cc1045628dac1a205ebf599e038ef9d95f6583eb568a2047bf2b67900331cb9c

Analysis

max time kernel
151s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
11/12/2023, 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tuc3.exe
Size

6.9MB
MD5

55e4542f2aa4a37e84e68dcdb7b9d0eb
SHA1

2cf30be58632e20c28fcacb9c3bd04d7210fb842
SHA256

cc1045628dac1a205ebf599e038ef9d95f6583eb568a2047bf2b67900331cb9c
SHA512

c9cf7ce1a40db20b517602f8b37c9e0259bb01911fd0385f789b942cf3e1eb537269f469ec242939d62cc64e6fea9dbee417b48f8636d36bafb5117df0de7226
SSDEEP

196608:TW0fKLtr95HARqIrmVY8S50UL8Kj8yTwHvWY3Nzj:TtO/hAPmVNyEWeNzj

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1516	tuc3.tmp
4424	wmaconvert.exe
4756	wmaconvert.exe

Loads dropped DLL 3 IoCs

pid	Process
1516	tuc3.tmp
1516	tuc3.tmp
1516	tuc3.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	81.31.197.38

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 63 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-2K7AU.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-12MQA.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-HBMJ4.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-3P8R1.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-I8598.tmp	tuc3.tmp
File opened for modification	C:\Program Files (x86)\ConvertWMA\wmaconvert.exe	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-F7U63.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-7PNFM.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-034K2.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-4C3G5.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-7OAAA.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-65KP2.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\plugins\internal\is-ERMKD.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-V232T.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\is-KVM0M.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-SP5VD.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-TMN5V.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-KCJV4.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-QECKG.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-9B997.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-N2G8R.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-MSTNP.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-CLH3I.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-U1GFU.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-I2S62.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-695NB.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-ACLEA.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-RQ44E.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-G0QEM.tmp	tuc3.tmp
File opened for modification	C:\Program Files (x86)\ConvertWMA\uninstall\unins000.dat	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\uninstall\unins000.dat	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-PTFJ3.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-HK0DA.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-PKS1Q.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-3D3H7.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-B4P4R.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-3MS0B.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-VHBIN.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\stuff\is-CJL98.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-M8GGU.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\stuff\is-3K11U.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\lessmsi\is-758BB.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-FM882.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-6B7QJ.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-NE20R.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\uninstall\is-RA00A.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-4C2NB.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-V19SE.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-8JHAP.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-J4RAI.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-CRRKI.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-CL871.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\stuff\is-DAGT6.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\stuff\is-GCP53.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-DVPB9.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-0575C.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\plugins\internal\is-APN59.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-PMPC6.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-CG9S9.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-01BR4.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-6KU2H.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-KG5N3.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-LBDA2.tmp	tuc3.tmp

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1516	tuc3.tmp

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3144 wrote to memory of 1516	3144	tuc3.exe	87
PID 3144 wrote to memory of 1516	3144	tuc3.exe	87
PID 3144 wrote to memory of 1516	3144	tuc3.exe	87
PID 1516 wrote to memory of 1792	1516	tuc3.tmp	90
PID 1516 wrote to memory of 1792	1516	tuc3.tmp	90
PID 1516 wrote to memory of 1792	1516	tuc3.tmp	90
PID 1516 wrote to memory of 4424	1516	tuc3.tmp	92
PID 1516 wrote to memory of 4424	1516	tuc3.tmp	92
PID 1516 wrote to memory of 4424	1516	tuc3.tmp	92
PID 1516 wrote to memory of 2912	1516	tuc3.tmp	96
PID 1516 wrote to memory of 2912	1516	tuc3.tmp	96
PID 1516 wrote to memory of 2912	1516	tuc3.tmp	96
PID 1516 wrote to memory of 4756	1516	tuc3.tmp	95
PID 1516 wrote to memory of 4756	1516	tuc3.tmp	95
PID 1516 wrote to memory of 4756	1516	tuc3.tmp	95
PID 2912 wrote to memory of 2552	2912	net.exe	97
PID 2912 wrote to memory of 2552	2912	net.exe	97
PID 2912 wrote to memory of 2552	2912	net.exe	97

C:\Users\Admin\AppData\Local\Temp\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3144
- C:\Users\Admin\AppData\Local\Temp\is-QQCAC.tmp\tuc3.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-QQCAC.tmp\tuc3.tmp" /SL5="$401F2,6973457,68096,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Query
    3⤵
    PID:1792
- - C:\Program Files (x86)\ConvertWMA\wmaconvert.exe
    "C:\Program Files (x86)\ConvertWMA\wmaconvert.exe" -i
    3⤵
    - Executes dropped EXE
    PID:4424
- - C:\Program Files (x86)\ConvertWMA\wmaconvert.exe
    "C:\Program Files (x86)\ConvertWMA\wmaconvert.exe" -s
    3⤵
    - Executes dropped EXE
    PID:4756
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 11
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 helpmsg 11
      4⤵
      PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ConvertWMA\wmaconvert.exe

Filesize
1.3MB

MD5
01520ceb8a9b4f420347ef89a52d4bbe

SHA1
a15917ad7f917d64a75c387218c11397a3c03f88

SHA256
73dcf3694bee16ad592165ac2fe43bb8a35539cea3e97a245b62ce58c94a2316

SHA512
2b5d983fdcf7c11c4442dd49005d4018924c2fed0654f51f8dbc3d9d8c76ebb33c1474994513875bd7d37914b1b59669eb843592dbf4bd3f46775b1101cdad51

Download Submit
C:\Program Files (x86)\ConvertWMA\wmaconvert.exe

Filesize
1.4MB

MD5
4b8b4e8804c9ce290651a0707f55837d

SHA1
cb2ad7d8005f8870698506c1e950f3431ea4bdd5

SHA256
92f0317b99a58e68ad026e4472053eef26fe7e9cc4d7b0fecd0cc60ea3bf63ab

SHA512
9d27a2bdb01dd11cde8678d83a272cf31c09b1deae51ff1f570f4dc4658adb93bb3449355f1bf9b0bfdc928fa070216a663b98178c68d833f0cf7611e7a8b36c

Download Submit
C:\Program Files (x86)\ConvertWMA\wmaconvert.exe

Filesize
64KB

MD5
e1662fb9b86c4de28f97a893ed1056af

SHA1
e9234595e6a35cb29d9ba228a8528c46c047c97c

SHA256
f0b368443d6b5c27bb367e476b6c629655534c4fb01e9b7c1db5cc0ea2402553

SHA512
dac91e364b6442d9ca7eb795e28a3823869816bc6040adfe8c84cdc1a3f8cf04476fb966e15fdc739d159ca2ffaed5e9cff3d38f754512708911523148767a4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-G117P.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-G117P.tmp\_isetup\_isdecmp.dll

Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QQCAC.tmp\tuc3.tmp

Filesize
320KB

MD5
ca8171abe9eb54e30eb37539e0296072

SHA1
6a83e6f2cd03d659e60ed602f961b75a882953eb

SHA256
5e411b680cdd9e87c8e061d38f8fc2f43759193c7399488973597668dce113dd

SHA512
d74b4e38dd0d0950894b4c080f6a6ce785fad70e87da62ee5e18d2e4efb29f733477ffaa02e02bb6f777660369adba7359fbbf66647efc7ec8906b6da625f6e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QQCAC.tmp\tuc3.tmp

Filesize
21KB

MD5
c5e99211f494f499bfbc6e9878fd4331

SHA1
c139502d26ca4671a024c91fd9424e0f2e128e90

SHA256
f5a1bf6b55c91e9e359d3e7951a16a052bb5f8408e1a7f2f522b98a6f2cc7b5c

SHA512
8b29b77c607b8fc62a6f40461ced3339f4d09496f98ac0f49660555eabaa7f3062ca03dceaa3f44b5746a40c522c9161732904dc28acf8b075dacc6ef27e2ecc

Download Submit
memory/1516-8-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/1516-162-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/1516-160-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3144-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3144-159-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4424-150-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/4424-153-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/4424-151-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/4424-154-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/4756-175-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/4756-180-0x0000000000900000-0x000000000099E000-memory.dmp

Filesize
632KB

Download
memory/4756-158-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/4756-165-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/4756-166-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/4756-169-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/4756-172-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/4756-156-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/4756-178-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/4756-161-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/4756-185-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/4756-188-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/4756-189-0x0000000000900000-0x000000000099E000-memory.dmp

Filesize
632KB

Download
memory/4756-192-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/4756-195-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/4756-198-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/4756-202-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/4756-205-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/4756-208-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download