Analysis
max time kernel: 95s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 15/01/2025, 16:42
Behavioral tasks (task: sample, resource)
behavioral1: JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe, win7-20240903-en
behavioral2: JaffaCakes118_5c7f6d6e11f4eb14a890fd8084669bc0.exe, win10v2004-20241007-en
behavioral3: $LOCALAPPDATA/funmoods.exe, win7-20241010-en
behavioral4: $LOCALAPPDATA/funmoods.exe, win10v2004-20241007-en
behavioral5: $PLUGINSDIR/ExtractDLLEx.dll, win7-20240903-en
behavioral6: $PLUGINSDIR/ExtractDLLEx.dll, win10v2004-20241007-en
behavioral7: $PLUGINSDIR/IEFunctions.dll, win7-20240903-en
behavioral8: $PLUGINSDIR/IEFunctions.dll, win10v2004-20241007-en
behavioral9: $PLUGINSDIR/InetLoad.dll, win7-20240903-en
behavioral10: $PLUGINSDIR/InetLoad.dll, win10v2004-20241007-en
behavioral11: $PLUGINSDIR/NSISdl.dll, win7-20240903-en
behavioral12: $PLUGINSDIR/NSISdl.dll, win10v2004-20241007-en
behavioral13: $PLUGINSDIR/Processes.dll, win7-20240729-en
behavioral14: $PLUGINSDIR/Processes.dll, win10v2004-20241007-en
behavioral15: $PLUGINSDIR/System.dll, win7-20241010-en
behavioral16: $PLUGINSDIR/System.dll, win10v2004-20241007-en
behavioral17: $PLUGINSDIR/Time.dll, win7-20240903-en
behavioral18: $PLUGINSDIR/Time.dll, win10v2004-20241007-en
behavioral19: $PLUGINSDIR/UserInfo.dll, win7-20240903-en
behavioral20: $PLUGINSDIR/UserInfo.dll, win10v2004-20241007-en
behavioral21: $PLUGINSDIR/chrmPref.dll, win7-20240903-en
behavioral22: $PLUGINSDIR/chrmPref.dll, win10v2004-20241007-en
behavioral23: $PLUGINSDIR/mt.dll, win7-20240903-en
behavioral24: $PLUGINSDIR/mt.dll, win10v2004-20241007-en
behavioral25: $PLUGINSDIR/nsisos.dll, win7-20240729-en
behavioral26: $PLUGINSDIR/nsisos.dll, win10v2004-20241007-en
behavioral27: FM4ffx.exe, win7-20240903-en
behavioral28: FM4ffx.exe, win10v2004-20241007-en
behavioral29: $PLUGINSDIR/NSISdl.dll, win7-20240903-en
behavioral30: $PLUGINSDIR/NSISdl.dll, win10v2004-20241007-en
behavioral31: $PLUGINSDIR/System.dll, win7-20240729-en
behavioral32: $PLUGINSDIR/System.dll, win10v2004-20241007-en
General
Target: $LOCALAPPDATA/funmoods.exe
Size: 1.6MB
MD5: e10aa65bc9f094483b45ee6745e89606
SHA1: f69007d78c2636c53afe608f9eb8d116603652f7
SHA256: 5211d85e3d577f54134a8ab8c5c9f23bd3b7332825dcab75a19258b25790b37f
SHA512: b7c55c05f53bcac6d077cdd69c37459f3e3a39c719489d7027d16d87eea96479f7baaedb31f4a7b2e0a39aba872b6435be6dd7fcdce66d42a94c87ed2b49cba6
SSDEEP: 24576:MYl7Umdm6GUyZ2WmMFUxOWjgS0doedK+sSJBtQ2YJqrNzyWNxhxgj:5UQm6GUym0UR3tenXEYN+Wkj
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried  \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation  (funmoods.exe)
Executes dropped EXE (3 IoCs)
  PID 4148  FM4ie.exe
  PID 2504  FM4ffx.exe
  PID 5092  funmoodssrv.exe
Loads dropped DLL (64 IoCs)
  Distinct loading processes recorded across the 64 entries:
  PID 2000  funmoods.exe
  PID 4148  FM4ie.exe
  PID 2504  FM4ffx.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Installs/modifies Browser Helper Object (2 TTPs, 4 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects  (FM4ie.exe)
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}  (FM4ie.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\ = "Funmoods Helper Object"  (FM4ie.exe)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7}\NoExplorer = "1"  (FM4ie.exe)
Drops file in Program Files directory (7 IoCs)
  File created  C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsoem.crx  (FM4ie.exe)
  File created  C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\uninstall.exe  (FM4ie.exe)
  File created  C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\bh\funmoods.dll  (FM4ie.exe)
  File created  C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsApp.dll  (FM4ie.exe)
  File created  C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsEng.dll  (FM4ie.exe)
  File created  C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsTlbr.dll  (FM4ie.exe)
  File created  C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe  (FM4ie.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (FM4ie.exe)
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (FM4ffx.exe)
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (funmoodssrv.exe)
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (funmoods.exe)
NSIS installer (4 IoCs)
  behavioral4/files/0x0008000000023bfb-152.dat  nsis_installer_1
  behavioral4/files/0x0008000000023bfb-152.dat  nsis_installer_2
  behavioral4/files/0x0008000000023bcc-160.dat  nsis_installer_1
  behavioral4/files/0x0008000000023bcc-160.dat  nsis_installer_2
Modifies Internet Explorer settings (6 IoCs)
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}  (FM4ie.exe)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\Policy = "3"  (FM4ie.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppName = "funmoodssrv.exe"  (FM4ie.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}\AppPath = "C:\\Program Files (x86)\\Funmoods\\funmoods\\1.5.11.1"  (FM4ie.exe)
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar\  (FM4ie.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} = "Funmoods Toolbar"  (FM4ie.exe)
Modifies registry class (64 IoCs; COM/TypeLib/CLSID registrations written by FM4ie.exe and funmoodssrv.exe)
Suspicious behavior: EnumeratesProcesses (10 IoCs)
  PID 2000  funmoods.exe  (all 10 entries)
Suspicious use of WriteProcessMemory (9 IoCs)
  PID 2000 (funmoods.exe) wrote to memory of 4148  procid_target 84  (recorded 3 times)
  PID 2000 (funmoods.exe) wrote to memory of 2504  procid_target 85  (recorded 3 times)
  PID 4148 (FM4ie.exe) wrote to memory of 5092     procid_target 86  (recorded 3 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe  (PID 2000)
   Command line: "C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe"
   - Checks computer location settings
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe  (PID 4148)
      Command line: "C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Installs/modifies Browser Helper Object
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      3. C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe  (PID 5092)
         Command line: "C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe" /RegServer
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Modifies registry class

   2. C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe  (PID 2504)
      Command line: C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads