710e0b9618294908a87b16a4acdd9face597754ee11720dab5b094d6bcbebb1a

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20231130-en
resource tags

arch:x64arch:x86image:win7-20231130-enlocale:en-usos:windows7-x64system
submitted
11/12/2023, 16:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

tuc4.exe
Size

6.9MB
MD5

aa76d89cd2cb04a6fc3ad2fef096ac65
SHA1

9feb12f808b3686a6e54d824af44fa4561e266fe
SHA256

710e0b9618294908a87b16a4acdd9face597754ee11720dab5b094d6bcbebb1a
SHA512

6ab5c0e2b7f519a9c8f106363caa190ea00b9b3a95e64e6885968b490feef023b30a088084f2a8cebfe55e061238a0f0b7a2cc6cd9215af7ccc9fda4e634b847
SSDEEP

196608:bDoG3bFqjpLC0TSMLsn33HR83v9i8l7INzj:bDyNLCWZ2HS9iQ7INzj

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2900	tuc4.tmp
2740	wmaconvert.exe
2760	wmaconvert.exe

Loads dropped DLL 6 IoCs

pid	Process
2520	tuc4.exe
2900	tuc4.tmp
2900	tuc4.tmp
2900	tuc4.tmp
2900	tuc4.tmp
2900	tuc4.tmp

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	152.89.198.214
Destination IP	152.89.198.214
Destination IP	194.49.94.194

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 63 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-TQ1EG.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-8L810.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-KJQ3U.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-VL8QU.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-TITKH.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-NH38T.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-VL107.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-Q9B2J.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\lessmsi\is-TS7VT.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\plugins\internal\is-TJ6N0.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\stuff\is-M085Q.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-U32TC.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-D7MN7.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-AE2F1.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-J4IDK.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-I5S9Q.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-N74S4.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\stuff\is-29V5T.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-BDQ3H.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-SRA7I.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-4674S.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-0RUH0.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-PBRL4.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-K5U68.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-V6AJN.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-E7K77.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-TM59K.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-SQASF.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-VPB72.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\uninstall\unins000.dat	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-O9CLO.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-4GKKA.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-1N24M.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-N6B8I.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-P193Q.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-5VR2P.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-I0TE8.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-4760J.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-QJ4D8.tmp	tuc4.tmp
File opened for modification	C:\Program Files (x86)\ConvertWMA\wmaconvert.exe	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\stuff\is-L1M06.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-PON38.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\is-RP6JJ.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-CMEKN.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\plugins\internal\is-1EH2U.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-OEH24.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-NBERH.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-2II97.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-U15U3.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-ISJUC.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-0EPDH.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-J631D.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-FGCQF.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\stuff\is-TTFU9.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-LQKG3.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-E7S79.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-B176S.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\uninstall\is-4Q5OG.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-VSB4D.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-RO09B.tmp	tuc4.tmp
File opened for modification	C:\Program Files (x86)\ConvertWMA\uninstall\unins000.dat	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-L692T.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ConvertWMA\bin\x86\is-ELV6T.tmp	tuc4.tmp

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2900	tuc4.tmp

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2900	2520	tuc4.exe	17
PID 2520 wrote to memory of 2900	2520	tuc4.exe	17
PID 2520 wrote to memory of 2900	2520	tuc4.exe	17
PID 2520 wrote to memory of 2900	2520	tuc4.exe	17
PID 2520 wrote to memory of 2900	2520	tuc4.exe	17
PID 2520 wrote to memory of 2900	2520	tuc4.exe	17
PID 2520 wrote to memory of 2900	2520	tuc4.exe	17
PID 2900 wrote to memory of 1896	2900	tuc4.tmp	31
PID 2900 wrote to memory of 1896	2900	tuc4.tmp	31
PID 2900 wrote to memory of 1896	2900	tuc4.tmp	31
PID 2900 wrote to memory of 1896	2900	tuc4.tmp	31
PID 2900 wrote to memory of 2740	2900	tuc4.tmp	29
PID 2900 wrote to memory of 2740	2900	tuc4.tmp	29
PID 2900 wrote to memory of 2740	2900	tuc4.tmp	29
PID 2900 wrote to memory of 2740	2900	tuc4.tmp	29
PID 2900 wrote to memory of 2744	2900	tuc4.tmp	35
PID 2900 wrote to memory of 2744	2900	tuc4.tmp	35
PID 2900 wrote to memory of 2744	2900	tuc4.tmp	35
PID 2900 wrote to memory of 2744	2900	tuc4.tmp	35
PID 2900 wrote to memory of 2760	2900	tuc4.tmp	34
PID 2900 wrote to memory of 2760	2900	tuc4.tmp	34
PID 2900 wrote to memory of 2760	2900	tuc4.tmp	34
PID 2900 wrote to memory of 2760	2900	tuc4.tmp	34
PID 2744 wrote to memory of 1656	2744	net.exe	32
PID 2744 wrote to memory of 1656	2744	net.exe	32
PID 2744 wrote to memory of 1656	2744	net.exe	32
PID 2744 wrote to memory of 1656	2744	net.exe	32

C:\Users\Admin\AppData\Local\Temp\tuc4.exe
"C:\Users\Admin\AppData\Local\Temp\tuc4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Users\Admin\AppData\Local\Temp\is-1H9TG.tmp\tuc4.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-1H9TG.tmp\tuc4.tmp" /SL5="$30140,6971036,68096,C:\Users\Admin\AppData\Local\Temp\tuc4.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Program Files (x86)\ConvertWMA\wmaconvert.exe
    "C:\Program Files (x86)\ConvertWMA\wmaconvert.exe" -i
    3⤵
    - Executes dropped EXE
    PID:2740
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Query
    3⤵
    PID:1896
- - C:\Program Files (x86)\ConvertWMA\wmaconvert.exe
    "C:\Program Files (x86)\ConvertWMA\wmaconvert.exe" -s
    3⤵
    - Executes dropped EXE
    PID:2760
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 11
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2744

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 11
1⤵
PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ConvertWMA\wmaconvert.exe

Filesize
512KB

MD5
065f9a912f210793d19385e49aac50a7

SHA1
76a08e98e8a71ef2e97b1c4caa1c86ffdb6c0a34

SHA256
817a6f50ca49321ddb4a0cff59e8cdbfe2e1bffe6cc7fb32bba94eb5fbf5317d

SHA512
8999c116f8a176d296ce95c2ae8fa1e8cc83d644bc4c76483215d17c60c9dc6a63ec1553e902e3519ca333b79ed790f3502aa960f5fcdca13f1ba4c4b06216c0

Download Submit
C:\Program Files (x86)\ConvertWMA\wmaconvert.exe

Filesize
467KB

MD5
2819c16a7097e06549c6851f1299459f

SHA1
97c494d885d2a18d75d32d0b206f7365abc9f52a

SHA256
becb2e18e68d49c2409b6e2c2883fc22217e4d39e92c69671eea9e2b2fb435d6

SHA512
3e3ac2ea986601e250e31a4365ee103a0276d2d44abc38bffb5efed4e7e895c09e0ff5301ad587563a39959b62069c17b4e4aa8eb9fc13442d75c714622b55f6

Download Submit
C:\Program Files (x86)\ConvertWMA\wmaconvert.exe

Filesize
276KB

MD5
59b5d4b0aff148f6513f59975ac9751d

SHA1
ed3c7494da8fae0acee856c0073d0cb1ff8430e4

SHA256
7078382ae743b2612f280764a69518bb6856aa743f8f07eefd79a1c4b43d1b80

SHA512
e773152a797673aaed18c4d135ca45ed416a68c451768a0bb2c31d99a6a7ea93aa741bff63201483b3bda9081a651b1a87f1c5ac7c9dd44641f49de18e580e62

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1H9TG.tmp\tuc4.tmp

Filesize
361KB

MD5
58ee01b8912b9c9add6883dd944215c8

SHA1
bd4080126c08db31771c9fe3b624a1e2dd9577c2

SHA256
1e7be33b537d4ec66277d3f96d4f8fe8f3b52110a1bd400e9b4875b51e6f27c3

SHA512
d44c79f3276bf26eefe27d7f45dd39d3c2e1a4d0be7472e28cfaec85ecd58d849e45ecc43343dcdbb3811bb39ac70a83ee62a7b5eb7bc61f118d1d6f3e782c90

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1H9TG.tmp\tuc4.tmp

Filesize
447KB

MD5
959c8d4c36ffeb9eff20f04cdfd99f4a

SHA1
b89b26b359a38390c88ddf0fcb080e3ebb5b8e36

SHA256
ab21ddc440c0c08a79c96efd6aeec64a8e9ce1fa6cee95dd9f7523346fbbb07e

SHA512
bd0091fef358bd6ad5bae06e0dd4e1003399822fb132424606729c9c83aa012d088dc9c2884e0b29aa072b702748d5cbdf3acdab21851f97773ee7e774d7ec68

Download Submit
\Program Files (x86)\ConvertWMA\wmaconvert.exe

Filesize
216KB

MD5
16277c96bd82cda79cb5567757ce15e6

SHA1
c35efab1bc160071e39661a7de66668edff71a22

SHA256
263744e5c56bd8079faa53366e30ccd9da543e36f593908b5dae6737d557865f

SHA512
1bc334990eb6617127d30c001831df74627a0feab44854c1cf56f2ae76601243646fee9f398f00c0ebee4d5f2ea6bab7dc62367e3a29463a240397cafe48a514

Download Submit
\Users\Admin\AppData\Local\Temp\is-1H9TG.tmp\tuc4.tmp

Filesize
663KB

MD5
060bc6eff5448a8fd80414f90f8c5a69

SHA1
d33209af451607de82ae6ae47b95e1cb1c032d88

SHA256
21dede1d3fd9bed48369900392f06fee90f8ab9d719c69d25541e04185881823

SHA512
d82c4c71ed901f7106120d66e3733a4b9776061a1f8ea1e0df9496796c941ab9dffd3823c3b7218360b62af3866d1ee57db913b293c1369aa26bf83553edb406

Download Submit
\Users\Admin\AppData\Local\Temp\is-INQHQ.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-INQHQ.tmp\_isetup\_isdecmp.dll

Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
\Users\Admin\AppData\Local\Temp\is-INQHQ.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/2520-163-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2520-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2520-2-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2740-153-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2740-157-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2740-154-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2740-158-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2760-183-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2760-192-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2760-162-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2760-211-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2760-208-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2760-165-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2760-205-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2760-202-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2760-170-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2760-171-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2760-174-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2760-177-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2760-180-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2760-199-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2760-184-0x0000000002A20000-0x0000000002ABE000-memory.dmp

Filesize
632KB

Download
memory/2760-189-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2760-160-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2760-193-0x0000000002A20000-0x0000000002ABE000-memory.dmp

Filesize
632KB

Download
memory/2760-196-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2900-21-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2900-169-0x0000000003790000-0x000000000395F000-memory.dmp

Filesize
1.8MB

Download
memory/2900-166-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2900-152-0x0000000003790000-0x000000000395F000-memory.dmp

Filesize
1.8MB

Download
memory/2900-164-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download