7deabd4d922c9c04d4fbe04ea5a59f5eb2902f5a80c4ef96388ceab2bb053c91

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231130-en
resource tags

arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
submitted
11/12/2023, 14:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

tuc3.exe
Size

6.9MB
MD5

59634bdf3c25c0b48d2623288ef47ecc
SHA1

2610ba8246fdaa1795d6b90e4132350a783f2271
SHA256

7deabd4d922c9c04d4fbe04ea5a59f5eb2902f5a80c4ef96388ceab2bb053c91
SHA512

cb9c3c451d4895207f9acd4b5c8423f3bfd1fe7904dcaa2018884da09be0c6b7944212b7285ab5438b2ac70e3506d59705546fdad638c32d7337327bcd92d566
SSDEEP

196608:vW0fKLtr95HARqIrmVY8S50UL8Kj8yTwHvWY3Nzj:vtO/hAPmVNyEWeNzj

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1880	tuc3.tmp
1588	wmaconvert.exe
3604	wmaconvert.exe

Loads dropped DLL 3 IoCs

pid	Process
1880	tuc3.tmp
1880	tuc3.tmp
1880	tuc3.tmp

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	152.89.198.214
Destination IP	194.49.94.194
Destination IP	194.49.94.194

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 63 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-I859B.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-RKKSO.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-AKU05.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-HP2Q8.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-KUN5M.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-1RUJM.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-RI07K.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-6J5VU.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-SCNL7.tmp	tuc3.tmp
File opened for modification	C:\Program Files (x86)\ConvertWMA\uninstall\unins000.dat	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-M5V0O.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-AQ90T.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-KB69C.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-NQ6BS.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-PDF27.tmp	tuc3.tmp
File opened for modification	C:\Program Files (x86)\ConvertWMA\wmaconvert.exe	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-FSVO0.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-3B0LT.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-1IOFS.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-RIND1.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\lessmsi\is-03UP7.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-CH5VS.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-Q9B75.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-JJBH0.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-RUSI1.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-FJGFB.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-GKQBD.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-38E41.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-L09AD.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-GHU1L.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-8GGJ1.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-9CVUK.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-U7IBC.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-MVLEE.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-R9MPC.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-QVCSR.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-2BUBQ.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\is-BHVKU.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-83N0L.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-NP9IV.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-S105G.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-CU55B.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-895LC.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-CS6V3.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-RGTL0.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\uninstall\is-P6AK8.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\plugins\internal\is-UOO34.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-2DHNB.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-VQIJC.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-0RCED.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-L1MEK.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-41UII.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\uninstall\unins000.dat	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\stuff\is-D9GHJ.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-P4L00.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-LCQ0L.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-73BKR.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\plugins\internal\is-GN6D8.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\stuff\is-JVLRK.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\stuff\is-E7NTS.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-BTRPR.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-KQBEL.tmp	tuc3.tmp
File created	C:\Program Files (x86)\ConvertWMA\stuff\is-BP3O0.tmp	tuc3.tmp

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1880	tuc3.tmp

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 804 wrote to memory of 1880	804	tuc3.exe	87
PID 804 wrote to memory of 1880	804	tuc3.exe	87
PID 804 wrote to memory of 1880	804	tuc3.exe	87
PID 1880 wrote to memory of 4996	1880	tuc3.tmp	94
PID 1880 wrote to memory of 4996	1880	tuc3.tmp	94
PID 1880 wrote to memory of 4996	1880	tuc3.tmp	94
PID 1880 wrote to memory of 1588	1880	tuc3.tmp	92
PID 1880 wrote to memory of 1588	1880	tuc3.tmp	92
PID 1880 wrote to memory of 1588	1880	tuc3.tmp	92
PID 1880 wrote to memory of 4656	1880	tuc3.tmp	95
PID 1880 wrote to memory of 4656	1880	tuc3.tmp	95
PID 1880 wrote to memory of 4656	1880	tuc3.tmp	95
PID 1880 wrote to memory of 3604	1880	tuc3.tmp	97
PID 1880 wrote to memory of 3604	1880	tuc3.tmp	97
PID 1880 wrote to memory of 3604	1880	tuc3.tmp	97
PID 4656 wrote to memory of 4444	4656	net.exe	98
PID 4656 wrote to memory of 4444	4656	net.exe	98
PID 4656 wrote to memory of 4444	4656	net.exe	98

C:\Users\Admin\AppData\Local\Temp\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:804
- C:\Users\Admin\AppData\Local\Temp\is-9AB3V.tmp\tuc3.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-9AB3V.tmp\tuc3.tmp" /SL5="$80068,6973457,68096,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Program Files (x86)\ConvertWMA\wmaconvert.exe
    "C:\Program Files (x86)\ConvertWMA\wmaconvert.exe" -i
    3⤵
    - Executes dropped EXE
    PID:1588
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Query
    3⤵
    PID:4996
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 11
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4656
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 helpmsg 11
      4⤵
      PID:4444
- - C:\Program Files (x86)\ConvertWMA\wmaconvert.exe
    "C:\Program Files (x86)\ConvertWMA\wmaconvert.exe" -s
    3⤵
    - Executes dropped EXE
    PID:3604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ConvertWMA\wmaconvert.exe

Filesize
800KB

MD5
8b2e0611bfcab302a01c97d10a435131

SHA1
fa964e13e094a664438e71c452d9a761f5f00162

SHA256
5a4016ae5766deff33418c1d52a0daca261e1cb2d3d8fda80e790986da815687

SHA512
4cd3269c329da8532bc5158c565f8c61cf4f15d731ae32437ca4e43953e466f818901398d590fde5f9b6e65c70207bb410ea4141cc6f21769d25489501f5596e

Download Submit
C:\Program Files (x86)\ConvertWMA\wmaconvert.exe

Filesize
814KB

MD5
a3b5cc4a35eaa6f42cccde036d8ccae4

SHA1
0f3a6d21210603e33dfac7609fe7b885441ab343

SHA256
d6beff2acd3dc7cf213f2955cb3e3375e816a34f203fd0b0d583b555dc5850d5

SHA512
e46b9fc75a4eeb6e816e23f323cb4c463d8e884675e8f41c94bd63f4fb49464be7b12d395a36152e41962bfd3581ed7a7bce8a111b9dde1a7014b7aa604937c8

Download Submit
C:\Program Files (x86)\ConvertWMA\wmaconvert.exe

Filesize
551KB

MD5
aa267792766a13de0928b38e8a5942c3

SHA1
a440f59185db1adf373cb6349986776faf7855cc

SHA256
89c00f324e1dc78e70b10f0a1b9fb3d50a1b6a97e95b942620e1fa00d3b64649

SHA512
032d009145ea98c66a56821ce34397dfd6c3ad37758b9c9cb20e6f347eef4e44df39bc8a519050514c7188dc12245396d923b6e79a1e41205a8b2e8ed759a59c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9AB3V.tmp\tuc3.tmp

Filesize
672KB

MD5
371563cd67a97034448d0ce0a0f7961f

SHA1
3a6b409ba5aa4da2252448097ae99875027cd591

SHA256
f15b6421cf14efbb37743e555839ced4c5108d02f639808596ad78b88f3dba2f

SHA512
9699379a5bc7574ea66875d51d95ea3ac61306793fea71478d53fdb2d44c5f7c46088f5854583dd8f65fd6feb736e91447214a2bbeb7ed96739fa61c13f82293

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9AB3V.tmp\tuc3.tmp

Filesize
200KB

MD5
224ed3717b4329b59878eb2ce9627c21

SHA1
e227fbecd3db15f437617326764029dceee18ef5

SHA256
17191b524f96ca3c0a2c46b38bc098f3b68686db878a8b0ceace4c54a0e5d0eb

SHA512
64b5c253bcdc419dc1927f7d961a89a5d2a6ae7905365c49b90c84b30da0969680236da5c46faad93d8a988cedb5c26276318c0c3184840c4e8b2ea008282d92

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-M17F5.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-M17F5.tmp\_isetup\_isdecmp.dll

Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
memory/804-159-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/804-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/804-2-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1588-151-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/1588-152-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/1588-153-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/1588-155-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/1880-160-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1880-162-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/1880-13-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/3604-179-0x00000000006D0000-0x000000000076E000-memory.dmp

Filesize
632KB

Download
memory/3604-184-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/3604-165-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/3604-166-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/3604-169-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/3604-172-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/3604-175-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/3604-178-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/3604-158-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/3604-161-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/3604-187-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/3604-188-0x00000000006D0000-0x000000000076E000-memory.dmp

Filesize
632KB

Download
memory/3604-191-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/3604-194-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/3604-197-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/3604-200-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/3604-203-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/3604-206-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download