b8c73276b077a35fbaad746505fc4385c47e6fd1522867e8242e1308ed49e9e2

Analysis

max time kernel
126s
max time network
130s
platform
windows7_x64
resource
win7-20231130-en
resource tags

arch:x64arch:x86image:win7-20231130-enlocale:en-usos:windows7-x64system
submitted
10/12/2023, 20:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tuc5.exe
Size

6.9MB
MD5

140eeca16a7851f9399d608590d77093
SHA1

3790852ee0bdfbf51e1a1b28d6592b5abc1b0a9a
SHA256

b8c73276b077a35fbaad746505fc4385c47e6fd1522867e8242e1308ed49e9e2
SHA512

852001c6c590a8353ab54489f9f6c3d1d7442da6644e9498be854358fd43d7bb00d04a2706559d55b30ffa0a6c93874feecd41d071da0ef1cff59c9de0b26fc1
SSDEEP

196608:txnTNzjsOzc7TGHscDgcXbIdslX38dgFYJzj:TNztzQlcDPXus98d9Jzj

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2940	tuc5.tmp
1276	crtgame.exe
2716	crtgame.exe

Loads dropped DLL 6 IoCs

pid	Process
2544	tuc5.exe
2940	tuc5.tmp
2940	tuc5.tmp
2940	tuc5.tmp
2940	tuc5.tmp
2940	tuc5.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	152.89.198.214

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 63 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\CRTGame\stuff\is-D6VNH.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-PMFV2.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-MDHQI.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-5CV74.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-D6UA3.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-UELNR.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-T7OSU.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-0PJ99.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-U01QQ.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-7BVQQ.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\is-7KBK0.tmp	tuc5.tmp
File opened for modification	C:\Program Files (x86)\CRTGame\crtgame.exe	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-LCRK0.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-ROD8G.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-BBKUA.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-UNJHS.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-79N2H.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-89CVD.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-LUUG7.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-LK5JG.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-96LMS.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\uninstall\unins000.dat	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-I1EQS.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-Q9RM1.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-TQ7QC.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-JVVDP.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-DKE6I.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-13NLF.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\lessmsi\is-QQIFR.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-D0RHL.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\is-TG7HU.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-72JMI.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\uninstall\is-MDVLI.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\is-1F9U2.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-9EEAN.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-VHDJ2.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-LQN96.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-ENMR5.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-L1L8C.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-2FQAP.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-2A4ST.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-18IUF.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-LOTLP.tmp	tuc5.tmp
File opened for modification	C:\Program Files (x86)\CRTGame\uninstall\unins000.dat	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-TRH1C.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-4JD7Q.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\stuff\is-TC1OH.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-87J2S.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-IKL31.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-76T71.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-U0ARO.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-15RSR.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-4RAUU.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\stuff\is-ICSHR.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-FOCPL.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-1F6RC.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\stuff\is-PITLK.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-J83EP.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-LDN8A.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-9T3R0.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-O78SV.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-S2C2E.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-0KUPL.tmp	tuc5.tmp

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2940	tuc5.tmp

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 2940	2544	tuc5.exe	17
PID 2544 wrote to memory of 2940	2544	tuc5.exe	17
PID 2544 wrote to memory of 2940	2544	tuc5.exe	17
PID 2544 wrote to memory of 2940	2544	tuc5.exe	17
PID 2544 wrote to memory of 2940	2544	tuc5.exe	17
PID 2544 wrote to memory of 2940	2544	tuc5.exe	17
PID 2544 wrote to memory of 2940	2544	tuc5.exe	17
PID 2940 wrote to memory of 1664	2940	tuc5.tmp	26
PID 2940 wrote to memory of 1664	2940	tuc5.tmp	26
PID 2940 wrote to memory of 1664	2940	tuc5.tmp	26
PID 2940 wrote to memory of 1664	2940	tuc5.tmp	26
PID 2940 wrote to memory of 1276	2940	tuc5.tmp	25
PID 2940 wrote to memory of 1276	2940	tuc5.tmp	25
PID 2940 wrote to memory of 1276	2940	tuc5.tmp	25
PID 2940 wrote to memory of 1276	2940	tuc5.tmp	25
PID 2940 wrote to memory of 2792	2940	tuc5.tmp	35
PID 2940 wrote to memory of 2792	2940	tuc5.tmp	35
PID 2940 wrote to memory of 2792	2940	tuc5.tmp	35
PID 2940 wrote to memory of 2792	2940	tuc5.tmp	35
PID 2940 wrote to memory of 2716	2940	tuc5.tmp	34
PID 2940 wrote to memory of 2716	2940	tuc5.tmp	34
PID 2940 wrote to memory of 2716	2940	tuc5.tmp	34
PID 2940 wrote to memory of 2716	2940	tuc5.tmp	34
PID 2792 wrote to memory of 2824	2792	net.exe	32
PID 2792 wrote to memory of 2824	2792	net.exe	32
PID 2792 wrote to memory of 2824	2792	net.exe	32
PID 2792 wrote to memory of 2824	2792	net.exe	32

C:\Users\Admin\AppData\Local\Temp\tuc5.exe
"C:\Users\Admin\AppData\Local\Temp\tuc5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Users\Admin\AppData\Local\Temp\is-J7N6V.tmp\tuc5.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-J7N6V.tmp\tuc5.tmp" /SL5="$400F4,7025884,54272,C:\Users\Admin\AppData\Local\Temp\tuc5.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Program Files (x86)\CRTGame\crtgame.exe
    "C:\Program Files (x86)\CRTGame\crtgame.exe" -i
    3⤵
    - Executes dropped EXE
    PID:1276
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Query
    3⤵
    PID:1664
- - C:\Program Files (x86)\CRTGame\crtgame.exe
    "C:\Program Files (x86)\CRTGame\crtgame.exe" -s
    3⤵
    - Executes dropped EXE
    PID:2716
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 10
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2792

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 10
1⤵
PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\CRTGame\crtgame.exe

Filesize
1KB

MD5
5db8c3a68a731dc8c5ca04dcd8c8a494

SHA1
6e30d814e8732eebc96cdab5823fe81ccbe1dffd

SHA256
5a978275185dda24307578a64888767d40cf60a85b9f1ad1fba12ce66d79c5da

SHA512
0960f84d5d1c6321d1a9ecc5229e77676e0a5abd44fc2bce760edec2dc97adcc1dfee0586ee82e0ba222a08dc9e99a940e388887746a6e7b28c99363c1dc4e6e

Download Submit
C:\Program Files (x86)\CRTGame\crtgame.exe

Filesize
163KB

MD5
4a87a975b1b38f668ae257ff5ed88f0a

SHA1
8ed548df41baa52b52aabf64b126a4c26695683c

SHA256
a7954068c5b0f3953bb42869dcce3be04ba094eb9455150e8a006e8e578b1584

SHA512
6624e52d332342952c0891b064dfeb8693c87dd384a139305cc64f990d412d186549c758e3af20b0d22011a321a71723f964db0ae4b3763d344f4b6d7d25eec4

Download Submit
C:\Program Files (x86)\CRTGame\crtgame.exe

Filesize
228KB

MD5
28a2d11316a90a3e9b7a18758bf20c6a

SHA1
ad10a54b7cd3df7d0a61f03bc6501cb7f04ed346

SHA256
e71cea057bfd26f43638a964a04f2fb57b45c7b15f42ad0c02851d43737ee981

SHA512
a95d4a796783749d572f1170cfdb3ca1aa4420b8e0438e9a16d0a055549fbe39cc18f9dc3f760dbf9aa81324f93fbacffb3152704342ff08e834102cb2748c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-J7N6V.tmp\tuc5.tmp

Filesize
1KB

MD5
14d083317674748d4cb8e3384484c890

SHA1
6b8c9037700f569ae228d1c8998b1d9faea21a48

SHA256
199e49960b2cc64da68cc9822271d7a667112c42703f976d38258f8c83a78a67

SHA512
f3d093902aa2d158e726ac6dfd689036352fdef5c6345941cc747fc175701ccc4e0215567e9620abfd17fa3f84cab07e1654957ce56c2fce4a6b898faf253de2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-J7N6V.tmp\tuc5.tmp

Filesize
80KB

MD5
59cb4a5a374d37faa9d23d3d25217c43

SHA1
57520a1cb9a0a560427dd0d469ed6f25a23f3fd0

SHA256
06a65df79b3c1303ad3523ff8f856327ee7b0f25b4c504c41d92514559983e74

SHA512
a63876cfdd68279fe9a54ce1b014c68036f50a9de8f2a7864f7a02cf7435d32205eb9bfa4cc5396b060cf2d36affadb107d2f976c07afc25945dea047277f782

Download Submit
\Program Files (x86)\CRTGame\crtgame.exe

Filesize
31KB

MD5
cb1f01c722e7f25e48af0a3dd913dcf8

SHA1
4c5b2b80b826d9c604365fda50de7394b1b70c1d

SHA256
8e90ced539946a7ead881a07dc08a64788ee4ffca64379ce91b29f37cbafe3d6

SHA512
60fb246851b146747fcaefbae3714dca0166cf92461c55a323470811158e0d794617d69a88ecd1a14d2648c506354f99b76e4dc34fe068736fc3a02e9fcd1e74

Download Submit
\Users\Admin\AppData\Local\Temp\is-AJ9KQ.tmp\_isetup\_isdecmp.dll

Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
\Users\Admin\AppData\Local\Temp\is-AJ9KQ.tmp\_isetup\_shfoldr.dll

Filesize
9KB

MD5
bb5e7b616b5c9ad9aa9e88d5eabf55b9

SHA1
a47f4f248a31ab8b7bfbb842074563e612044179

SHA256
6830e33fce2fd21034f0564b1ffca7417b27b4fedc7c3655b959f28d3b919ba2

SHA512
2d26b708ee7b05fb39335412bb9843da7c4c3856ac3b27826f1f7f99a81ecaef32ae74083844dbfce0e8372707a9d9af4b324e58fc33899556890cbf63f320d2

Download Submit
\Users\Admin\AppData\Local\Temp\is-AJ9KQ.tmp\_isetup\_shfoldr.dll

Filesize
9KB

MD5
7dab3d99391a67bf9fb3f8b6c76106df

SHA1
0033a795e083d573fe54fab680b41bc61f535e69

SHA256
787f7f1cce58ab463b19a5dbacc567e4bf03907333843f178b324d57affcde1e

SHA512
e3f8b34d26be9dbcb6b37e85869b02fde30c7f488ce75b809445ebcbc828a6946edca665395ab47061028680c51132cb51de8ca578353c2ee1e32214a76b0ac8

Download Submit
\Users\Admin\AppData\Local\Temp\is-J7N6V.tmp\tuc5.tmp

Filesize
77KB

MD5
455066da7049f1a30fe512f2d53875a5

SHA1
23c95e6775660be48353db74dddfbfd4622e7460

SHA256
5b91e186ec377d30ac2de39ded0234720d481226256ab8b6926950ab62920448

SHA512
0221faef3e78d64f5505b3b4cb8fdee37021be2e3ee1b17805dc918f812143b95a17ac87bf5f7bd96fd2e400b1b6bfcc8e083ee6c7149b62936014b67edfd682

Download Submit
memory/1276-153-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1276-157-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1276-158-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1276-154-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2544-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2544-163-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2544-2-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2716-182-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2716-192-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2716-162-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2716-212-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2716-209-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2716-165-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2716-205-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2716-169-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2716-170-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2716-173-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2716-176-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2716-179-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2716-202-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2716-183-0x0000000002AC0000-0x0000000002B62000-memory.dmp

Filesize
648KB

Download
memory/2716-186-0x0000000002AC0000-0x0000000002B62000-memory.dmp

Filesize
648KB

Download
memory/2716-189-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2716-160-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2716-193-0x0000000002AC0000-0x0000000002B62000-memory.dmp

Filesize
648KB

Download
memory/2716-196-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2716-199-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2940-11-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2940-166-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2940-164-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2940-152-0x0000000003770000-0x000000000398E000-memory.dmp

Filesize
2.1MB

Download