7c1451058696840ebd0f24909b58bf0dd7ebaea72888903761c1a03f7cda3a4b

Analysis

max time kernel
148s
max time network
152s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
10-12-2023 20:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tuc5.exe
Size

6.9MB
MD5

310cdb63637621d845c3afc9107fba90
SHA1

4144640a076f46184bee539aa49bf2bec20e2e62
SHA256

7c1451058696840ebd0f24909b58bf0dd7ebaea72888903761c1a03f7cda3a4b
SHA512

bff6c566d8a567cba397b38b69a688df2cf94fbbf3cb7446881211946ee4d450c3a01c445ff8c017769596ff9a92d101a3db771527df867f2345247d86bd3822
SSDEEP

196608:YxnTNzjsOzc7TGHscDgcXbIdslX38dgFYJzj:QNztzQlcDPXus98d9Jzj

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1656	tuc5.tmp
1932	crtgame.exe
760	crtgame.exe

Loads dropped DLL 6 IoCs

pid	Process
2032	tuc5.exe
1656	tuc5.tmp
1656	tuc5.tmp
1656	tuc5.tmp
1656	tuc5.tmp
1656	tuc5.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	152.89.198.214

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 63 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-AD2GK.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-RBSQ4.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-Q7HIK.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\is-D2FN4.tmp	tuc5.tmp
File opened for modification	C:\Program Files (x86)\CRTGame\crtgame.exe	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-PBP8G.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\lessmsi\is-VJSU0.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\stuff\is-OIQPU.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-M2FTP.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-M9NUV.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\stuff\is-LI1JV.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-NFRJG.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-G0Q59.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-A9J18.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-IFGBU.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-RDS0L.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-AC8GV.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-NO70V.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-R2SMN.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\stuff\is-3VQDI.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-UGPLQ.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-P1UM9.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-V3BO1.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-8372L.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-TRGKR.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-1IGGO.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-MH8AO.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-IV5H4.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-4L3UP.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-883B0.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-HI131.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-S4EE5.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\uninstall\unins000.dat	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\uninstall\is-NQD7H.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-J0PR7.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-NS8MO.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-M81F9.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-KVJKH.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-759TV.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-OPMQ0.tmp	tuc5.tmp
File opened for modification	C:\Program Files (x86)\CRTGame\uninstall\unins000.dat	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-D6C2G.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-B940I.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-H23KR.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\stuff\is-6H7T8.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-9D0H4.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-ERA53.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-2VJNF.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-ASJ41.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-1O2K9.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-JKHE1.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-42R3C.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-6FRQL.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-AFBJI.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-UCUNQ.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-8VCI0.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-TQV69.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-1257S.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-HA6B4.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-M50QF.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\is-J1HOG.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\is-E7BHM.tmp	tuc5.tmp
File created	C:\Program Files (x86)\CRTGame\bin\x86\is-GPJIB.tmp	tuc5.tmp

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1656	tuc5.tmp

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 1656	2032	tuc5.exe	28
PID 2032 wrote to memory of 1656	2032	tuc5.exe	28
PID 2032 wrote to memory of 1656	2032	tuc5.exe	28
PID 2032 wrote to memory of 1656	2032	tuc5.exe	28
PID 2032 wrote to memory of 1656	2032	tuc5.exe	28
PID 2032 wrote to memory of 1656	2032	tuc5.exe	28
PID 2032 wrote to memory of 1656	2032	tuc5.exe	28
PID 1656 wrote to memory of 2712	1656	tuc5.tmp	29
PID 1656 wrote to memory of 2712	1656	tuc5.tmp	29
PID 1656 wrote to memory of 2712	1656	tuc5.tmp	29
PID 1656 wrote to memory of 2712	1656	tuc5.tmp	29
PID 1656 wrote to memory of 1932	1656	tuc5.tmp	31
PID 1656 wrote to memory of 1932	1656	tuc5.tmp	31
PID 1656 wrote to memory of 1932	1656	tuc5.tmp	31
PID 1656 wrote to memory of 1932	1656	tuc5.tmp	31
PID 1656 wrote to memory of 268	1656	tuc5.tmp	34
PID 1656 wrote to memory of 268	1656	tuc5.tmp	34
PID 1656 wrote to memory of 268	1656	tuc5.tmp	34
PID 1656 wrote to memory of 268	1656	tuc5.tmp	34
PID 1656 wrote to memory of 760	1656	tuc5.tmp	33
PID 1656 wrote to memory of 760	1656	tuc5.tmp	33
PID 1656 wrote to memory of 760	1656	tuc5.tmp	33
PID 1656 wrote to memory of 760	1656	tuc5.tmp	33
PID 268 wrote to memory of 1164	268	net.exe	35
PID 268 wrote to memory of 1164	268	net.exe	35
PID 268 wrote to memory of 1164	268	net.exe	35
PID 268 wrote to memory of 1164	268	net.exe	35

C:\Users\Admin\AppData\Local\Temp\tuc5.exe
"C:\Users\Admin\AppData\Local\Temp\tuc5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Local\Temp\is-LC933.tmp\tuc5.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-LC933.tmp\tuc5.tmp" /SL5="$70124,7025884,54272,C:\Users\Admin\AppData\Local\Temp\tuc5.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Query
    3⤵
    PID:2712
- - C:\Program Files (x86)\CRTGame\crtgame.exe
    "C:\Program Files (x86)\CRTGame\crtgame.exe" -i
    3⤵
    - Executes dropped EXE
    PID:1932
- - C:\Program Files (x86)\CRTGame\crtgame.exe
    "C:\Program Files (x86)\CRTGame\crtgame.exe" -s
    3⤵
    - Executes dropped EXE
    PID:760
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 10
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:268
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 helpmsg 10
      4⤵
      PID:1164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\CRTGame\crtgame.exe

Filesize
276KB

MD5
49dbcca0ce00d533b70bea230f2541bc

SHA1
383b79301e23b976f85cdf36adbaa9dcfb73861a

SHA256
d4267573c616ecee9b17ea0b7dac9b1888a0a32ed3fcd5e58c330f9f5de40854

SHA512
9d19338f7fce74409ee3181e103e4de75a2dac8b5bdc4676a0c73bd15c6092dd22bf01e7e85127f8aa142b8b4ff46f67522684109caeea25435798f3673888c7

Download Submit
C:\Program Files (x86)\CRTGame\crtgame.exe

Filesize
516KB

MD5
b47537a5f63e35e8e8aac50d9bf684c3

SHA1
704c68a4f99b823b9102a347103e441b0fcae154

SHA256
af774bf4c5487a32c147ddc7c1da979d1ec82e89a9187913ac292a17db5fe11a

SHA512
6dda21520f64bfbcc3adf5d49513d385ba6d7069ad894c9638a7940eeb41815fb72e5a022ffdea709a638ac6c6a00198f4866a7460e9bf10fc34eaddc4efae9c

Download Submit
C:\Program Files (x86)\CRTGame\crtgame.exe

Filesize
356KB

MD5
d7c20e4b71ab228f8b9331b623ed4a34

SHA1
3bf1a197a5e90e8e8c168753143d119213baf67a

SHA256
fbc31476fe0f8db2c11610f7f246fd18fba6ca705e2f9e5651e98d0599355e2c

SHA512
c67272fb488035fe68c2c1cddf6fc4c0cbeb3cfa94801341d488a2e2e52ce72f2d43994b52382339bc93b8e860c22b9e4705c20f5f4372d3f52b6a8e0cb99a37

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LC933.tmp\tuc5.tmp

Filesize
687KB

MD5
f448d7f4b76e5c9c3a4eaff16a8b9b73

SHA1
31808f1ffa84c954376975b7cdb0007e6b762488

SHA256
7233b85eb0f8b3aa5cae3811d727aa8742fec4d1091c120a0fe15006f424cc49

SHA512
f8197458cd2764c0b852dac34f9bf361110a7dc86903024a97c7bcd3f77b148342bf45e3c2b60f6af8198ae3b83938dbaad5e007d71a0f88006f3a0618cf36f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LC933.tmp\tuc5.tmp

Filesize
146KB

MD5
35c2dd0af1f7abe2f0d1b0c0f4753d24

SHA1
6cd9e34f3efcbbc71281d095ba509b2e316b6614

SHA256
299b54eb44e672baa6219db4ddd106784ef819887547160bd4462fc6d2e0ba7a

SHA512
4497eac980fff41fcfb43c12da19db56190112461d1ed012b58390eed42d466d3676db1247596c444fb7eb829da3ed3c52f4634ce88637226e6532b61fab817f

Download Submit
\Program Files (x86)\CRTGame\crtgame.exe

Filesize
1020KB

MD5
1ce86192abe99e7d0dfb7feb6ea26a44

SHA1
c2e64f0dccec5655cc82624ef0353e624cb158ce

SHA256
649c08db6b92518b558d4ed204d60539594c18e27456c4ebce0c0c1bc671117e

SHA512
645ce088afaa417ec78ca2c860ec4f4cae2e86226eb4c03471f8917f276f90067f2fda24c8227e03cce8f1e002c8d964c597a4a7b7b8ba95d0cb08f48325bf2f

Download Submit
\Users\Admin\AppData\Local\Temp\is-B4BOI.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-B4BOI.tmp\_isetup\_isdecmp.dll

Filesize
1KB

MD5
db6184777f072d8f3d28804aa99da162

SHA1
b62f98de6ac12318bb03da9a5329dc7930a474b4

SHA256
04d109206044de4c8c52eb3bf17bb335b195f181d7740d18e89b5deb3e0e48cf

SHA512
f530c401a202aab567d956a8ea40e76339421408ffbe663672736356e83de4e10992960a644097e4e9f20449be62be9eafa3cde50d6e8c7cd2026c7dde4baec7

Download Submit
\Users\Admin\AppData\Local\Temp\is-B4BOI.tmp\_isetup\_shfoldr.dll

Filesize
5KB

MD5
c073b44391363a97958b6144464c4c5a

SHA1
356fea513c2c3de30d37116669a4206de6e2f8c2

SHA256
7a24597c7d479d640345725466c221bc294e0b1d4e32294d1c6ee71839000e23

SHA512
d9bc79d2dc1496164f8a5deffa7c6cb4786b46e1adfe65b34445859a6f1604166086192b2936a5a5081e8dee344582a57f87d93a12db02cfba47f642574da1ae

Download Submit
\Users\Admin\AppData\Local\Temp\is-B4BOI.tmp\_isetup\_shfoldr.dll

Filesize
1KB

MD5
b153f8dfe895cfbb5b3840e17257851a

SHA1
257c80dd04f3e7650ce58856dc8d8bfd94b45efb

SHA256
fcea99e38cf910dfbdf6426b70eb6c3e9de9035da07c6f458eb6e8b057b23ee3

SHA512
260b16396738504664960e4287b500b84d770043e6ca8b841f1288bab913e20f3ad3cf3a16584ef330561419765d085b79aca30bfbacd0e75de3cba7556b3374

Download Submit
\Users\Admin\AppData\Local\Temp\is-LC933.tmp\tuc5.tmp

Filesize
439KB

MD5
1b3ab774c7a166b038756ab2818d41d5

SHA1
b5e77e3b149ff7308296be1bfd96a2b52f940953

SHA256
51e526b23b32a4d57e8569d77a2a18c69d592cda1b0efa4d7da1c4fc20c89df5

SHA512
6cbdc8b5075b9c331d6786d74a2ab737ce62b13fe9aef252492f1cfe48781e09eed9f712edc71e2745a9bd99c72f2f870947da5308c158d2d8bcd72abfb0547c

Download Submit
memory/760-187-0x00000000026E0000-0x0000000002782000-memory.dmp

Filesize
648KB

Download
memory/760-194-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/760-214-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/760-211-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/760-207-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/760-204-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/760-201-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/760-198-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/760-160-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/760-197-0x00000000026E0000-0x0000000002782000-memory.dmp

Filesize
648KB

Download
memory/760-191-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/760-164-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/760-189-0x00000000026E0000-0x0000000002782000-memory.dmp

Filesize
648KB

Download
memory/760-184-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/760-167-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/760-170-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/760-171-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/760-174-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/760-175-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/760-178-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/760-181-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1656-166-0x0000000003590000-0x00000000037AE000-memory.dmp

Filesize
2.1MB

Download
memory/1656-165-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1656-151-0x0000000003590000-0x00000000037AE000-memory.dmp

Filesize
2.1MB

Download
memory/1656-163-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1656-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1932-158-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1932-155-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1932-154-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/1932-153-0x0000000000400000-0x000000000061E000-memory.dmp

Filesize
2.1MB

Download
memory/2032-2-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2032-162-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2032-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download