86812eaf4cfc634f78fc757e5bd92a1562679f892a4c3afe87c673bc2d3dfa2e

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03-02-2024 04:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe
Size

7.3MB
MD5

6cd1d2e97532ba4b38930fdb67cc0e36
SHA1

9c79f624643117c71cdcd8203b2bd530339dd3c4
SHA256

86812eaf4cfc634f78fc757e5bd92a1562679f892a4c3afe87c673bc2d3dfa2e
SHA512

271cbe2c8a88f0b8935b831541e97996596eee31b976759e85dc9bbf7bfc0aef89836e7538ce73c245d451eed86322732d44ab8b77e592f7ddd906e65a2199d3
SSDEEP

196608:FEthOxzH3FY4gA/yN8eA+QDt3BcE24PJP1ruUl:FEKzH1YPAJ/5B+4XZl

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
3060	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\funshion.ini	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe
File opened for modification	C:\Windows\SysWOW64\funshion.ini	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B87BEB7B-8D29-423F-AE4D-6582C10175AC}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{E436EB85-524F-11CE-9F53-0020AF0BA770}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DA08500-9EDC-11CF-BC10-00AA00AC74F6}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A2-7548-11CF-A520-0080C77EF58A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{336475D0-942A-11CE-A870-00AA002FEAB5}\FriendlyName = "MPEG-I Stream Splitter"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF49D4E0-1115-11CE-B03A-0020AF0BA770}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4444AC9E-242E-471B-A3C7-45DCD46352BC}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{1DA08500-9EDC-11CF-BC10-00AA00AC74F6}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{33FACFE0-A9BE-11D0-A520-00A0D10129C0}\FriendlyName = "SAMI (CC) Parser"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{E436EB84-524F-11CE-9F53-0020AF0BA770}	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E4206432-01A1-4BEE-B3E1-3702C8EDC574}\FilterData = 02000000020060000200000000000000307069330000000000000000010000000000000000000000307479330000000060000000700000003170693308000000000000000100000000000000000000003074793300000000800000007000000080ea0a67823ad011b79b00aa003767a7000000000000000000000000000000007669647300001000800000aa00389b71	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{D51BD5A3-7548-11CF-A520-0080C77EF58A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33D9A760-90C8-11D0-BD43-00A0C911CE86}\Instance\MJPEG Compressor	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33D9A760-90C8-11D0-BD43-00A0C911CE86}\Instance\MJPEG Compressor\FriendlyName = "MJPEG Compressor"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{99D54F63-1A69-41AE-AA4D-C976EB3F0713}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{51B4ABF3-748F-4E3B-A276-C828330E926A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{48025243-2D39-11CE-875D-00608CB78066}\CLSID = "{48025243-2D39-11CE-875D-00608CB78066}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{07B65360-C445-11CE-AFDE-00AA006C14F4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D51BD5A3-7548-11CF-A520-0080C77EF58A}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E436EBB6-524F-11CE-9F53-0020AF0BA770}\FriendlyName = "File Source (URL)"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A888DF60-1E90-11CF-AC98-00AA004C0FA9}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{944D4C00-DD52-11CE-BF0E-00AA0055595A}\InprocServer32	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D3588AB0-0781-11CE-B03A-0020AF0BA770}\FilterData = 02000000000040000200000000000000307069330d0000000000000001000000000000000000000030747933000000006000000070000000317069330d00000000000000010000000000000000000000307479330000000080000000700000007669647300001000800000aa00389b71000000000000000000000000000000006175647300001000800000aa00389b71	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48025243-2D39-11CE-875D-00608CB78066}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{51B4ABF3-748F-4E3B-A276-C828330E926A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{E436EB89-524F-11CE-9F53-0020AF0BA770}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E436EBB6-524F-11CE-9F53-0020AF0BA770}\InprocServer32	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{FEB50740-7BEF-11CE-9BD9-0000E202599C}\FilterData = 020000000100004002000000000000003070693300000000000000000200000000000000000000003074793300000000700000008000000031747933000000007000000090000000317069330800000000000000010000000000000000000000307479330000000070000000a00000007669647300001000800000aa00389b7180eb36e44f52ce119f530020af0ba77081eb36e44f52ce119f530020af0ba77000000000000000000000000000000000	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A1-7548-11CF-A520-0080C77EF58A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79376820-07D0-11CF-A24D-0020AFD79767}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\Source Filter = "{E436EBB6-524F-11CE-9F53-0020AF0BA770}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{1643E180-90F5-11CE-97D5-00AA0055595A}\FriendlyName = "Color Space Converter"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{1DA08500-9EDC-11CF-BC10-00AA00AC74F6}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{6BC1CFFA-8FC1-4261-AC22-CFB4CC38DB50}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E436EBB5-524F-11CE-9F53-0020AF0BA770}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A1-7548-11CF-A520-0080C77EF58A}\CLSID = "{D51BD5A1-7548-11CF-A520-0080C77EF58A}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E436EBB2-524F-11CE-9F53-0020AF0BA770}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79376820-07D0-11CF-A24D-0020AFD79767}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D51BD5A5-7548-11CF-A520-0080C77EF58A}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E4206432-01A1-4BEE-B3E1-3702C8EDC574}\FriendlyName = "Line 21 Decoder 2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{E436EB88-524F-11CE-9F53-0020AF0BA770}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A8DFB9A0-8A20-479F-B538-9387C5EEBA2B}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E436EBB6-524F-11CE-9F53-0020AF0BA770}	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E436EBB6-524F-11CE-9F53-0020AF0BA770}\FilterData = 020000000000400001000000000000003070693308000000000000000100000000000000000000003074793300000000380000004800000083eb36e44f52ce119f530020af0ba77000000000000000000000000000000000	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{6A08CF80-0E18-11CF-A24D-0020AFD79767}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A888DF60-1E90-11CF-AC98-00AA004C0FA9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{418AFB70-F8B8-11CE-AAC6-0020AF0B99A3}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{4A2286E0-7BEF-11CE-9BD9-0000E202599C}\FriendlyName = "MPEG Audio Decoder"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A1-7548-11CF-A520-0080C77EF58A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{6A08CF80-0E18-11CF-A24D-0020AFD79767}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59CE6880-ACF8-11CF-B56E-0080C7C4B68A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D3588AB0-0781-11CE-B03A-0020AF0BA770}\CLSID = "{D3588AB0-0781-11CE-B03A-0020AF0BA770}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E436EBB5-524F-11CE-9F53-0020AF0BA770}\CLSID = "{E436EBB5-524F-11CE-9F53-0020AF0BA770}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CDBD8D00-C193-11D0-BD4E-00A0C911CE86}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D51BD5A2-7548-11CF-A520-0080C77EF58A}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{4A2286E0-7BEF-11CE-9BD9-0000E202599C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{336475D0-942A-11CE-A870-00AA002FEAB5}\CLSID = "{336475D0-942A-11CE-A870-00AA002FEAB5}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A3ECBC41-581A-4476-B693-A63340462D8B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6BC1CFFA-8FC1-4261-AC22-CFB4CC38DB50}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{05589FAF-C356-11CE-BF01-00AA0055595A}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E436EBB5-524F-11CE-9F53-0020AF0BA770}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59CE6880-ACF8-11CF-B56E-0080C7C4B68A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37E92A92-D9AA-11D2-BF84-8EF2B1555AED}	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{336475D0-942A-11CE-A870-00AA002FEAB5}\FilterData = 020000000000600003000000000000003070693300000000000000000400000000000000000000003074793300000000d8000000e80000003174793300000000d8000000f80000003274793300000000d8000000080100003374793300000000d8000000180100003170693309000000000000000200000000000000000000003074793300000000280100003801000031747933000000002801000048010000327069330900000000000000020000000000000000000000307479330000000058010000380100003174793300000000580100006801000083eb36e44f52ce119f530020af0ba77084eb36e44f52ce119f530020af0ba77085eb36e44f52ce119f530020af0ba77086eb36e44f52ce119f530020af0ba77087eb36e44f52ce119f530020af0ba7706175647300001000800000aa00389b7180eb36e44f52ce119f530020af0ba7705000000000001000800000aa00389b717669647300001000800000aa00389b7181eb36e44f52ce119f530020af0ba770	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3060	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe
3060	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe
3060	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe
3060	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe
3060	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe
3060	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe
3060	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe
3060	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe
3060	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe
3060	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe
3060	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe
3060	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe
3060	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 2656	3060	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe	28
PID 3060 wrote to memory of 2656	3060	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe	28
PID 3060 wrote to memory of 2656	3060	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe	28
PID 3060 wrote to memory of 2656	3060	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe	28
PID 3060 wrote to memory of 2656	3060	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe	28
PID 3060 wrote to memory of 2656	3060	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe	28
PID 3060 wrote to memory of 2656	3060	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe	28
PID 3060 wrote to memory of 2812	3060	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe	29
PID 3060 wrote to memory of 2812	3060	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe	29
PID 3060 wrote to memory of 2812	3060	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe	29
PID 3060 wrote to memory of 2812	3060	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe	29
PID 3060 wrote to memory of 2812	3060	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe	29
PID 3060 wrote to memory of 2812	3060	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe	29
PID 3060 wrote to memory of 2812	3060	2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe	29

C:\Users\Admin\AppData\Local\Temp\2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-03_6cd1d2e97532ba4b38930fdb67cc0e36_mafia_magniber.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Windows\system32\quartz.dll"
  2⤵
  - Modifies registry class
  PID:2656
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /u /s "C:\Program Files (x86)\Funshion Online\2.8.6.75\funoictl.dll"
  2⤵
  PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\funshion.ini

Filesize
108B

MD5
333cee257d52364e0a736638f1e65e36

SHA1
80c1d9844eaa948d720b43e86bb149e3747da9b3

SHA256
128f4a6ddd7377ab553a7794add0146402040b4caac8575e71b6e1d36825f36f

SHA512
fddf05bd742564d79aa363c061519cfcfe836ade0747858bbd19f5690d10db245a9d434e9febd855376ded499e5514904202464348905cdf2b66f8cdce52ea68

Download Submit
C:\Windows\SysWOW64\funshion.ini

Filesize
37B

MD5
2ea4451d2bf7de019dd5e92341c94660

SHA1
ec5817fbdfe097aadd9bfa26bea6195310162beb

SHA256
b6f729f1e203f8065a783c9b6d5a4cb9e84f42228c4ab28869f26af003fcdc22

SHA512
10c11ce16a8d22b22814513282a3fce9b0ce3499e3f04bc5d41fe9d0ee784ecddd974a262c706edcc0fc3b9744118d88f0b05598213822629ccd105a7c8182a3

Download Submit
\Users\Admin\AppData\Local\Temp\SetupFiles\Funshion\gma.dll

Filesize
484KB

MD5
62266ab38841a6161ed3680553b44c4c

SHA1
ee1f981e1ffb3c234ddf06643b26cd24d46556f5

SHA256
ca8b14774d35c88115417154411e70fbe5c6677fee77f059fbd236b36f0cba0e

SHA512
b82327aa29dd2a7f97867aaa91c821094d94495e8364aceef71e957e84eeec9a1b259cb51be68df330adbe2ed6b7f8fc4ea7816abb120a4ae4be3bd548732321

Download Submit