46ff17be11d368e4fee688bc6fbc6dcd33cf794408d39605cf343556810a9b09

Analysis

max time kernel
147s
max time network
135s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
11/12/2023, 14:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tuc3.exe
Size

6.9MB
MD5

93a061a4bbab4efd27c7e47d09629eac
SHA1

3ffbc7263d8039202ea372ad956dd7187e138c56
SHA256

46ff17be11d368e4fee688bc6fbc6dcd33cf794408d39605cf343556810a9b09
SHA512

604061374154814aea69bcef4a1e687dd4d152293fd650100d1e6ba297a4796fb019db908e85823b457fdab845fa9117a07942abd85e2e97903bdf68c47e0271
SSDEEP

196608:gW0fKLtr95HARqIrmVY8S50UL8Kj8yTwHvWY3Nzj:gtO/hAPmVNyEWeNzj

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2756	tuc3.tmp
1616	wmaconvert.exe
2120	wmaconvert.exe

Loads dropped DLL 6 IoCs

pid	Process
2384	tuc3.exe
2756	tuc3.tmp
2756	tuc3.tmp
2756	tuc3.tmp
2756	tuc3.tmp
2756	tuc3.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	152.89.198.214

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 63 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-7A20E.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-GTQUH.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-B6B0G.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\plugins\internal\is-E273J.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\stuff\is-F74VE.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-FJSEV.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-05EE4.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-TKI1N.tmp	tuc3.tmp
File opened for modification	C:\Program Files (x86)\ConvertWMA\uninstall\unins000.dat	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-J94SI.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-5RET1.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-A8Q4O.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\is-SHUE0.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-T5QAB.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-VHUKJ.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-F34K3.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-A72IP.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\stuff\is-0JEU2.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-HCF13.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-0DHR3.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-PU2T6.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-GAQQI.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-DPPE2.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\stuff\is-UMFHN.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-HLKJI.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-E581K.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-7BDPF.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-QN4C5.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-D5GUL.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-PTRSK.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-HCENP.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-ILKD3.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-VGRBD.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-RIT7F.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-JCQAC.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-P7A78.tmp	tuc3.tmp
File opened for modification	C:\Program Files (x86)\ConvertWMA\wmaconvert.exe	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\stuff\is-FE0N6.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-RDHQU.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-AC8DU.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-QEV9B.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-2FK9P.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\lessmsi\is-HHVL6.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-F5J34.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-1V4K6.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-87GG5.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-MR45S.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-C2KEO.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-60OTA.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-CAR9S.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-B33Q0.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-97VV0.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-QRN7C.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-DV7OS.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-O98CS.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\plugins\internal\is-JLVM4.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-A5I4I.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-G4L6V.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\uninstall\unins000.dat	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\uninstall\is-245KU.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-UIUFU.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-JG4S7.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-A3PPR.tmp	tuc3.tmp

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2756	tuc3.tmp

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2756	2384	tuc3.exe	22
PID 2384 wrote to memory of 2756	2384	tuc3.exe	22
PID 2384 wrote to memory of 2756	2384	tuc3.exe	22
PID 2384 wrote to memory of 2756	2384	tuc3.exe	22
PID 2384 wrote to memory of 2756	2384	tuc3.exe	22
PID 2384 wrote to memory of 2756	2384	tuc3.exe	22
PID 2384 wrote to memory of 2756	2384	tuc3.exe	22
PID 2756 wrote to memory of 1632	2756	tuc3.tmp	29
PID 2756 wrote to memory of 1632	2756	tuc3.tmp	29
PID 2756 wrote to memory of 1632	2756	tuc3.tmp	29
PID 2756 wrote to memory of 1632	2756	tuc3.tmp	29
PID 2756 wrote to memory of 1616	2756	tuc3.tmp	31
PID 2756 wrote to memory of 1616	2756	tuc3.tmp	31
PID 2756 wrote to memory of 1616	2756	tuc3.tmp	31
PID 2756 wrote to memory of 1616	2756	tuc3.tmp	31
PID 2756 wrote to memory of 1696	2756	tuc3.tmp	32
PID 2756 wrote to memory of 1696	2756	tuc3.tmp	32
PID 2756 wrote to memory of 1696	2756	tuc3.tmp	32
PID 2756 wrote to memory of 1696	2756	tuc3.tmp	32
PID 2756 wrote to memory of 2120	2756	tuc3.tmp	35
PID 2756 wrote to memory of 2120	2756	tuc3.tmp	35
PID 2756 wrote to memory of 2120	2756	tuc3.tmp	35
PID 2756 wrote to memory of 2120	2756	tuc3.tmp	35
PID 1696 wrote to memory of 2116	1696	net.exe	34
PID 1696 wrote to memory of 2116	1696	net.exe	34
PID 1696 wrote to memory of 2116	1696	net.exe	34
PID 1696 wrote to memory of 2116	1696	net.exe	34

C:\Users\Admin\AppData\Local\Temp\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Users\Admin\AppData\Local\Temp\is-VTSI1.tmp\tuc3.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-VTSI1.tmp\tuc3.tmp" /SL5="$70122,6973457,68096,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Query
    3⤵
    PID:1632
- - C:\Program Files (x86)\ConvertWMA\wmaconvert.exe
    "C:\Program Files (x86)\ConvertWMA\wmaconvert.exe" -i
    3⤵
    - Executes dropped EXE
    PID:1616
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 11
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1696
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 helpmsg 11
      4⤵
      PID:2116
- - C:\Program Files (x86)\ConvertWMA\wmaconvert.exe
    "C:\Program Files (x86)\ConvertWMA\wmaconvert.exe" -s
    3⤵
    - Executes dropped EXE
    PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ConvertWMA\wmaconvert.exe

Filesize
646KB

MD5
7d97c14bba81563ad3d642078d1398be

SHA1
90ee5f381d9df36b10c941d14b028ec8d28f22f7

SHA256
2d21a3f2f4c57e9bb59175bee00f990250390dbff8b8a04e6360659553bb25b1

SHA512
178546f5a254ed0cc3530d22a22faa601aa3cef40ec6c045ce48f57137f9abb33bd723d98fa4d1dab31bb431afb6150087f33a1960fc8d750564a8318a91b696

Download Submit
C:\Program Files (x86)\ConvertWMA\wmaconvert.exe

Filesize
172KB

MD5
f715f0ad46ac916f2231f636204358e2

SHA1
da32e8fc9a5e9710de82cd488522ecb39ade5164

SHA256
bc968f6a8836675377bb047e4e5d6a08fee44ad865b87c36851effbd59c06469

SHA512
1cdeb447152284c508581669dd561dde84fcf5f1a6e7cc0fdde7c6e8d0d881b535f97b283ab451f898a4638a780454874ddc74ac9a0d4b5c8af59029ce25f487

Download Submit
C:\Program Files (x86)\ConvertWMA\wmaconvert.exe

Filesize
20KB

MD5
55290823c1e6bfc943b2b1ef445bd8e8

SHA1
a84fc932657799498110f9812bfa54978c97ce42

SHA256
592e0ec55b5df99a9e9930fc567fd67acaeda76d1836b5837d916fea0463ca37

SHA512
ff6cf08fe86a09214a9747842a5be99641203d4a080d991ff263ed4b7e0963be137b1fff0780b15737aaeb108137128ac4eaa4e6c17c301c6ed700d57b258256

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VTSI1.tmp\tuc3.tmp

Filesize
290KB

MD5
da0eaff9516582ff2a05892a094da2d5

SHA1
69a063c8241f240def851f2ef9d7e77ffaea8212

SHA256
27f7819a6e6959d2b758511e8c5b5489a38f2ab2507f0abc056873b448aeaa4f

SHA512
7b06d21cb8037ec64361bfb6c3753cb76f1c7f84e96890f92a5dbc17a632b692ee1eeecbee70542cad0df9919000314c0babb09e22af5786e9a75af5c1bd692a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VTSI1.tmp\tuc3.tmp

Filesize
437KB

MD5
79ab60af5394bf9644120a2bc0244181

SHA1
50eea82ec5c0c6aaf8d967c675474e8c0c62fcb6

SHA256
df99695210a23d4d82d71610428129d19a664061911db2efb8ea1d6bfb9fdbac

SHA512
781cde3b5f3593c6c6d1a5fc0b942a2a04705c1a22cd3329c4bb1fbca8ed1c8b91ee8eb437b9b9c227bd1e183b1aca387ea989c457ee8dd4c6b4a39809c2d037

Download Submit
\Program Files (x86)\ConvertWMA\wmaconvert.exe

Filesize
291KB

MD5
eea411e371a4290c3ccb31747761a1db

SHA1
f13de829cbe21badad9b29683551c42c87a613dd

SHA256
2d367c933d4c4e9b2818a24704b5a60dfafa8dd4ea3a1b8769c5a2db4fdf5f01

SHA512
601484668208c648f03e592dd1cf52a0e337e7dfa0f4f792a0e438f363270e86cc721f6a10b5950924a16cba582bfa86ff846d5f494c8d3dccbe4fc1da8e6ef6

Download Submit
\Users\Admin\AppData\Local\Temp\is-BC44T.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-BC44T.tmp\_isetup\_isdecmp.dll

Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
\Users\Admin\AppData\Local\Temp\is-BC44T.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-VTSI1.tmp\tuc3.tmp

Filesize
569KB

MD5
b97067a8c84a7349719f37e2bdaf9cb8

SHA1
be426c08beff3484395de9df71a65c8b66ffb55d

SHA256
b3e18fe0ab1f82e7057bc8a642f42c376f4c6706aa3caeca48d8d96eb8136c90

SHA512
f2e98131b1716c116440454b5657c84e00efc528b9ba025290cdf24a16d307a672ea50d96245963649e0964e742827784ff97ec31b5baa4d997368fe9e996d62

Download Submit
memory/1616-152-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/1616-157-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/1616-153-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/1616-156-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2120-183-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2120-192-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2120-211-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2120-159-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2120-161-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2120-208-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2120-205-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2120-202-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2120-199-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2120-166-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2120-169-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2120-170-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2120-173-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2120-174-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2120-177-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2120-180-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2120-196-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2120-184-0x00000000025E0000-0x000000000267E000-memory.dmp

Filesize
632KB

Download
memory/2120-189-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2120-195-0x00000000025E0000-0x000000000267E000-memory.dmp

Filesize
632KB

Download
memory/2384-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2384-162-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2756-151-0x0000000003520000-0x00000000036EF000-memory.dmp

Filesize
1.8MB

Download
memory/2756-165-0x0000000003520000-0x00000000036EF000-memory.dmp

Filesize
1.8MB

Download
memory/2756-164-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2756-163-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2756-10-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download