b27843c513b9af7e52ea7bd8bc0c501749afa1beeaa051e34005c612c9eb55a0

Analysis

max time kernel
37s
max time network
42s
platform
windows10-2004_x64
resource
win10v2004-20240709-ja
resource tags

arch:x64arch:x86image:win10v2004-20240709-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
23/07/2024, 13:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FunshionInstall_C1_P33.exe
Size

11.5MB
MD5

cf2ed442dd89d9beeaea95f50f9ab97a
SHA1

912c0c1fd64ccccc552380c63bcbca817720a7ff
SHA256

b27843c513b9af7e52ea7bd8bc0c501749afa1beeaa051e34005c612c9eb55a0
SHA512

e5e582ccc2b1bdf5fb4069ee7c1712e6d455bbd6386f1f46e3c50b171218031226c53351dc44d1c9c37752d75a8e2523eb544e2195705df5344ff0505b03f447
SSDEEP

196608:8SuavcveanSa3P62kfFv4in/98aUD1zA+fiNe2Dd9ofHiaWYsgjW9aka3j:YveaSSP62iFVH82Dd9onsgj/fj

Score

5^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	FunshionInstall_C1_P33.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\funshion.ini	FunshionInstall_C1_P33.exe
File opened for modification	C:\Windows\SysWOW64\funshion.ini	FunshionInstall_C1_P33.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 48 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\lua5.1.dll	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\skin\default.skin	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\Funshion.lnk	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\cook.dll	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\FunshionService.exe	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\icon\FunshionGame2.ico	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\lua\socket\tp.lua	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\SimpleIE.dll	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\avutil-52.dll	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\funshionplugin2.dll	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\icon\Funshop4.ico	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\lua\socket\ftp.lua	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\icon\RMVB.ico	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\lua\ltn12.lua	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\lua51.dll	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\skin\upgradedefault.skin	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\lua\mime.lua	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\mime\core.dll	FunshionInstall_C1_P33.exe
File opened for modification	C:\Program Files (x86)\Funshion Online\3.0.6.106\gma.dll	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\CrashReport.exe	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\lang\Funshion.en_US.bak	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\lang\Funshion.zh_CN.bak	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\lang\FunshionUpgrade.en_US	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\Funshion.exe	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\FunshionWeb.exe	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\gma.dll	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\lang\Funshion.zh_CN	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\avcodec-55.dll	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\CoreAAC.ax	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\CoreAVC.ax	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\fpvddec.ax	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\windows.lua	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\lua\socket\url.lua	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\lua\socket.lua	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\pncrt.dll	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\swscale-2.dll	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\atrc.dll	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\lang\FunshionUpgrade.zh_CN	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\lua\socket\http.lua	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\Uninstall.exe	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\FunshionUpgrade.exe	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\icon\MP4.ico	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\lua\socket\smtp.lua	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\socket\core.dll	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\cjson.dll	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\drvc.dll	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\FunBob.exe	FunshionInstall_C1_P33.exe
File created	C:\Program Files (x86)\Funshion Online\3.0.6.106\lang\Funshion.en_US	FunshionInstall_C1_P33.exe

Executes dropped EXE 7 IoCs

pid	Process
2400	Funshion.exe
2408	FunshionWeb.exe
3612	Funshion.exe
3532	FunshionWeb.exe
4340	Funshion.exe
4180	Funshion.exe
2668	Funshion.exe

Loads dropped DLL 6 IoCs

pid	Process
3376	FunshionInstall_C1_P33.exe
2400	Funshion.exe
3612	Funshion.exe
4340	Funshion.exe
4180	Funshion.exe
2668	Funshion.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B87BEB7B-8D29-423F-AE4D-6582C10175AC}\InprocServer32	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D3588AB0-0781-11CE-B03A-0020AF0BA770}\FilterData = 02000000000040000200000000000000307069330d0000000000000001000000000000000000000030747933000000006000000070000000317069330d00000000000000010000000000000000000000307479330000000080000000700000007669647300001000800000aa00389b71000000000000000000000000000000006175647300001000800000aa00389b71	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A2-7548-11CF-A520-0080C77EF58A}\FriendlyName = "MIDI Parser"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\Source Filter = "{E436EBB6-524F-11CE-9F53-0020AF0BA770}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D51BD5A3-7548-11CF-A520-0080C77EF58A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A3ECBC41-581A-4476-B693-A63340462D8B}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A888DF60-1E90-11CF-AC98-00AA004C0FA9}	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A5-7548-11CF-A520-0080C77EF58A}\FilterData = 02000000000040000200000000000000307069330000000000000000010000000000000000000000307479330000000060000000700000003170693308000000000000000100000000000000000000003074793300000000700000007000000066696c6500001000800000aa00389b7100000000000000000000000000000000	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D51BD5A2-7548-11CF-A520-0080C77EF58A}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Funshion Task\ = "Funshion file"	FunshionInstall_C1_P33.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{05589FAF-C356-11CE-BF01-00AA0055595A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Funshion Task\shell	FunshionInstall_C1_P33.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D3588AB0-0781-11CE-B03A-0020AF0BA770}\FilterData = 02000000000040000200000000000000307069330d0000000000000001000000000000000000000030747933000000006000000070000000317069330d00000000000000010000000000000000000000307479330000000080000000700000007669647300001000800000aa00389b71000000000000000000000000000000006175647300001000800000aa00389b71	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{4A2286E0-7BEF-11CE-9BD9-0000E202599C}\CLSID = "{4A2286E0-7BEF-11CE-9BD9-0000E202599C}"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E436EBB5-524F-11CE-9F53-0020AF0BA770}\FilterData = 020000000000400001000000000000003070693308000000000000000100000000000000000000003074793300000000380000004800000083eb36e44f52ce119f530020af0ba77000000000000000000000000000000000	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E4206432-01A1-4BEE-B3E1-3702C8EDC574}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{1DA08500-9EDC-11CF-BC10-00AA00AC74F6}\CLSID = "{1DA08500-9EDC-11CF-BC10-00AA00AC74F6}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B80AB0A0-7416-11D2-9EEB-006008039E37}\InprocServer32	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{6F26A6CD-967B-47FD-874A-7AED2C9D25A2}\FilterData = 0200000000006000030000000000000030706933000000000000000001000000000000000000000030747933000000008800000098000000317069330000000000000000010000000000000000000000307479330000000088000000a8000000327069330800000000000000010000000000000000000000307479330000000088000000b80000007669647300001000800000aa00389b71406a9b5a221ad111bad900609744111a416a9b5a221ad111bad900609744111a00000000000000000000000000000000	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\fsp	FunshionInstall_C1_P33.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E436EBB2-524F-11CE-9F53-0020AF0BA770}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3588AB0-0781-11CE-B03A-0020AF0BA770}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{301056D0-6DFF-11D2-9EEB-006008039E37}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{99D54F63-1A69-41AE-AA4D-C976EB3F0713}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\Extensions\.mp3	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{33FACFE0-A9BE-11D0-A520-00A0D10129C0}	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E436EBB6-524F-11CE-9F53-0020AF0BA770}\FilterData = 020000000000400001000000000000003070693308000000000000000100000000000000000000003074793300000000380000004800000083eb36e44f52ce119f530020af0ba77000000000000000000000000000000000	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{301056D0-6DFF-11D2-9EEB-006008039E37}\FilterData = 0200000000006000020000000000000030706933000000000000000001000000000000000000000030747933000000006000000070000000317069330800000000000000010000000000000000000000307479330000000060000000800000007669647300001000800000aa00389b714d4a504700001000800000aa00389b7100000000000000000000000000000000	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{33FACFE0-A9BE-11D0-A520-00A0D10129C0}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A3-7548-11CF-A520-0080C77EF58A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{56A868B0-0AD4-11CE-B03A-0020AF0BA770}\1.0\0\win64	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E436EBB5-524F-11CE-9F53-0020AF0BA770}	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A5-7548-11CF-A520-0080C77EF58A}\FilterData = 02000000000040000200000000000000307069330000000000000000010000000000000000000000307479330000000060000000700000003170693308000000000000000100000000000000000000003074793300000000700000007000000066696c6500001000800000aa00389b7100000000000000000000000000000000	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2D2E24CB-0CD5-458F-86EA-3E6FA22C8E64}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\http	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11D0-BD43-00A0C911CE86}\Instance\MJPEG Compressor\FriendlyName = "MJPEG Compressor"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{1DA08500-9EDC-11CF-BC10-00AA00AC74F6}\FilterData = 0200000000004000020000000000000030706933000000000000000001000000000000000000000030747933000000006000000070000000317069330800000000000000010000000000000000000000307479330000000060000000800000007669647300001000800000aa00389b717aeb36e44f52ce119f530020af0ba77079eb36e44f52ce119f530020af0ba770	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A1-7548-11CF-A520-0080C77EF58A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\fsp\shell\open\ = "open"	FunshionInstall_C1_P33.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{70E102B0-5556-11CE-97C0-00AA0055595A}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{E436EB8C-524F-11CE-9F53-0020AF0BA770}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A8DFB9A0-8A20-479F-B538-9387C5EEBA2B}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{1B544C20-FD0B-11CE-8C63-00AA0044B51E}\FriendlyName = "AVI Splitter"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E4206432-01A1-4BEE-B3E1-3702C8EDC574}\FilterData = 02000000020060000200000000000000307069330000000000000000010000000000000000000000307479330000000060000000700000003170693308000000000000000100000000000000000000003074793300000000800000007000000080ea0a67823ad011b79b00aa003767a7000000000000000000000000000000007669647300001000800000aa00389b71	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{D51BD5A3-7548-11CF-A520-0080C77EF58A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E4206432-01A1-4BEE-B3E1-3702C8EDC574}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Funshion Task\DefaultIcon\ = "\"C:\\Program Files (x86)\\Funshion Online\\3.0.6.106\\Funshion.exe\",1"	FunshionInstall_C1_P33.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{99D54F63-1A69-41AE-AA4D-C976EB3F0713}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{33FACFE0-A9BE-11D0-A520-00A0D10129C0}\CLSID = "{33FACFE0-A9BE-11D0-A520-00A0D10129C0}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CC785860-B2CA-11CE-8D2B-0000E202599C}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{6BC1CFFA-8FC1-4261-AC22-CFB4CC38DB50}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{48025243-2D39-11CE-875D-00608CB78066}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\fsp\shell\open\command	FunshionInstall_C1_P33.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{37E92A92-D9AA-11D2-BF84-8EF2B1555AED}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A3-7548-11CF-A520-0080C77EF58A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{99D54F63-1A69-41AE-AA4D-C976EB3F0713}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E436EBB5-524F-11CE-9F53-0020AF0BA770}	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{51B4ABF3-748F-4E3B-A276-C828330E926A}\FilterData = 02000000000020000100000000000000307069330200000000000000010000000000000000000000307479330000000038000000480000007669647300001000800000aa00389b7100000000000000000000000000000000	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33FACFE0-A9BE-11D0-A520-00A0D10129C0}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37E92A92-D9AA-11D2-BF84-8EF2B1555AED}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{E436EB86-524F-11CE-9F53-0020AF0BA770}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8670C736-F614-427b-8ADA-BBADC587194B}\InprocServer32	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{51B4ABF3-748F-4E3B-A276-C828330E926A}\FilterData = 02000000000020000100000000000000307069330200000000000000010000000000000000000000307479330000000038000000480000007669647300001000800000aa00389b7100000000000000000000000000000000	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{D51BD5A3-7548-11CF-A520-0080C77EF58A}\FriendlyName = "Multi-file Parser"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
3376	FunshionInstall_C1_P33.exe
3376	FunshionInstall_C1_P33.exe
3376	FunshionInstall_C1_P33.exe
3376	FunshionInstall_C1_P33.exe
3376	FunshionInstall_C1_P33.exe
3376	FunshionInstall_C1_P33.exe
3376	FunshionInstall_C1_P33.exe
3376	FunshionInstall_C1_P33.exe
3376	FunshionInstall_C1_P33.exe
3376	FunshionInstall_C1_P33.exe
3376	FunshionInstall_C1_P33.exe
3376	FunshionInstall_C1_P33.exe
3376	FunshionInstall_C1_P33.exe
3376	FunshionInstall_C1_P33.exe
3376	FunshionInstall_C1_P33.exe
3376	FunshionInstall_C1_P33.exe
3376	FunshionInstall_C1_P33.exe
3376	FunshionInstall_C1_P33.exe
3376	FunshionInstall_C1_P33.exe
3376	FunshionInstall_C1_P33.exe
3376	FunshionInstall_C1_P33.exe
3376	FunshionInstall_C1_P33.exe
3376	FunshionInstall_C1_P33.exe
3376	FunshionInstall_C1_P33.exe
3376	FunshionInstall_C1_P33.exe
3376	FunshionInstall_C1_P33.exe
3376	FunshionInstall_C1_P33.exe
3376	FunshionInstall_C1_P33.exe
3376	FunshionInstall_C1_P33.exe
3376	FunshionInstall_C1_P33.exe
3376	FunshionInstall_C1_P33.exe
3376	FunshionInstall_C1_P33.exe
3376	FunshionInstall_C1_P33.exe
3376	FunshionInstall_C1_P33.exe
3376	FunshionInstall_C1_P33.exe
3376	FunshionInstall_C1_P33.exe
3376	FunshionInstall_C1_P33.exe
3376	FunshionInstall_C1_P33.exe
3376	FunshionInstall_C1_P33.exe
3376	FunshionInstall_C1_P33.exe
3376	FunshionInstall_C1_P33.exe
3376	FunshionInstall_C1_P33.exe
3376	FunshionInstall_C1_P33.exe
3376	FunshionInstall_C1_P33.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3376 wrote to memory of 3308	3376	FunshionInstall_C1_P33.exe	84
PID 3376 wrote to memory of 3308	3376	FunshionInstall_C1_P33.exe	84
PID 3376 wrote to memory of 3012	3376	FunshionInstall_C1_P33.exe	85
PID 3376 wrote to memory of 3012	3376	FunshionInstall_C1_P33.exe	85
PID 3376 wrote to memory of 3012	3376	FunshionInstall_C1_P33.exe	85
PID 3376 wrote to memory of 2400	3376	FunshionInstall_C1_P33.exe	96
PID 3376 wrote to memory of 2400	3376	FunshionInstall_C1_P33.exe	96
PID 3376 wrote to memory of 2400	3376	FunshionInstall_C1_P33.exe	96
PID 2400 wrote to memory of 2408	2400	Funshion.exe	98
PID 2400 wrote to memory of 2408	2400	Funshion.exe	98
PID 2400 wrote to memory of 2408	2400	Funshion.exe	98
PID 3376 wrote to memory of 3612	3376	FunshionInstall_C1_P33.exe	100
PID 3376 wrote to memory of 3612	3376	FunshionInstall_C1_P33.exe	100
PID 3376 wrote to memory of 3612	3376	FunshionInstall_C1_P33.exe	100
PID 3612 wrote to memory of 3532	3612	Funshion.exe	101
PID 3612 wrote to memory of 3532	3612	Funshion.exe	101
PID 3612 wrote to memory of 3532	3612	Funshion.exe	101

C:\Users\Admin\AppData\Local\Temp\FunshionInstall_C1_P33.exe
"C:\Users\Admin\AppData\Local\Temp\FunshionInstall_C1_P33.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3376
- C:\Windows\SYSTEM32\regsvr32.exe
  regsvr32.exe /s "C:\Windows\system32\quartz.dll"
  2⤵
  - Modifies registry class
  PID:3308
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s "C:\Windows\system32\quartz.dll"
  2⤵
  - Modifies registry class
  PID:3012
- C:\Program Files (x86)\Funshion Online\3.0.6.106\Funshion.exe
  "C:\Program Files (x86)\Funshion Online\3.0.6.106\Funshion.exe" COMMONLINK
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Program Files (x86)\Funshion Online\3.0.6.106\FunshionWeb.exe
    1008,876
    3⤵
    - Executes dropped EXE
    PID:2408
- C:\Program Files (x86)\Funshion Online\3.0.6.106\Funshion.exe
  startbyinstall tray
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3612
- - C:\Program Files (x86)\Funshion Online\3.0.6.106\FunshionWeb.exe
    1148,1152
    3⤵
    - Executes dropped EXE
    PID:3532

C:\Program Files (x86)\Funshion Online\3.0.6.106\Funshion.exe
"C:\Program Files (x86)\Funshion Online\3.0.6.106\Funshion.exe" DESKTOP
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4340

C:\Program Files (x86)\Funshion Online\3.0.6.106\Funshion.exe
"C:\Program Files (x86)\Funshion Online\3.0.6.106\Funshion.exe" DESKTOP
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4180

C:\Program Files (x86)\Funshion Online\3.0.6.106\Funshion.exe
"C:\Program Files (x86)\Funshion Online\3.0.6.106\Funshion.exe" DESKTOP
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Funshion Online\3.0.6.106\Funshion.exe

Filesize
3.4MB

MD5
425e23134d816abfcc0095e80c5077f7

SHA1
8003720cc10ad55d9c82a8584eefc5bae304755e

SHA256
a4229b4b1dc1a72a5dd064f12fcc05af251650e78c91959c32590211f8290256

SHA512
80a9af6fbf663f38c68caa33c016001ec791b7017bd2789b6660c7021f836718d29df9c8987356e7f28b66b773d387e668c2035de6e1f187c98b1fd368953bb2

Download Submit
C:\Program Files (x86)\Funshion Online\3.0.6.106\Funshion.lnk

Filesize
1KB

MD5
801152a6340907867c815f3d61f65782

SHA1
9f52138800afb6f961814865f9a0498a31a48063

SHA256
d44c085baabb3c02e7c2d77872c79afdf03a7376e0a6e526edc6e6a960b1d65b

SHA512
7e7b9228e6e5b590fcc4460fceb8a300ac37faf2c802b59e34a86f615f1cbacb1cfdc91d3a2d01d07d95fda6ae57df05a86151ffa8df486f6c6ba44ad5e65baf

Download Submit
C:\Program Files (x86)\Funshion Online\3.0.6.106\FunshionService.exe

Filesize
3.7MB

MD5
bc6d00e2716392909441e04b175b5c1f

SHA1
53dbadbd7d53d0c0f212d089e0bdf192a3c6869d

SHA256
13fb4f71a45bb2be80a84769c4281b94daca3e59c6093f1ba840f30ae6983e02

SHA512
4462fe1db9cdf141197b6692420b0a0b598b39dfc9b4fb2ed680b0d59521b3e337cd0d631c42e9389388aeedb421d4af48b6bd9d68eba9a83b769820f1185831

Download Submit
C:\Program Files (x86)\Funshion Online\3.0.6.106\FunshionUpgrade.exe

Filesize
1.2MB

MD5
8f4cd37066c6ced3ded1903b48213642

SHA1
9bf3cdf04a17088b0ab79c6ad6ed85d05f7c70bf

SHA256
261473beca85a4cfc53b972ed995c77a0a567866e246cd57c1d2b00b130a68d7

SHA512
a1ee2cf0b1bc8e1a3c044702b3d7c49b92242bd2e8a13f2563fcaf99be95b0b7a40044458fbf0041c2bcba85d4de74bbdc1eb3ff8ca8fa757098aeaa70d4fc6b

Download Submit
C:\Program Files (x86)\Funshion Online\3.0.6.106\FunshionWeb.exe

Filesize
710KB

MD5
0b0cfcf49cfae1b6a62cfdce5fd2dcc6

SHA1
dc6766cbf2c03a0a81a447ae1a012b662b740cea

SHA256
d5a69aae4a19f1db5690daae59ee71b24907b6117e79fbadcb8b1d99f80f3a42

SHA512
356cdcab64a0ced57a7d2ea4acaa6e5f60984a50004419b344093835f3af759a2430eedc2f63836136329379c6a55ccebd6e191a5a4659bce55117a4b9498017

Download Submit
C:\Program Files (x86)\Funshion Online\3.0.6.106\Uninstall.exe

Filesize
818KB

MD5
db3e352861bd6664fb037006efd685b7

SHA1
4ddf7e5131d497f86d36ce672405377404568401

SHA256
31ef9e6c69e2f8d6a2220444f6f78dafa31f232f63401acee13b0afa7a2b8914

SHA512
72dfc76ff8c9e05fd94e26fe53e936797afda2761be52e7675ec4b4b2a15417753c09ac462df703df4a0b7139aedf59019e1ac5e355096936c6dbf269bef96a9

Download Submit
C:\Program Files (x86)\Funshion Online\3.0.6.106\lang\Funshion.en_US

Filesize
18KB

MD5
2786a2dd7c838beff30dc1f5164436b1

SHA1
2b524af60cd2362849cf3cbdaddcabb133a023ec

SHA256
04901481e74d4c2b0717853f188947b4d89641e738c9b10a33f1fbb3d09141d8

SHA512
3d5a94f0466cb3a3923ca8140c5261b4203d54550dc37c11f3fa47306597b3309a6bdc20149e414a167761d5f651231ae3592f7e262d0ed995bd4c26b4e7e04a

Download Submit
C:\Program Files (x86)\Funshion Online\3.0.6.106\lua5.1.dll

Filesize
168KB

MD5
f46994557504f90314a9a61edc6541a3

SHA1
1f3879830657c1272e7b8a0c0eb04c560da7c08f

SHA256
ecf6d2f76f049bede8731e81773aa0b3e4ae3e6c5298e3d6af6c45286334d7e7

SHA512
3d3e4d8ada9209e02ac0f671b3930cfb72e795f42b8ba057ea7ca4576d6f18d44c3563225ae5fbb4ff6711f5a574cae2301fe22086268b3146322c4fa8d759be

Download Submit
C:\Program Files (x86)\Funshion Online\3.0.6.106\skin\default.skin

Filesize
3.5MB

MD5
c39b823c328e72926bf2ad48bf85faff

SHA1
a517a14bd033229f11b37557467404219cba37c9

SHA256
3428a66bb70a8adbc326dafe58ba77882b8b9e0d5257a2b82db54660f866f837

SHA512
3e2b41dafd90e05c4de912635ef84082089e8999f626e1b9ee149c31dcae787f551e64e86544e4b4ff474a8ab4b77daf19a8d6dec4de4fb77d5abf14f5e57549

Download Submit
C:\Users\Admin\AppData\Local\Temp\SetupFiles\3.0.6.106\funshion.ini

Filesize
335B

MD5
6cbd3b1e3627f1fc087397aafc3fffaa

SHA1
971bf4948ac5492aff49b9988b788a2a3f4cc6e5

SHA256
5100467b6b5dc160fe9ff51f913f47e4545912cd6b2a61275546882913400eb8

SHA512
fad9a174c20f50107df357f1ac17b3977035c8b9a4b476d8b13380aeb7781c515936dc0effe474fea9646a2fde89c267765e3bd845bd48bcc30afe5d2ead2fc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tools\gma.dll

Filesize
484KB

MD5
0f35c14ffe3f0425e77099b618d6ebae

SHA1
6261ef267c3ea44a3698b73f207bc1f78f98c89d

SHA256
5a5a180569b9dc51e0a80405ee875e202a464cbe2ed712c86f3e79c0b61599ea

SHA512
7a166e8c79fb24e9b02f7f9e464d75c05dbfc6a428ce6067475520afaa84b999c4f9b701be91193b302eb3f024d6a2390c0fa4af5ec635ab6812aeb834dbde4f

Download Submit
C:\Users\Admin\Funshion\Config\webinterface.xml

Filesize
2KB

MD5
05c1d4d76c75410fa1be0e0066d57799

SHA1
84e7c5a1d1fa771e16629215fd76b5169b29a008

SHA256
e8dc8f47bdcdcd3a4dd0838fd01022acd40b61862bd882495079e46f4457eced

SHA512
a5879f0429eda26f53b3088a21408b2c56ea061423747e5ae6dc5558139bd4b9c290553fd77d0933283981d0279a4a38b3d7f631c351e9b2e9cc4e2aaed11681

Download Submit
C:\Users\Admin\Funshion\Funshion.ini

Filesize
94B

MD5
052b902c049aea7fbcf6b2326d6790a9

SHA1
5f92a1cd5203ee277b1cb133d6684922fe712cbc

SHA256
f252506cf3bd2178a1d58d8b847d32b20b1f2a1339045cd69f3fed979b6ddfac

SHA512
9ffbc205e2362bf1a5096900595d3239006ae4c6b15d67b2985b26b4624390ba31cbe2e7eb96a459f9c8224ab00fed6a3912fc5e019877e3ecd9dc582e0f7814

Download Submit
C:\Users\Admin\Funshion\Funshion.ini

Filesize
503B

MD5
7a146f51559bf6d6636bb153a1529e36

SHA1
44d34a434260b47675271b9b8f7461263efd69e3

SHA256
725f3ab2f31b29c92574831fc771e90c13238cc5c7526f034e5f386359f82680

SHA512
c448cd88c7386430cdde3a16ec47b21401f15d25f1ba9ceac0908ec5bbcc97f527b4a30959b8106c4f3d94dfe18c9da0e65044e481edd8a1e67afa8b1fc0e007

Download Submit
C:\Users\Admin\Funshion\Funshion.ini

Filesize
544B

MD5
d0d3902cb2baf709722d594ea8237d48

SHA1
110a2350ed2f9520cb3d5454aa5a2c2ff1c6666c

SHA256
f14a2daa98d71cc0b535698ec461c9fb5d2d664b45b3fbf0c0346a3648a99d45

SHA512
b256b2f0896ae044bfb8f1cd1f2e5c4d0a048b80a7449e8de18804a6f7fbfca9ec3db2d747d050699e54a15ef0a3f1aeb180fca513ac5331bec58ca9f4678749

Download Submit
C:\Users\Admin\Funshion\Funshion.ini

Filesize
656B

MD5
71c02f7b6c41314cdee9c7281c4dff1e

SHA1
94a22bd9e3c53dfb30e10815b24ab7b047b343fc

SHA256
22f3d5ef206a0b81735410aca1870529ab54366873cb6417c650c6a864e92d98

SHA512
cabe2b3b0ad072dbe45105affaea59fe448e4e25f5ffc38b4049b5b17b790ca94e7da46f66a82e8cc327a0ac1c4e0992b5439f31e315c30845f1e17b3eb43022

Download Submit
C:\Users\Admin\Funshion\Funshion.ini

Filesize
656B

MD5
70b89aa44ce153338b7a1955359c05eb

SHA1
98b3752bab593893ec0b0058500128d00a333a3c

SHA256
3e5834e361c50ad8009ad28109c123ba44154cfdfe848da5dcbeb6cbe498e7e1

SHA512
058d28e4f3f73b5f4fd37bb6f224f311fb27a19d4e5ba67d0da4285f63c3a671c75761730e8ec8511b5dd3373fc9bde4689001004e536c5b8592f0dd6012583f

Download Submit
C:\Users\Admin\Funshion\Funshion.ini

Filesize
656B

MD5
05101076d451c218467d7f4e11a35944

SHA1
6ac0d933edf94ffeaff1731e5dac1c36dfe3bf10

SHA256
fdef691917bcc8ce9c3052c0907ab70cc7a19d5220f3a6e7a39cfc20b85fe5a4

SHA512
900dd6cd637967b3ca2e170037deb9cfe9ed348ea166ce10ff24d61b5ed01c1e221d20498e4250bd07be93b21c816b85e505ea662ad16029d2fa437931e7fea0

Download Submit
C:\Users\Admin\Funshion\Funshion.ini

Filesize
656B

MD5
d3d40f4c4fbfaf2ec037dee01ff7485d

SHA1
b76b944de2e90f17c20fee2c5e055f200d1a10d2

SHA256
59783fc1bdd3f289402ecb1aa9244728867dba7501198b3221b813e461193cf4

SHA512
e063f6772a7849354597a91269a684d234e2117745bd9d0932d7cb403372ed7d0a2c9352a6b28168773f1c99f0bef923d6221b5ade842ae19c589604db7300d1

Download Submit
C:\Windows\SysWOW64\funshion.ini

Filesize
460B

MD5
95e72f0a603a9f6455fef5d62da7b00e

SHA1
0a78a66345c6ab96a3bc7fbd12b7551881615574

SHA256
58e24f60ac67b6822566331f27e6e34886c41bbe602f280ec908bef09329accf

SHA512
792bc0104941b41e47e6380436b2cb4615e1ff6a60093360eccb92be259fd4c4aa17c5b4a6fde932fb25467a83e87c9e7804cfb2492bd1403773af3e949cc03b

Download Submit
C:\Windows\SysWOW64\funshion.ini

Filesize
548B

MD5
10f3f461448c69d6a42280d5c1f2b645

SHA1
d701a812e029fc7f4cd4861e0477caa47dc579ab

SHA256
cf30c2c819d269c806f75fd10c1246c008c8de145937a2351cf37814888a8774

SHA512
1ccce8309d0db45f7e56278d8d7ccd57ace2f44127f5e2cb4e118328eaf5a32695f6a4b95cebc175837ac54772bf5bba42a5f308347c6eabef347163e0e6d931

Download Submit
C:\Windows\SysWOW64\funshion.ini

Filesize
332B

MD5
7a4e68b2b5ee7c675d1993a524769fea

SHA1
f9c262732954326233efd1293d59b1324ae74e40

SHA256
1db0b72a039370c057ba004fbf090333e1ebaeff5ee989a240814d6af7258097

SHA512
80de6fcd617a62b5cf1d9d61a328de75a613132d6af98cc2f2f450cfa0fbaf5287e0927cbf085f13b1543a99b5a9629e3a037db33335666118b2febc90bbb67d

Download Submit
memory/2408-411-0x00000000373B0000-0x00000000373C0000-memory.dmp

Filesize
64KB

Download