c2074e7e73c076707b2bd2723f3576cd2e9395de232b0c76c1857b0b6e01e96c

Analysis

max time kernel
93s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28-09-2024 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$LOCALAPPDATA/funmoods.exe
Size

1.6MB
MD5

badf0b8e9bc8d7352fb084951255ee4f
SHA1

e584634b5565fd81d7258fca86c632c9d3e1cd14
SHA256

73db5f6b89963d6692e3c43c8f3e5265ec4512ce87fe652e9ec3a4a0bb036db8
SHA512

3b704e3b0d440f1e580cc277c3c68223139f35156b00250ebf9a231f03d5f74bd19bbf948061e7b8be13b9c08aca9f30a0929cfce5a9d5cc3558cd187a05d53e
SSDEEP

24576:VtxBMupYpmZICsiWuu0uFYBimEuDYYmTj67rRXFO6BbwZTdNFtr6Ps7QOWxQ6NVN:p6HmZICsfujIvGmTW7rRQakZpt+xQON

Score

7^/10

adware discovery spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	funmoods.exe

Executes dropped EXE 3 IoCs

pid	Process
5044	FM4ie.exe
4312	FM4ffx.exe
3116	funmoodssrv.exe

Loads dropped DLL 64 IoCs

pid	Process
4664	funmoods.exe
4664	funmoods.exe
4664	funmoods.exe
4664	funmoods.exe
4664	funmoods.exe
4664	funmoods.exe
4664	funmoods.exe
4664	funmoods.exe
4664	funmoods.exe
4664	funmoods.exe
4664	funmoods.exe
4664	funmoods.exe
4664	funmoods.exe
4664	funmoods.exe
4664	funmoods.exe
4664	funmoods.exe
4664	funmoods.exe
4664	funmoods.exe
4664	funmoods.exe
4664	funmoods.exe
4664	funmoods.exe
4664	funmoods.exe
4664	funmoods.exe
4664	funmoods.exe
4664	funmoods.exe
4664	funmoods.exe
4664	funmoods.exe
4664	funmoods.exe
4664	funmoods.exe
4664	funmoods.exe
4664	funmoods.exe
4664	funmoods.exe
4664	funmoods.exe
5044	FM4ie.exe
5044	FM4ie.exe
5044	FM4ie.exe
5044	FM4ie.exe
5044	FM4ie.exe
5044	FM4ie.exe
4312	FM4ffx.exe
4312	FM4ffx.exe
4312	FM4ffx.exe
4312	FM4ffx.exe
4312	FM4ffx.exe
4312	FM4ffx.exe
4312	FM4ffx.exe
4312	FM4ffx.exe
4312	FM4ffx.exe
4312	FM4ffx.exe
4312	FM4ffx.exe
4312	FM4ffx.exe
4312	FM4ffx.exe
4312	FM4ffx.exe
4312	FM4ffx.exe
4312	FM4ffx.exe
4312	FM4ffx.exe
4312	FM4ffx.exe
4312	FM4ffx.exe
4312	FM4ffx.exe
4312	FM4ffx.exe
4312	FM4ffx.exe
4312	FM4ffx.exe
4312	FM4ffx.exe
4312	FM4ffx.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ = "Funmoods Helper Object"	FM4ie.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\NoExplorer = "1"	FM4ie.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\uninstall.exe	FM4ie.exe
File created	C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\bh\funmoods.dll	FM4ie.exe
File created	C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsApp.dll	FM4ie.exe
File created	C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsEng.dll	FM4ie.exe
File created	C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsTlbr.dll	FM4ie.exe
File created	C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe	FM4ie.exe
File created	C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsOEM.crx	FM4ie.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	funmoods.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FM4ie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FM4ffx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	funmoodssrv.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral4/files/0x000700000002349e-152.dat	nsis_installer_1
behavioral4/files/0x000700000002349e-152.dat	nsis_installer_2
behavioral4/files/0x000700000002349d-160.dat	nsis_installer_1
behavioral4/files/0x000700000002349d-160.dat	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar\	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} = "Funmoods Toolbar"	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}	FM4ie.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\Policy = "3"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppName = "funmoodssrv.exe"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppPath = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16"	FM4ie.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\ = "IescrtSrvc"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\ProgID\ = "f"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\ = "escorTlbr 1.0 Type Library"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\esrv.funmoodsESrvc.1\CLSID\ = "{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}"	funmoodssrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\TypeLib	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\TypeLib\Version = "1.0"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\ProgID\ = "escort.escortIEPane.1"	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\Programmable	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\TypeLib\Version = "1.0"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\tlbrSrchUrl = "http://start.funmoods.com/results.php?f=3&a=orgnl&q="	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.dskBnd.1\CLSID\ = "{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}"	FM4ie.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\instlDay = "19994"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}\ = "Ixtrnlmain"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\ = "IXmlCnfg"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}"	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\0\win32	funmoodssrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\InprocServer32\ThreadingModel = "apartment"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\ = "IXtrnlBsc"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}\ = "escort"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}"	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\InprocServer32	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\1.0\ = "escortApp 1.0 Type Library"	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\ProxyStubClsid32	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\InprocServer32\ThreadingModel = "apartment"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.dskBnd\CLSID\ = "{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\esrv.funmoodsESrvc\ = "escrtSrvc Object"	funmoodssrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}	funmoodssrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\FLAGS	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}	funmoodssrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\funmoodsApp.appCore.1\CLSID\ = "{A9DB719C-7156-415E-B49D-BAD039DE4F13}"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\ = "IRegmapDisp"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\Programmable	funmoodssrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\TypeLib\Version = "1.0"	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\ProxyStubClsid32	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\ProgID\ = "funmoodsApp.appCore.1"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\TypeLib\ = "{D7EE8177-D51E-4F89-92B6-83EA2EC40800}"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\FLAGS\ = "0"	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\ProxyStubClsid32	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\ = "IesrvXtrnl"	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}\1.0\0	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\0\win32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16\\funmoodssrv.exe"	funmoodssrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\CLSID	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\vrsnTs = "1.5.11.162:54:04"	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}\ = "escortEng"	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\VersionIndependentProgID	funmoodssrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\ = "IEvntCntr"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}"	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}\TypeLib\Version = "1.0"	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\TypeLib\Version = "1.0"	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\TypeLib	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\TypeLib	FM4ie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\InprocServer32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.16\\funmoodsApp.dll"	FM4ie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\TypeLib	FM4ie.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4664	funmoods.exe
4664	funmoods.exe
4664	funmoods.exe
4664	funmoods.exe
4664	funmoods.exe
4664	funmoods.exe
4664	funmoods.exe
4664	funmoods.exe
4664	funmoods.exe
4664	funmoods.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4664 wrote to memory of 5044	4664	funmoods.exe	82
PID 4664 wrote to memory of 5044	4664	funmoods.exe	82
PID 4664 wrote to memory of 5044	4664	funmoods.exe	82
PID 4664 wrote to memory of 4312	4664	funmoods.exe	83
PID 4664 wrote to memory of 4312	4664	funmoods.exe	83
PID 4664 wrote to memory of 4312	4664	funmoods.exe	83
PID 5044 wrote to memory of 3116	5044	FM4ie.exe	84
PID 5044 wrote to memory of 3116	5044	FM4ie.exe	84
PID 5044 wrote to memory of 3116	5044	FM4ie.exe	84

C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe
"C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe
  "C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5044
- - C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe
    "C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe" /RegServer
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:3116
- C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
  C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsApp.dll

Filesize
329KB

MD5
12be59f427297e54fef41f9bb32d4233

SHA1
0088967a4ed52f491976136c95d43e0e1b06cc31

SHA256
e4b3df5ead761fe83da367d5e2ae1d416d0f89a572480deecc20c4b4295f17eb

SHA512
0f8f3826e8a9205771863c042a8386315784927e260ca8617c44f83b5f3f3a501500d6d39ae732da11c0621dbd6c8c6d75ac7af660a46bb70acac9c12991d2db

Download Submit
C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsEng.dll

Filesize
535KB

MD5
d5e0f923b3ee640efd6a58ec0c70cbdc

SHA1
74f62a9acdb9f9dd0580d69450c062ba8870deea

SHA256
3d1b55bbb46e5788ca3e8ce68e515f52bdf63c0f53ceaad7236964eedf97f281

SHA512
471eca5adb43ba82cfed4fdb395471414301e3eeb602ba4fa6cccb9721869847a06bd8096d7eb15cbdcab908d6dfc47d48d293e1f77b881271f6d7dd4f54f3f0

Download Submit
C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodsTlbr.dll

Filesize
245KB

MD5
7f8be790b6614f46adeafd59761abbeb

SHA1
a1be7d513d40b1a0af1aa1fd73c2c2b6173ac700

SHA256
b1fa4dacf9656e31588eebeca1f831c72a33d9affca07ede0d5f5d113ec14aaf

SHA512
4d17c74368543092a8e7604208689bc6a5fc5bcc46c60cfb9255622d031a4265adaa13d7c0b5f410ababed802f29cb89c2dd7d7b1adc1af33fbb5f55e4a8a5ca

Download Submit
C:\Program Files (x86)\Funmoods\funmoods\1.5.11.16\funmoodssrv.exe

Filesize
398KB

MD5
ffba0384096f7a6c2189009b3c54c8db

SHA1
e1e883b9345bd74b0c7e158751c60b0ee2139677

SHA256
93587b81f4e717b25a6e5fd2fb7158d7fb825f79af1c02ed0a61d5de15b6327b

SHA512
7ea59cd57a0b6ecb1258af1d271dcb68236d0b95fca0d5905d177dd8df980771b0a182a459a6a6f01cb4789433d193306324fa178b88b6ec3677aa5c589571dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ffx.exe

Filesize
319KB

MD5
fe768a6b82ed2a59c58254eae67b8cf9

SHA1
3dad9bf5011fb73b9be2fe6c601bb6281a3ceaf6

SHA256
3ac3c700060a0487060724f3fd22faf70d5f633e69401641964d7ba4d6e6e570

SHA512
3d8caadc61ea127bd0e3d01f35274a2ebfa34a0ac12b0932988300d011347f74a09c2bf3c85e58bfbe5200288c6e6f100b4f08916d23e56d7b52a70130aad14b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\FM4ie.exe

Filesize
1.1MB

MD5
ddcada8c66d56df6e4ef2bbedf2bb865

SHA1
059a7f8bb8ed2e99d5153d26ecf986e91c24df19

SHA256
abcde03656f4c6f51d4d4c788ece555581b8c7b52bfe1c18ef70678cb3a2e872

SHA512
63a3ca5d733cef71cc4ff61d6b5b3dd74613d57bac2b5d41efffbbf64ab6031bde66c0cd7058bf50c047e64e4ee0ef87dff3c7864a18c118521f5711ab69cc91

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsiB455.tmp

Filesize
769B

MD5
4853611b3f356246298e035a2a3ef301

SHA1
52f30313f6a0095723a88589ce1adce30922485a

SHA256
8678e5750d15f7e2907cbad038b94df1394a987f54a0f2fe9a104e9243ae691c

SHA512
d9a5a5b8bdc8a3f63a5936779482d0496c356839ed95af28f27adb30f2644b2a050f1050e293f60f278e782ad6c9d67be264fa140035d9df94886fbe6d5be2f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsiB4A6.tmp

Filesize
928B

MD5
aaa47ce43a35b608660b2e0b8216c0d1

SHA1
0eadf8d70ba2e4c8d30e85032253cb55bdceb633

SHA256
92b210b9dfad98cf94365efb0fbb295aff143b171ad9cb5953160a4df6d79825

SHA512
b48b1c33b131324e2687c45984c17151284333dc0a066063a00d3aec7e89123cd2c24d5dcb1a8d91e9ff809271bd68fb505f880b1f20c1f8e114d6902c96ad27

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsiB545.tmp

Filesize
1KB

MD5
e8c8e520eeb9b188234cee89c87de8dc

SHA1
535a81deb620172b7a73cc13c32b37d01cc1406d

SHA256
ad132901a91edad03a007784f7162b89d3b0709e88050b0fa96bf4321bfc295e

SHA512
e6535f0200380cb7c6e91c40ed16aa03e53b33362df0a23583090958b0923cedf67b7ddc2b52f55e3c2fb91bb4abb301cde6d0bb8627068dfe52939c3e22f86a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsjB5E5.tmp

Filesize
232B

MD5
202f64e0f721b10412716f39032f54cc

SHA1
636354759cc591ffb61943bb876e39605e155ad3

SHA256
a61946e154ddf19f4c6fbbef01889d3cc87176a52bae0528a360ace734e2ebe9

SHA512
8ef7cf6d8d1fe8a31a1a8077385b048497d8aa86a8b7e68d19b3e09c4c34fbadd946d4f768f8ccf081f192299130efadb21d7e2092c68a347e66fb717c58c28a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsoB608.tmp

Filesize
462B

MD5
0dd4f2ffc398c8906d3976cdd56ae899

SHA1
d05f23483958026458d1d4362ec6d7ca255d1a5b

SHA256
3d5a7e9deb047d5eafbd89631cc6d0352aec12f729eb2ddc622f7c95c7daf7e5

SHA512
360531fc60304cb6f7084983c8bd8bb67c1e109862c99e11e99ed129df5a71e30390ac02aeb603a4b0957455b713a2b7a3d96b4f94dc10ff2cc18e9b9be08bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nssB3F2.tmp

Filesize
482B

MD5
12f9364a51ad3ff981256b5479b73ac7

SHA1
64066bab59c981ee730071d2477d22f9f61ac5e7

SHA256
707c89a5b9eda8ccfa64d3dd6f0b39b2a2ea6d3d1ae657a52b05e4520c916a0d

SHA512
bbad1ace448b2cde88d0ce2e6a0d5247aa56e8ecef8ddc4db06e6db5a5295e4dd9076026c3584f74d1b7d4ffb95661750bff4b00cef86c071fc5d94c5b2e9286

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nstB629.tmp

Filesize
574B

MD5
fef6a96cd9e6d492aba04df90923e018

SHA1
28938fd7885b72558a98b9d3f5a8c1cc69548733

SHA256
9786f564b1551224b02185c1cc033bfe8f4aa642a07beae46db1c62041ed7851

SHA512
f694ea54e8b2a5e92bfe9734e28e2f3c52cfe44dab77b6558511702788c700bb1639829702182ce4b4196ff92e5a5f2b802656df6120bd74e5cf2f48820af8a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsyB5F5.tmp

Filesize
287B

MD5
36b6c7e9cadb7b36a25fc63a6fa8ef3f

SHA1
ec98af6dd7ae78e5e50a7d244a16b0c12bab9662

SHA256
065daacc0eac6de73b49d15048359eeba44ff92653f3fffc825ff539145656f7

SHA512
d3c932d8425cd1e9c639ff771beb703d2746898ccf09b97d76e61a78e39a3b9d965e3fdc5a00237ce56deeb703eccb46e95aaa0dfeb991caa1fb410de1d9ef7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsyB5F6.tmp

Filesize
342B

MD5
8b0cc542aee3bfb902a72d8b192fa40c

SHA1
39e33fcf5cc4c2cd1b32700722f9e4abb0f447e7

SHA256
61d2f2ad932e02cd3a2b6dcf4d6ea425c54a6a404cc30adb8e25facdef0067b5

SHA512
78adebf12c4bc2c3fc8211d23f3f626136d2bc291556a9411f3766652f4647e347182c7fd5c803b29fd72ef89e536dc81b33b55e9bfcd8bab23242042ceb9e8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.16\nsyB64A.tmp

Filesize
678B

MD5
cb6ca76ce233f990f527991e2fda5539

SHA1
900498ace91d6f23161eb98259aaac9f7007814a

SHA256
c85290e85eec8ec297207408825f1929466dd82d976ecb9a40ce0ed050710500

SHA512
b339cee04330fe21aa445f5d181e70d3a32b1150be9b150fafa175291d13c7d896c031480e95a697cf351d0e9f958ae407b8d736fdcfddaf78506946d00a6aa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmB027.tmp\ExtractDLLEx.dll

Filesize
7KB

MD5
ba4063f437abb349aa9120e9c320c467

SHA1
b045d785f6041e25d6be031ae2af4d4504e87b12

SHA256
73acba7dd477dfd6cf4249911f4e3c781196c7cf6b28425761dcb2d4f90c36c5

SHA512
48a813f55834069f8c6b90740de3df01564a136b0fe637f9f85cc1a19d7f32b1f70205ff2462526508fe3c1962d7c1e8e384c40463e328538aeba28e8d0fb92a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmB027.tmp\InetLoad.dll

Filesize
18KB

MD5
994669c5737b25c26642c94180e92fa2

SHA1
d8a1836914a446b0e06881ce1be8631554adafde

SHA256
bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c

SHA512
d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmB027.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmB027.tmp\Processes.dll

Filesize
56KB

MD5
cc0bd4f5a79107633084471dbd4af796

SHA1
09dfcf182b1493161dec8044a5234c35ee24c43a

SHA256
3b5388e13dab53d53e08791f492ed7d3094a0cee51e9841af83ce02534e0621c

SHA512
67ba90ec04366e07d0922ffb4dbbb4f12f90b6785b87700adaae29327db9ec2a03d750b229f858db0594f439499d6346fbf1ebc17c77162bf8da027515219ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmB027.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmB027.tmp\Time.dll

Filesize
10KB

MD5
38977533750fe69979b2c2ac801f96e6

SHA1
74643c30cda909e649722ed0c7f267903558e92a

SHA256
b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35

SHA512
e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmB027.tmp\UserInfo.dll

Filesize
4KB

MD5
7579ade7ae1747a31960a228ce02e666

SHA1
8ec8571a296737e819dcf86353a43fcf8ec63351

SHA256
564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

SHA512
a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmB027.tmp\chrmPref.dll

Filesize
194KB

MD5
6845d147b88de1f005d9c6ebb6596574

SHA1
64523302e2b1e2ee7a31580d2acac852db3c7e45

SHA256
c9ccc486c3353bad0d2819a42203c0db7ba98b4826b6a2b8d4deee832e4d3d8e

SHA512
cd4caa6669b5f90ead60579a2e5b01a9cd2d17fd2919651cecda6327acb32e2eb3b9953412c085d50dee89779d2f60df658236fb4c3cc54bed4ae66929590606

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmB027.tmp\mt.dll

Filesize
5KB

MD5
aac69f856c4540edd4ef7ce6c8571639

SHA1
2860f55ea9774d631219e66604051e90a43258b7

SHA256
6dc2644a389feeef9e0ac65e2c8b01fc18ca6e53b253f10efffcb117e0a852dd

SHA512
ebacc8117c44d298ae519705510285c576932761b3c7b697eeb91cb7620150ebe551102d1ab83d68f4c78e1496b191a55ad8f78c491f5b4af456c4de6ad72dcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmB027.tmp\nsisos.dll

Filesize
5KB

MD5
69806691d649ef1c8703fd9e29231d44

SHA1
e2193fcf5b4863605eec2a5eb17bf84c7ac00166

SHA256
ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6

SHA512
5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8ldjzjqt.Admin\user.js

Filesize
406B

MD5
0d7889a328bf4c6b506dd87507ae693e

SHA1
21928a20080bb3bdef6457f0ffa1def8f35a14a0

SHA256
1164c9ded36dbae9752329f8833729cb6b9ee0177abb8d00d1efeede0baf8ff4

SHA512
2342d33faee44e84698e543d85798cd724123d7291e46d7df5f2bbf497353b2d8b7f8dabab515602177d4ff7892c19f1ebae099698e1dd046bb1da90b8b60dce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8ldjzjqt.Admin\user.js

Filesize
712B

MD5
a372ec5c06f6dfcfc62fc9bd14c02523

SHA1
56bb9c8af8bf95c8ff3023c7dca4dce96a4e9f36

SHA256
d21ceb76aa87380a6c4353d842fc78102dab2a53f63f0c0076fccfb634c91650

SHA512
7253fb8e403d03ea627538ba001aba6bfcce6f1acb65307b741d13859697ceb6b1f9b8be61f4973fc56a1fb27de37a13d0b5a9b297be4d7121f9c67fc4eb36e5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8ldjzjqt.Admin\user.js

Filesize
875B

MD5
2bfcc377ad1360dde8c096f15b5e6d9c

SHA1
bd5be9c3ef9ba0f75a5325a236a947c9eaef14ff

SHA256
7f98923b173f03d729f32853b1b085ec0a0177cb4eb846edbc5cfcaac44196d8

SHA512
3f87709eb6d71bfa27b0d8efc571b0175e0de110158dbb97912871a4639d93b15da28c725c11c82d204e4b2d7c753e371a28435ebf9cc714a288269c27b5e0f1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8ldjzjqt.Admin\user.js

Filesize
980B

MD5
7bc33b606515ec984c3d137a2480a1da

SHA1
86dcbcdf6db1be747b3fdd832e679ed82ff5ff70

SHA256
0d932f828514ceafa497266b5425dc2e5d9340d0f0e783c8d808b6b2dde9a9b1

SHA512
67e2024b36b6a81aaaaba19d59fc57d52a12ac8f1ac1535fbcb4942471be4387d294ec6a57f25fe179c386ac30a1df49f31f63391b5a04640dd6a58c90dd6de0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\user.js

Filesize
398B

MD5
2d05d73492a4372344cea2ea3e2dd33d

SHA1
28e9b78f525411d47bb17eb4a9ae9163e56b0e47

SHA256
792ed7984c6b7ca0862b71dbb6983e6f4850c022d7e26140128564dc16016fa3

SHA512
45047b9ac18d5279d42377e913e07b13341670b86b8239de5eb3e79fa4c4adb1afaa2015df2905324f4679cf5b7ff092fc8095fe0dbae4879e63b232321d7f03

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\user.js

Filesize
625B

MD5
2c281440531d8ba3a3a0a74cbf838007

SHA1
b693f7c73f6f381edcc64dcc16f99e5ae2dcc34a

SHA256
da5602b2156b1edc00b3fbd5a487b913f7d8c01cc3e51fb7ab1b3319e5249e99

SHA512
f81992150571e68ad2a6bfdde98a226f95e32a7da230da54333c835d3ed2256294a8438cb672f747621fe447c8870933b0470a9a8fa084fa153cf95b023384c2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\user.js

Filesize
780B

MD5
28e1891eff8099293ff544f1b35288a2

SHA1
f8a3b319e774a2ad6770fec98f0f015262fc1c95

SHA256
64ef0334c868fba29dcf8f497da9eb141107879ab14e3dd1f09cac93e5ec9260

SHA512
9e0e44732008033b7e3ed26a867d09c39e410eb571cd0f843aaf88707b1269460665442c00c6713d5eff843e64012b943f3c06a0495a00f454e8f20f23b19ca8

Download Submit
memory/4664-84-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/4664-1600-0x0000000003B50000-0x0000000003B62000-memory.dmp

Filesize
72KB

Download