fcd543fca24df3c849ddd7c28c225335d97c2c8d678409eb5865a7e04548e19d

Analysis

max time kernel
143s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20231201-en
resource tags

arch:x64arch:x86image:win10v2004-20231201-enlocale:en-usos:windows10-2004-x64system
submitted
10/12/2023, 18:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tuc7.exe
Size

6.9MB
MD5

8cdc35abbc8f012285fa8ada42cd1854
SHA1

27184eee999841e6c589d90fd4f2db92abb21255
SHA256

fcd543fca24df3c849ddd7c28c225335d97c2c8d678409eb5865a7e04548e19d
SHA512

5ec7a6672a3f633d9561d21b48e2af99a8cab035f7f42aa0afb3054967ed38fac7e9677a539e73f66eef2dcbea3a86922ae40768a120cbe59dd79a53d00f12e7
SSDEEP

196608:aA89BmaeXRdyXFnlUrU7o7Bz3HzNNn1jnNnTfMImG0zj:CBmakyVnlUQ7Wz3Tv1jNTh0zj

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2808	tuc7.tmp
372	crtgame.exe
1364	crtgame.exe

Loads dropped DLL 3 IoCs

pid	Process
2808	tuc7.tmp
2808	tuc7.tmp
2808	tuc7.tmp

Unexpected DNS network traffic destination 2 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	152.89.198.214
Destination IP	194.49.94.194

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 63 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-UVL3E.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\is-VRU9E.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-MOVJ1.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-NC03A.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-17BH5.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-R58BC.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-0OK3E.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-85B6J.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-Q2HBP.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-NUIME.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-N2N6R.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-34K0C.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-H48D3.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-AR3Q2.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-E015D.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\uninstall\is-T0OLT.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-D13JG.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-9TI46.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\uninstall\unins000.dat	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-DPEVV.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-7ERNL.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\stuff\is-O3GT1.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-AO5UT.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-VF94C.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-SB823.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-17SSD.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-TGNB9.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-O7FHT.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-OUJU6.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-2LO91.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\stuff\is-ENVPL.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\stuff\is-J850D.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-8O5LU.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-L8BJ1.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-11URR.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-NGUNH.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-RHRHB.tmp	tuc7.tmp
File opened for modification	C:\Program Files (x86)\CRTGame\crtgame.exe	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-3322F.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-L7MFJ.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-SE8DK.tmp	tuc7.tmp
File opened for modification	C:\Program Files (x86)\CRTGame\uninstall\unins000.dat	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-2BK2E.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-NIMS3.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\lessmsi\is-A2UP3.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-76MRB.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\is-83BQ7.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-6U5TR.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-7OQTF.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-DNF93.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-57J6O.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-QRU3O.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-3SUTH.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\is-VV5NL.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-0U22G.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\stuff\is-JH15O.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-JIG0A.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-G37H1.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-835GP.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-RV29F.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-TS99M.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-DUETB.tmp	tuc7.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-RALGN.tmp	tuc7.tmp

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2808	tuc7.tmp

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 2808	1544	tuc7.exe	22
PID 1544 wrote to memory of 2808	1544	tuc7.exe	22
PID 1544 wrote to memory of 2808	1544	tuc7.exe	22
PID 2808 wrote to memory of 3644	2808	tuc7.tmp	41
PID 2808 wrote to memory of 3644	2808	tuc7.tmp	41
PID 2808 wrote to memory of 3644	2808	tuc7.tmp	41
PID 2808 wrote to memory of 372	2808	tuc7.tmp	39
PID 2808 wrote to memory of 372	2808	tuc7.tmp	39
PID 2808 wrote to memory of 372	2808	tuc7.tmp	39
PID 2808 wrote to memory of 1136	2808	tuc7.tmp	38
PID 2808 wrote to memory of 1136	2808	tuc7.tmp	38
PID 2808 wrote to memory of 1136	2808	tuc7.tmp	38
PID 2808 wrote to memory of 1364	2808	tuc7.tmp	37
PID 2808 wrote to memory of 1364	2808	tuc7.tmp	37
PID 2808 wrote to memory of 1364	2808	tuc7.tmp	37
PID 1136 wrote to memory of 636	1136	net.exe	36
PID 1136 wrote to memory of 636	1136	net.exe	36
PID 1136 wrote to memory of 636	1136	net.exe	36

C:\Users\Admin\AppData\Local\Temp\tuc7.exe
"C:\Users\Admin\AppData\Local\Temp\tuc7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Users\Admin\AppData\Local\Temp\is-GPT1V.tmp\tuc7.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-GPT1V.tmp\tuc7.tmp" /SL5="$11005E,6977575,54272,C:\Users\Admin\AppData\Local\Temp\tuc7.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Program Files (x86)\CRTGame\crtgame.exe
    "C:\Program Files (x86)\CRTGame\crtgame.exe" -s
    3⤵
    - Executes dropped EXE
    PID:1364
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 10
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1136
- - C:\Program Files (x86)\CRTGame\crtgame.exe
    "C:\Program Files (x86)\CRTGame\crtgame.exe" -i
    3⤵
    - Executes dropped EXE
    PID:372
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Query
    3⤵
    PID:3644

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 10
1⤵
PID:636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\CRTGame\crtgame.exe

Filesize
73KB

MD5
79f676c33ebf214c307bc9124fbcae6b

SHA1
fb2a7db44c273f45549f92bfa8f35bbaf3b99711

SHA256
ed6c02d3019c24e6420024e5687859f4c2b4a44654c5f8ee5dfa6d1f7c3587eb

SHA512
d00c7b867aef177e1e04b8599ebc2a3730e16f2e80b01f3e995a93a4aa2dada0f4c91f11d86d92a1004668ce48878d9b2cd2679adbf75caef16d2e997ff1a7a7

Download Submit
C:\Program Files (x86)\CRTGame\crtgame.exe

Filesize
58KB

MD5
b87546cd6e85d11e595c19a2e5fd12f5

SHA1
132325da1ac3ea6d8797f751b6c1d33ebfeab3a8

SHA256
3a6594561e684d5e3b6c564e05360760734f1cd0b17a53741cccacf47a8a87e8

SHA512
0226b5047625d1553973c7b53ed185fa403616191593d1ba940eac0ec8ea3343d95cfac5344a260ebb40b9a06a6ec528149f9c30b15a8b486ae9888636f0bc18

Download Submit
C:\Program Files (x86)\CRTGame\crtgame.exe

Filesize
57KB

MD5
ae2fa5c69b4da1ea8fdd0ac55fce693b

SHA1
071822d82d476bcf887d645d4256cda15ba1ccfb

SHA256
67532650c6392b2326d7c14cdd2bc9f7111fdc0d09c37393121d4117c8d63792

SHA512
7a0ba52619cfbffabff0f1215e81fed493171f8f4cc2f97b95bdfdc95e04e8a488bc7ed2f69b1c401698b5b3283e3f454bd2280794851399b6418a02e9a49d03

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GPT1V.tmp\tuc7.tmp

Filesize
16KB

MD5
c581fea6346f1f5510c2e1d3c5fee3df

SHA1
e5ff36d94287c5803ffe097e699d31265e6602f1

SHA256
cb1c526ed6a3107d9f65f481e3706c87c21dbd7dce739693259fbdd3927282ef

SHA512
2d4f8edb01d30d15b12f3f158f62b5deded23a209fb0c196cf53a96577437c5d17b090e3ada3cb09752a20cf09145e8e13ce3b836f0fdf5a5ad3eb2117c191fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GPT1V.tmp\tuc7.tmp

Filesize
91KB

MD5
ac90ebbc6339523a6c312e289d77e503

SHA1
646c64258860769d8f633623b1fecf86d5fb91b2

SHA256
ea3aeb3f6bb9513981cbd9ab73a72847eda201ae13e334f9d1a0e8d9f2138f4d

SHA512
90db86b3874993bcc45f39a6775104e6e7bb29655a495c61445552942fb5d89b0dd6279a87da60a3e986c01f26d7cfb3a3a36f74b3c4765534b56eb880351814

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TGPD6.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TGPD6.tmp\_isetup\_isdecmp.dll

Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
memory/372-151-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/372-152-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/372-155-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/372-154-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1364-185-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1364-192-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1364-208-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1364-204-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1364-201-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1364-198-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1364-161-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1364-195-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1364-165-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1364-166-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1364-169-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1364-172-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1364-175-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1364-176-0x00000000007B0000-0x0000000000852000-memory.dmp

Filesize
648KB

Download
memory/1364-181-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1364-182-0x00000000007B0000-0x0000000000852000-memory.dmp

Filesize
648KB

Download
memory/1364-158-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1364-188-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1364-189-0x00000000007B0000-0x0000000000852000-memory.dmp

Filesize
648KB

Download
memory/1544-2-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1544-159-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1544-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2808-162-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download
memory/2808-160-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2808-8-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download