b0f1c932f12e4e186696f2c11a99c43680f28c84cdba84d377de662f6e283d3e

Analysis

max time kernel
144s
max time network
127s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
11/12/2023, 13:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tuc5.exe
Size

6.9MB
MD5

709bf5fb1dd46de18fd3d6494d8cdd91
SHA1

15ff2e409b3bec7be940e6f51081db6f78777a1a
SHA256

b0f1c932f12e4e186696f2c11a99c43680f28c84cdba84d377de662f6e283d3e
SHA512

24ef81b5d4b20e18ec59531098ff1894e1838fb9e6988282d2ed1086f547175e9cd625819da7a5de0ab36f5f014a43db7edfb7deca2a2a6dac7a1c1b643925d4
SSDEEP

196608:oxOlhkHxfDumIwWJfU1IzKkGjAqiuGIqOg9zj:LjkHxfKTnJjzKkRtF9zj

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2364	tuc5.tmp
2412	wmaconvert.exe
2936	wmaconvert.exe

Loads dropped DLL 6 IoCs

pid	Process
2356	tuc5.exe
2364	tuc5.tmp
2364	tuc5.tmp
2364	tuc5.tmp
2364	tuc5.tmp
2364	tuc5.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	81.31.197.38

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 63 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-DNLFP.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\plugins\internal\is-PFHS5.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-UDUIE.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-4P9M6.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-IV052.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-BVUUB.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\uninstall\is-8TSAF.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\stuff\is-MLT95.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-8RK5V.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-FC2H5.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-0JC95.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-RQ4JL.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-0JJB8.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-U3Q7M.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\is-Q4U83.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-20MAV.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-KBA18.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-U3QVJ.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-B52VD.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-DA4JB.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-3EP8O.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-GUAQL.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\stuff\is-RQOKI.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-RI1U8.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-RCSA0.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\plugins\internal\is-QQV9H.tmp	tuc5.tmp
File opened for modification	C:\Program Files (x86)\ConvertWMA\wmaconvert.exe	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-295KP.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-SKPKF.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-RIA74.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-MHUFR.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-BH78T.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-6425S.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-F49VN.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-R86EA.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-17PPP.tmp	tuc5.tmp
File opened for modification	C:\Program Files (x86)\ConvertWMA\uninstall\unins000.dat	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-HNFNF.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-JTM91.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-ACHRF.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-MCP98.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\uninstall\unins000.dat	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-CB835.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-1DGAN.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-HUT2G.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-L67OJ.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\stuff\is-78UG9.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-3FLR2.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\lessmsi\is-UVOTT.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-T3T86.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-8TM5H.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-UMDCQ.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-ALOJF.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-2PGFU.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-7LL8C.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-4MEBJ.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-2N2KP.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\stuff\is-6B6CP.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-F9N44.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-KPCOL.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-6QPHR.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-MVRCQ.tmp	tuc5.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-8FVTL.tmp	tuc5.tmp

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2364	tuc5.tmp

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2364	2356	tuc5.exe	26
PID 2356 wrote to memory of 2364	2356	tuc5.exe	26
PID 2356 wrote to memory of 2364	2356	tuc5.exe	26
PID 2356 wrote to memory of 2364	2356	tuc5.exe	26
PID 2356 wrote to memory of 2364	2356	tuc5.exe	26
PID 2356 wrote to memory of 2364	2356	tuc5.exe	26
PID 2356 wrote to memory of 2364	2356	tuc5.exe	26
PID 2364 wrote to memory of 952	2364	tuc5.tmp	29
PID 2364 wrote to memory of 952	2364	tuc5.tmp	29
PID 2364 wrote to memory of 952	2364	tuc5.tmp	29
PID 2364 wrote to memory of 952	2364	tuc5.tmp	29
PID 2364 wrote to memory of 2412	2364	tuc5.tmp	30
PID 2364 wrote to memory of 2412	2364	tuc5.tmp	30
PID 2364 wrote to memory of 2412	2364	tuc5.tmp	30
PID 2364 wrote to memory of 2412	2364	tuc5.tmp	30
PID 2364 wrote to memory of 1828	2364	tuc5.tmp	35
PID 2364 wrote to memory of 1828	2364	tuc5.tmp	35
PID 2364 wrote to memory of 1828	2364	tuc5.tmp	35
PID 2364 wrote to memory of 1828	2364	tuc5.tmp	35
PID 2364 wrote to memory of 2936	2364	tuc5.tmp	34
PID 2364 wrote to memory of 2936	2364	tuc5.tmp	34
PID 2364 wrote to memory of 2936	2364	tuc5.tmp	34
PID 2364 wrote to memory of 2936	2364	tuc5.tmp	34
PID 1828 wrote to memory of 1680	1828	net.exe	33
PID 1828 wrote to memory of 1680	1828	net.exe	33
PID 1828 wrote to memory of 1680	1828	net.exe	33
PID 1828 wrote to memory of 1680	1828	net.exe	33

C:\Users\Admin\AppData\Local\Temp\tuc5.exe
"C:\Users\Admin\AppData\Local\Temp\tuc5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Users\Admin\AppData\Local\Temp\is-UQ2CM.tmp\tuc5.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-UQ2CM.tmp\tuc5.tmp" /SL5="$40150,6950053,68096,C:\Users\Admin\AppData\Local\Temp\tuc5.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Query
    3⤵
    PID:952
- - C:\Program Files (x86)\ConvertWMA\wmaconvert.exe
    "C:\Program Files (x86)\ConvertWMA\wmaconvert.exe" -i
    3⤵
    - Executes dropped EXE
    PID:2412
- - C:\Program Files (x86)\ConvertWMA\wmaconvert.exe
    "C:\Program Files (x86)\ConvertWMA\wmaconvert.exe" -s
    3⤵
    - Executes dropped EXE
    PID:2936
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 11
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1828

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 11
1⤵
PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ConvertWMA\wmaconvert.exe

Filesize
10KB

MD5
5c29d16c77e748f349b037b1e570849f

SHA1
066607923545498bd183f5ba1939f1624d699b64

SHA256
e7daf751cece94d5f0bc866a250fb9ae4c44282992dcf58c70e510464aab3161

SHA512
0b81ea59ad0ea9ea77cd8a78b9845659d4fd9607687939bd1204e2da8e0cffc718e520ad172b00f989ac4d19d422d2501311091fd77e7676fb66c2a4781602a6

Download Submit
C:\Program Files (x86)\ConvertWMA\wmaconvert.exe

Filesize
108KB

MD5
3e19ac94e56eb956f4525f3f48b23c31

SHA1
c34c476b6596561c890d259b7137a2bd0afb2712

SHA256
2656d940246df3a9d0c2bd676223569d970debd3b4e550cd2673b7bd34af367d

SHA512
a2b6b96ac086d54516ce5babe998d98e33896adf756e25b8312efabdb4a6abe3c1ed2cb8d2476d4c24113fc2c15e4b50d47c5fa5ecad331ea167a8e4e9ca02cd

Download Submit
C:\Program Files (x86)\ConvertWMA\wmaconvert.exe

Filesize
79KB

MD5
a455a9923e09bc9c56d2fddc53a100ad

SHA1
ac7561353b3e3a7c810015bf142b17ce8dae553c

SHA256
999ae956d8c9072b9e3e368f6269292f0ccf5e7ac66e40034b7b4b3dd25973d2

SHA512
2c8c409fa09818be312283fa95bd536805ee7fc83923952af3987235628240cf30d085180618f2d54185b65552ba29ec36f498dfd42b6e33edae0fc37edf9bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UQ2CM.tmp\tuc5.tmp

Filesize
240KB

MD5
ee8fd0f60018c03d64afbadd18b4e8d9

SHA1
4d2e501d93cfe0865dc732b4531f50d20ca573b0

SHA256
5591bc947743dd49e23135ef092ffc3ce42098bb3c5603277d32d44fb1405a4b

SHA512
86815c6eb864d4094e14954aabe49d14524c0de746c01797ccbfcdd80fba37bf1b264b7e2a588add50897ae3a835204ed81baf134f0945a43dd9cf0d8ff9c5f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UQ2CM.tmp\tuc5.tmp

Filesize
309KB

MD5
29da4bdf0f9678919a2e7780dfafec96

SHA1
c116de2bca12f7450ead2f2d90fac3c61e8f7486

SHA256
07db9f6801be153ad2fbfba49463e12dff007d26c0760dbcceca99ac944f3b76

SHA512
bff97868e5ce85416ff1a36b115fbcc05eca9f0ac88d28053f12926612124eb3bdcd68d067dd8f2a022f23453cf5399c8d518e856cfc3d49f4521a476a61e624

Download Submit
\Program Files (x86)\ConvertWMA\wmaconvert.exe

Filesize
45KB

MD5
b78ddaea21c328a661acd590b024fa30

SHA1
7a956981ef217771a55f324d08b0d761b59bb97f

SHA256
5e3f5b1be00971a998ffecc0f54101da99b9afc5755b55293c77d89735f6b1ac

SHA512
680e39b96674edc86308c70b95ae122b1a2369683b23a264ca5fd2a2f1c5b257808d536ef73cede146d7ac24676e91a1a21cedba0d9880b6c2f9ff9835ca16e5

Download Submit
\Users\Admin\AppData\Local\Temp\is-E0AGG.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-E0AGG.tmp\_isetup\_isdecmp.dll

Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
\Users\Admin\AppData\Local\Temp\is-E0AGG.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-UQ2CM.tmp\tuc5.tmp

Filesize
303KB

MD5
ecf94a08aafbd1c80b7ed0449ab64caa

SHA1
9aa18e950f8626559f70323da7e6930bc862ecc4

SHA256
3463ee849cbed0e97e65a743c563bc2793a39590c8bc37568b6ae7e3eed10212

SHA512
7ae3c49666712f2c539e9fb0da46581bd54154a020af5176b3831067361b99b8a217e06b564f0de70e5fcdba82c143caab95e48e0d3bbac2f60b80c0be15a0f6

Download Submit
memory/2356-163-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2356-1-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2364-152-0x0000000003820000-0x00000000039EF000-memory.dmp

Filesize
1.8MB

Download
memory/2364-167-0x0000000003820000-0x00000000039EF000-memory.dmp

Filesize
1.8MB

Download
memory/2364-166-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2364-164-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2364-15-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2412-154-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2412-153-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2412-157-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2412-158-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2936-177-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2936-187-0x0000000002A00000-0x0000000002A9E000-memory.dmp

Filesize
632KB

Download
memory/2936-162-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2936-170-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2936-171-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2936-174-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2936-160-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2936-180-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2936-183-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2936-165-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2936-184-0x0000000002A00000-0x0000000002A9E000-memory.dmp

Filesize
632KB

Download
memory/2936-190-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2936-193-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2936-194-0x0000000002A00000-0x0000000002A9E000-memory.dmp

Filesize
632KB

Download
memory/2936-197-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2936-200-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2936-203-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2936-206-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2936-210-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2936-213-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download