929766f69f53c9a5c4f30980a48e4caada |
| SHA512 | 65c79f432f3c087385253f6968b7542a50cdc3d9739fbbbaf7dc0cc8960a01a0cd6819c65a24b5daad0f0163cb4e035a0235b113a21a334c1f21a5519cd7a590 |
memory/2276-8-0x0000000010000000-0x0000000010060000-memory.dmp
\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe
| MD5 | cf1101b04dbd53e9034ea91e8c45c530 |
| SHA1 | 5b4f3272905924005e01af6f072ed031f5ca91e8 |
| SHA256 | 1baadc3b930973f0784bab0aadbd727a1c2fbfa2145d0430aaa9f68a7a67954e |
| SHA512 | d7aed0da5bcc5d09deddc149522e1cf6129c34fae416a74912203e5620013725bd78530342d018b2661de70b7c4b58629709a2c3d19eacca5f07ca335501dd15 |
memory/2276-12-0x0000000003FB0000-0x00000000040B9000-memory.dmp
memory/2276-22-0x0000000003FB0000-0x00000000040B9000-memory.dmp
memory/2472-32-0x0000000000400000-0x0000000000509000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uninsep.bat
| MD5 | a17d97b03fb8499a051214494abb065f |
| SHA1 | bfcc6006018ba9fa44d12f7adf18b72fa3fdc735 |
| SHA256 | 06b0feea86b87216384e2f3915aac8145e9ce0738b2d8a96b1827dadd9ab69a9 |
| SHA512 | 8fad4cb9cde03c0dbd5fc4d31f456b427d2f29511ad300f84a5b76eb111fbddcaaa5d6c8e7f717cff613950d1d64076b87bc25c6e494e9d9d229c9fc339fed5d |
C:\Users\Admin\AppData\Local\Temp\SDM143\resourceDll.dll
| MD5 | 0a05daecdacd937c3af053a994a9fae3 |
| SHA1 | 773398736b3d70486e6a8c42cf36b17bd3802e9a |
| SHA256 | cb083188b612e549ad5b4bd2d2001059a2883d6e58c48be66423e4a999460a39 |
| SHA512 | d4b3b10a36805e9ea448097cb280f86de80b05c0436b8d5eca1908d210177d69db3fda1dd150a20b1f13ca77e62fce8432d9123443dfb03f0b97bc9a81bba8c6 |
memory/2472-36-0x0000000010000000-0x0000000010055000-memory.dmp
memory/2472-40-0x0000000010000000-0x0000000010055000-memory.dmp
memory/2472-145-0x0000000000400000-0x0000000000509000-memory.dmp
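The Run-key row in the Signatures section prints the value data with escaped backslashes and escaped inner quotes, and the installer command line in the process list carries the same `u`/`p`/`c` arguments with a different `l` mode. The following is an added example, not part of the sandbox report, that decodes those strings and collects the dropped-file hashes and a subset of the network rows (all copied from the behavioral1 section above) into one IOC set. The BACKGROUND_DOMAINS list, which drops certificate/CRL fetches from the contacted-endpoint list, is an assumption to be tuned per environment.

```python
"""Turn this report's Run-key indicator, installer command line, dropped-file
hashes and network rows into a machine-readable IOC set. Added example; all
input strings are copied from the report's behavioral1 section.
"""
import re
from urllib.parse import urlparse

# Copied from the "Adds Run key to start application" row.
RUN_KEY_ROW = (
    r"\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000"
    r"\Software\Microsoft\Windows\CurrentVersion\Run\Exent_SDM = "
    r'"C:\\Users\\Admin\\AppData\\Local\\Temp\\SDM143\\Free Ride Games.exe '
    r'''\"l 'Startup' u 'http://www.freeridegames.com/do/SDMGW?action=config&type=seoDD&contentId=%d' p '143' c '695650'\""'''
)
# Copied from the Processes list.
INSTALLER_CMDLINE = r'''"C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe" "u 'http://www.freeridegames.com/do/SDMGW?action=config&type=seoDD&contentId=%d' p '143' c '695650' l 'Installer'"'''

# Copied from the Files section (SHA256 only).
DROPPED_FILES = {
    r"C:\Users\Admin\AppData\Local\Temp\SDM143\ExentCtlInstaller.dll": "7fb20aa347d5e2ef38e00c751306c6929766f69f53c9a5c4f30980a48e4caada",
    r"C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe": "1baadc3b930973f0784bab0aadbd727a1c2fbfa2145d0430aaa9f68a7a67954e",
    r"C:\Users\Admin\AppData\Local\Temp\_uninsep.bat": "06b0feea86b87216384e2f3915aac8145e9ce0738b2d8a96b1827dadd9ab69a9",
    r"C:\Users\Admin\AppData\Local\Temp\SDM143\resourceDll.dll": "cb083188b612e549ad5b4bd2d2001059a2883d6e58c48be66423e4a999460a39",
}
# A subset of the Network table rows: (country, destination, domain, proto).
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "www.freeridegames.com", "udp"),
    ("US", "104.19.182.100:80", "www.freeridegames.com", "tcp"),
    ("US", "104.19.182.100:443", "www.freeridegames.com", "tcp"),
    ("US", "8.8.8.8:53", "c.pki.goog", "udp"),
    ("GB", "142.250.180.3:80", "c.pki.goog", "tcp"),
    ("US", "104.16.149.233:443", "img.exent.com", "tcp"),
    ("US", "104.19.183.100:80", "dts1.freeridegames.com", "tcp"),
    ("US", "104.16.149.233:80", "cdn.exent.com", "tcp"),
    ("US", "104.16.149.233:80", "cdn.exent.com", "tcp"),
    ("US", "8.8.8.8:53", "100.182.19.104.in-addr.arpa", "udp"),
    ("GB", "2.18.190.135:80", "crl.microsoft.com", "tcp"),
]
# Assumption: certificate/CRL fetches are background noise, not sample infrastructure.
BACKGROUND_DOMAINS = frozenset({"c.pki.goog", "crl.microsoft.com"})

# <exe> or "<exe>", then one quoted block of k 'v' pairs.
LAUNCH = re.compile(r'^"?(?P<exe>[^"]+?\.exe)"?\s+"(?P<args>.*)"$')
ARG = re.compile(r"(\w+) '([^']*)'")


def parse_launch(cmdline):
    """Split an Exent-style launch string into (image path, {flag: value})."""
    m = LAUNCH.match(cmdline)
    if not m:
        raise ValueError(f"unrecognised launch string: {cmdline!r}")
    return m.group("exe"), dict(ARG.findall(m.group("args")))


def parse_run_key_row(row):
    """Decode a sandbox Run-key row: key path, value name, and the unescaped data."""
    key, _, data = row.partition(" = ")
    key_path, _, value_name = key.rpartition("\\")
    data = data.strip()
    if data.startswith('"') and data.endswith('"'):
        data = data[1:-1]
    decoded = re.sub(r'\\(["\\])', r'\1', data)  # \\ -> \ and \" -> "
    exe, args = parse_launch(decoded)
    return {"key": key_path, "value": value_name, "exe": exe, "args": args}


def contacted_endpoints(rows, background=BACKGROUND_DOMAINS):
    """Unique (dest, proto) per domain, skipping DNS, reverse lookups and background hosts."""
    endpoints = {}
    for _country, dest, domain, proto in rows:
        if dest.endswith(":53") or domain.endswith(".in-addr.arpa") or domain in background:
            continue
        endpoints.setdefault(domain, set()).add((dest, proto))
    return endpoints


def build_ioc_set():
    run = parse_run_key_row(RUN_KEY_ROW)
    _, installer_args = parse_launch(INSTALLER_CMDLINE)
    keys = ("u", "p", "c")
    return {
        "persistence": {"key": run["key"], "value": run["value"],
                        "image": run["exe"], "mode": run["args"]["l"]},
        "installer_mode": installer_args["l"],
        "same_config": {k: run["args"][k] for k in keys} == {k: installer_args[k] for k in keys},
        "config_host": urlparse(run["args"]["u"]).hostname,
        "dropped_sha256": sorted(DROPPED_FILES.values()),
        "endpoints": contacted_endpoints(NETWORK_ROWS),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_ioc_set(), indent=2, default=sorted))
```

The `same_config` flag is the analytically useful output: the Run value re-launches the dropped binary with the identical config URL, `p` and `c` parameters as the installer invocation, changing only `l` from `Installer` to `Startup`.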
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-25 21:48
Reported
2024-10-25 21:50
Platform
win10v2004-20241007-en
Max time kernel
112s
Max time network
116s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
2 hits, no description, indicator, process or target recorded.
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a1529718abd47ec55ddf826be7046343df9dbb9624e535ad68a52f7c6392ac6aN.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a1529718abd47ec55ddf826be7046343df9dbb9624e535ad68a52f7c6392ac6aN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exent_SDM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SDM143\\Free Ride Games.exe \"l 'Startup' u 'http://www.freeridegames.com/do/SDMGW?action=config&type=seoDD&contentId=%d' p '143' c '695650'\"" | C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe | N/A |
UPX packed file
9 hits, no description, indicator, process or target recorded.
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a1529718abd47ec55ddf826be7046343df9dbb9624e535ad68a52f7c6392ac6aN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a1529718abd47ec55ddf826be7046343df9dbb9624e535ad68a52f7c6392ac6aN.exe
"C:\Users\Admin\AppData\Local\Temp\a1529718abd47ec55ddf826be7046343df9dbb9624e535ad68a52f7c6392ac6aN.exe"
C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe
"C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe" "u 'http://www.freeridegames.com/do/SDMGW?action=config&type=seoDD&contentId=%d' p '143' c '695650' l 'Installer'"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.108.222.173.in-addr.arpa | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.freeridegames.com | udp |
| US | 104.19.182.100:80 | www.freeridegames.com | tcp |
| US | 104.19.182.100:443 | www.freeridegames.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 100.182.19.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | img.exent.com | udp |
| US | 104.16.148.233:443 | img.exent.com | tcp |
| US | 8.8.8.8:53 | 233.148.16.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.108.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\SDM143\ExentCtlInstaller.dll
| MD5 | 6b2044ea77b46bc03c4addd9400b4368 |
| SHA1 | 5640cc06fae6410deafc61db5412d053c2a76c93 |
| SHA256 | 7fb20aa347d5e2ef38e00c751306c6929766f69f53c9a5c4f30980a48e4caada |
| SHA512 | 65c79f432f3c087385253f6968b7542a50cdc3d9739fbbbaf7dc0cc8960a01a0cd6819c65a24b5daad0f0163cb4e035a0235b113a21a334c1f21a5519cd7a590 |
memory/2216-9-0x0000000010000000-0x0000000010060000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SDM143\Free Ride Games.exe
| MD5 | cf1101b04dbd53e9034ea91e8c45c530 |
| SHA1 | 5b4f3272905924005e01af6f072ed031f5ca91e8 |
| SHA256 | 1baadc3b930973f0784bab0aadbd727a1c2fbfa2145d0430aaa9f68a7a67954e |
| SHA512 | d7aed0da5bcc5d09deddc149522e1cf6129c34fae416a74912203e5620013725bd78530342d018b2661de70b7c4b58629709a2c3d19eacca5f07ca335501dd15 |
memory/4616-20-0x0000000000400000-0x0000000000509000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uninsep.bat
| MD5 | a17d97b03fb8499a051214494abb065f |
| SHA1 | bfcc6006018ba9fa44d12f7adf18b72fa3fdc735 |
| SHA256 | 06b0feea86b87216384e2f3915aac8145e9ce0738b2d8a96b1827dadd9ab69a9 |
| SHA512 | 8fad4cb9cde03c0dbd5fc4d31f456b427d2f29511ad300f84a5b76eb111fbddcaaa5d6c8e7f717cff613950d1d64076b87bc25c6e494e9d9d229c9fc339fed5d |
C:\Users\Admin\AppData\Local\Temp\SDM143\resourceDll.dll
| MD5 | 0a05daecdacd937c3af053a994a9fae3 |
| SHA1 | 773398736b3d70486e6a8c42cf36b17bd3802e9a |
| SHA256 | cb083188b612e549ad5b4bd2d2001059a2883d6e58c48be66423e4a999460a39 |
| SHA512 | d4b3b10a36805e9ea448097cb280f86de80b05c0436b8d5eca1908d210177d69db3fda1dd150a20b1f13ca77e62fce8432d9123443dfb03f0b97bc9a81bba8c6 |
memory/4616-27-0x0000000010000000-0x0000000010055000-memory.dmp
memory/4616-30-0x0000000010000000-0x0000000010055000-memory.dmp
memory/4616-32-0x0000000010000000-0x0000000010055000-memory.dmp
memory/4616-82-0x0000000000400000-0x0000000000509000-memory.dmp
memory/4616-83-0x0000000010000000-0x0000000010055000-memory.dmp