092d282470defe0c44845e0c5f677e87439405581901450a0181303ae3408389

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20231130-en
resource tags

arch:x64arch:x86image:win7-20231130-enlocale:en-usos:windows7-x64system
submitted
11/12/2023, 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tuc5.exe
Size

6.9MB
MD5

f2247ab1f3b27c2c4cda1312aae4d225
SHA1

ce4e3839b7c1100eac3ffc15c1cecffaad2d2e0f
SHA256

092d282470defe0c44845e0c5f677e87439405581901450a0181303ae3408389
SHA512

b468cf4805f9db8333cb1af2c2931f7198aeec4a03e4dbfd95a4fde4ea51b44d5fcc1cc16af8144f5c9287100e9f39d285d73268aef11cec834ade284677df7a
SSDEEP

196608:8xOlhkHxfDumIwWJfU1IzKkGjAqiuGIqOg9zj:HjkHxfKTnJjzKkRtF9zj

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2220	tuc5.tmp
1904	wmaconvert.exe
1908	wmaconvert.exe

Loads dropped DLL 6 IoCs

pid	Process
2360	tuc5.exe
2220	tuc5.tmp
2220	tuc5.tmp
2220	tuc5.tmp
2220	tuc5.tmp
2220	tuc5.tmp

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	81.31.197.38
Destination IP	152.89.198.214
Destination IP	194.49.94.194

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 63 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ConvertWMA\stuff\is-8KE47.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-MQ2Q0.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-VQHE4.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-9BRBT.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-M7LJU.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-SSQ7C.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-J8B38.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-EAE0I.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\lessmsi\is-G9F5S.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\plugins\internal\is-0C14H.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-E5EG5.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-F04MK.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-2D06B.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-VB34H.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-A0482.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-OJICQ.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-1N3F7.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\stuff\is-8U7F3.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-2GN87.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-9KL3J.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-7HDJU.tmp	tuc5.tmp
File opened for modification	C:\Program Files (x86)\ConvertWMA\uninstall\unins000.dat	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\stuff\is-VUJ93.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-70GCD.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-5A274.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-C8BFT.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-QJG2K.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-3F1K9.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-1UKBG.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-9NGGN.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-U6M68.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\stuff\is-AQ08U.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-H2NIQ.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-V0N14.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-55R5H.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-9ATM7.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-FT1LM.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\uninstall\is-MGQMO.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-AA857.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-HAEOJ.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\plugins\internal\is-9B5ND.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-T9DLJ.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-GEN9A.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-J65EH.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-70LRS.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-SIEJB.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\is-HDCCO.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\uninstall\unins000.dat	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-VMU2D.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-RFN1N.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-CVA8T.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-649FP.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-HE9DF.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-K98DI.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-Q63J0.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-S0MTT.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-ADVK0.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-8V4BB.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-U11EL.tmp	tuc5.tmp
File opened for modification	C:\Program Files (x86)\ConvertWMA\wmaconvert.exe	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-JQRI0.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-DPFO1.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-M55FF.tmp	tuc5.tmp

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2220	tuc5.tmp

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2220	2360	tuc5.exe	19
PID 2360 wrote to memory of 2220	2360	tuc5.exe	19
PID 2360 wrote to memory of 2220	2360	tuc5.exe	19
PID 2360 wrote to memory of 2220	2360	tuc5.exe	19
PID 2360 wrote to memory of 2220	2360	tuc5.exe	19
PID 2360 wrote to memory of 2220	2360	tuc5.exe	19
PID 2360 wrote to memory of 2220	2360	tuc5.exe	19
PID 2220 wrote to memory of 1136	2220	tuc5.tmp	29
PID 2220 wrote to memory of 1136	2220	tuc5.tmp	29
PID 2220 wrote to memory of 1136	2220	tuc5.tmp	29
PID 2220 wrote to memory of 1136	2220	tuc5.tmp	29
PID 2220 wrote to memory of 1904	2220	tuc5.tmp	30
PID 2220 wrote to memory of 1904	2220	tuc5.tmp	30
PID 2220 wrote to memory of 1904	2220	tuc5.tmp	30
PID 2220 wrote to memory of 1904	2220	tuc5.tmp	30
PID 2220 wrote to memory of 2424	2220	tuc5.tmp	35
PID 2220 wrote to memory of 2424	2220	tuc5.tmp	35
PID 2220 wrote to memory of 2424	2220	tuc5.tmp	35
PID 2220 wrote to memory of 2424	2220	tuc5.tmp	35
PID 2220 wrote to memory of 1908	2220	tuc5.tmp	34
PID 2220 wrote to memory of 1908	2220	tuc5.tmp	34
PID 2220 wrote to memory of 1908	2220	tuc5.tmp	34
PID 2220 wrote to memory of 1908	2220	tuc5.tmp	34
PID 2424 wrote to memory of 776	2424	net.exe	32
PID 2424 wrote to memory of 776	2424	net.exe	32
PID 2424 wrote to memory of 776	2424	net.exe	32
PID 2424 wrote to memory of 776	2424	net.exe	32

C:\Users\Admin\AppData\Local\Temp\tuc5.exe
"C:\Users\Admin\AppData\Local\Temp\tuc5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\is-KO47P.tmp\tuc5.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-KO47P.tmp\tuc5.tmp" /SL5="$70122,6950053,68096,C:\Users\Admin\AppData\Local\Temp\tuc5.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Query
    3⤵
    PID:1136
- - C:\Program Files (x86)\ConvertWMA\wmaconvert.exe
    "C:\Program Files (x86)\ConvertWMA\wmaconvert.exe" -i
    3⤵
    - Executes dropped EXE
    PID:1904
- - C:\Program Files (x86)\ConvertWMA\wmaconvert.exe
    "C:\Program Files (x86)\ConvertWMA\wmaconvert.exe" -s
    3⤵
    - Executes dropped EXE
    PID:1908
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 11
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2424

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 11
1⤵
PID:776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ConvertWMA\wmaconvert.exe

Filesize
113KB

MD5
fedcf88df5e126e34cf0e67b1d86f4a7

SHA1
655425f1cb5703de2cce02e323a143e01e79e31b

SHA256
d9f908cf117608dfd9b83b663fa7ece700a816a172f3f55a4a0d028330307a75

SHA512
c2ef75690622d49b8aef1c7030af5037c7dd4f96f1ae64b8478455538dd97fca9cab7f26c849e58927018051d524e79a8621ff7d591ec08bf8bf6cc682f659bf

Download Submit
C:\Program Files (x86)\ConvertWMA\wmaconvert.exe

Filesize
150KB

MD5
3b9390fab4a2deb0f81cf93f839d36ab

SHA1
bdd4c1fd79519dd7fe09068a3d796f347d040508

SHA256
666184853dfa9afe0e2fe4719c1578af7e037399ed82a55d53566ff741835a4f

SHA512
89db9960239d61075e435ed55dc170bbaaad9518837645d005994d803760bcbc235ad4dd75361578f0ec4be58e65429db97c95c3e4277f4cd3fc2728abf736a5

Download Submit
C:\Program Files (x86)\ConvertWMA\wmaconvert.exe

Filesize
48KB

MD5
97caf528cf25449ebd3fb301c42c1862

SHA1
8f91cb68b0d7ba4218542cb48edc5dca6571d27b

SHA256
3cb5e33f9c08fec1709dfdc662733023c7903cbe59c94dd261f33deb64f21206

SHA512
bbd6f3105e04cf0e476f0efe8ad2e81cc06ded9b8003886ba0d96b031a72db289ed4e571445f3105d75f143b2ab160d1dec5dd75958d5695a93d241ffd4e2664

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KO47P.tmp\tuc5.tmp

Filesize
257KB

MD5
8546f36f8230bbd90736204426d02a20

SHA1
24cf96a784038a8444c586695414edf75623da6d

SHA256
5690eef67be70bae14ad95dee7dc4d358addd03926a32937712ba5d4fd5f35f2

SHA512
21b9f1cca9e3c23fc85d10d11846be577b90a3a99647308331b19f8080d83ccbbf7ca6892ca5122121a668d9970c18c07034c0c0c6a77426e5c6c4c0a053c696

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KO47P.tmp\tuc5.tmp

Filesize
384KB

MD5
81fba66d143960b868e67316de44ca72

SHA1
e900b39e0dd96df9c04383a5bfe6e333c994f113

SHA256
6dda04ed820323ef6fa69d62abf4f2ae33221249c55f2902192519986afc03dc

SHA512
6e451a58565acf8a8f3cac4e2c31521a886ba05c580f8446c77e98daa0055ec0fe5e9ccd28406e5da416c15631a659249185c5dfbec7d2ef4316f507232a2de9

Download Submit
\Program Files (x86)\ConvertWMA\wmaconvert.exe

Filesize
122KB

MD5
784d6658aaa27d5c3ae3ee153f3ed908

SHA1
fb3a9c9da67940e97bfba468647075c21bcd3912

SHA256
77f2e4c46b12c9bb5830a7c39c03ddc92a885e80f3dd650dd53f123285562879

SHA512
23656e33a53478c9fe382ea02a791349ae02f2e99048fc88932d03f1dad7bc1e9d12fcf19d79f7cc18b0dbeef8d4e2297c92eb672aa6c314a90606e3b80f4e31

Download Submit
\Users\Admin\AppData\Local\Temp\is-KO47P.tmp\tuc5.tmp

Filesize
480KB

MD5
94e351300928f5328c055fbc2ed46aec

SHA1
d213dfd209fd3128c5ba81dbe806ab49766e5c34

SHA256
cb9dba9849e93bacef1c810f9b8a81171541a4417d2cd67fcc4f4f4adf622983

SHA512
6f5eaf26b4581a1ca364ebe4f71183c1a493f1c794208fcc3d7f506883abacf399aae70c17228ac9d8c64f1530aede8eb71438dc66308ea02a67b5efa9e8cf39

Download Submit
\Users\Admin\AppData\Local\Temp\is-V1VAC.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-V1VAC.tmp\_isetup\_isdecmp.dll

Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
\Users\Admin\AppData\Local\Temp\is-V1VAC.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/1904-153-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/1904-158-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/1904-157-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/1904-154-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/1908-183-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/1908-190-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/1908-160-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/1908-212-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/1908-209-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/1908-162-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/1908-206-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/1908-203-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/1908-165-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/1908-200-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/1908-197-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/1908-170-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/1908-171-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/1908-174-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/1908-177-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/1908-180-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/1908-194-0x0000000002940000-0x00000000029DE000-memory.dmp

Filesize
632KB

Download
memory/1908-184-0x0000000002940000-0x00000000029DE000-memory.dmp

Filesize
632KB

Download
memory/1908-186-0x0000000002940000-0x00000000029DE000-memory.dmp

Filesize
632KB

Download
memory/1908-193-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2220-152-0x0000000003790000-0x000000000395F000-memory.dmp

Filesize
1.8MB

Download
memory/2220-166-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2220-167-0x0000000003790000-0x000000000395F000-memory.dmp

Filesize
1.8MB

Download
memory/2220-164-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2220-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2360-2-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2360-163-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2360-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download