2395645b8d7cafa8f2562341110ed10c08e9bb9e4809abc24d8f7325bc14a8e9

Analysis

max time kernel
144s
max time network
128s
platform
windows7_x64
resource
win7-20231201-en
resource tags

arch:x64arch:x86image:win7-20231201-enlocale:en-usos:windows7-x64system
submitted
10/12/2023, 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tuc3.exe
Size

6.9MB
MD5

57548a76c5779bab0715d87ecafa6c03
SHA1

8f032a9207f95b3bfafafcb6f7f5513543b4319f
SHA256

2395645b8d7cafa8f2562341110ed10c08e9bb9e4809abc24d8f7325bc14a8e9
SHA512

45542f23c2e975085bbf150420351078ad8cde2aef0612e768207b84145ad629ffadad61562c7c95615d5266dceda8035264630d24cbef212c2f20926854e883
SSDEEP

196608:iK2+nNevvWstwr2m5BmycyEbSfasepd5e4x6+AjZ6mjxzj:iDY6tiP3myRfzepXe4ny8gxzj

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2140	tuc3.tmp
2408	crtgame.exe
948	crtgame.exe

Loads dropped DLL 6 IoCs

pid	Process
320	tuc3.exe
2140	tuc3.tmp
2140	tuc3.tmp
2140	tuc3.tmp
2140	tuc3.tmp
2140	tuc3.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	152.89.198.214

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 63 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-UJC9R.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-S5FNC.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\is-LDKU3.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-AI6RR.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-NBLR2.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-46OIK.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-PRDV5.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-G9GVM.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-27SUR.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-4B5T3.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-0IFE3.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-2CUKR.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-961TH.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-CBQ9K.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-QJ0AQ.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-BRULH.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-IN0EA.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-7FKEV.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-C26A6.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-49T93.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-MTMIN.tmp	tuc3.tmp
File opened for modification	C:\Program Files (x86)\CRTGame\crtgame.exe	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\uninstall\unins000.dat	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-UG43C.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-A8N8K.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\lessmsi\is-SHGCM.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-927R7.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-LV7GM.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-84SN6.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-RJ0EU.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-A4HV9.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\stuff\is-OBT9G.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\stuff\is-RH707.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-IVO3T.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-QMGOD.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-UKITL.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-75QF4.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-JQ98O.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-4UQPR.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-GML3A.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\stuff\is-0SAV0.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-GT5EB.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-L2J8O.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-3L74F.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-L76AA.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-AOUHF.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-HVFFS.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-M5T4U.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-IRON4.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-DMQ70.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-54O78.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\is-2DR0U.tmp	tuc3.tmp
File opened for modification	C:\Program Files (x86)\CRTGame\uninstall\unins000.dat	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-QTG5K.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-55KQM.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-PVNQ7.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\is-O3KQP.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-5DKNT.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\uninstall\is-DSKTL.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\stuff\is-63HP5.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-NNVCU.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-NJB7H.tmp	tuc3.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-SGCLJ.tmp	tuc3.tmp

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2140	tuc3.tmp

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 320 wrote to memory of 2140	320	tuc3.exe	28
PID 320 wrote to memory of 2140	320	tuc3.exe	28
PID 320 wrote to memory of 2140	320	tuc3.exe	28
PID 320 wrote to memory of 2140	320	tuc3.exe	28
PID 320 wrote to memory of 2140	320	tuc3.exe	28
PID 320 wrote to memory of 2140	320	tuc3.exe	28
PID 320 wrote to memory of 2140	320	tuc3.exe	28
PID 2140 wrote to memory of 628	2140	tuc3.tmp	31
PID 2140 wrote to memory of 628	2140	tuc3.tmp	31
PID 2140 wrote to memory of 628	2140	tuc3.tmp	31
PID 2140 wrote to memory of 628	2140	tuc3.tmp	31
PID 2140 wrote to memory of 2408	2140	tuc3.tmp	29
PID 2140 wrote to memory of 2408	2140	tuc3.tmp	29
PID 2140 wrote to memory of 2408	2140	tuc3.tmp	29
PID 2140 wrote to memory of 2408	2140	tuc3.tmp	29
PID 2140 wrote to memory of 1708	2140	tuc3.tmp	35
PID 2140 wrote to memory of 1708	2140	tuc3.tmp	35
PID 2140 wrote to memory of 1708	2140	tuc3.tmp	35
PID 2140 wrote to memory of 1708	2140	tuc3.tmp	35
PID 2140 wrote to memory of 948	2140	tuc3.tmp	34
PID 2140 wrote to memory of 948	2140	tuc3.tmp	34
PID 2140 wrote to memory of 948	2140	tuc3.tmp	34
PID 2140 wrote to memory of 948	2140	tuc3.tmp	34
PID 1708 wrote to memory of 1996	1708	net.exe	32
PID 1708 wrote to memory of 1996	1708	net.exe	32
PID 1708 wrote to memory of 1996	1708	net.exe	32
PID 1708 wrote to memory of 1996	1708	net.exe	32

C:\Users\Admin\AppData\Local\Temp\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:320
- C:\Users\Admin\AppData\Local\Temp\is-52KBP.tmp\tuc3.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-52KBP.tmp\tuc3.tmp" /SL5="$400F8,6991381,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Program Files (x86)\CRTGame\crtgame.exe
    "C:\Program Files (x86)\CRTGame\crtgame.exe" -i
    3⤵
    - Executes dropped EXE
    PID:2408
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Query
    3⤵
    PID:628
- - C:\Program Files (x86)\CRTGame\crtgame.exe
    "C:\Program Files (x86)\CRTGame\crtgame.exe" -s
    3⤵
    - Executes dropped EXE
    PID:948
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 10
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1708

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 10
1⤵
PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\CRTGame\crtgame.exe

Filesize
437KB

MD5
19e5e1a27ffafb3fadd4cef303793372

SHA1
c415fa80c8b7c2b5971bfb308d0b97bcca8fa8f7

SHA256
399f06c7cb5cc1607832b00fd446b3ddf63b35f24c2045b9cb78a4cee83f8716

SHA512
a2680e23173f02d859cc9718a42b4bd6c1232925a844708be4fd617c9e6f62333b1c7f678e0a0c677a4738b8fa9991cf8e92b1f4029b211aefec36a26f490555

Download Submit
C:\Program Files (x86)\CRTGame\crtgame.exe

Filesize
535KB

MD5
109d8e603869494a4a7f8f852b2a012b

SHA1
3ec725e054aa9b2fb2eec845162f5efac7c0dd8c

SHA256
719f49f614f8f80c02130f2d702dc773dd1e920a1962b5147c689e6161fe090a

SHA512
124b8d8632d9b8544805039a8a1ccc76d975ec7393ed108c22483fe4f09d666fa833d1a9c53dd99d4326e871622990743ac5af6fc18760a8e985060018afe348

Download Submit
C:\Program Files (x86)\CRTGame\crtgame.exe

Filesize
568KB

MD5
30da5a3f26faaa01a3e2322333ebd18c

SHA1
32da81e2fc67c29767adbfe393801f2e861bcdf3

SHA256
c1befef6268f1c26218cb6cac907365b6961daaf32a2ff9d08a1e723c7aef6ca

SHA512
69e38e26c6ad863bb9db1f52500e1cab83295de333aed9e9af457c9ddb3a9edb7187d13769bd7138ad88827458a414e40c985d9b087e362718bc492a1c37c446

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-52KBP.tmp\tuc3.tmp

Filesize
595KB

MD5
f5ff1456058d744c4a537f056f7df184

SHA1
a72dffc924e15f5ac83370a69c03757d25e1c73a

SHA256
437e75a5ec54ba49edc487c94b1ce2b14f98870207cc6e1406b2d593e05d600d

SHA512
d4d953926daa1aa50af9c045431d35b9e48b636f4dea47e6877aa0eec8636512f05d8e721264af288209bfd31af08d4d182803c15912736391dce45c88a5a43a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-52KBP.tmp\tuc3.tmp

Filesize
687KB

MD5
f448d7f4b76e5c9c3a4eaff16a8b9b73

SHA1
31808f1ffa84c954376975b7cdb0007e6b762488

SHA256
7233b85eb0f8b3aa5cae3811d727aa8742fec4d1091c120a0fe15006f424cc49

SHA512
f8197458cd2764c0b852dac34f9bf361110a7dc86903024a97c7bcd3f77b148342bf45e3c2b60f6af8198ae3b83938dbaad5e007d71a0f88006f3a0618cf36f4

Download Submit
\Program Files (x86)\CRTGame\crtgame.exe

Filesize
492KB

MD5
c088fa50813a7c177ed39cd5a5aa56e5

SHA1
9a5cddd729ad941b6fcc2f1a5a7ec0a10b508d30

SHA256
55af2b341a1aaac90a6229cc90b345e761c6402bfa14ef9848989ae0e9c924ff

SHA512
2f96005d85c072acfe68666466aab8e1b05f3e6ad537caaadeaee2f37989f529ac49a031cd7b78b0f9998f49b619ef4e58e606ceff0ceb76bdf5f2e5f8e4a019

Download Submit
\Users\Admin\AppData\Local\Temp\is-52KBP.tmp\tuc3.tmp

Filesize
684KB

MD5
0fdd61f7df0a17478e238c7f63aa8048

SHA1
125e7c9e84cebcb834d8926872e44f8611139f5a

SHA256
bf329262db1947b6ae9da16b375b84b7fc53d22af04675a9a11e490d02f4c644

SHA512
84e7b2e11726725cfc0b65fa0c1b05cdfc34b51401de3dc29467e5c97c30b1b68ba91916a6c6c984abcb9b0688608d8a1c3662dbf09a2105dbb34575f545bd0f

Download Submit
\Users\Admin\AppData\Local\Temp\is-S9UHJ.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-S9UHJ.tmp\_isetup\_isdecmp.dll

Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
\Users\Admin\AppData\Local\Temp\is-S9UHJ.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/320-163-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/320-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/320-2-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/948-187-0x0000000002910000-0x00000000029B2000-memory.dmp

Filesize
648KB

Download
memory/948-165-0x0000000000400000-0x000000000061C000-memory.dmp

Filesize
2.1MB

Download
memory/948-160-0x0000000000400000-0x000000000061C000-memory.dmp

Filesize
2.1MB

Download
memory/948-213-0x0000000000400000-0x000000000061C000-memory.dmp

Filesize
2.1MB

Download
memory/948-210-0x0000000000400000-0x000000000061C000-memory.dmp

Filesize
2.1MB

Download
memory/948-206-0x0000000000400000-0x000000000061C000-memory.dmp

Filesize
2.1MB

Download
memory/948-162-0x0000000000400000-0x000000000061C000-memory.dmp

Filesize
2.1MB

Download
memory/948-203-0x0000000000400000-0x000000000061C000-memory.dmp

Filesize
2.1MB

Download
memory/948-180-0x0000000000400000-0x000000000061C000-memory.dmp

Filesize
2.1MB

Download
memory/948-190-0x0000000000400000-0x000000000061C000-memory.dmp

Filesize
2.1MB

Download
memory/948-200-0x0000000000400000-0x000000000061C000-memory.dmp

Filesize
2.1MB

Download
memory/948-197-0x0000000000400000-0x000000000061C000-memory.dmp

Filesize
2.1MB

Download
memory/948-170-0x0000000000400000-0x000000000061C000-memory.dmp

Filesize
2.1MB

Download
memory/948-171-0x0000000000400000-0x000000000061C000-memory.dmp

Filesize
2.1MB

Download
memory/948-194-0x0000000002910000-0x00000000029B2000-memory.dmp

Filesize
648KB

Download
memory/948-193-0x0000000000400000-0x000000000061C000-memory.dmp

Filesize
2.1MB

Download
memory/948-174-0x0000000000400000-0x000000000061C000-memory.dmp

Filesize
2.1MB

Download
memory/948-183-0x0000000000400000-0x000000000061C000-memory.dmp

Filesize
2.1MB

Download
memory/948-184-0x0000000002910000-0x00000000029B2000-memory.dmp

Filesize
648KB

Download
memory/948-177-0x0000000000400000-0x000000000061C000-memory.dmp

Filesize
2.1MB

Download
memory/2140-164-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2140-152-0x0000000003860000-0x0000000003A7C000-memory.dmp

Filesize
2.1MB

Download
memory/2140-169-0x0000000003860000-0x0000000003A7C000-memory.dmp

Filesize
2.1MB

Download
memory/2140-166-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2140-16-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2408-158-0x0000000000400000-0x000000000061C000-memory.dmp

Filesize
2.1MB

Download
memory/2408-153-0x0000000000400000-0x000000000061C000-memory.dmp

Filesize
2.1MB

Download
memory/2408-154-0x0000000000400000-0x000000000061C000-memory.dmp

Filesize
2.1MB

Download
memory/2408-157-0x0000000000400000-0x000000000061C000-memory.dmp

Filesize
2.1MB

Download