Overview
overview
7Static
static
7JaffaCakes...c0.exe
windows7-x64
7JaffaCakes...c0.exe
windows10-2004-x64
7$LOCALAPPD...ds.exe
windows7-x64
7$LOCALAPPD...ds.exe
windows10-2004-x64
7$PLUGINSDI...Ex.dll
windows7-x64
3$PLUGINSDI...Ex.dll
windows10-2004-x64
3$PLUGINSDI...ns.dll
windows7-x64
3$PLUGINSDI...ns.dll
windows10-2004-x64
3$PLUGINSDI...ad.dll
windows7-x64
3$PLUGINSDI...ad.dll
windows10-2004-x64
3$PLUGINSDI...dl.dll
windows7-x64
3$PLUGINSDI...dl.dll
windows10-2004-x64
3$PLUGINSDI...es.dll
windows7-x64
3$PLUGINSDI...es.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDIR/Time.dll
windows7-x64
3$PLUGINSDIR/Time.dll
windows10-2004-x64
3$PLUGINSDI...fo.dll
windows7-x64
3$PLUGINSDI...fo.dll
windows10-2004-x64
3$PLUGINSDI...ef.dll
windows7-x64
3$PLUGINSDI...ef.dll
windows10-2004-x64
3$PLUGINSDIR/mt.dll
windows7-x64
3$PLUGINSDIR/mt.dll
windows10-2004-x64
3$PLUGINSDI...os.dll
windows7-x64
3$PLUGINSDI...os.dll
windows10-2004-x64
3FM4ffx.exe
windows7-x64
7FM4ffx.exe
windows10-2004-x64
7$PLUGINSDI...dl.dll
windows7-x64
3$PLUGINSDI...dl.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
Analysis
-
max time kernel
118s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
15/01/2025, 16:42
Behavioral task
behavioral1
Sample
JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
$LOCALAPPDATA/funmoods.exe
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
$LOCALAPPDATA/funmoods.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/ExtractDLLEx.dll
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/ExtractDLLEx.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/IEFunctions.dll
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/IEFunctions.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
$PLUGINSDIR/InetLoad.dll
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
$PLUGINSDIR/InetLoad.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
$PLUGINSDIR/NSISdl.dll
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
$PLUGINSDIR/NSISdl.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
$PLUGINSDIR/Processes.dll
Resource
win7-20240729-en
Behavioral task
behavioral14
Sample
$PLUGINSDIR/Processes.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
$PLUGINSDIR/System.dll
Resource
win7-20241010-en
Behavioral task
behavioral16
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
$PLUGINSDIR/Time.dll
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
$PLUGINSDIR/Time.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
$PLUGINSDIR/UserInfo.dll
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
$PLUGINSDIR/UserInfo.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
$PLUGINSDIR/chrmPref.dll
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
$PLUGINSDIR/chrmPref.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
$PLUGINSDIR/mt.dll
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
$PLUGINSDIR/mt.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
$PLUGINSDIR/nsisos.dll
Resource
win7-20240729-en
Behavioral task
behavioral26
Sample
$PLUGINSDIR/nsisos.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
FM4ffx.exe
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
FM4ffx.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
$PLUGINSDIR/NSISdl.dll
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
$PLUGINSDIR/NSISdl.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240729-en
Behavioral task
behavioral32
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
General
-
Target
$LOCALAPPDATA/funmoods.exe
-
Size
1.6MB
-
MD5
e10aa65bc9f094483b45ee6745e89606
-
SHA1
f69007d78c2636c53afe608f9eb8d116603652f7
-
SHA256
5211d85e3d577f54134a8ab8c5c9f23bd3b7332825dcab75a19258b25790b37f
-
SHA512
b7c55c05f53bcac6d077cdd69c37459f3e3a39c719489d7027d16d87eea96479f7baaedb31f4a7b2e0a39aba872b6435be6dd7fcdce66d42a94c87ed2b49cba6
-
SSDEEP
24576:MYl7Umdm6GUyZ2WmMFUxOWjgS0doedK+sSJBtQ2YJqrNzyWNxhxgj:5UQm6GUym0UR3tenXEYN+Wkj
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
pid Process 2704 FM4ie.exe 2956 FM4ffx.exe 1900 funmoodssrv.exe -
Loads dropped DLL 64 IoCs
pid Process 2740 funmoods.exe 2740 funmoods.exe 2740 funmoods.exe 2740 funmoods.exe 2740 funmoods.exe 2740 funmoods.exe 2740 funmoods.exe 2740 funmoods.exe 2740 funmoods.exe 2740 funmoods.exe 2740 funmoods.exe 2740 funmoods.exe 2740 funmoods.exe 2740 funmoods.exe 2740 funmoods.exe 2740 funmoods.exe 2740 funmoods.exe 2740 funmoods.exe 2740 funmoods.exe 2740 funmoods.exe 2740 funmoods.exe 2740 funmoods.exe 2740 funmoods.exe 2740 funmoods.exe 2740 funmoods.exe 2740 funmoods.exe 2740 funmoods.exe 2740 funmoods.exe 2740 funmoods.exe 2704 FM4ie.exe 2704 FM4ie.exe 2704 FM4ie.exe 2704 FM4ie.exe 2704 FM4ie.exe 2704 FM4ie.exe 2956 FM4ffx.exe 2956 FM4ffx.exe 2956 FM4ffx.exe 2956 FM4ffx.exe 1900 funmoodssrv.exe 2704 FM4ie.exe 2704 FM4ie.exe 2704 FM4ie.exe 2956 FM4ffx.exe 2956 FM4ffx.exe 2956 FM4ffx.exe 2956 FM4ffx.exe 2956 FM4ffx.exe 2956 FM4ffx.exe 2956 FM4ffx.exe 2956 FM4ffx.exe 2956 FM4ffx.exe 2956 FM4ffx.exe 2956 FM4ffx.exe 2956 FM4ffx.exe 2956 FM4ffx.exe 2956 FM4ffx.exe 2956 FM4ffx.exe 2956 FM4ffx.exe 2956 FM4ffx.exe 2956 FM4ffx.exe 2956 FM4ffx.exe 2956 FM4ffx.exe 2956 FM4ffx.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive data.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object 2 TTPs 4 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ = "Funmoods Helper Object" FM4ie.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\NoExplorer = "1" FM4ie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects FM4ie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} FM4ie.exe -
Drops file in Program Files directory 7 IoCs
description ioc Process File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\bh\funmoods.dll FM4ie.exe File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsApp.dll FM4ie.exe File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsEng.dll FM4ie.exe File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsTlbr.dll FM4ie.exe File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe FM4ie.exe File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsoem.crx FM4ie.exe File created C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\uninstall.exe FM4ie.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language funmoods.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language FM4ie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language FM4ffx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language funmoodssrv.exe -
NSIS installer 6 IoCs
resource yara_rule behavioral3/files/0x00050000000195c1-138.dat nsis_installer_1 behavioral3/files/0x00050000000195c1-138.dat nsis_installer_2 behavioral3/files/0x0014000000015e9a-142.dat nsis_installer_1 behavioral3/files/0x0014000000015e9a-142.dat nsis_installer_2 behavioral3/files/0x000500000001a4ff-537.dat nsis_installer_1 behavioral3/files/0x000500000001a4ff-537.dat nsis_installer_2 -
Modifies Internet Explorer settings 6 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppPath = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.1" FM4ie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar\ FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} = "Funmoods Toolbar" FM4ie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A} FM4ie.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\Policy = "3" FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppName = "funmoodssrv.exe" FM4ie.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}\ = "escortApp" FM4ie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\VersionIndependentProgID FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\InprocServer32\ = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.1\\funmoodsTlbr.dll" FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\ProgID\ = "esrv.funmoodsESrvc.1" funmoodssrv.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\ = "IXtrnlBsc" FM4ie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\TypeLib FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.dskBnd\ = "CDskBnd Object" FM4ie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\VersionIndependentProgID funmoodssrv.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" FM4ie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191} FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\ = "esrv" funmoodssrv.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036} FM4ie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8} FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\ = "IEHostWnd" FM4ie.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\TypeLib FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\ = "IxpEmphszr" FM4ie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1} FM4ie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\ProxyStubClsid32 FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\ = "Funmoods Toolbar" FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}\VersionIndependentProgID\ = "funmoodsApp.appCore" FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\TypeLib\Version = "1.0" FM4ie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9} FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}\ = "IwebAtrbts" FM4ie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\ProgID FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\Instl\Data\afltId = "orgnl" FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr\ = "CescrtHlpr Object" FM4ie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr\CurVer FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\TypeLib\Version = "1.0" FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}\ = "IXtrnlBsc" FM4ie.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" FM4ie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1} FM4ie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}\ProxyStubClsid32 FM4ie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}\instl\data FM4ie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\FLAGS funmoodssrv.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ProgID FM4ie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\ProxyStubClsid32 FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" FM4ie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347} FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\VersionIndependentProgID\ = "f" FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\AppID = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}" FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\escort.escortIEPane\ = "escortIEPane Object" FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ = "Funmoods Helper Object" FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}\1.0\FLAGS\ = "0" FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}\TypeLib\Version = "1.0" 
FM4ie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}\ProxyStubClsid32 FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\ = "IesrvXtrnl" FM4ie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}\ProxyStubClsid32 FM4ie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.dskBnd FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}\TypeLib\ = "{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}" FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\f\CurVer\ = "f" FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" FM4ie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}\TypeLib FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}\TypeLib\ = "{B12E99ED-69BD-437C-86BE-C862B9E5444D}" FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439}\InprocServer32\ThreadingModel = "apartment" FM4ie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\TypeLib FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\esrv.EXE\AppID = "{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}" funmoodssrv.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840}\LocalServer32 funmoodssrv.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}\1.0\ 
= "esrv 1.0 Type Library" funmoodssrv.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.funmoodsHlpr.1 FM4ie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\funmoodsApp.appCore\CLSID FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}\TypeLib\ = "{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}" FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.dskBnd.1\CLSID\ = "{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3}" FM4ie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\funmoods.dskBnd\CurVer\ = "funmoods.dskBnd.1" FM4ie.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 2740 funmoods.exe 2740 funmoods.exe 2740 funmoods.exe 2740 funmoods.exe 2740 funmoods.exe 2740 funmoods.exe 2740 funmoods.exe 2740 funmoods.exe 2740 funmoods.exe 2740 funmoods.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2740 wrote to memory of 2704 2740 funmoods.exe 30 PID 2740 wrote to memory of 2704 2740 funmoods.exe 30 PID 2740 wrote to memory of 2704 2740 funmoods.exe 30 PID 2740 wrote to memory of 2704 2740 funmoods.exe 30 PID 2740 wrote to memory of 2956 2740 funmoods.exe 31 PID 2740 wrote to memory of 2956 2740 funmoods.exe 31 PID 2740 wrote to memory of 2956 2740 funmoods.exe 31 PID 2740 wrote to memory of 2956 2740 funmoods.exe 31 PID 2704 wrote to memory of 1900 2704 FM4ie.exe 32 PID 2704 wrote to memory of 1900 2704 FM4ie.exe 32 PID 2704 wrote to memory of 1900 2704 FM4ie.exe 32 PID 2704 wrote to memory of 1900 2704 FM4ie.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe
"C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe
"C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe
"C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe" /RegServer
3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1900
-
-
-
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe
C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2956
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
130KB
MD5 345e32c7a9584757123ea67bf2ff07c8
SHA1 125d5c8e973c0628a85135e760243a26af1b503a
SHA256 c27fd7cfd14f41f9abc8ca5a5a8f3174ca111a31e12a24434425c5dbc37d9e3d
SHA512 46b5ec65facbae54d9a7200ca809c6f449fad901e7571c2b43571ff8e13ecb5b14e081d877b073387199b11cf7865bed4cd396baaf33efd6e213815c196c0d36
-
Filesize
728B
MD5 3dc6fc0b4bc9519436fbd57784b9f6ae
SHA1 eed787c05224b4afc25cf7442a368353172a4697
SHA256 35d63a35bc7fba5039eb1d7495e4c2c16e413f4105efeff563cc2093b3d0da31
SHA512 27659caaba74c5b4093e064b08b921f4df16e84b818a14dd9a290798f749bb85b25417fef7395cfdcdc851df82b3ca5ed2dc8337093d35d2f68fe4d9ad0bf99f
-
Filesize
926B
MD5 8b2e3630af1e0a6facb2916b74f694d4
SHA1 78ecee758e49f4152be6e0711bd7a83a6b1b0568
SHA256 3a19bf09e1a6bfabe612d245d1ef01072f1befdf0f870aed7f6c9cafcb3ae93e
SHA512 53b031052676acc4c21fafc75f975e8a3328f979c4bc7b9f0090ca2b6e08689bed5a0204b4db382a3914bc12b1cc5ccca047d23d371ea898ab4b685e35d54ecc
-
Filesize
978B
MD5 b19e5bf70d70fb4f34a158b44f36c583
SHA1 55fb2af2bf4981a5de4c854070759c271872059f
SHA256 74d9301f2eb611e98c372c16db9533e42d2354c35001e66109b2a5b2ba23f25c
SHA512 11aaab1296a5222882de1f8acbeaaa86f5be3a438ae1eccc7cfe083846bf103404cb268d5bb73dc58f524453f015a76b5feb632a708b298110bd26cb51b9f023
-
Filesize
822B
MD5 04ca2dd3138640490e6cc1ad85944ab6
SHA1 0bc4d73490e3e6ace3897514d37049e8815f42e5
SHA256 44da703460a0b76ee393452221fcecd388e460c958b18893299fcfaa7fd48e8b
SHA512 3e6ce79de90da7b6c661ddb9942b432e5d5edc2167cce5d178b73d9193b3f51744b3eee38b9752323631a8d8a41072c50f469c2324f7458bb36f0cd5bbd97040
-
Filesize
873B
MD5 3fdca31fdb5dea71ebeea098eaa899d7
SHA1 28b39036e6d8ea1af44643e40cd7edeb8fad2264
SHA256 8dd4b3295efada1de1eb4e4b71b0ecfedcd494d36c327f136782a1f1f5c1fc1f
SHA512 94a6cf89bffc00ad5fae674aa3c5b15aac1c257133ef406e3e710dd9bb981a0d139e03f655dc4b00eaf009e646aefc95f6ab3cdae19ba8fcd08b3781817c7a9f
-
Filesize
1KB
MD5 5fbb5afaefc7e409bbd162e8e19d4b6d
SHA1 aff0d979f6257095b914dbf96a8718da808877f3
SHA256 f2527ad5bc31fa7f7727d8b7c23d130a5f4b217b3d4fe9d700aa89ca2bd439f8
SHA512 54bad00997be3f3068a21f962876e636488bad2f7766cf8898ed54e9c86b1f9bb787dbd02d75a9192d2f5b24d8a8c822c5684ec1fb227fda7a2c325ef2356723
-
Filesize
232B
MD5 6135c76deb66535d5258b3f1f8137532
SHA1 145b8cec41181d08a1d0b87468d9896fc82f63e1
SHA256 d044359ac175299d13b07bd11227a738947b9a19625ee6c6479512abe93ea517
SHA512 6f6fd72a19e9c2c2d7997a8c671d62fc9c6ef12e6898707383c9187af74e3650b3da58e0b5b3e1cb3e965c4b5bb194d12badbb834c9f36a24823db0aa3468338
-
Filesize
1KB
MD5 4fc9d286e3fde00a7ebc6e1f15ff57fd
SHA1 8f9db532a3a52a7190e7984ba8d6cf79ab080fd2
SHA256 eab3ba297eda2a40c5887a16e91d9367089221cc662e25b9cf2c9887492e9586
SHA512 c91e24d04f5e7df8b0950246859a4c7be792c5e74a8164bc2f2fed096c1939b0f277c11f33d15d17b91e15f2ec711b7f7390ec1f4a211d11f729f4f726b2173f
-
Filesize
14KB
MD5 a5f8399a743ab7f9c88c645c35b1ebb5
SHA1 168f3c158913b0367bf79fa413357fbe97018191
SHA256 dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9
SHA512 824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977
-
Filesize
537B
MD5 a4c2abfbea2a0df941fa23201ebdbdd6
SHA1 ecf8a30774a8195b4208bb22d9eab06c8d436b05
SHA256 120bfbedad4e1d85d0d093b3b2bd5759e2e631b29aeb6acb654bb6628fcf7626
SHA512 2023f3100c35a902f48b35dbaa8a31c3f725f013c818723d4b29e828babb8827df53afe0cf1dc9bbb705b544877ef424d87511978a8e37c7f979ea5d5c5c3dd1
-
Filesize
646B
MD5 7ada0e563adf850139e2d73523473380
SHA1 e6972aab8431239a2d9682f3ec8977cd8103a677
SHA256 9f6267f08e2d26743c3b8563e287a1d56f0dc3f77dad187cd4ff0d99f6e6a083
SHA512 775faedf92603f32d15a207038dc7af89fa011989d447e49a7590929c773a7fb298d3491664587473d37e6151ef5f0be15a6dacd4f0b8d5a5fda98c52cb0df1d
-
Filesize
767B
MD5 30255cd17cb28ce1ab18d0f936e00848
SHA1 68af5eccd3e369905f3a91a59b6b55825cc47575
SHA256 56f883a9279a948056f2aa5e905681ff6009cde12afbd122bbffc936e87c4433
SHA512 4ef93afab7c746355530b6f6e5bad1f0fa3518d5817f7376a1dc3d03ab77b8d8414484f914b7238e36a2350f51bd7df2e24bc47e920f71e19d1795c38d35d334
-
Filesize
460B
MD5 56e13ce1355c76ff2314a76d8bd35b2e
SHA1 ce866817876b7be757d1ea7ae2b7c53ebfdfb1cb
SHA256 dad72bfea56e9c79666ff5e00528e178c4341b003d8c353865c27c581e9a337c
SHA512 f471e4598dfba8041f53b5ec4031cf5f0e3b2bac390c93aa540f0da037547b45786424cf45841d8b56bdce619bf7742bf716f59f81eb96b8ee618327dd57358c
-
Filesize
572B
MD5 ee414f9552ae0e9de9e333a8c56c5faf
SHA1 2f0daf73f9077c3af676ce24e169d9697130f378
SHA256 0b3267ddaf175fb2023dfa9da3345a564b728ab218c5990928ce17778e7f526d
SHA512 149c8f2ad3558fc22fe1e6c276281232176560d1d2910915349bfb275c0326671764829397de6acc9664f0006e24a25b546493b3067be57ee53ceb584d65e956
-
Filesize
623B
MD5 75fc45f6f02db12f332caa49817db106
SHA1 ccdc593148c318fda4de37290096150a28dca63a
SHA256 005828cd1c5e71d4308f54390eb88e8205b1140e7ccff368ea0434fc8a9c0180
SHA512 671ab7b5d20b7b4bf17a9aef22b99e578cdac86431f22fb04d960afeaecae0ba487bd0e2a8cd4170fff892962e6716f4e4068ff52763cbda477fd8f1c3eda86a
-
Filesize
827B
MD5 609708741ccb7fe2b7ee032ed676d0cd
SHA1 d09dbdaca730a4652aea37375b1db9257e9bc8b1
SHA256 147b94de28e8bb82915ed7e80ec89a2828a188aac80997b21eb1c5fdb6bf7469
SHA512 aef7318a01ef89790f317fe47460ad79883c84e82354885aca05e37b3dcfdb18a09ba11ab4b8c2dce0a09e0c4e394362c2e108282885ca5225328855b8694240
-
Filesize
235KB
MD5 e51b884e8074fa7cdbeaeee9aee10c18
SHA1 c12e825456ffc981d6dfc5d561b82c3ecf2ba251
SHA256 ed9d73bf47b8b00d5df2d39d35ef4b82a5c1adc6aa3b97e576b6735a510c50ba
SHA512 2657848d148adf943f9ff99b7853d0743b1d8210cb4dbdc7418c5edb5578f362f9a3e2ea628a345b470ad83587d65aaaa1d511e4267c3382e9a51f482092487e
-
Filesize
328KB
MD5 f95617b082693af8490edb28b771870e
SHA1 e6e7ffa25aa1acfa07888fd388af8dfaf28da656
SHA256 7352aaebffcaf4293bfcc66b4b3af0d9a20ea9cf5746e3fc6d548ed2d31a6b0f
SHA512 72bec0ad4efc4508b3720ed47e45da49b2c92d49878524dd1245d066788e4c508c96866b16ef8d984a8031fe8d5be6a4388acb46ed80c8b35e5a7b56f9a22508
-
Filesize
534KB
MD5 9001188b424b2c2fa40368ee2b1df506
SHA1 6ac9d3d3e42acc49524bf9bf80ff3a473c90212b
SHA256 5809a200cc0524511e3769e2a8be748404eb75b317cec3fac3ebcc4bae850cea
SHA512 9d7b793a5fbec2311f7c2ab11b15fa641286d1bfd5d04df78ae535002ea693edbdaefa30fb0fd3b288ce0f8045d743fd1bd1eba8c5f8f5a6f53dfc51260e8906
-
Filesize
243KB
MD5 ac557d58c73411da1d2aa66109182dfa
SHA1 d464184873099e2f3f1700bcb74284b8ca7959ed
SHA256 01f196deedc9c921e810e083f8f593695596718af1a216df25c4b9b8bfdb662e
SHA512 ceeb8705cda49ef5b17d30cfb8264a57cbecd1fa799906246e2e2ac82575be28547b4bd96953518504067a7538affc570205ee22914945a3f41c0a729eda8617
-
Filesize
396KB
MD5 a39180ce5d32d60c104990288a91e3a7
SHA1 4cd1d8a3ecb34997cae7d5d4a50555afeefccdb6
SHA256 d4d434cef3654987ba48f5ec24840457793eb13d7384051050feaba6138d47ef
SHA512 e9bd06ff8d1da315b70351d84bdd176bfbf5dd336b58b4fcb10c0cefaa9e20f80cd8d39ca3101f886e4e7ad680b23de78b4a3aaa04e7d54ce87d8567d676cd55
-
Filesize
314KB
MD5 a6ea8baf987c05383013259a3a96b221
SHA1 dc1f3df6abd8b9fa1a3d364e9021cd5f62590f9f
SHA256 d978712e92d634c150493e35f7dab39483559350914c1a302c0b2c0aaf1c47a3
SHA512 0e6200677efff5a9e2babd8ebac1aba3c32a1f4de0251ba2036b6bd0996170777de40ba5df6e933e0b89fbdf8cc4709d09cd077016c83018d9e338a37b63b277
-
Filesize
1.1MB
MD5 ce86ace6982b9f2d8836ff204c592dd2
SHA1 60ed4aeb4cf23e043e19d3746a1bcd9afa58a3ac
SHA256 3d808021dfa4617de80d49c7aa6620868577cf573b7a88ed24b7de30a1d4736a
SHA512 c95f53b180ef67fa74c892dcb3b878a6a722716708387b13153d6b660b3111fbfaf9aeb9381c444ebf28166a66923817d0ad57acf076e23650b1ca4496348caa
-
Filesize
7KB
MD5 ba4063f437abb349aa9120e9c320c467
SHA1 b045d785f6041e25d6be031ae2af4d4504e87b12
SHA256 73acba7dd477dfd6cf4249911f4e3c781196c7cf6b28425761dcb2d4f90c36c5
SHA512 48a813f55834069f8c6b90740de3df01564a136b0fe637f9f85cc1a19d7f32b1f70205ff2462526508fe3c1962d7c1e8e384c40463e328538aeba28e8d0fb92a
-
Filesize
18KB
MD5 994669c5737b25c26642c94180e92fa2
SHA1 d8a1836914a446b0e06881ce1be8631554adafde
SHA256 bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c
SHA512 d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563
-
Filesize
56KB
MD5 cc0bd4f5a79107633084471dbd4af796
SHA1 09dfcf182b1493161dec8044a5234c35ee24c43a
SHA256 3b5388e13dab53d53e08791f492ed7d3094a0cee51e9841af83ce02534e0621c
SHA512 67ba90ec04366e07d0922ffb4dbbb4f12f90b6785b87700adaae29327db9ec2a03d750b229f858db0594f439499d6346fbf1ebc17c77162bf8da027515219ee3
-
Filesize
11KB
MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f
-
Filesize
10KB
MD5 38977533750fe69979b2c2ac801f96e6
SHA1 74643c30cda909e649722ed0c7f267903558e92a
SHA256 b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35
SHA512 e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53
-
Filesize
4KB
MD5 7579ade7ae1747a31960a228ce02e666
SHA1 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512 a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b
-
Filesize
193KB
MD5 57d63d48f0bb2fe9b3751342e1b0cc67
SHA1 65afbce77b4990f7f5efb5251e90bd9cc744583c
SHA256 72753db55778180ebd90cb10173c7a87d8d919c6b34a07962e7e1fff80092eab
SHA512 5766ff289869a252a9d08fe826e9e7df70796b2faddb470898e4f710aa33ed19094bd73e6637c9c720da417e7f5b9ca7645fa7cd36a8fae2b0718ced10892cf8
-
Filesize
5KB
MD5 aac69f856c4540edd4ef7ce6c8571639
SHA1 2860f55ea9774d631219e66604051e90a43258b7
SHA256 6dc2644a389feeef9e0ac65e2c8b01fc18ca6e53b253f10efffcb117e0a852dd
SHA512 ebacc8117c44d298ae519705510285c576932761b3c7b697eeb91cb7620150ebe551102d1ab83d68f4c78e1496b191a55ad8f78c491f5b4af456c4de6ad72dcd
-
Filesize
5KB
MD5 69806691d649ef1c8703fd9e29231d44
SHA1 e2193fcf5b4863605eec2a5eb17bf84c7ac00166
SHA256 ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6
SHA512 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb