d215cf3550092e9833a3f540caca905b73460f9b0ea0f97637aea5301e9389f7

Analysis

max time kernel
92s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2024, 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PROGRAMFILES/Funshion Online/Funshion/m.exe
Size

100KB
MD5

ffa9a7df6480ff67b5492f7a118e1b4b
SHA1

2fdd98953d7dbff5f027cdff4b34f33c90374101
SHA256

9f68c06375e0c5b624e81938ad8df51ea3053b7100c7e96adeee5e5207d2d5c3
SHA512

c90cac6640b7f104903003f3d2adfd7a64aea23e6465e951e155b5616b884b536227ba6b4d8be95bf9f788e607a098606c82e9925136e9397f7fe330f171fb60
SSDEEP

1536:WyZMSZFvknTePMZd4k4kJJM4Romu/5M7HVtfVt+gTXBUZ0qeUxVzef6i0lixG/HZ:xZMJnTeM4cJJM45DjVhDOZzxVayrrdZp

Score

8^/10

adware discovery evasion persistence stealer upx

Malware Config

Signatures

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
3768	attrib.exe
2868	attrib.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Commdlg\ImagePath = "system\\COMMDLG.DRV"	regedit.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral6/files/0x0007000000023cc6-28.dat	acprotect

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	m.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
4184	MediaCenter.exe

Executes dropped EXE 1 IoCs

pid	Process
4184	MediaCenter.exe

Loads dropped DLL 1 IoCs

pid	Process
3920	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE7C3CF0-4B15-11D1-ABED-709549C10000}	regsvr32.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\userinit.bat	m.exe
File created	C:\Windows\SysWOW64\IEHelper.dll	m.exe
File opened for modification	C:\Windows\SysWOW64\GROUPPOLICY\MACHINE\SCRIPTS\SCRIPTS.INI	cmd.exe
File opened for modification	C:\Windows\SysWOW64\GROUPPOLICY\MACHINE\SCRIPTS\SCRIPTS.INI	attrib.exe
File created	C:\Windows\SysWOW64\GROUPPOLICY\MACHINE\SCRIPTS\SHUTDOWN\QWERT.BAT	cmd.exe
File opened for modification	C:\Windows\SysWOW64\GROUPPOLICY\MACHINE\SCRIPTS\SHUTDOWN\QWERT.BAT	attrib.exe
File created	C:\Windows\SysWOW64\userinit.vbs	m.exe
File opened for modification	C:\Windows\SysWOW64\GROUPPOLICY\MACHINE\SCRIPTS	attrib.exe
File created	C:\Windows\SysWOW64\GROUPPOLICY\MACHINE\SCRIPTS\SCRIPTS.INI	cmd.exe
File opened for modification	C:\Windows\SysWOW64\GROUPPOLICY\MACHINE\SCRIPTS\SHUTDOWN\QWERT.BAT	cmd.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral6/files/0x0007000000023cc6-28.dat	upx
behavioral6/files/0x0007000000023cc9-58.dat	upx
behavioral6/memory/3920-164-0x0000000010000000-0x000000001001A000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\2.ico	m.exe
File created	C:\Program Files (x86)\WindowsPlayer\Media\MediaCenter.exe	m.exe

Drops file in Windows directory 23 IoCs

description	ioc	Process
File created	C:\Windows\1	m.exe
File created	C:\Windows\2	m.exe
File created	C:\Windows\3	m.exe
File created	C:\Windows\¡¡¡¡	m.exe
File created	C:\Windows\KB924270.log	m.exe
File opened for modification	C:\Windows\IEHelper	m.exe
File created	C:\Windows\init.bat	m.exe
File opened for modification	C:\Windows\System\COMMDLG.DRV	m.exe
File created	C:\Windows\KB611568.log	m.exe
File opened for modification	C:\Windows\¡¡	m.exe
File created	C:\Windows\Iesy1	m.exe
File created	C:\Windows\r	m.exe
File created	C:\Windows\System\COMMDLG.DRV	m.exe
File opened for modification	C:\Windows\r	m.exe
File created	C:\Windows\¡¡	m.exe
File created	C:\Windows\KB611565.log	m.exe
File opened for modification	C:\Windows\2	m.exe
File opened for modification	C:\Windows\3	m.exe
File opened for modification	C:\Windows\init.bat	m.exe
File opened for modification	C:\Windows\Iesy1	m.exe
File opened for modification	C:\Windows\¡¡¡¡	m.exe
File created	C:\Windows\IEHelper	m.exe
File opened for modification	C:\Windows\1	m.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MediaCenter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	m.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main	regedit.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.135118.com/?index"	regedit.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}\VersionIndependentProgID\ = "IEHlprObj.IEHlprObj"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ovfile\shell\open	m.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ocfile\shell\open	m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\omfile\shell\open\command\ = "C:\\Program Files (x86)\\internet explorer\\iexplore.exe"	m.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\omfile	m.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\omfile\shell	m.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}\1.1\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}\TypeLib\Version = "1.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}\ = "IEHlprObj Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}\TypeLib\Version = "1.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ov\ = "ovfile"	m.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ocfile\shell	m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\ = "IEHlprObj Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer\ = "IEHlprObj.IEHlprObj.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\omfile\shell\open	m.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.om	m.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}\1.1\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ovfile\shell	m.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ocfile	m.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	m.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}\ProgID\ = "IEHlprObj.IEHlprObj.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}\1.1\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ovfile\shell\open\command	m.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ovfile	m.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}\1.1\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}\1.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\omfile\shell\open\command	m.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\ = "{CE7C3CF0-4B15-11D1-ABED-709549C10000}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}\InprocServer32\ = "C:\\Windows\\SysWow64\\IEHelper.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}\1.1\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}\ = "IIEHlprObj"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.om\ = "omfile"	m.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}\TypeLib\ = "{CE7C3CE2-4B15-11D1-ABED-709549C10000}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ov	m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.oc\ = "ocfile"	m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}\ = "IIEHlprObj"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ocfile\shell\open\command\ = "C:\\Program Files (x86)\\internet explorer\\iexplore.exe"	m.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}\1.1\ = "IEHelper 1.01 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}\1.1\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}\TypeLib\ = "{CE7C3CE2-4B15-11D1-ABED-709549C10000}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ovfile\shell\open\command\ = "C:\\Program Files (x86)\\internet explorer\\iexplore.exe"	m.exe

Runs .reg file with regedit 3 IoCs

pid	Process
1776	regedit.exe
1940	regedit.exe
448	regedit.exe

Runs regedit.exe 1 IoCs

pid	Process
1824	regedit.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4184	MediaCenter.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 1824	1524	m.exe	83
PID 1524 wrote to memory of 1824	1524	m.exe	83
PID 1524 wrote to memory of 1824	1524	m.exe	83
PID 1524 wrote to memory of 1712	1524	m.exe	86
PID 1524 wrote to memory of 1712	1524	m.exe	86
PID 1524 wrote to memory of 1712	1524	m.exe	86
PID 1524 wrote to memory of 4184	1524	m.exe	87
PID 1524 wrote to memory of 4184	1524	m.exe	87
PID 1524 wrote to memory of 4184	1524	m.exe	87
PID 1712 wrote to memory of 4612	1712	WScript.exe	89
PID 1712 wrote to memory of 4612	1712	WScript.exe	89
PID 1712 wrote to memory of 4612	1712	WScript.exe	89
PID 4612 wrote to memory of 1184	4612	cmd.exe	91
PID 4612 wrote to memory of 1184	4612	cmd.exe	91
PID 4612 wrote to memory of 1184	4612	cmd.exe	91
PID 4612 wrote to memory of 1852	4612	cmd.exe	92
PID 4612 wrote to memory of 1852	4612	cmd.exe	92
PID 4612 wrote to memory of 1852	4612	cmd.exe	92
PID 4612 wrote to memory of 3768	4612	cmd.exe	93
PID 4612 wrote to memory of 3768	4612	cmd.exe	93
PID 4612 wrote to memory of 3768	4612	cmd.exe	93
PID 4612 wrote to memory of 4884	4612	cmd.exe	94
PID 4612 wrote to memory of 4884	4612	cmd.exe	94
PID 4612 wrote to memory of 4884	4612	cmd.exe	94
PID 4612 wrote to memory of 3304	4612	cmd.exe	95
PID 4612 wrote to memory of 3304	4612	cmd.exe	95
PID 4612 wrote to memory of 3304	4612	cmd.exe	95
PID 4612 wrote to memory of 2868	4612	cmd.exe	96
PID 4612 wrote to memory of 2868	4612	cmd.exe	96
PID 4612 wrote to memory of 2868	4612	cmd.exe	96
PID 4612 wrote to memory of 1776	4612	cmd.exe	97
PID 4612 wrote to memory of 1776	4612	cmd.exe	97
PID 4612 wrote to memory of 1776	4612	cmd.exe	97
PID 4612 wrote to memory of 1940	4612	cmd.exe	98
PID 4612 wrote to memory of 1940	4612	cmd.exe	98
PID 4612 wrote to memory of 1940	4612	cmd.exe	98
PID 4612 wrote to memory of 448	4612	cmd.exe	99
PID 4612 wrote to memory of 448	4612	cmd.exe	99
PID 4612 wrote to memory of 448	4612	cmd.exe	99
PID 4612 wrote to memory of 3664	4612	cmd.exe	100
PID 4612 wrote to memory of 3664	4612	cmd.exe	100
PID 4612 wrote to memory of 3664	4612	cmd.exe	100
PID 4612 wrote to memory of 3920	4612	cmd.exe	101
PID 4612 wrote to memory of 3920	4612	cmd.exe	101
PID 4612 wrote to memory of 3920	4612	cmd.exe	101

Views/modifies file attributes 1 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1184	attrib.exe
1852	attrib.exe
3768	attrib.exe
3304	attrib.exe
2868	attrib.exe

C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\Funshion Online\Funshion\m.exe
"C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\Funshion Online\Funshion\m.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe -s C:\Windows\r
  2⤵
  - Sets service image path in registry
  - System Location Discovery: System Language Discovery
  - Runs regedit.exe
  PID:1824
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\SYSTEM32\userinit.vbs"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\WINDOWS\system32\userinit.bat" "
    3⤵
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4612
  - - C:\Windows\SysWOW64\attrib.exe
      ATTRIB -R -H -S C:\Windows\SYSTEM32\GROUPPOLICY\MACHINE\SCRIPTS /S /D
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1184
  - - C:\Windows\SysWOW64\attrib.exe
      ATTRIB C:\Windows\SYSTEM32\GROUPPOLICY\MACHINE\SCRIPTS\SCRIPTS.INI -S -R -H
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1852
  - - C:\Windows\SysWOW64\attrib.exe
      ATTRIB C:\Windows\SYSTEM32\GROUPPOLICY\MACHINE\SCRIPTS\SCRIPTS.INI +S +R +H
      4⤵
      Sets file to hidden
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:3768
  - - C:\Windows\SysWOW64\gpupdate.exe
      GPUPDATE /FORCE
      4⤵
      System Location Discovery: System Language Discovery
      PID:4884
  - - C:\Windows\SysWOW64\attrib.exe
      ATTRIB C:\Windows\SYSTEM32\GROUPPOLICY\MACHINE\SCRIPTS\SHUTDOWN\QWERT.BAT -S -H -R
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:3304
  - - C:\Windows\SysWOW64\attrib.exe
      ATTRIB C:\Windows\SYSTEM32\GROUPPOLICY\MACHINE\SCRIPTS\SHUTDOWN\QWERT.BAT +S +H +R
      4⤵
      Sets file to hidden
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2868
  - - C:\Windows\SysWOW64\regedit.exe
      REGEDIT.EXE /S C:\Users\Admin\AppData\Local\Temp\SETIE.reg
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Modifies Internet Explorer start page
      Runs .reg file with regedit
      PID:1776
  - - C:\Windows\SysWOW64\regedit.exe
      REGEDIT.EXE /S C:\Users\Admin\AppData\Local\Temp\HCMD.reg
      4⤵
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:1940
  - - C:\Windows\SysWOW64\regedit.exe
      REGEDIT.EXE /S C:\Users\Admin\AppData\Local\Temp\IEqwert.reg
      4⤵
      System Location Discovery: System Language Discovery
      Runs .reg file with regedit
      PID:448
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command" /v "" /d "C:\Program Files\Internet Explorer\IEXPLORE.EXE "http://www.135118.com/?index"" /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:3664
  - - C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\SYSTEM32\REGSVR32.EXE /S C:\Windows\SYSTEM32\IEHelper.dll
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:3920
- C:\Program Files (x86)\WindowsPlayer\Media\MediaCenter.exe
  "C:\Program Files (x86)\WindowsPlayer\Media\MediaCenter.exe" C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\Funshion Online\Funshion\m.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPlayer\Media\MediaCenter.exe

Filesize
20KB

MD5
47c714dd58ec8d0beaa1893bc94c30d8

SHA1
aa1a06b7b0aea4a8f518bc1e92f53610bf5a3b2c

SHA256
bfe09d763cb3d63ead982f1d0986d5105c1a0082dd494c8c4fbd2212ac377662

SHA512
5ab074072b24adb17ce71b59521df2b68e5570863dae348c952e8e11ea2780781a73e5699a371b07f7baf704436478565687f72d5c18024e5ae30dd37eff8395

Download Submit
C:\Users\Admin\AppData\Local\Temp\HCMD.reg

Filesize
267B

MD5
cda2ea37e36f761b0b9e012ad8276d6d

SHA1
0e6c9063ba90f738a66d105eae33535eed4ba501

SHA256
290589f13b16b02a7d5bc6716d1abd59e1de0a7e6dc1270264d9ecffa576a063

SHA512
2106258417a3425c5c4802527a29a7c4a0290c785e6c0d8679e4afd6b73eb320ebb085450edc95c84b798c696b74577164d9565e2615c54537d7662d80498c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEqwert.reg

Filesize
40B

MD5
d103d2ea528b2688dfa736cdf95d4c26

SHA1
11916b760f19dc805582d0ab6500a73087b68745

SHA256
5acb839e4b05429aacc7fc33ba63a375a0532601d8b86317c8629979085b8ee1

SHA512
923cb20b14005d04de83a50d13bb119770df5dd3322fe360906e172245139f4ff8ac56806382d31cee433366cba6b04cfa2cd79b4c79714269c7f4503b482102

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEqwert.reg

Filesize
1KB

MD5
bfb73618d22dab32c03e166c6cd97661

SHA1
971999e1cbf40d080b57d54801a6ed6273c0eb02

SHA256
d1e34cec5841b77cfe98f5046507feb25e5ab3151a48162a596bcaa6a80ab35e

SHA512
bfed6b4364331f28e2f15e2531d90ba47b0449f99fb8a3d7a176dc9c8522e2cf266a638d1bbd21f11690be0bc75e618e6524e02991f8655094c97d98157e5b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETIE.reg

Filesize
150B

MD5
31800eb10f4806bdce38e1059acb7519

SHA1
7825de9e30a52b81a04c3f70d1cfaadfabfe580c

SHA256
55474d27e7a0bb64014b87473bb245a6676f7fcb1a05c6a8f71b3375236ef6ee

SHA512
677da3c07d20b850f69ec2b9da5ce24f26b2ebf45fd91e44a11d0fdedfbcff9682303bd0318792d938e57c200e77ca3b04e5c49e9b0c3d5d2f486c4a9e1e9d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETIEQWERT.BAT

Filesize
232B

MD5
313d621b5b31449f6963bb238e26eb3d

SHA1
17351a27e4bbd3a2f12beba3934e7826696aa600

SHA256
5039377073079bc30768fed03f6f4fb0630319d38483ed0fb378aa45ed0790d5

SHA512
4cf20c956914f11f1bd4bca4ee7c4667f353bdce8ea6a63919039a925c98101054a57840c4a94c9b412575108e629880e6d4b692cb5944f1627ee2320a4597ea

Download Submit
C:\Windows\1

Filesize
294B

MD5
b3da6c958962a5d9ea13e8a67415680b

SHA1
bdcb4a598f4782c6130d602cbd3a2d71ec98af35

SHA256
8b23d79b96401a92548ca2adf1f3e8fda5371fc3c07937ac295617d8a65600bc

SHA512
72818b870c61ed9060640cfad397ab9228f08f5c06c3f9a6b1b6d9b83e1c88788f2c7fd5e4725e091d8e7cf414e81a703d97ddd1decb0d12fd7cccc8e13f1835

Download Submit
C:\Windows\2

Filesize
9KB

MD5
f08f5e65141be235580b9b6784f9f78a

SHA1
9786b4e68a6a3d1377e066f0ee7703e71d129597

SHA256
e53da24fa53cd24b98848eb45a59e95f7872717d5ec400061c89aece4498b282

SHA512
ed99259a77da36e14da3a1163fdb9a677135f52cacd44a4a6268f6af63e5320aa67146d81abf7b41e67921a0961189f3f510a2b97e3196dcbea354de0982e772

Download Submit
C:\Windows\3

Filesize
25KB

MD5
83669aebc401dac229a6644c62b5dfb6

SHA1
9904bb4e9e64c927f84777c3250fb37d33924e6d

SHA256
ae4a1cce633ccd31d4605d46c8af308c99aae25355580662e941a3d3ec275f51

SHA512
a6a276d5a517a383c99a56a37cdaa02de08b8f614b08ece1fe15db645a4f2808fe763f002f34435bb4b6398d73154a407b119813a89dc04e8bb43dc80ffb6de1

Download Submit
C:\Windows\IEHelper

Filesize
25KB

MD5
fe7c00acee71a7c95e0296b09eae86cf

SHA1
72788f2393cb6d870350386ba08155f22019336c

SHA256
53d674c1f2997a7d80392301b450d256668591d52a4900c660c84615ad668617

SHA512
a477821d1d39e8a3ca42b59e261a66f7ade8d99c370cee58c838413b36ee828bb1d61ed3bdcf5c6b5ebbedce3fe3fbde74a516e038b6625370fa1f4f56c44f8e

Download Submit
C:\Windows\Iesy1

Filesize
3KB

MD5
e6675b96beafa719b6789d1a7cf4a17a

SHA1
be012f7f22c006edb44b7288c67308a4010030e6

SHA256
60f7afa0df6805e5fed8f31943a3fd1f6cdca9638defee9f99b28cf549f5834c

SHA512
08e7f07e0bd49d5779fc927e3f3c34f58845878a2e163a653153bd09beef1a612a6a2d1d042674652df16645452516a7fe392212953d0a3445dddad97950e36a

Download Submit
C:\Windows\SysWOW64\GROUPPOLICY\MACHINE\SCRIPTS\SCRIPTS.INI

Filesize
103B

MD5
d3d77f0ec0d0112582cedf5c61fd74c1

SHA1
fe5c76f453f38597a231e3999c6d4c390a2977a9

SHA256
29dc54b0d040e8c9dbca525f67e180bddbdc629c5fe8dae48d0af38f35f48c5a

SHA512
d74788d539f6f4a134320d3c7570974d0d880d5d2eebad5d3ddc955bc1c9e570512a00175ea43f77bec678460fe3752b9045f1deebd4c3f9f8545b9793104dee

Download Submit
C:\Windows\init.bat

Filesize
5KB

MD5
fe4840ece6f2045678545b8a4b9575a6

SHA1
9ec7bc018241cc4966e5668185d0c86c0777e100

SHA256
b54eccc0323d725353df9afecf585dd565ae2be8112f0c6d8ae69c08d23ab3cc

SHA512
967a228d71d35de15468d99d4f144675fdeb631c1bfca3c3aafbb8dd405dd8adfbd1cfc220ab2784594a870c8b57b43f73af4337e3d115083cbb95e9d0a6f079

Download Submit
C:\Windows\r

Filesize
720B

MD5
1e4a364d62af7ca2e848641f96dfbd9e

SHA1
6cdc070edfc1311e745e81f154f1b5fc0036c3cc

SHA256
6ba029de625ee359e9a92e5c6275aa64fa033f6bfd0ea82e1400b9fd9df46d3b

SHA512
ae4f52dda7728e0f4b76368cde650d5afba955a95b85f7bcf11388b63b721a4d51a4eb1b266fb9d94179331e27e8e486b5407b40b47f168644717a59edabe6a0

Download Submit
memory/3920-164-0x0000000010000000-0x000000001001A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads