Analysis

  • max time kernel
    95s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/01/2025, 16:42

General

  • Target

    $LOCALAPPDATA/funmoods.exe

  • Size

    1.6MB

  • MD5

    e10aa65bc9f094483b45ee6745e89606

  • SHA1

    f69007d78c2636c53afe608f9eb8d116603652f7

  • SHA256

    5211d85e3d577f54134a8ab8c5c9f23bd3b7332825dcab75a19258b25790b37f

  • SHA512

    b7c55c05f53bcac6d077cdd69c37459f3e3a39c719489d7027d16d87eea96479f7baaedb31f4a7b2e0a39aba872b6435be6dd7fcdce66d42a94c87ed2b49cba6

  • SSDEEP

    24576:MYl7Umdm6GUyZ2WmMFUxOWjgS0doedK+sSJBtQ2YJqrNzyWNxhxgj:5UQm6GUym0UR3tenXEYN+Wkj

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in Program Files directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • NSIS installer 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 6 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe
    "C:\Users\Admin\AppData\Local\Temp\$LOCALAPPDATA\funmoods.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe
      "C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4148
      • C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe
        "C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodssrv.exe" /RegServer
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:5092
    • C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe
      C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2504

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsApp.dll

          Filesize

          328KB

          MD5

          f95617b082693af8490edb28b771870e

          SHA1

          e6e7ffa25aa1acfa07888fd388af8dfaf28da656

          SHA256

          7352aaebffcaf4293bfcc66b4b3af0d9a20ea9cf5746e3fc6d548ed2d31a6b0f

          SHA512

          72bec0ad4efc4508b3720ed47e45da49b2c92d49878524dd1245d066788e4c508c96866b16ef8d984a8031fe8d5be6a4388acb46ed80c8b35e5a7b56f9a22508

        • C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsEng.dll

          Filesize

          534KB

          MD5

          9001188b424b2c2fa40368ee2b1df506

          SHA1

          6ac9d3d3e42acc49524bf9bf80ff3a473c90212b

          SHA256

          5809a200cc0524511e3769e2a8be748404eb75b317cec3fac3ebcc4bae850cea

          SHA512

          9d7b793a5fbec2311f7c2ab11b15fa641286d1bfd5d04df78ae535002ea693edbdaefa30fb0fd3b288ce0f8045d743fd1bd1eba8c5f8f5a6f53dfc51260e8906

        • C:\Program Files (x86)\Funmoods\funmoods\1.5.11.1\funmoodsTlbr.dll

          Filesize

          243KB

          MD5

          ac557d58c73411da1d2aa66109182dfa

          SHA1

          d464184873099e2f3f1700bcb74284b8ca7959ed

          SHA256

          01f196deedc9c921e810e083f8f593695596718af1a216df25c4b9b8bfdb662e

          SHA512

          ceeb8705cda49ef5b17d30cfb8264a57cbecd1fa799906246e2e2ac82575be28547b4bd96953518504067a7538affc570205ee22914945a3f41c0a729eda8617

        • C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ffx.exe

          Filesize

          314KB

          MD5

          a6ea8baf987c05383013259a3a96b221

          SHA1

          dc1f3df6abd8b9fa1a3d364e9021cd5f62590f9f

          SHA256

          d978712e92d634c150493e35f7dab39483559350914c1a302c0b2c0aaf1c47a3

          SHA512

          0e6200677efff5a9e2babd8ebac1aba3c32a1f4de0251ba2036b6bd0996170777de40ba5df6e933e0b89fbdf8cc4709d09cd077016c83018d9e338a37b63b277

        • C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\FM4ie.exe

          Filesize

          1.1MB

          MD5

          ce86ace6982b9f2d8836ff204c592dd2

          SHA1

          60ed4aeb4cf23e043e19d3746a1bcd9afa58a3ac

          SHA256

          3d808021dfa4617de80d49c7aa6620868577cf573b7a88ed24b7de30a1d4736a

          SHA512

          c95f53b180ef67fa74c892dcb3b878a6a722716708387b13153d6b660b3111fbfaf9aeb9381c444ebf28166a66923817d0ad57acf076e23650b1ca4496348caa

        • C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsdC0EE.tmp

          Filesize

          1KB

          MD5

          7ff58acd61479e45ec30172e3dcc21bf

          SHA1

          3b0d8bcb16a15a3bbef91d814fa40a12d37046a5

          SHA256

          663c46d33d12b521aa717c0e3520852eed199b697eda458ab65db971e2cf87ad

          SHA512

          38e32dd10448faf22ccd04e0502354acf7355bee96d7b60cf1323891cfdfbea035f1a8b93860fb8fd2a84d41278c97a978c96bac8dd2df5d5fa79e91e203b34a

        • C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsdC190.tmp

          Filesize

          396B

          MD5

          b2872927dbd3897c21b032afa5729ffe

          SHA1

          1acdfb1cebf384d78f032d4267d72fbc82962ad6

          SHA256

          c9ea2c167f7329d0c547382ef97f13e4f87faa588bdd5521210ef458107134ce

          SHA512

          65ef9b2a76be968f55b4570e2e88d951d3f18c8dd20072b23bcf5b997b88538b25e541d4237e15f6c26bc6c6140136d97ec7e49a1e1c29529117d7abe6c4e7cb

        • C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsdC191.tmp

          Filesize

          460B

          MD5

          87d8fa84521ceaf4ad49873e852366d4

          SHA1

          ecde848d61884879442378764128fdd5f39f141d

          SHA256

          0aea2d4cf44486f26e571200a18f7a19e1992b0bbc04fbf069c3d8acefbba9a4

          SHA512

          fbfa689eded7bb328ee12ee5ed437d72c66ed154eb9cc8efa40bbc640682c872e0cf604824efab8695438fb1231727cc66a22525fb1ed704baea2ded3fc2a808

        • C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsdC1E3.tmp

          Filesize

          676B

          MD5

          ea63c872919417f8cf9d00e35ea056e7

          SHA1

          4fe71ac12b2da8c1cee141430b43e3ce910e3d22

          SHA256

          e24f41e607040f778414f706826471686def64aef6111efb83d947a58f689f30

          SHA512

          f5106337d4292b67a129350eadc9281416a708996202a37f2e036a10d0a7fec62b299d0f2993f2ebee5ea75259b8bcbac66c110b85fb8ee3cf133f5c9091f18d

        • C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsiC203.tmp

          Filesize

          728B

          MD5

          456688a268164631f9c4fe9b6a420f4e

          SHA1

          5f738ac84c6005b8d4f9f56c418d89560287d637

          SHA256

          93abc7fb98ddbcaeefb064e357a81cbba71962d8688e35838e63c95a82201688

          SHA512

          22123a06a87a35253fca58d608daa0b1b5a8c93e6f3f146a85e239db55652067134aaf6c32aa732c2a897b857bfac0591d92d0047598e1f190132efab37e8284

        • C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsnBFEC.tmp

          Filesize

          646B

          MD5

          d1a4af83f16f9306e527465025c70d40

          SHA1

          8fe8f54b4628ab26d6f0cb1ebad6c4568aa92419

          SHA256

          9c47d5c54f66e6276a25966f2b3ac647b389772a3b5214b3ccabc3a3c9af9232

          SHA512

          4a47a2c1d2bc579c771200d8af5a5bcb76eb5f3b7b27172cf50c477ce15b04480c2766bf42d5cb7a8a27cfb1c4591c9e1c735922989ca34420c0fddbd5f80c19

        • C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsnC17D.tmp

          Filesize

          232B

          MD5

          b70a3ae702a94f63b4c8d2342ca94425

          SHA1

          a621b40b4f513834a6703c5fda8671c352d181c4

          SHA256

          fb8d54caf0b0e3e46756967a92f07f17489402614352df9812aac60026f22114

          SHA512

          e3a75fe6f133878ea1a6953e04ecbf0cb043e2d131979573f9c4e31b4cfad4af20656b20f9fde0d134f8608874551f95f84369f2ed370afa52d88466631d6b11

        • C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsnC17F.tmp

          Filesize

          341B

          MD5

          8cc1d03d3559f97300866ea644872cb8

          SHA1

          0acfad913038b4a9684911a42e58e45392e32fe7

          SHA256

          d9f52daad3006b1d0e31ebb44f5ff45392675e71e6f1c9085326254a3a3ad333

          SHA512

          e3ed34a9b28a05c6898aa8fb491e69001df73b0f477ace98168540369ba050793782a6ed426327b1793ed528db604ff7613e6d819dfd02b9a3fbe13adb62c1fb

        • C:\Users\Admin\AppData\Local\Temp\FNMD\FM\1.5.11.1\nsxBFDB.tmp

          Filesize

          591B

          MD5

          9b797f1bb4a24566963b77332796ebf7

          SHA1

          4fe25da60d189457b7e8c6759af57e10674460e5

          SHA256

          8a620c47db43eef8ebcb4616c6b058765306b47921f915016f425f9d8bcf9bb7

          SHA512

          97a133915cd3a8639b35d48b0f193126496bb0a03f62d2985c4ad4c465d3c6bde5c4494d4f569f94aa90f2dcb3db82fe5eaec9540019446d6bda39213100d7d4

        • C:\Users\Admin\AppData\Local\Temp\nsbBBFE.tmp\ExtractDLLEx.dll

          Filesize

          7KB

          MD5

          ba4063f437abb349aa9120e9c320c467

          SHA1

          b045d785f6041e25d6be031ae2af4d4504e87b12

          SHA256

          73acba7dd477dfd6cf4249911f4e3c781196c7cf6b28425761dcb2d4f90c36c5

          SHA512

          48a813f55834069f8c6b90740de3df01564a136b0fe637f9f85cc1a19d7f32b1f70205ff2462526508fe3c1962d7c1e8e384c40463e328538aeba28e8d0fb92a

        • C:\Users\Admin\AppData\Local\Temp\nsbBBFE.tmp\InetLoad.dll

          Filesize

          18KB

          MD5

          994669c5737b25c26642c94180e92fa2

          SHA1

          d8a1836914a446b0e06881ce1be8631554adafde

          SHA256

          bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c

          SHA512

          d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563

        • C:\Users\Admin\AppData\Local\Temp\nsbBBFE.tmp\NSISdl.dll

          Filesize

          14KB

          MD5

          a5f8399a743ab7f9c88c645c35b1ebb5

          SHA1

          168f3c158913b0367bf79fa413357fbe97018191

          SHA256

          dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

          SHA512

          824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

        • C:\Users\Admin\AppData\Local\Temp\nsbBBFE.tmp\Processes.dll

          Filesize

          56KB

          MD5

          cc0bd4f5a79107633084471dbd4af796

          SHA1

          09dfcf182b1493161dec8044a5234c35ee24c43a

          SHA256

          3b5388e13dab53d53e08791f492ed7d3094a0cee51e9841af83ce02534e0621c

          SHA512

          67ba90ec04366e07d0922ffb4dbbb4f12f90b6785b87700adaae29327db9ec2a03d750b229f858db0594f439499d6346fbf1ebc17c77162bf8da027515219ee3

        • C:\Users\Admin\AppData\Local\Temp\nsbBBFE.tmp\System.dll

          Filesize

          11KB

          MD5

          c17103ae9072a06da581dec998343fc1

          SHA1

          b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

          SHA256

          dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

          SHA512

          d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

        • C:\Users\Admin\AppData\Local\Temp\nsbBBFE.tmp\Time.dll

          Filesize

          10KB

          MD5

          38977533750fe69979b2c2ac801f96e6

          SHA1

          74643c30cda909e649722ed0c7f267903558e92a

          SHA256

          b4a95a455e53372c59f91bc1b5fb9e5c8e4a10a506fa04aaf7be27048b30ae35

          SHA512

          e17069395ad4a17e24f7cd3c532670d40244bd5ae3887c82e3b2e4a68c250cd55e2d8b329d6ff0e2d758955ab7470534e6307779e49fe331c1fd2242ea73fd53

        • C:\Users\Admin\AppData\Local\Temp\nsbBBFE.tmp\UserInfo.dll

          Filesize

          4KB

          MD5

          7579ade7ae1747a31960a228ce02e666

          SHA1

          8ec8571a296737e819dcf86353a43fcf8ec63351

          SHA256

          564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5

          SHA512

          a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

        • C:\Users\Admin\AppData\Local\Temp\nsbBBFE.tmp\chrmPref.dll

          Filesize

          193KB

          MD5

          57d63d48f0bb2fe9b3751342e1b0cc67

          SHA1

          65afbce77b4990f7f5efb5251e90bd9cc744583c

          SHA256

          72753db55778180ebd90cb10173c7a87d8d919c6b34a07962e7e1fff80092eab

          SHA512

          5766ff289869a252a9d08fe826e9e7df70796b2faddb470898e4f710aa33ed19094bd73e6637c9c720da417e7f5b9ca7645fa7cd36a8fae2b0718ced10892cf8

        • C:\Users\Admin\AppData\Local\Temp\nsbBBFE.tmp\mt.dll

          Filesize

          5KB

          MD5

          aac69f856c4540edd4ef7ce6c8571639

          SHA1

          2860f55ea9774d631219e66604051e90a43258b7

          SHA256

          6dc2644a389feeef9e0ac65e2c8b01fc18ca6e53b253f10efffcb117e0a852dd

          SHA512

          ebacc8117c44d298ae519705510285c576932761b3c7b697eeb91cb7620150ebe551102d1ab83d68f4c78e1496b191a55ad8f78c491f5b4af456c4de6ad72dcd

        • C:\Users\Admin\AppData\Local\Temp\nsbBBFE.tmp\nsisos.dll

          Filesize

          5KB

          MD5

          69806691d649ef1c8703fd9e29231d44

          SHA1

          e2193fcf5b4863605eec2a5eb17bf84c7ac00166

          SHA256

          ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6

          SHA512

          5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb

        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1hvy0a28.Admin\user.js

          Filesize

          537B

          MD5

          50a190a643f231c8d6817b22cf411c2a

          SHA1

          0a4f5748c2b9ef29dfc1dddc3a307d5833125852

          SHA256

          8e66f4f6b90976466e96f228edee8e019501777aad93431ae610335c645441b4

          SHA512

          b46847a99b2143ff7079331321de6013e89c3fdb76a071c6e47115670ad1f1448214c761fe16705614b68112c0360ac9451af5908bf70b922208c29c8e3eb9cd

        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1hvy0a28.Admin\user.js

          Filesize

          822B

          MD5

          24afdf39dffc976aef20905665d91b08

          SHA1

          774d60192ce2ba59bd7d4ee9f14efe7af131b0b0

          SHA256

          31de9666b1fb5736ca76e586b6ff467b328a303ea7fc7b394fecb1b24522e743

          SHA512

          05af78fbd9f372f5ec4a94eccecfbbd170b14231397d3d5f6e096eb61785c0eef0fedb113b43257b4d444902a87e2a1d6296d4a04c57cc3833224f01891dfb6f

        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1hvy0a28.Admin\user.js

          Filesize

          873B

          MD5

          109071e4292964007e4e8dcf3b918b1b

          SHA1

          67385d2e5dc8e2f640ed4f42c248ee4a23ff6da8

          SHA256

          8c8aa83638a005bb116cb2e9cc8665b193d529fcae2340f3e0b961a94f77832c

          SHA512

          e1f4a5c0fa21aa8e42f9e1ec0abdac20ce2898985945fd45ae75dcb753598807a9a19813f2a2915b606c8feeb1c3f15da3662948a1aad64440b9e8f37598390c

        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1hvy0a28.Admin\user.js

          Filesize

          1KB

          MD5

          f6bb4c41a5c723bdbfa7f2538547145d

          SHA1

          10a21cca7a8e1dadb7d592bb6487591640756dd9

          SHA256

          cda69d4d4ac25cc36df161ac6b6fadeffa388c1a0010fe505ab493c12f8b0766

          SHA512

          fcaea3fd47669e3bb55d6c6bcda9aef0bb0aa4b466aaa70981c3870d129c11aacae9f7d85943dbef6860d63a124cc680a62ab5a92c917d32c77b119f8a79b165

        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\user.js

          Filesize

          517B

          MD5

          e2db0b9ed33fb3ffafa6d26a83d035f7

          SHA1

          525d6979bde80c9863498bc03aecb353cc9d2a70

          SHA256

          ca92c777b1ead7d94f7f7bb72bc1609c1b2c3bf86a65aa7cc8f24ce946fb61de

          SHA512

          a942dad45716d83d8cabe7c47da30ab9db4a0495f9e788d14fd656356bcfdad4798ae7866d46bd85ffc296fa998e4b2c0f225b7f0407ee25b99fd41ca3427b98

        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\user.js

          Filesize

          623B

          MD5

          7d3751e4f32177ee986ad47afa4977e5

          SHA1

          a71e9a06f35bfeddcd2c8dd01edc401e5500f515

          SHA256

          9ddf9abc626345ab926a108bc939a4e37c1863301c6bbcfdf1dd2f9d0ac46286

          SHA512

          6351e4b26f3b6e7d875f65f1be7254dd2f622089eb9a286bec484451cc6a1f3c37d639f406f359beeb6c5347e30a042b7d2bbf759c02fbef66b9c2a6f4fe9b6c

        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\user.js

          Filesize

          827B

          MD5

          6a9f18f328c7045a301cf9618c3210cf

          SHA1

          31a24acbfffdbfef12a8076ec10200c7686de2ee

          SHA256

          f468ec7a07eacec92e6e55deb108cdbcfdbea04a89adebd9268f6ac2a7e6ce10

          SHA512

          309ef953b3b61eb9cd11b6c1c9012717b8229fc0c6c813a791c86d679d56fa7700ccd3cbf2cb2d93c4a9f74477adbdb5dfb6a1bce332826b3dc3fe9532dd33b1

        • memory/2000-84-0x0000000002420000-0x0000000002432000-memory.dmp

          Filesize

          72KB

        • memory/2000-1600-0x0000000003A10000-0x0000000003A22000-memory.dmp

          Filesize

          72KB