c2e16de97139bc0967e0f258df08311e25697ddd1a4aa4c8e50e1e95a8d04299

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231130-en
resource tags

arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
submitted
11/12/2023, 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tuc7.exe
Size

6.9MB
MD5

cfa8e151ffde662bf810677309b55ae9
SHA1

79eee243b42540b79e6d1550b3443b168c3bd951
SHA256

c2e16de97139bc0967e0f258df08311e25697ddd1a4aa4c8e50e1e95a8d04299
SHA512

832eefa37ee34ba0edbfec275e942939d908a238349a2d61d3f5165ebc6af7eb0810cbaccfe33e4a30b351f7c44c7de705a88a55b01e2a2c689c0d68ad1dc93c
SSDEEP

196608:weusL5Sg97UrK5EvfjuiKsrGugWn7juD9k3Ozj:DVsg95KnxLrGufn765k+zj

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
5092	tuc7.tmp
1288	wmaconvert.exe
1460	wmaconvert.exe

Loads dropped DLL 3 IoCs

pid	Process
5092	tuc7.tmp
5092	tuc7.tmp
5092	tuc7.tmp

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	194.49.94.194
Destination IP	152.89.198.214
Destination IP	194.49.94.194

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 63 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-14SU9.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-F1QP0.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\plugins\internal\is-40EUJ.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-6OBI1.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-AAUFI.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-463HS.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\is-OU4T2.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\stuff\is-7VFKD.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\stuff\is-HT0DF.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-7JMKL.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-PV03C.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-J68DT.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-4IVG3.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-P27R3.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\stuff\is-EA1T0.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-ITHCU.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-JOBB4.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-8AGKC.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-BKT83.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-MLUEC.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\uninstall\is-GK60U.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-9DUTV.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-VF564.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-O9713.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-QA2KK.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-DN4L9.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-4N91M.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\stuff\is-38GC7.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-A8E1R.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-92GK5.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-EFJ1H.tmp	tuc7.tmp
File opened for modification	C:\Program Files (x86)\ConvertWMA\wmaconvert.exe	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-R3IUR.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-K6KM5.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-2TNJN.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-MMT0Q.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-EOUPB.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-L2BHN.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-R65C7.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-D0JDB.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-ABT27.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-F3DKH.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-IQVT1.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-BK7RV.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-8IFG0.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-MJ4L2.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-JMQRC.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\plugins\internal\is-6H6VB.tmp	tuc7.tmp
File opened for modification	C:\Program Files (x86)\ConvertWMA\uninstall\unins000.dat	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-3973P.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-55N6N.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-1CFFF.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-GD611.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-HHHLK.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\lessmsi\is-IJUIF.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-628RN.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-F9QFP.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-QJL0R.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-1AQ2N.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-K86DP.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\uninstall\unins000.dat	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-AVNSP.tmp	tuc7.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-G2DE4.tmp	tuc7.tmp

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5092	tuc7.tmp

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4044 wrote to memory of 5092	4044	tuc7.exe	61
PID 4044 wrote to memory of 5092	4044	tuc7.exe	61
PID 4044 wrote to memory of 5092	4044	tuc7.exe	61
PID 5092 wrote to memory of 3068	5092	tuc7.tmp	95
PID 5092 wrote to memory of 3068	5092	tuc7.tmp	95
PID 5092 wrote to memory of 3068	5092	tuc7.tmp	95
PID 5092 wrote to memory of 1288	5092	tuc7.tmp	89
PID 5092 wrote to memory of 1288	5092	tuc7.tmp	89
PID 5092 wrote to memory of 1288	5092	tuc7.tmp	89
PID 5092 wrote to memory of 1920	5092	tuc7.tmp	93
PID 5092 wrote to memory of 1920	5092	tuc7.tmp	93
PID 5092 wrote to memory of 1920	5092	tuc7.tmp	93
PID 5092 wrote to memory of 1460	5092	tuc7.tmp	91
PID 5092 wrote to memory of 1460	5092	tuc7.tmp	91
PID 5092 wrote to memory of 1460	5092	tuc7.tmp	91
PID 1920 wrote to memory of 3764	1920	net.exe	92
PID 1920 wrote to memory of 3764	1920	net.exe	92
PID 1920 wrote to memory of 3764	1920	net.exe	92

C:\Users\Admin\AppData\Local\Temp\tuc7.exe
"C:\Users\Admin\AppData\Local\Temp\tuc7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Users\Admin\AppData\Local\Temp\is-AETIA.tmp\tuc7.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-AETIA.tmp\tuc7.tmp" /SL5="$60060,6944675,68096,C:\Users\Admin\AppData\Local\Temp\tuc7.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:5092
- - C:\Program Files (x86)\ConvertWMA\wmaconvert.exe
    "C:\Program Files (x86)\ConvertWMA\wmaconvert.exe" -i
    3⤵
    - Executes dropped EXE
    PID:1288
- - C:\Program Files (x86)\ConvertWMA\wmaconvert.exe
    "C:\Program Files (x86)\ConvertWMA\wmaconvert.exe" -s
    3⤵
    - Executes dropped EXE
    PID:1460
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 11
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1920
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Query
    3⤵
    PID:3068

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 11
1⤵
PID:3764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ConvertWMA\wmaconvert.exe

Filesize
99KB

MD5
008751a4de8d807e4bacf47af14720e4

SHA1
0d1f01238689d688dbb136dba5da608deae7cbe5

SHA256
057bc00fc627537d52cbcccc12b5d4273f31ba132b52a7e3f5f4b9c08787a750

SHA512
27c7af994e3c4b312467c45bc731d1bf168990b1ff75fb859b6e5cd623b7e796a4cab3f66048f84cba742a12a697ce488f50a68662e18683e4d8c1e4692efc78

Download Submit
C:\Program Files (x86)\ConvertWMA\wmaconvert.exe

Filesize
150KB

MD5
b0370ca612c46eed6d91eaff0355ee74

SHA1
83fde309142a21a0eb222c1ee529b0cc8c29da0d

SHA256
8a8427fcb47a175ea4ba8acb120529505d3f464c818b66c989fd025e12e3b659

SHA512
793be260d2253ff894bf7611e7a120ab542398481eccdc458d20fc702847e701009ea129bddcc85c26762e2288501f154a85b54829443b4f50c9241034dfef7f

Download Submit
C:\Program Files (x86)\ConvertWMA\wmaconvert.exe

Filesize
42KB

MD5
badd53440d1be05f1331e058f5f115e8

SHA1
59c5ed1448ce3b91bf93ee50dbbb1943ae8145c9

SHA256
e293b6bf1b0d9c09a7b9dbf2d5f8275e288e9707285a88014fc432aa4e9c25a6

SHA512
283d7313bfb72b9fec7e7cd15a2b3ad71e9583b148dfcf41004fd1d40e99346e695390f1352482d6a42b0ead6edf0bf3b718ee2a13d75e20824e606bc26ab2c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-73LPG.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-73LPG.tmp\_isetup\_isdecmp.dll

Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AETIA.tmp\tuc7.tmp

Filesize
447KB

MD5
5098285ba89ff4d6e3dbf94a9930c644

SHA1
04e57552b09744b5405fdfbe7b92f5e9f8876a8d

SHA256
7b66c766dad2797e4a31cdf333a0cf09a8b376a44806c3628ca540bc6dfae10f

SHA512
7c9907664a303b38a761dcb407259607eac9d700db3cb36c964611a81fab86df4334b4f7af6aaba95c51ffa3dbc683d6c9a24d9930272ca7418b90e90f161c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AETIA.tmp\tuc7.tmp

Filesize
487KB

MD5
82c2f40a9b8d222867024ef2b9a28507

SHA1
34ca79dff2556e6b30e5ffd12f5f34f00844a367

SHA256
15652a0c97b6fd37e9e879c42d1ba8eb0f21f90abc214162b061137a6e18c8a4

SHA512
8448adb195cddd7737847cd693bc40c6fec92b7c228c312fa91927a1e95b7eddedab18be34b62e015f5d9f4c4a066c178c2fb4ff3584ff3ef03e94c66d216394

Download Submit
memory/1288-151-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/1288-154-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/1288-152-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/1288-155-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/1460-162-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/1460-190-0x00000000008B0000-0x000000000094E000-memory.dmp

Filesize
632KB

Download
memory/1460-157-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/1460-208-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/1460-205-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/1460-202-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/1460-199-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/1460-196-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/1460-193-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/1460-166-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/1460-167-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/1460-170-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/1460-173-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/1460-176-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/1460-178-0x00000000008B0000-0x000000000094E000-memory.dmp

Filesize
632KB

Download
memory/1460-182-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/1460-183-0x00000000008B0000-0x000000000094E000-memory.dmp

Filesize
632KB

Download
memory/1460-186-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/1460-189-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/1460-159-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/4044-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4044-160-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4044-2-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5092-163-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/5092-161-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/5092-13-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download