61b72c1df71bec3e8c2e3e047b2d5b6c41600447c16137611f9ff6837e7773e3

Analysis

max time kernel
144s
max time network
132s
platform
windows7_x64
resource
win7-20231130-en
resource tags

arch:x64arch:x86image:win7-20231130-enlocale:en-usos:windows7-x64system
submitted
10-12-2023 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tuc3.exe
Size

6.9MB
MD5

f0f8e4290323039b6e8e03d06d4c2347
SHA1

65a9589c4cdbd0c8d08a0d46732e2b405074d4c8
SHA256

61b72c1df71bec3e8c2e3e047b2d5b6c41600447c16137611f9ff6837e7773e3
SHA512

3773bb662fa17e599cbd1939742282940be6969e0946557208b452f58459015a607dc257bcd10e7904e56a6a3b2519c27505743c3792b9f55c3491056bbe4141
SSDEEP

196608:/K2+nNevvWstwr2m5BmycyEbSfasepd5e4x6+AjZ6mjxzj:/DY6tiP3myRfzepXe4ny8gxzj

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2052	tuc3.tmp
2324	crtgame.exe
2008	crtgame.exe

Loads dropped DLL 6 IoCs

pid	Process
1080	tuc3.exe
2052	tuc3.tmp
2052	tuc3.tmp
2052	tuc3.tmp
2052	tuc3.tmp
2052	tuc3.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	81.31.197.38

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 63 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\CRTGame\stuff\is-LE121.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-8E3II.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-U3LQO.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-J4SFL.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-UJVJK.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-PV5V5.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\stuff\is-8HGAF.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-5DKLI.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-4QP25.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-8SI3I.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-M2TAU.tmp	tuc3.tmp
File opened for modification	C:\Program Files (x86)\CRTGame\crtgame.exe	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-1JIA3.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-4FDJP.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-HEUNK.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-KL8G7.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-3DC1L.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-650NE.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-B8P56.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-UHH63.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\lessmsi\is-NMRGJ.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\stuff\is-1N19H.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-7RQ6J.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-SDKBL.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-1PMID.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\is-N8SB2.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-BJKMB.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-96LFC.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-S8JMI.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-AU59N.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\is-3FLA1.tmp	tuc3.tmp
File opened for modification	C:\Program Files (x86)\CRTGame\uninstall\unins000.dat	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-DT1GJ.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\uninstall\unins000.dat	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-93EAQ.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\is-1QIU9.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-GSD1H.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-KR76U.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-2R190.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-PG6UJ.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-0FC8P.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-H9NBE.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-LVBK1.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\stuff\is-1EUER.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-8TGSC.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-4ODF3.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-049FV.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-UCJ91.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\uninstall\is-RGM0A.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-0JOO9.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-L22HG.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-VRCPV.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-P8VOQ.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-TC54M.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-FM4UU.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-GGKM7.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-0QJE1.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-SVTE3.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-6E1QJ.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-J81QA.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-4QIC4.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-U7P48.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-KMKSS.tmp	tuc3.tmp

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2052	tuc3.tmp

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 2052	1080	tuc3.exe	17
PID 1080 wrote to memory of 2052	1080	tuc3.exe	17
PID 1080 wrote to memory of 2052	1080	tuc3.exe	17
PID 1080 wrote to memory of 2052	1080	tuc3.exe	17
PID 1080 wrote to memory of 2052	1080	tuc3.exe	17
PID 1080 wrote to memory of 2052	1080	tuc3.exe	17
PID 1080 wrote to memory of 2052	1080	tuc3.exe	17
PID 2052 wrote to memory of 1708	2052	tuc3.tmp	30
PID 2052 wrote to memory of 1708	2052	tuc3.tmp	30
PID 2052 wrote to memory of 1708	2052	tuc3.tmp	30
PID 2052 wrote to memory of 1708	2052	tuc3.tmp	30
PID 2052 wrote to memory of 2324	2052	tuc3.tmp	28
PID 2052 wrote to memory of 2324	2052	tuc3.tmp	28
PID 2052 wrote to memory of 2324	2052	tuc3.tmp	28
PID 2052 wrote to memory of 2324	2052	tuc3.tmp	28
PID 2052 wrote to memory of 2784	2052	tuc3.tmp	35
PID 2052 wrote to memory of 2784	2052	tuc3.tmp	35
PID 2052 wrote to memory of 2784	2052	tuc3.tmp	35
PID 2052 wrote to memory of 2784	2052	tuc3.tmp	35
PID 2052 wrote to memory of 2008	2052	tuc3.tmp	34
PID 2052 wrote to memory of 2008	2052	tuc3.tmp	34
PID 2052 wrote to memory of 2008	2052	tuc3.tmp	34
PID 2052 wrote to memory of 2008	2052	tuc3.tmp	34
PID 2784 wrote to memory of 1912	2784	net.exe	32
PID 2784 wrote to memory of 1912	2784	net.exe	32
PID 2784 wrote to memory of 1912	2784	net.exe	32
PID 2784 wrote to memory of 1912	2784	net.exe	32

C:\Users\Admin\AppData\Local\Temp\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Users\Admin\AppData\Local\Temp\is-E0481.tmp\tuc3.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-E0481.tmp\tuc3.tmp" /SL5="$500F8,6991381,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Program Files (x86)\CRTGame\crtgame.exe
    "C:\Program Files (x86)\CRTGame\crtgame.exe" -i
    3⤵
    - Executes dropped EXE
    PID:2324
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Query
    3⤵
    PID:1708
- - C:\Program Files (x86)\CRTGame\crtgame.exe
    "C:\Program Files (x86)\CRTGame\crtgame.exe" -s
    3⤵
    - Executes dropped EXE
    PID:2008
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 10
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2784

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 10
1⤵
PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\CRTGame\crtgame.exe

Filesize
76KB

MD5
7184e9bfc57c5729a447a29d5c3cba52

SHA1
8908538c59901e69ee157d1b2c2a94f26909c0ab

SHA256
6548a3971db8030ce4cdb8b6e4bd26f9fed701e1aeed6deceae47d2c3d573d41

SHA512
4a9b3d01b6cefc8e04b14d139471c49ecebf5d70cc219c4b7fc20398f08aa613bd00acf3809172d6ad27d72fb0ff82247a7c318473816ad49c87b11ed42c9048

Download Submit
C:\Program Files (x86)\CRTGame\crtgame.exe

Filesize
31KB

MD5
d550a581a79f98018d858f7888450a37

SHA1
bbf4d717f2bd16ca9c29f91483e2ba66d3aed42a

SHA256
8dbeada64ac0fc3f037a1ad376d694a765f8b0e426bfc2cf46d3c887b5cb316f

SHA512
df6303d73e704449ddc881b25e4b768c44f59b299e4fdc770c2408d42a3091eeadc23b713ffb40646c8e18881833a3006e06c40fccb7ab0f6950cec5eadc343d

Download Submit
C:\Program Files (x86)\CRTGame\crtgame.exe

Filesize
113KB

MD5
88e640ed61ec7315585875307cb2f46f

SHA1
34b3b5d9fa4e6a533ec1cc6253cd8d455a40ced6

SHA256
0a7f873c2fc887284457a09be68b68d23aa893cb69d4858676e3a12e2c63ddd4

SHA512
d13abdf39fc4426021cebeba2140d9477f85cc03c45f2e1541208567e61c700f630cf8aef80f9650a83b408e3839ad31d5fd34b671784bea4f53813b18134978

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-E0481.tmp\tuc3.tmp

Filesize
1KB

MD5
14d083317674748d4cb8e3384484c890

SHA1
6b8c9037700f569ae228d1c8998b1d9faea21a48

SHA256
199e49960b2cc64da68cc9822271d7a667112c42703f976d38258f8c83a78a67

SHA512
f3d093902aa2d158e726ac6dfd689036352fdef5c6345941cc747fc175701ccc4e0215567e9620abfd17fa3f84cab07e1654957ce56c2fce4a6b898faf253de2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-E0481.tmp\tuc3.tmp

Filesize
31KB

MD5
568e756bdf7105c212e508b41bdf6189

SHA1
a2614eb6b1f10a67e25fa857775cdf45846f09af

SHA256
990ac5122e9073d6c52b9f835fe9a0604ca775fea1ff85400f8c1b7a1557486d

SHA512
2b97bb4e2d2615bc55b3292d9ab3eca1c1d403d1f6656728cbc366cbe235df54754d58e3fca4fb627bf786c53cad29e396eeeefaa8378c7233346e9ab11869d7

Download Submit
\Program Files (x86)\CRTGame\crtgame.exe

Filesize
41KB

MD5
58fdc8bcf37e0241b546d728d58866ca

SHA1
e608b07812c8be78fe5febd789d84778f51bfc07

SHA256
b6e25442da8c96c55cddb43285a58b6265a59a2b925a72ee45c46679ce45faca

SHA512
e49ae7109bf173837f081421d5e6673fb834cb007bfe3649cf60f1f8a7b1b4633364bbeccdff7e81a6e7828e9815d97eb321b3a1bc80533184f5ad648a77bb0d

Download Submit
\Users\Admin\AppData\Local\Temp\is-E0481.tmp\tuc3.tmp

Filesize
46KB

MD5
d1c7cf7686b5663ef6a0fa19e3d528ad

SHA1
379d186df728426a83d1ea31deee13e33abf39aa

SHA256
4f0c6a6da33cffbcc4ba74998aea9461129967bf4d8aaccbef85cbb25324df0b

SHA512
6e322533a834079d7b9dc230ea79fc94d93ebdff621166af5ad5de15e45e619fda9cf2555188f4773bec63f190d690312ee65ed1b509e8172402ead1f88c4207

Download Submit
\Users\Admin\AppData\Local\Temp\is-PEBQU.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-PEBQU.tmp\_isetup\_shfoldr.dll

Filesize
1KB

MD5
b153f8dfe895cfbb5b3840e17257851a

SHA1
257c80dd04f3e7650ce58856dc8d8bfd94b45efb

SHA256
fcea99e38cf910dfbdf6426b70eb6c3e9de9035da07c6f458eb6e8b057b23ee3

SHA512
260b16396738504664960e4287b500b84d770043e6ca8b841f1288bab913e20f3ad3cf3a16584ef330561419765d085b79aca30bfbacd0e75de3cba7556b3374

Download Submit
memory/1080-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1080-163-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1080-2-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2008-200-0x0000000000400000-0x000000000061C000-memory.dmp

Filesize
2.1MB

Download
memory/2008-165-0x0000000000400000-0x000000000061C000-memory.dmp

Filesize
2.1MB

Download
memory/2008-203-0x0000000000400000-0x000000000061C000-memory.dmp

Filesize
2.1MB

Download
memory/2008-190-0x0000000000400000-0x000000000061C000-memory.dmp

Filesize
2.1MB

Download
memory/2008-206-0x0000000000400000-0x000000000061C000-memory.dmp

Filesize
2.1MB

Download
memory/2008-197-0x0000000000400000-0x000000000061C000-memory.dmp

Filesize
2.1MB

Download
memory/2008-162-0x0000000000400000-0x000000000061C000-memory.dmp

Filesize
2.1MB

Download
memory/2008-210-0x0000000000400000-0x000000000061C000-memory.dmp

Filesize
2.1MB

Download
memory/2008-213-0x0000000000400000-0x000000000061C000-memory.dmp

Filesize
2.1MB

Download
memory/2008-160-0x0000000000400000-0x000000000061C000-memory.dmp

Filesize
2.1MB

Download
memory/2008-194-0x0000000002920000-0x00000000029C2000-memory.dmp

Filesize
648KB

Download
memory/2008-193-0x0000000000400000-0x000000000061C000-memory.dmp

Filesize
2.1MB

Download
memory/2008-170-0x0000000000400000-0x000000000061C000-memory.dmp

Filesize
2.1MB

Download
memory/2008-171-0x0000000000400000-0x000000000061C000-memory.dmp

Filesize
2.1MB

Download
memory/2008-174-0x0000000000400000-0x000000000061C000-memory.dmp

Filesize
2.1MB

Download
memory/2008-177-0x0000000000400000-0x000000000061C000-memory.dmp

Filesize
2.1MB

Download
memory/2008-180-0x0000000000400000-0x000000000061C000-memory.dmp

Filesize
2.1MB

Download
memory/2008-183-0x0000000000400000-0x000000000061C000-memory.dmp

Filesize
2.1MB

Download
memory/2008-184-0x0000000002920000-0x00000000029C2000-memory.dmp

Filesize
648KB

Download
memory/2008-187-0x0000000002920000-0x00000000029C2000-memory.dmp

Filesize
648KB

Download
memory/2052-164-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2052-169-0x0000000003830000-0x0000000003A4C000-memory.dmp

Filesize
2.1MB

Download
memory/2052-166-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2052-152-0x0000000003830000-0x0000000003A4C000-memory.dmp

Filesize
2.1MB

Download
memory/2052-15-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2324-154-0x0000000000400000-0x000000000061C000-memory.dmp

Filesize
2.1MB

Download
memory/2324-157-0x0000000000400000-0x000000000061C000-memory.dmp

Filesize
2.1MB

Download
memory/2324-158-0x0000000000400000-0x000000000061C000-memory.dmp

Filesize
2.1MB

Download
memory/2324-153-0x0000000000400000-0x000000000061C000-memory.dmp

Filesize
2.1MB

Download