ebb79e30dabce5f6e76dc1ce26ff1795a561276d9142582245e870f0ea326e91

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20231130-en
resource tags

arch:x64arch:x86image:win7-20231130-enlocale:en-usos:windows7-x64system
submitted
11-12-2023 15:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tuc6.exe
Size

6.9MB
MD5

347aedaf7e529be49229d7e0a7760d20
SHA1

be0a01f958a0c31380b9fc35675f4c8cd6d2516f
SHA256

ebb79e30dabce5f6e76dc1ce26ff1795a561276d9142582245e870f0ea326e91
SHA512

caeb515dca8da1927718e659dfad7f003eda7ffab28befa0d010e74499755e87c67d928ecd471b9d737f84f8a703fdb7f767a23ef68571901aeb374e22d93122
SSDEEP

196608:Bbw61woT7mRIc+DaTblZEZTXuNkrAk8TQNY0pzj:Bbw61woTCR9+OTbl0Zo/Gzj

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2128	tuc6.tmp
2692	wmaconvert.exe
2628	wmaconvert.exe

Loads dropped DLL 6 IoCs

pid	Process
2200	tuc6.exe
2128	tuc6.tmp
2128	tuc6.tmp
2128	tuc6.tmp
2128	tuc6.tmp
2128	tuc6.tmp

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	81.31.197.38
Destination IP	152.89.198.214
Destination IP	194.49.94.194

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 63 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-A2UAA.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-9GN7J.tmp	tuc6.tmp
File opened for modification	C:\Program Files (x86)\ConvertWMA\wmaconvert.exe	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-8J0OM.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-E12SA.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-A1N34.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-9LVA0.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-N747Q.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-QB1EF.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-LCQG1.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\plugins\internal\is-GS7US.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\stuff\is-6J79G.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\stuff\is-0Q25I.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\is-UFDKV.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-8FKH1.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-ROK6K.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-1RPT8.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-5BNMC.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-4MIVQ.tmp	tuc6.tmp
File opened for modification	C:\Program Files (x86)\ConvertWMA\uninstall\unins000.dat	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-R542D.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-P8J4I.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\uninstall\unins000.dat	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\stuff\is-9KBJN.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-1SO1B.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-3FR49.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-AM3EL.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-0ADR2.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-UALBG.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-9U92H.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-1MHBV.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-51GUC.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\stuff\is-MAAQK.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-9D09U.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-FO0N5.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-8TP5H.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\plugins\internal\is-H0LCA.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-KRJIE.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\uninstall\is-3ASGQ.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-PA421.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-PF26C.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-U5TKT.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-S2T5S.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-FJLUG.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-3BNMN.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-HCMMB.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-JR7UH.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\lessmsi\is-4CDTB.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-FQNG2.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-US6Q9.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-BLOGD.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-E9ODU.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-0R52M.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-FIR6G.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-4MT81.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-G0BUG.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-N6GQR.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-AAMJ1.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-U1DEI.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-QQDAS.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-LQGPS.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-QJOI7.tmp	tuc6.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-0O3B3.tmp	tuc6.tmp

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2128	tuc6.tmp

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2128	2200	tuc6.exe	18
PID 2200 wrote to memory of 2128	2200	tuc6.exe	18
PID 2200 wrote to memory of 2128	2200	tuc6.exe	18
PID 2200 wrote to memory of 2128	2200	tuc6.exe	18
PID 2200 wrote to memory of 2128	2200	tuc6.exe	18
PID 2200 wrote to memory of 2128	2200	tuc6.exe	18
PID 2200 wrote to memory of 2128	2200	tuc6.exe	18
PID 2128 wrote to memory of 1676	2128	tuc6.tmp	29
PID 2128 wrote to memory of 1676	2128	tuc6.tmp	29
PID 2128 wrote to memory of 1676	2128	tuc6.tmp	29
PID 2128 wrote to memory of 1676	2128	tuc6.tmp	29
PID 2128 wrote to memory of 2692	2128	tuc6.tmp	30
PID 2128 wrote to memory of 2692	2128	tuc6.tmp	30
PID 2128 wrote to memory of 2692	2128	tuc6.tmp	30
PID 2128 wrote to memory of 2692	2128	tuc6.tmp	30
PID 2128 wrote to memory of 2784	2128	tuc6.tmp	35
PID 2128 wrote to memory of 2784	2128	tuc6.tmp	35
PID 2128 wrote to memory of 2784	2128	tuc6.tmp	35
PID 2128 wrote to memory of 2784	2128	tuc6.tmp	35
PID 2128 wrote to memory of 2628	2128	tuc6.tmp	34
PID 2128 wrote to memory of 2628	2128	tuc6.tmp	34
PID 2128 wrote to memory of 2628	2128	tuc6.tmp	34
PID 2128 wrote to memory of 2628	2128	tuc6.tmp	34
PID 2784 wrote to memory of 1388	2784	net.exe	33
PID 2784 wrote to memory of 1388	2784	net.exe	33
PID 2784 wrote to memory of 1388	2784	net.exe	33
PID 2784 wrote to memory of 1388	2784	net.exe	33

C:\Users\Admin\AppData\Local\Temp\tuc6.exe
"C:\Users\Admin\AppData\Local\Temp\tuc6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Users\Admin\AppData\Local\Temp\is-2U7G4.tmp\tuc6.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-2U7G4.tmp\tuc6.tmp" /SL5="$50150,6958728,68096,C:\Users\Admin\AppData\Local\Temp\tuc6.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Query
    3⤵
    PID:1676
- - C:\Program Files (x86)\ConvertWMA\wmaconvert.exe
    "C:\Program Files (x86)\ConvertWMA\wmaconvert.exe" -i
    3⤵
    - Executes dropped EXE
    PID:2692
- - C:\Program Files (x86)\ConvertWMA\wmaconvert.exe
    "C:\Program Files (x86)\ConvertWMA\wmaconvert.exe" -s
    3⤵
    - Executes dropped EXE
    PID:2628
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 11
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2784

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 11
1⤵
PID:1388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ConvertWMA\wmaconvert.exe

Filesize
180KB

MD5
7ce1890db0bdbfaf1dc63d809014288d

SHA1
a23c32e1e1bb59f36f210c85b598140e576d588b

SHA256
9d4a3932946f17f5ee60f274c31ed73b5a683dbac5aa5c052307a498518b57c2

SHA512
c94637170bb40d9adb526eaf29dd8887bb18ef7c5345f61ec1143aaa709bc5f6de312171cfe34078193702c2d51706d85bc3ed6e2b9faa6233c565f596f3ad43

Download Submit
C:\Program Files (x86)\ConvertWMA\wmaconvert.exe

Filesize
179KB

MD5
9b0446884ec49cec68b8569a63853b93

SHA1
62ef6ba3b8e24e1681978c77d3502f56f57b53ed

SHA256
4043c15cb19c57857306375f654077f848852d70852688a1f5a20312fc554c8a

SHA512
c19aa9f8a03e7a673b5b3de57e3e6d96127c7b94e0bda1649061dc2423fc5c92290f2eecf56d5f8ad02f6cbb9c29642b73159884d6fa42a76fabf3712032d188

Download Submit
C:\Program Files (x86)\ConvertWMA\wmaconvert.exe

Filesize
116KB

MD5
7ca49c0016e25b62405f19fcc589cab5

SHA1
5f44000ae1e5afec468fc40c612ec0ee597f1cb6

SHA256
e4b4cf2c6df88f9b450d0b920972ea0ffeda0a292dc25a9724dbc5697a723932

SHA512
5f04aa16d5e32bb9de7d8caf05c95b77d75da4a38b9fa906b72869172a9a802e1c0d67678d8e3c0c60ad3faf2ad8c93dee1f5b6966082be911fc5af6f16c44de

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2U7G4.tmp\tuc6.tmp

Filesize
189KB

MD5
e8edf8957e09c2d9dd8cbbe8a5b8ca4b

SHA1
e182fb702783160192881ec85edf53bea98fde77

SHA256
deeb0c577b16288cca30869e6353539eb0e1c6598bc036aa4f5112a310a4c561

SHA512
098473a9d1038ca887e63a7531185f16864c69687f943ea06d93dabfa3a17ecf7343ec165704c9b53b0466e8134d5394a453d739dceeb89f8dbca82dd432bbf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2U7G4.tmp\tuc6.tmp

Filesize
134KB

MD5
c2206e045bd4685d38229a3284b7cb66

SHA1
08213f3f3dc7eb7364db38b257afab391e1b37cd

SHA256
82c466eb87497274effeddf87481d7d15c4250adb5f2dcdaf9df590ef882923d

SHA512
017c6d59ea6a96ddab913f31463f4f4ccbf6a0c383fe7dd4bf8a4400655aee1522ba0aab84a47451d6f6500fac74ec861fc5edebba787393292a3bfff122884b

Download Submit
\Program Files (x86)\ConvertWMA\wmaconvert.exe

Filesize
115KB

MD5
d7c6c5f2c35f982965770c65c4082352

SHA1
43a0f983491cc529289b00539b16459f92b13b03

SHA256
42ef8c8c3ef1ea01cdbb6e1f195906b260e66ec76df4a0f830fa1e6e366d354a

SHA512
1222b04d814d3b6301ab77855d9dd3e68354529eee68e80abf9e11f642bb41c095d40abd8f1e2fc2a317622f0967a5bc531d2b7553b3cf169570c37b9c6f02f5

Download Submit
\Users\Admin\AppData\Local\Temp\is-2U7G4.tmp\tuc6.tmp

Filesize
369KB

MD5
3e779a2bc60576ae33ba277093ea07c7

SHA1
c24e4ad1efb06305fadd8a5fca1baebb0d561809

SHA256
0ad58412c53516e63f9e1bd65ff7215ee394a32fdc056042ce9a2ca519d09332

SHA512
6e6dd5f580dfd4082e8fc85d41711d76a36b163ff2dea4403aefa76035ab2701812ae2d6c9f09c2d8bb3572124a687f9992ef3a641b23a58d27b2abffd053480

Download Submit
\Users\Admin\AppData\Local\Temp\is-L4SCM.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-L4SCM.tmp\_isetup\_isdecmp.dll

Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
\Users\Admin\AppData\Local\Temp\is-L4SCM.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/2128-164-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2128-152-0x0000000003780000-0x000000000394F000-memory.dmp

Filesize
1.8MB

Download
memory/2128-169-0x0000000003780000-0x000000000394F000-memory.dmp

Filesize
1.8MB

Download
memory/2128-166-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2128-16-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2200-2-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2200-163-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2200-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2628-170-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2628-193-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2628-212-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2628-160-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2628-165-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2628-209-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2628-206-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2628-203-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2628-171-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2628-174-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2628-177-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2628-180-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2628-183-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2628-184-0x0000000002920000-0x00000000029BE000-memory.dmp

Filesize
632KB

Download
memory/2628-186-0x0000000002920000-0x00000000029BE000-memory.dmp

Filesize
632KB

Download
memory/2628-190-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2628-162-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2628-194-0x0000000002920000-0x00000000029BE000-memory.dmp

Filesize
632KB

Download
memory/2628-197-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2628-200-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2692-153-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2692-154-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2692-158-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2692-157-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download