ea4b8c48a3e7917050c64c8224a397853acdf22603c8fbe3a9e8c14b25553463

Analysis

max time kernel
90s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2024, 21:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$LOCALAPPDATA/funmoods.exe
Size

1.6MB
MD5

badf0b8e9bc8d7352fb084951255ee4f
SHA1

e584634b5565fd81d7258fca86c632c9d3e1cd14
SHA256

73db5f6b89963d6692e3c43c8f3e5265ec4512ce87fe652e9ec3a4a0bb036db8
SHA512

3b704e3b0d440f1e580cc277c3c68223139f35156b00250ebf9a231f03d5f74bd19bbf948061e7b8be13b9c08aca9f30a0929cfce5a9d5cc3558cd187a05d53e
SSDEEP

24576:VtxBMupYpmZICsiWuu0uFYBimEuDYYmTj67rRXFO6BbwZTdNFtr6Ps7QOWxQ6NVN:p6HmZICsfujIvGmTW7rRQakZpt+xQON

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	funmoods.exe

Executes dropped EXE 3 IoCs

pid	Process
2764	FM4ie.exe
4400	FM4ffx.exe
1348	funmoodssrv.exe

Loads dropped DLL 64 IoCs

pid	Process
4152	funmoods.exe
4152	funmoods.exe
4152	funmoods.exe
4152	funmoods.exe
4152	funmoods.exe
4152	funmoods.exe
4152	funmoods.exe
4152	funmoods.exe
4152	funmoods.exe
4152	funmoods.exe
4152	funmoods.exe
4152	funmoods.exe
4152	funmoods.exe
4152	funmoods.exe
4152	funmoods.exe
4152	funmoods.exe
4152	funmoods.exe
4152	funmoods.exe
4152	funmoods.exe
4152	funmoods.exe
4152	funmoods.exe
4152	funmoods.exe
4152	funmoods.exe
4152	funmoods.exe
4152	funmoods.exe
4152	funmoods.exe
4152	funmoods.exe
4152	funmoods.exe
4152	funmoods.exe
4152	funmoods.exe
4152	funmoods.exe
4152	funmoods.exe
4152	funmoods.exe
2764	FM4ie.exe
2764	FM4ie.exe
2764	FM4ie.exe
2764	FM4ie.exe
2764	FM4ie.exe
4400	FM4ffx.exe
2764	FM4ie.exe
4400	FM4ffx.exe
4400	FM4ffx.exe
4400	FM4ffx.exe
4400	FM4ffx.exe
4400	FM4ffx.exe
4400	FM4ffx.exe
4400	FM4ffx.exe
4400	FM4ffx.exe
4400	FM4ffx.exe
4400	FM4ffx.exe
4400	FM4ffx.exe
4400	FM4ffx.exe
4400	FM4ffx.exe
4400	FM4ffx.exe
4400	FM4ffx.exe
4400	FM4ffx.exe
4400	FM4ffx.exe
4400	FM4ffx.exe
4400	FM4ffx.exe
4400	FM4ffx.exe
4400	FM4ffx.exe
4400	FM4ffx.exe
4400	FM4ffx.exe
4400	FM4ffx.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ = "Funmoods Helper Object"	FM4ie.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\NoExplorer = "1"	FM4ie.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe	FM4ie.exe
File created	C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsOEM.crx	FM4ie.exe
File created	C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\uninstall.exe	FM4ie.exe
File created	C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\bh\funmoods.dll	FM4ie.exe
File created	C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsApp.dll	FM4ie.exe
File created	C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsEng.dll	FM4ie.exe
File created	C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsTlbr.dll	FM4ie.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral4/files/0x000700000002346d-152.dat	nsis_installer_1
behavioral4/files/0x000700000002346d-152.dat	nsis_installer_2
behavioral4/files/0x000700000002346c-160.dat	nsis_installer_1
behavioral4/files/0x000700000002346c-160.dat	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppPath = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16"	FM4ie.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar\	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} = "Funmoods Toolbar"	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}	FM4ie.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\Policy = "3"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppName = "funmoodssrv.exe"	FM4ie.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\InprocServer32\ThreadingModel = "apartment"	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr.1	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\ = "IXmlCnfg"	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\LocalServer32	funmoodssrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\ProxyStubClsid32	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\ProxyStubClsid32	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\esrv.funmoodsESrvc.1\CLSID	funmoodssrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\InprocServer32\ThreadingModel = "apartment"	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16"	funmoodssrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr\ = "CescrtHlpr Object"	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\0	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\funmoodsApp.appCore\CLSID	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\ = "IEvntCntr"	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\Programmable	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\funmoodsApp.appCore.1	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\InprocServer32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16\\funmoodsApp.dll"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\0\win32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16\\funmoodsTlbr.dll"	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane.1	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\TypeLib\Version = "1.0"	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\TypeLib	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\escortEng.DLL\AppID = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\ = "escortApp 1.0 Type Library"	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\TypeLib	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\0\win32	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}"	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\ProxyStubClsid32	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\smplGrp = "none"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\CLSID\ = "{965B9DBE-B104-44AC-950A-8A5F97AFF439}"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\ProgID\ = "escort.escortIEPane.1"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}"	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\VersionIndependentProgID	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\TypeLib\ = "{09C554C3-109B-483C-A06B-F14172F1A947}"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\TypeLib\Version = "1.0"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\ = "escortIEPane Object"	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\TypeLib\Version = "1.0"	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\TypeLib	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\f	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.dskBnd.1\CLSID\ = "{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}"	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\esrv.funmoodsESrvc.1	funmoodssrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\TypeLib	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\0\win32	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}\ProxyStubClsid32	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}\TypeLib\Version = "1.0"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\ = "IxpEmphszr"	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\ProxyStubClsid32	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\TypeLib	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\VersionIndependentProgID\ = "funmoods.dskBnd"	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}\TypeLib	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\InprocServer32	FM4ie.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4152	funmoods.exe
4152	funmoods.exe
4152	funmoods.exe
4152	funmoods.exe
4152	funmoods.exe
4152	funmoods.exe
4152	funmoods.exe
4152	funmoods.exe
4152	funmoods.exe
4152	funmoods.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4152 wrote to memory of 2764	4152	funmoods.exe	89
PID 4152 wrote to memory of 2764	4152	funmoods.exe	89
PID 4152 wrote to memory of 2764	4152	funmoods.exe	89
PID 4152 wrote to memory of 4400	4152	funmoods.exe	90
PID 4152 wrote to memory of 4400	4152	funmoods.exe	90
PID 4152 wrote to memory of 4400	4152	funmoods.exe	90
PID 2764 wrote to memory of 1348	2764	FM4ie.exe	91
PID 2764 wrote to memory of 1348	2764	FM4ie.exe	91
PID 2764 wrote to memory of 1348	2764	FM4ie.exe	91

C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe
"C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4152
- C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe
  "C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe
    "C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe" /RegServer
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:1348
- C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
  C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsApp.dll

Filesize
329KB

MD5
12be59f427297e54fef41f9bb32d4233

SHA1
0088967a4ed52f491976136c95d43e0e1b06cc31

SHA256
e4b3df5ead761fe83da367d5e2ae1d416d0f89a572480deecc20c4b4295f17eb

SHA512
0f8f3826e8a9205771863c042a8386315784927e260ca8617c44f83b5f3f3a501500d6d39ae732da11c0621dbd6c8c6d75ac7af660a46bb70acac9c12991d2db

Download Submit
C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsEng.dll

Filesize
535KB

MD5
d5e0f923b3ee640efd6a58ec0c70cbdc

SHA1
74f62a9acdb9f9dd0580d69450c062ba8870deea

SHA256
3d1b55bbb46e5788ca3e8ce68e515f52bdf63c0f53ceaad7236964eedf97f281

SHA512
471eca5adb43ba82cfed4fdb395471414301e3eeb602ba4fa6cccb9721869847a06bd8096d7eb15cbdcab908d6dfc47d48d293e1f77b881271f6d7dd4f54f3f0

Download Submit
C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsTlbr.dll

Filesize
245KB

MD5
7f8be790b6614f46adeafd59761abbeb

SHA1
a1be7d513d40b1a0af1aa1fd73c2c2b6173ac700

SHA256
b1fa4dacf9656e31588eebeca1f831c72a33d9affca07ede0d5f5d113ec14aaf

SHA512
4d17c74368543092a8e7604208689bc6a5fc5bcc46c60cfb9255622d031a4265adaa13d7c0b5f410ababed802f29cb89c2dd7d7b1adc1af33fbb5f55e4a8a5ca

Download Submit
C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe

Filesize
398KB

MD5
ffba0384096f7a6c2189009b3c54c8db

SHA1
e1e883b9345bd74b0c7e158751c60b0ee2139677

SHA256
93587b81f4e717b25a6e5fd2fb7158d7fb825f79af1c02ed0a61d5de15b6327b

SHA512
7ea59cd57a0b6ecb1258af1d271dcb68236d0b95fca0d5905d177dd8df980771b0a182a459a6a6f01cb4789433d193306324fa178b88b6ec3677aa5c589571dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe

Filesize
319KB

MD5
fe768a6b82ed2a59c58254eae67b8cf9

SHA1
3dad9bf5011fb73b9be2fe6c601bb6281a3ceaf6

SHA256
3ac3c700060a0487060724f3fd22faf70d5f633e69401641964d7ba4d6e6e570

SHA512
3d8caadc61ea127bd0e3d01f35274a2ebfa34a0ac12b0932988300d011347f74a09c2bf3c85e58bfbe5200288c6e6f100b4f08916d23e56d7b52a70130aad14b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe

Filesize
1.1MB

MD5
ddcada8c66d56df6e4ef2bbedf2bb865

SHA1
059a7f8bb8ed2e99d5153d26ecf986e91c24df19

SHA256
abcde03656f4c6f51d4d4c788ece555581b8c7b52bfe1c18ef70678cb3a2e872

SHA512
63a3ca5d733cef71cc4ff61d6b5b3dd74613d57bac2b5d41efffbbf64ab6031bde66c0cd7058bf50c047e64e4ee0ef87dff3c7864a18c118521f5711ab69cc91

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsc73D6.tmp

Filesize
1KB

MD5
ac0a10ef473b1ec200210e84ce91b09a

SHA1
b7c59a0fb708f7db2880e70184630fab8b86c5a3

SHA256
bdee1141c55d734534beac41ae9c33b6a3f4a40873bc206a65cc036d99004309

SHA512
8224a041a3fd365fe44b7504fb35438cdceb966c4409f1350c5fb96268f336f8d150ba47e8c63a93bf2abca3fcfdb7676ea5114fd83eac10291cbab20cd2ea80

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsd74D0.tmp

Filesize
830B

MD5
8be0610c034a7613cfe9e075ca90a920

SHA1
be925b500742b0a0701e16f10b68725885d00308

SHA256
9423a88125bffa1b42442f81c143d9ccec2086f59a089c412c9ed9ab5bb98dfa

SHA512
f5ac54e2a9ab98fecbd9389d39ac759372d6a1233e1bb43612b145a8a1ee6ce54a8425a83da41aa3acb80d7f450bf5dec6983a552cfbced61adc04e224ad3b05

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsh7355.tmp

Filesize
825B

MD5
68243fc837a230a1cd33a0aa1503e9cf

SHA1
4a55cb4d8348927fc9c0c749532bd4239852995c

SHA256
2de32bf750d5210fc06f855c08fc272aa3174cdb12e44846ba542fbe04a1ce64

SHA512
7953961c6ca29f0e9e5632f819075f68498ebcffc3b752732003be7549d19e8ee55b98ad6f6f21285eed18f47474f3aa1a1964ae811deb4a15af3c22f2f3f653

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsi744A.tmp

Filesize
342B

MD5
353f1d1ec67fc2ecdc3ef3b0d6e2319f

SHA1
c5daf45e685ce58393286f3a23fe63dcd724d013

SHA256
87c8a721c580858cc0d9b091c0a32a664b7d3237f7e22edd0c86e87bcdb8f6cc

SHA512
e024343ce33cf618ebd4a88375dee0a4e188734455c2e1ae63d7ae89624603d4d7eb4ab9bc931e2cab68b70a936f9c91bd9af52637c1cf3eb090888578893c1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsn7325.tmp

Filesize
713B

MD5
d99bf85d0dfb987575363e57d284fc24

SHA1
7030e7e35e09bc18d33a8ae9c53e19ab11ba6bcb

SHA256
650f2d877a9511089ff53994c1369c0b82b3d7321744d57587829176e57a1eb0

SHA512
c05c5fab2f1ef01b5ede1488f467147e12a635e357ba208192403adc84bb863fa864a625485477bc91a7c1acfdbb75fa1e3f11082459f7126da0d4e360902763

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsn746D.tmp

Filesize
575B

MD5
9ebd895fbad8d290473235509bed46f2

SHA1
4665b9de38b14e0e9df327258074b0b99066e2de

SHA256
6d868764f962010bb2b7f8d644bf7427301b315535be30324cd49e2136fd9a28

SHA512
3f840832b3c94dc3bcd146697f6bb820cf71cd529ab4119164fe8e6fdacc720b926e94bab193110808afd841527c1ba5fa142351c60d0bece0e77f58cb0ad951

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsn74BF.tmp

Filesize
781B

MD5
b4ca70eb8aab12f6de7b44a26d0f6990

SHA1
10c79809fe0d83633f73c8f4aff5744ade6c0c09

SHA256
31bb51be42affce186c75993f8342d43fe462964d56b887a50cd66a89fa5dd82

SHA512
5060fdaad5061ab5e02b7403328eb599221b28b3b555012003517e6b75e5035f5f515c6eb78829d1597490e30cef00b286338fe43285c689ea77a75b78dfa15d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nss73E7.tmp

Filesize
1KB

MD5
aeadf7cc1704ad2e2ddba3c3d81b8d88

SHA1
547b9320bdb15bf7e3e559e1e3b8c580af289e8c

SHA256
fe1b584d1a5836d1b2dd56f2ab86618777a1e090cd95868d0c77c191e9f13800

SHA512
07f69f9ce969d5ff1f53c856c93e81b7abf8c073390b36cd230283f613b6b77825d2b084959b328b68e7a1171dcd9e636c5fec611cc6069bb62a6183f47fa4dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nss7438.tmp

Filesize
232B

MD5
952e43ce08e6665489a4b83e60b9c14d

SHA1
e55290c339fa3c278ad11bf5dd6c7396b55ef786

SHA256
a5793be435d97bcb7e365c7c614147220452d60ecba4f79604ac808cc3a4c514

SHA512
ffa3e4ef2ef60453a66a28331205eb7741ed09b422e8f8b2b6caab898ca0cade31db99f1ecb98e7eaa48ab860edddff84af3b8a6ab46edd4edc2081d9c071569

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nss7439.tmp

Filesize
287B

MD5
f92c2448c93f6b6761054314f8fc0eb5

SHA1
a584dffa1e7ea5794a6f6871bfa3189f41b14afb

SHA256
78d4f826eb320eab476a39afe2e9c4a712706b8671fd77fa5639c486f93d9971

SHA512
59d91159e606ecd7fef60db06f19ab7193b974a59c3305a272563fa3ea90d9ce6746727df131b4ff4d0905290769f7ba5e25837ba2233ed84e532aea2b1f77e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsx72C3.tmp

Filesize
482B

MD5
d3c243f5f65be1392495df7db62a1eb9

SHA1
838fbd4242e19a6f1c34ec4ae1b1832db9b6d907

SHA256
ffaeeca3ef605ced6108c75fc1f2bc4aeed308c028da7152e30a6f77c6f8b6dc

SHA512
927b081901f1b79363ed60854953a1148f74049f0892b781f951daebde0c01f6e4e653772159495ceb0343c47c5b6de2bf4672c09f31de5f4637a95ba6d5eca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsx7314.tmp

Filesize
648B

MD5
b079294f2107482815dd2b837f6bf6c8

SHA1
d4edb6fb2d1e09e2c88d0b90092377470ed4a80a

SHA256
04362d6f0fa42179de80e3cfe4fdd51d6c65c61e993a67b3fa2ca197929de026

SHA512
8c33d68ba279baae6ce2c72fa01e526bda4595f8b335c6fba3dd03e46ab07efd73fe4a13ecd13c959f2b74c10cd38433b986f52bae922613ab7af1953002d961

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsx73B6.tmp

Filesize
981B

MD5
5f0ce47b1fdf65d5ce6ca524ee2a13ad

SHA1
944ee1b9314e5c436484b1c1dbd4c828a90bb6b6

SHA256
6f8b0834c595c4d5942c77d98cde34b380676e2aadc2f075da26e71cda4dce2a

SHA512
7096a3e64efa1cf848ed48b6a6d677ddfbecdd7383e87805c233b400a80ad57d69f963c452d26e339a1e9f8747fe2d88f83a557a6d045f8a1e09703d97b39fe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb6F84.tmp\ExtractDLLEx.dll

Filesize
7KB

MD5
ba4063f437abb349aa9120e9c320c467

SHA1
b045d785f6041e25d6be031ae2af4d4504e87b12

SHA256
73acba7dd477dfd6cf4249911f4e3c781196c7cf6b28425761dcb2d4f90c36c5

SHA512
48a813f55834069f8c6b90740de3df01564a136b0fe637f9f85cc1a19d7f32b1f70205ff2462526508fe3c1962d7c1e8e384c40463e328538aeba28e8d0fb92a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb6F84.tmp\InetLoad.dll

Filesize
18KB

MD5
994669c5737b25c26642c94180e92fa2

SHA1
d8a1836914a446b0e06881ce1be8631554adafde

SHA256
bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c

SHA512
d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb6F84.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb6F84.tmp\Processes.dll

Filesize
56KB

MD5
cc0bd4f5a79107633084471dbd4af796

SHA1
09dfcf182b1493161dec8044a5234c35ee24c43a

SHA256
3b5388e13dab53d53e08791f492ed7d3094a0cee51e9841af83ce02534e0621c

SHA512
67ba90ec04366e07d0922ffb4dbbb4f12f90b6785b87700adaae29327db9ec2a03d750b229f858db0594f439499d6346fbf1ebc17c77162bf8da027515219ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb6F84.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb6F84.tmp\Time.dll

Filesize
10KB

MD5
38977533750fe69979b2c2ac801f96e6

SHA1
74643c30cda909e649722ed0c7f267903558e92a

SHA256
b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35

SHA512
e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb6F84.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb6F84.tmp\chrmPref.dll

Filesize
194KB

MD5
6845d147b88de1f005d9c6ebb6596574

SHA1
64523302e2b1e2ee7a31580d2acac852db3c7e45

SHA256
c9ccc486c3353bad0d2819a42203c0db7ba98b4826b6a2b8d4deee832e4d3d8e

SHA512
cd4caa6669b5f90ead60579a2e5b01a9cd2d17fd2919651cecda6327acb32e2eb3b9953412c085d50dee89779d2f60df658236fb4c3cc54bed4ae66929590606

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb6F84.tmp\mt.dll

Filesize
5KB

MD5
aac69f856c4540edd4ef7ce6c8571639

SHA1
2860f55ea9774d631219e66604051e90a43258b7

SHA256
6dc2644a389feeef9e0ac65e2c8b01fc18ca6e53b253f10efffcb117e0a852dd

SHA512
ebacc8117c44d298ae519705510285c576932761b3c7b697eeb91cb7620150ebe551102d1ab83d68f4c78e1496b191a55ad8f78c491f5b4af456c4de6ad72dcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb6F84.tmp\nsisos.dll

Filesize
5KB

MD5
69806691d649ef1c8703fd9e29231d44

SHA1
e2193fcf5b4863605eec2a5eb17bf84c7ac00166

SHA256
ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6

SHA512
5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uvtmiwql.Admin\user.js

Filesize
592B

MD5
9da6397d40e0e6efbbd4c940b99003f9

SHA1
b0aa78dc7dbac70e85167902cdda7cdcde58c056

SHA256
fb7ce2e9389b7b630338fa1dddc2404227b3e95c5dc6a76d147399ebd8c94887

SHA512
855b6ec004cc5342bba19f76b5e91b2885c961480374752b6dea081864b87df1cab18b247bd801c72492a625fec98606d6b58e762adedd9170fecbd9b016b692

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uvtmiwql.Admin\user.js

Filesize
929B

MD5
a112c8612fc9715e7a52a405ac94527f

SHA1
7f15099fa574bd3a0a1e61d4c0ab8ad919086b24

SHA256
cdc0ad86229ada93542bd36560d9ace5c5706030d23f03dbeaf8c2841e1089cd

SHA512
80f56b194dbae8ebd3f09ea8427e5155296d65712a8832efe04b72a2b16592a68064e7b835e402df80d2da7174ec33321365c2b7ba134074d149d54125e5239d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xgut1z79.default-release\user.js

Filesize
520B

MD5
14ae297fd21695f913eaec8a09e63fcb

SHA1
eb6cbc9b5595483e9dac674a5d386e2e96012697

SHA256
6fed2535b4155b69ddc9bffbcdbe8752f2777bbeb20ebf30d3423ea8c1efeb66

SHA512
4a4e3129fa123d869dfd300692f9ef3971eed06ee3952fba2b12d483eeca4b7086a30948e8ee2924232c02acc3c3d4ee5d7a25e3687d3628c771deb008131a78

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xgut1z79.default-release\user.js

Filesize
679B

MD5
fc066634dde464ae17cc48363da599da

SHA1
f8120767321a51235f65efdfe4343af1cb6c6268

SHA256
912485300f26e8d5698ec0abc33a3edef546d885229b8e04f42a80ef098d6af9

SHA512
f4657a5a8851b5d66ebd71aa7901f9db0893a4951b572db7f72cf46fe6c0e874682d2b3c4906256841ac16ff8eefc3786a4d90cfadfb89521d9ed021a5f3c47f

Download Submit
memory/4152-1600-0x0000000003B50000-0x0000000003B62000-memory.dmp

Filesize
72KB

Download
memory/4152-84-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download