b27843c513b9af7e52ea7bd8bc0c501749afa1beeaa051e34005c612c9eb55a0

Analysis

max time kernel
54s
max time network
54s
platform
windows7_x64
resource
win7-20240705-ja
resource tags

arch:x64arch:x86image:win7-20240705-jalocale:ja-jpos:windows7-x64systemwindows
submitted
23-07-2024 13:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FunshionInstall_C1_P33.exe
Size

11.5MB
MD5

cf2ed442dd89d9beeaea95f50f9ab97a
SHA1

912c0c1fd64ccccc552380c63bcbca817720a7ff
SHA256

b27843c513b9af7e52ea7bd8bc0c501749afa1beeaa051e34005c612c9eb55a0
SHA512

e5e582ccc2b1bdf5fb4069ee7c1712e6d455bbd6386f1f46e3c50b171218031226c53351dc44d1c9c37752d75a8e2523eb544e2195705df5344ff0505b03f447
SSDEEP

196608:8SuavcveanSa3P62kfFv4in/98aUD1zA+fiNe2Dd9ofHiaWYsgjW9aka3j:YveaSSP62iFVH82Dd9onsgj/fj

Score

5^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\funshion.ini	FunshionInstall_C1_P33.exe
File opened for modification	C:\Windows\SysWOW64\funshion.ini	FunshionInstall_C1_P33.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 48 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\CrashReport.exe	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\fpvddec.ax	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\lua\socket\http.lua	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\socket\core.dll	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\lang\FunshionUpgrade.en_US	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\mime\core.dll	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\windows.lua	FunshionInstall_C1_P33.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\3.0.6.106\gma.dll	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\avcodec-55.dll	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\cook.dll	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\CoreAVC.ax	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\lua\socket\ftp.lua	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\lua\socket.lua	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\pncrt.dll	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\swscale-2.dll	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\cjson.dll	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\FunshionUpgrade.exe	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\gma.dll	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\lang\FunshionUpgrade.zh_CN	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\lua\mime.lua	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\lua51.dll	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\Uninstall.exe	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\FunshionWeb.exe	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\icon\FunshionGame2.ico	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\icon\Funshop4.ico	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\lang\Funshion.en_US.bak	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\SimpleIE.dll	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\atrc.dll	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\CoreAAC.ax	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\drvc.dll	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\lang\Funshion.zh_CN.bak	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\lua\socket\smtp.lua	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\lua5.1.dll	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\Funshion.exe	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\funshionplugin2.dll	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\lang\Funshion.zh_CN	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\lua\ltn12.lua	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\skin\upgradedefault.skin	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\Funshion.lnk	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\lua\socket\tp.lua	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\lua\socket\url.lua	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\avutil-52.dll	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\FunBob.exe	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\FunshionService.exe	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\icon\MP4.ico	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\icon\RMVB.ico	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\lang\Funshion.en_US	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\skin\default.skin	FunshionInstall_C1_P33.exe

Executes dropped EXE 4 IoCs

pid	Process
1040	Funshion.exe
2228	FunshionWeb.exe
1660	Funshion.exe
3052	Funshion.exe

Loads dropped DLL 20 IoCs

pid	Process
2404	FunshionInstall_C1_P33.exe
2404	FunshionInstall_C1_P33.exe
2404	FunshionInstall_C1_P33.exe
2404	FunshionInstall_C1_P33.exe
2404	FunshionInstall_C1_P33.exe
2404	FunshionInstall_C1_P33.exe
2404	FunshionInstall_C1_P33.exe
2404	FunshionInstall_C1_P33.exe
2404	FunshionInstall_C1_P33.exe
2404	FunshionInstall_C1_P33.exe
1040	Funshion.exe
2404	FunshionInstall_C1_P33.exe
2404	FunshionInstall_C1_P33.exe
1040	Funshion.exe
2404	FunshionInstall_C1_P33.exe
2404	FunshionInstall_C1_P33.exe
2404	FunshionInstall_C1_P33.exe
2404	FunshionInstall_C1_P33.exe
1660	Funshion.exe
3052	Funshion.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\file	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{E436EB84-524F-11CE-9F53-0020AF0BA770}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{33FACFE0-A9BE-11D0-A520-00A0D10129C0}\CLSID = "{33FACFE0-A9BE-11D0-A520-00A0D10129C0}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E436EBB1-524F-11CE-9F53-0020AF0BA770}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4A2286E0-7BEF-11CE-9BD9-0000E202599C}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D51BD5A5-7548-11CF-A520-0080C77EF58A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{060AF76C-68DD-11D0-8FC1-00C04FD9189D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{1643E180-90F5-11CE-97D5-00AA0055595A}\CLSID = "{1643E180-90F5-11CE-97D5-00AA0055595A}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{6BC1CFFA-8FC1-4261-AC22-CFB4CC38DB50}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E436EBB3-524F-11CE-9F53-0020AF0BA770}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99D54F63-1A69-41AE-AA4D-C976EB3F0713}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{1B544C20-FD0B-11CE-8C63-00AA0044B51E}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{33FACFE0-A9BE-11D0-A520-00A0D10129C0}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{33FACFE0-A9BE-11D0-A520-00A0D10129C0}	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A1-7548-11CF-A520-0080C77EF58A}\FilterData = 0200000000004000020000000000000030706933000000000000000003000000000000000000000030747933000000008000000090000000317479330000000080000000a0000000327479330000000080000000b00000003170693308000000000000000100000000000000000000003074793300000000c0000000d000000083eb36e44f52ce119f530020af0ba7708beb36e44f52ce119f530020af0ba7708ceb36e44f52ce119f530020af0ba7708deb36e44f52ce119f530020af0ba7706175647300001000800000aa00389b7100000000000000000000000000000000	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.fsp	FunshionInstall_C1_P33.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D51BD5A2-7548-11CF-A520-0080C77EF58A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{48025243-2D39-11CE-875D-00608CB78066}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{E436EB88-524F-11CE-9F53-0020AF0BA770}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1643E180-90F5-11CE-97D5-00AA0055595A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4444AC9E-242E-471B-A3C7-45DCD46352BC}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{FEB50740-7BEF-11CE-9BD9-0000E202599C}\CLSID = "{FEB50740-7BEF-11CE-9BD9-0000E202599C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2D2E24CB-0CD5-458F-86EA-3E6FA22C8E64}\InprocServer32	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{1643E180-90F5-11CE-97D5-00AA0055595A}\FilterData = 020000000100400002000000000000003070693300000000000000000600000000000000000000003074793300000000000100001001000031747933000000000001000020010000327479330000000000010000300100003374793300000000000100004001000034747933000000000001000050010000357479330000000000010000600100003170693308000000000000000600000000000000000000003074793300000000000100001001000031747933000000000001000020010000327479330000000000010000300100003374793300000000000100004001000034747933000000000001000050010000357479330000000000010000600100007669647300001000800000aa00389b717aeb36e44f52ce119f530020af0ba7707ceb36e44f52ce119f530020af0ba7707beb36e44f52ce119f530020af0ba7707deb36e44f52ce119f530020af0ba7707eeb36e44f52ce119f530020af0ba770c09a3c777432d011b72400aa006c1a01	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6F26A6CD-967B-47FD-874A-7AED2C9D25A2}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\fsp	FunshionInstall_C1_P33.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E436EBB2-524F-11CE-9F53-0020AF0BA770}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E436EBB1-524F-11CE-9F53-0020AF0BA770}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D3588AB0-0781-11CE-B03A-0020AF0BA770}\FriendlyName = "AVI/WAV File Source"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{CF49D4E0-1115-11CE-B03A-0020AF0BA770}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A1-7548-11CF-A520-0080C77EF58A}	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11D0-BD43-00A0C911CE86}\Instance\MJPEG Compressor\FilterData = 02000000000020000000000000000000	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3588AB0-0781-11CE-B03A-0020AF0BA770}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{E436EB85-524F-11CE-9F53-0020AF0BA770}\0 = "0, 4, , 52494646, 8, 8, , 43445841666D7420, 36, 20, FFFFFFFF00000000FFFFFFFFFFFFFFFFFFFFFFFF, 646174610000000000FFFFFFFFFFFFFFFFFFFF00"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{336475D0-942A-11CE-A870-00AA002FEAB5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gopher\Source Filter = "{E436EBB6-524F-11CE-9F53-0020AF0BA770}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E436EBB2-524F-11CE-9F53-0020AF0BA770}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4A2286E0-7BEF-11CE-9BD9-0000E202599C}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8670C736-F614-427B-8ADA-BBADC587194B}	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A2-7548-11CF-A520-0080C77EF58A}\FilterData = 02000000000040000200000000000000307069330000000000000000010000000000000000000000307479330000000060000000700000003170693308000000000000000100000000000000000000003074793300000000700000008000000083eb36e44f52ce119f530020af0ba7706d69647300001000800000aa00389b7100000000000000000000000000000000	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{E06D8022-DB46-11CF-B4D1-00805F6CBBEA}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A3ECBC41-581A-4476-B693-A63340462D8B}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{59CE6880-ACF8-11CF-B56E-0080C7C4B68A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{56A868B0-0AD4-11CE-B03A-0020AF0BA770}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E651CC0-B199-11D0-8212-00C04FC32C45}	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{48025243-2D39-11CE-875D-00608CB78066}\FilterData = 020000000100800001000000000000003070693302000000000000000200000000000000000000003074793300000000480000005800000031747933000000006800000058000000646d637300001000800000aa00389b71000000000000000000000000000000007478747300001000800000aa00389b71	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.fc!	FunshionInstall_C1_P33.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A1-7548-11CF-A520-0080C77EF58A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{70E102B0-5556-11CE-97C0-00AA0055595A}\CLSID = "{70E102B0-5556-11CE-97C0-00AA0055595A}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Funshion	FunshionInstall_C1_P33.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A888DF60-1E90-11CF-AC98-00AA004C0FA9}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A3-7548-11CF-A520-0080C77EF58A}\CLSID = "{D51BD5A3-7548-11CF-A520-0080C77EF58A}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{E436EB8D-524F-11CE-9F53-0020AF0BA770}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{1643E180-90F5-11CE-97D5-00AA0055595A}\FriendlyName = "Color Space Converter"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{51B4ABF3-748F-4E3B-A276-C828330E926A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33D9A760-90C8-11D0-BD43-00A0C911CE86}\Instance\MJPEG Compressor\CLSID = "{B80AB0A0-7416-11D2-9EEB-006008039E37}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E4979309-7A32-495E-8A92-7B014AAD4961}	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D3588AB0-0781-11CE-B03A-0020AF0BA770}\FilterData = 02000000000040000200000000000000307069330d0000000000000001000000000000000000000030747933000000006000000070000000317069330d00000000000000010000000000000000000000307479330000000080000000700000007669647300001000800000aa00389b71000000000000000000000000000000006175647300001000800000aa00389b71	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{301056D0-6DFF-11D2-9EEB-006008039E37}\FriendlyName = "MJPEG Decompressor"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E436EBB2-524F-11CE-9F53-0020AF0BA770}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{37E92A92-D9AA-11D2-BF84-8EF2B1555AED}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E436EBB2-524F-11CE-9F53-0020AF0BA770}\InprocServer32	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2404	FunshionInstall_C1_P33.exe
2404	FunshionInstall_C1_P33.exe
2404	FunshionInstall_C1_P33.exe
2404	FunshionInstall_C1_P33.exe
2404	FunshionInstall_C1_P33.exe
2404	FunshionInstall_C1_P33.exe
2404	FunshionInstall_C1_P33.exe
2404	FunshionInstall_C1_P33.exe
2404	FunshionInstall_C1_P33.exe
2404	FunshionInstall_C1_P33.exe
2404	FunshionInstall_C1_P33.exe
2404	FunshionInstall_C1_P33.exe
2404	FunshionInstall_C1_P33.exe
2404	FunshionInstall_C1_P33.exe
2404	FunshionInstall_C1_P33.exe
2404	FunshionInstall_C1_P33.exe
2404	FunshionInstall_C1_P33.exe
2404	FunshionInstall_C1_P33.exe
2404	FunshionInstall_C1_P33.exe
2404	FunshionInstall_C1_P33.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 1696	2404	FunshionInstall_C1_P33.exe	30
PID 2404 wrote to memory of 1696	2404	FunshionInstall_C1_P33.exe	30
PID 2404 wrote to memory of 1696	2404	FunshionInstall_C1_P33.exe	30
PID 2404 wrote to memory of 1696	2404	FunshionInstall_C1_P33.exe	30
PID 2404 wrote to memory of 1696	2404	FunshionInstall_C1_P33.exe	30
PID 2404 wrote to memory of 1696	2404	FunshionInstall_C1_P33.exe	30
PID 2404 wrote to memory of 1696	2404	FunshionInstall_C1_P33.exe	30
PID 2404 wrote to memory of 1388	2404	FunshionInstall_C1_P33.exe	31
PID 2404 wrote to memory of 1388	2404	FunshionInstall_C1_P33.exe	31
PID 2404 wrote to memory of 1388	2404	FunshionInstall_C1_P33.exe	31
PID 2404 wrote to memory of 1388	2404	FunshionInstall_C1_P33.exe	31
PID 2404 wrote to memory of 1388	2404	FunshionInstall_C1_P33.exe	31
PID 2404 wrote to memory of 1388	2404	FunshionInstall_C1_P33.exe	31
PID 2404 wrote to memory of 1388	2404	FunshionInstall_C1_P33.exe	31
PID 2404 wrote to memory of 1040	2404	FunshionInstall_C1_P33.exe	35
PID 2404 wrote to memory of 1040	2404	FunshionInstall_C1_P33.exe	35
PID 2404 wrote to memory of 1040	2404	FunshionInstall_C1_P33.exe	35
PID 2404 wrote to memory of 1040	2404	FunshionInstall_C1_P33.exe	35
PID 1040 wrote to memory of 2228	1040	Funshion.exe	36
PID 1040 wrote to memory of 2228	1040	Funshion.exe	36
PID 1040 wrote to memory of 2228	1040	Funshion.exe	36
PID 1040 wrote to memory of 2228	1040	Funshion.exe	36

C:\Users\Admin\AppData\Local\Temp\FunshionInstall_C1_P33.exe
"C:\Users\Admin\AppData\Local\Temp\FunshionInstall_C1_P33.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe /s "C:\Windows\system32\quartz.dll"
  2⤵
  - Modifies registry class
  PID:1696
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s "C:\Windows\system32\quartz.dll"
  2⤵
  - Modifies registry class
  PID:1388
- C:\Program Files (x86)\Funshion Online\3.0.6.106\Funshion.exe
  startbyinstall tray
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1040
- - C:\Program Files (x86)\Funshion Online\3.0.6.106\FunshionWeb.exe
    460,456
    3⤵
    - Executes dropped EXE
    PID:2228

C:\Program Files (x86)\Funshion Online\3.0.6.106\Funshion.exe
"C:\Program Files (x86)\Funshion Online\3.0.6.106\Funshion.exe" COMMONLINK
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1660

C:\Program Files (x86)\Funshion Online\3.0.6.106\Funshion.exe
"C:\Program Files (x86)\Funshion Online\3.0.6.106\Funshion.exe" COMMONLINK
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Funshion Online\3.0.6.106\Funshion.lnk

Filesize
1KB

MD5
717fe80466cc2cdd914c16ebdeb385ad

SHA1
5e050a36cc1b966df1ebed8c0d52f7e7c21c2544

SHA256
e66cfa75f1d2b421893919e4d9f3be757e7521b0c2bb6017e809602be2e349c1

SHA512
ddc4d46df9379ad8994202adb979de80330b4144a3de071fa0bd2223bf7f03de1976e174e61e5938b7c382399ea29b1a26b7a9febc149144e4844bd0cbf9e92b

Download Submit
C:\Program Files (x86)\Funshion Online\3.0.6.106\FunshionService.exe

Filesize
3.7MB

MD5
bc6d00e2716392909441e04b175b5c1f

SHA1
53dbadbd7d53d0c0f212d089e0bdf192a3c6869d

SHA256
13fb4f71a45bb2be80a84769c4281b94daca3e59c6093f1ba840f30ae6983e02

SHA512
4462fe1db9cdf141197b6692420b0a0b598b39dfc9b4fb2ed680b0d59521b3e337cd0d631c42e9389388aeedb421d4af48b6bd9d68eba9a83b769820f1185831

Download Submit
C:\Program Files (x86)\Funshion Online\3.0.6.106\FunshionWeb.exe

Filesize
710KB

MD5
0b0cfcf49cfae1b6a62cfdce5fd2dcc6

SHA1
dc6766cbf2c03a0a81a447ae1a012b662b740cea

SHA256
d5a69aae4a19f1db5690daae59ee71b24907b6117e79fbadcb8b1d99f80f3a42

SHA512
356cdcab64a0ced57a7d2ea4acaa6e5f60984a50004419b344093835f3af759a2430eedc2f63836136329379c6a55ccebd6e191a5a4659bce55117a4b9498017

Download Submit
C:\Program Files (x86)\Funshion Online\3.0.6.106\Uninstall.exe

Filesize
818KB

MD5
db3e352861bd6664fb037006efd685b7

SHA1
4ddf7e5131d497f86d36ce672405377404568401

SHA256
31ef9e6c69e2f8d6a2220444f6f78dafa31f232f63401acee13b0afa7a2b8914

SHA512
72dfc76ff8c9e05fd94e26fe53e936797afda2761be52e7675ec4b4b2a15417753c09ac462df703df4a0b7139aedf59019e1ac5e355096936c6dbf269bef96a9

Download Submit
C:\Program Files (x86)\Funshion Online\3.0.6.106\lang\Funshion.en_US

Filesize
18KB

MD5
2786a2dd7c838beff30dc1f5164436b1

SHA1
2b524af60cd2362849cf3cbdaddcabb133a023ec

SHA256
04901481e74d4c2b0717853f188947b4d89641e738c9b10a33f1fbb3d09141d8

SHA512
3d5a94f0466cb3a3923ca8140c5261b4203d54550dc37c11f3fa47306597b3309a6bdc20149e414a167761d5f651231ae3592f7e262d0ed995bd4c26b4e7e04a

Download Submit
C:\Program Files (x86)\Funshion Online\3.0.6.106\lua5.1.dll

Filesize
168KB

MD5
f46994557504f90314a9a61edc6541a3

SHA1
1f3879830657c1272e7b8a0c0eb04c560da7c08f

SHA256
ecf6d2f76f049bede8731e81773aa0b3e4ae3e6c5298e3d6af6c45286334d7e7

SHA512
3d3e4d8ada9209e02ac0f671b3930cfb72e795f42b8ba057ea7ca4576d6f18d44c3563225ae5fbb4ff6711f5a574cae2301fe22086268b3146322c4fa8d759be

Download Submit
C:\Program Files (x86)\Funshion Online\3.0.6.106\skin\default.skin

Filesize
3.5MB

MD5
c39b823c328e72926bf2ad48bf85faff

SHA1
a517a14bd033229f11b37557467404219cba37c9

SHA256
3428a66bb70a8adbc326dafe58ba77882b8b9e0d5257a2b82db54660f866f837

SHA512
3e2b41dafd90e05c4de912635ef84082089e8999f626e1b9ee149c31dcae787f551e64e86544e4b4ff474a8ab4b77daf19a8d6dec4de4fb77d5abf14f5e57549

Download Submit
C:\Users\Admin\AppData\Local\Temp\SetupFiles\3.0.6.106\funshion.ini

Filesize
335B

MD5
6cbd3b1e3627f1fc087397aafc3fffaa

SHA1
971bf4948ac5492aff49b9988b788a2a3f4cc6e5

SHA256
5100467b6b5dc160fe9ff51f913f47e4545912cd6b2a61275546882913400eb8

SHA512
fad9a174c20f50107df357f1ac17b3977035c8b9a4b476d8b13380aeb7781c515936dc0effe474fea9646a2fde89c267765e3bd845bd48bcc30afe5d2ead2fc4

Download Submit
C:\Users\Admin\Funshion\Funshion.ini

Filesize
252B

MD5
cbd6fe16009c90f215ed82dd93d735ba

SHA1
9d5c7c2be5d788f4ed860339ff3e799ee934dfc9

SHA256
1840e711bed46c2e619acca91a46da7ed89e187a4b4754d235fee4a4989855d1

SHA512
87e1d29122f6b1aa2a4ee15a07e2f959065a14b6a7eb083d80ef4e7f5858d8eefb453f6c26b655437fe43eff55688cc71310b6e8a86e62b5bd1c2cb2b74531d1

Download Submit
C:\Users\Admin\Funshion\Funshion.ini

Filesize
94B

MD5
b6b586d181b391a6f8d5341f883aad4e

SHA1
a64dfbcdc0535d186f2f319201b0cde18628c032

SHA256
5409736d429bdf9ded7e053ede2d3ae90047d0effca97adab4ea1c5e46ef1bc8

SHA512
417bd78b9e403759033d81af1e310736a5b99bf0e5639ce610cc7c6a78fdc7610d433b8f0321c5f4d3d7c6e935af7628ffa708b5462f3d36ea9ee773ed1e2f63

Download Submit
C:\Users\Admin\Funshion\Funshion.ini

Filesize
503B

MD5
6c54db9c6d0dd25608bbfb523f1d1ddf

SHA1
babbee3ba501acb4ea6fdccf38505ac952c92927

SHA256
59f6556e10a4b8d4679a3120d7544e50a32f3a02390c913aea60fd1905b0b8c9

SHA512
edc9c3774c4dba82334ec71a87a90fa471222dc24edec7b98f2c126a4939b0818c139d15ef6ba634f491347acd4d4a7b21944e1a3f677b2be83a2f11a9c73e22

Download Submit
C:\Users\Admin\Funshion\Funshion.ini

Filesize
544B

MD5
de6b29878e3e47fa79b51ead68f38f5f

SHA1
78d9ac85da921ce44053bde2eee482e689188153

SHA256
9f2cfbe2db82e925f696a1bf6c3803560feb64e482d8d951afb909d4915c0773

SHA512
40d00b731e55eba2d809c4a686626e7777511a7ca1f1ab2ade04e7d56410fa18b3d79085b28b0f71180d38aa12687756fea69ffdc7094bca538f1e4c170aa355

Download Submit
C:\Users\Admin\Funshion\Funshion.ini

Filesize
656B

MD5
83464031f3eb10d3e1f76f5d7800ff93

SHA1
a82dc9fc6e1f62195fb983d48ddd824fcd45c798

SHA256
6177eb6c32f014bd3d793fdb1b429e38e35977bd465b088480767a07a341e3bf

SHA512
87ac75677c7139a581282cb2708a06d2657402d3f57fec5a273e27035b32e1e78722e8ddc2ea3b7bd72d5a176892d3c11a8ef7feeae3b3ccb635bab93fd6b6fe

Download Submit
C:\Users\Admin\Funshion\Funshion.ini

Filesize
656B

MD5
3714eb654d05efc64d5ac9d701c4d75b

SHA1
3f2882cdcc604ca95d49a930ca25edc335b1e118

SHA256
fc9b8e91390aafef166850d8dedebcbb6c5b195cd2c6d08bbb77cc4c33115b93

SHA512
c419427362f18e0abd6c206889d752279e4e13b1ef39595722bc6cf5bc87566e3c6cff0ab28e74dcfc51b4f430b214cdaeea1a6751336b598a9d9e327db7619f

Download Submit
C:\Users\Admin\Funshion\Funshion.ini

Filesize
656B

MD5
81850d32011d1bbe5bdb48e9c8849a16

SHA1
7fe3f52deed36ee21adf4c5d3dd3e3cc5742bee8

SHA256
9af4dd6c0bc9b029c6982297d458beea8625106f0bfe9de800b583d5b092e424

SHA512
3f0268bd27683193d0f9de9b96148640b0fa4e01ecb27406a186681d13a463bc9a156fcc4636018bbbf0d94328e7130cdabe2c9dfdb920356978ecec8e8a2df7

Download Submit
C:\Users\Admin\funshion\funshion.ini

Filesize
673B

MD5
4317db4d5afa1d28ee3d1e0549bbbf28

SHA1
20df305d4c9944619aa180e109031cf3ff8aea2a

SHA256
1a7afb150dc0ac49cf410b241fef02ecbe03d8af6dbda675957d9baf1fc4654b

SHA512
eec7340825987f69d23c6356798b0db74a3afa94dbee4ffc86a3d94aefd0dd53e415705e7c350ae083616c78c34599717b375e1eb6cc8f3b591e1965b45e0700

Download Submit
C:\Windows\SysWOW64\funshion.ini

Filesize
460B

MD5
803ceda7ec825b17355ae5018bb5ff30

SHA1
3a2576fa20a481a9fdb4bcfca13b3fc004aa32cf

SHA256
af5fe09114a85c09fbd7cdd988347afc67eaddb34dd8703051d92a4ef66ada79

SHA512
05b1279cc328262f6e6d5b9890bcfae9ceb6616e956f01e0951114dc69edbe89c7bea9395173e4cd5f276f7b39fb28fd7bd77c711d6cfdff0fd4d3e68cd51573

Download Submit
C:\Windows\SysWOW64\funshion.ini

Filesize
548B

MD5
74b4bd28118025bbbddf7eb0c1defce6

SHA1
10050867cdbc666c056bccfbfeee5247568f838d

SHA256
e63f71f0c75937e570e75061a8a8f9208e85071c8299d3b08b9d9a2e9df69259

SHA512
4200cc407bfa55d214832c31da5f9d95b29e4ae25b0eca6a50c32188235a787b4d454926543b0c0662c4ff22f4fdf698a1c5836d19076bc2ab31bf19381cac83

Download Submit
C:\Windows\SysWOW64\funshion.ini

Filesize
332B

MD5
7a4e68b2b5ee7c675d1993a524769fea

SHA1
f9c262732954326233efd1293d59b1324ae74e40

SHA256
1db0b72a039370c057ba004fbf090333e1ebaeff5ee989a240814d6af7258097

SHA512
80de6fcd617a62b5cf1d9d61a328de75a613132d6af98cc2f2f450cfa0fbaf5287e0927cbf085f13b1543a99b5a9629e3a037db33335666118b2febc90bbb67d

Download Submit
\Program Files (x86)\Funshion Online\3.0.6.106\Funshion.exe

Filesize
3.4MB

MD5
425e23134d816abfcc0095e80c5077f7

SHA1
8003720cc10ad55d9c82a8584eefc5bae304755e

SHA256
a4229b4b1dc1a72a5dd064f12fcc05af251650e78c91959c32590211f8290256

SHA512
80a9af6fbf663f38c68caa33c016001ec791b7017bd2789b6660c7021f836718d29df9c8987356e7f28b66b773d387e668c2035de6e1f187c98b1fd368953bb2

Download Submit
\Users\Admin\AppData\Local\Temp\tools\gma.dll

Filesize
484KB

MD5
0f35c14ffe3f0425e77099b618d6ebae

SHA1
6261ef267c3ea44a3698b73f207bc1f78f98c89d

SHA256
5a5a180569b9dc51e0a80405ee875e202a464cbe2ed712c86f3e79c0b61599ea

SHA512
7a166e8c79fb24e9b02f7f9e464d75c05dbfc6a428ce6067475520afaa84b999c4f9b701be91193b302eb3f024d6a2390c0fa4af5ec635ab6812aeb834dbde4f

Download Submit
memory/2228-408-0x0000000035880000-0x0000000035890000-memory.dmp

Filesize
64KB

Download