db2df2578d7d2c15e5c1696c6dbe2ebc4426beff743c724afb99f0d5b28ed56e

Analysis

max time kernel
144s
max time network
149s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
11/12/2023, 16:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

tuc3.exe
Size

7.6MB
MD5

511cd2302f0fe5d87619126aa3de8ef6
SHA1

efb34b47412a277a0bb898ee036b2830d66dd102
SHA256

db2df2578d7d2c15e5c1696c6dbe2ebc4426beff743c724afb99f0d5b28ed56e
SHA512

98b0c36bc3cdc4b08af59c704f3333be99ef405201062c5158b5f36892e5451fe51a475975cf9745fcea77c73b6d13ed5a567559b1eb2a73e640c846d9c472c1
SSDEEP

196608:KnnY8NWvGpWTTlm0OxwW+nFnfZsMUdFt30Dzj:KnnY8NELTIrxwlxQWDzj

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1984	tuc3.tmp
1856	gifplayer.exe
2780	gifplayer.exe

Loads dropped DLL 6 IoCs

pid	Process
2396	tuc3.exe
1984	tuc3.tmp
1984	tuc3.tmp
1984	tuc3.tmp
1984	tuc3.tmp
1984	tuc3.tmp

Unexpected DNS network traffic destination 2 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	45.155.250.90
Destination IP	152.89.198.214

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 63 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-OODJ6.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-U4GQC.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-E4ADK.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\lessmsi\is-UJIET.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-NUUMQ.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-I15OU.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-PIEP3.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-U3BK0.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-EPEJ8.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-530IS.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-VPCPN.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-BDDPH.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\stuff\is-FUTKP.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-MD5G1.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\plugins\internal\is-6F26O.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-K09BF.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-UH30T.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-TQCH2.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-BPTR8.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-C0RVC.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-76F72.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-MSKCC.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-EO8K0.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-8QIHH.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-N20T6.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-AFL9D.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\plugins\internal\is-UO0QC.tmp	tuc3.tmp
File opened for modification	C:\Program Files (x86)\PlayGIF\gifplayer.exe	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\stuff\is-KV3LG.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-51T2O.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-PTG8O.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-96GVP.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-Q239O.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-1DRO0.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-V80J9.tmp	tuc3.tmp
File opened for modification	C:\Program Files (x86)\PlayGIF\uninstall\unins000.dat	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-T64L7.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-V9MS7.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-A7Q3H.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-0P6G9.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\uninstall\unins000.dat	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-BA8ES.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-AJ4TH.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-HQ9S4.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-I25ET.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\uninstall\is-UU0KQ.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\stuff\is-EBKFQ.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-H21HG.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-O2P48.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-K7NK7.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-UVAG8.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-AG0IV.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-TUPMQ.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-VKFO7.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\stuff\is-9NBV7.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-MFPS1.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-ELEHN.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\is-UBR5J.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-1BLM9.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-3MKAB.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-SEMV3.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-1FDQ9.tmp	tuc3.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-VJCSH.tmp	tuc3.tmp

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1984	tuc3.tmp

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 1984	2396	tuc3.exe	28
PID 2396 wrote to memory of 1984	2396	tuc3.exe	28
PID 2396 wrote to memory of 1984	2396	tuc3.exe	28
PID 2396 wrote to memory of 1984	2396	tuc3.exe	28
PID 2396 wrote to memory of 1984	2396	tuc3.exe	28
PID 2396 wrote to memory of 1984	2396	tuc3.exe	28
PID 2396 wrote to memory of 1984	2396	tuc3.exe	28
PID 1984 wrote to memory of 1284	1984	tuc3.tmp	29
PID 1984 wrote to memory of 1284	1984	tuc3.tmp	29
PID 1984 wrote to memory of 1284	1984	tuc3.tmp	29
PID 1984 wrote to memory of 1284	1984	tuc3.tmp	29
PID 1984 wrote to memory of 1856	1984	tuc3.tmp	30
PID 1984 wrote to memory of 1856	1984	tuc3.tmp	30
PID 1984 wrote to memory of 1856	1984	tuc3.tmp	30
PID 1984 wrote to memory of 1856	1984	tuc3.tmp	30
PID 1984 wrote to memory of 2560	1984	tuc3.tmp	35
PID 1984 wrote to memory of 2560	1984	tuc3.tmp	35
PID 1984 wrote to memory of 2560	1984	tuc3.tmp	35
PID 1984 wrote to memory of 2560	1984	tuc3.tmp	35
PID 1984 wrote to memory of 2780	1984	tuc3.tmp	34
PID 1984 wrote to memory of 2780	1984	tuc3.tmp	34
PID 1984 wrote to memory of 2780	1984	tuc3.tmp	34
PID 1984 wrote to memory of 2780	1984	tuc3.tmp	34
PID 2560 wrote to memory of 1528	2560	net.exe	33
PID 2560 wrote to memory of 1528	2560	net.exe	33
PID 2560 wrote to memory of 1528	2560	net.exe	33
PID 2560 wrote to memory of 1528	2560	net.exe	33

C:\Users\Admin\AppData\Local\Temp\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\AppData\Local\Temp\is-M684M.tmp\tuc3.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-M684M.tmp\tuc3.tmp" /SL5="$4001A,7715663,68096,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Query
    3⤵
    PID:1284
- - C:\Program Files (x86)\PlayGIF\gifplayer.exe
    "C:\Program Files (x86)\PlayGIF\gifplayer.exe" -i
    3⤵
    - Executes dropped EXE
    PID:1856
- - C:\Program Files (x86)\PlayGIF\gifplayer.exe
    "C:\Program Files (x86)\PlayGIF\gifplayer.exe" -s
    3⤵
    - Executes dropped EXE
    PID:2780
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 11
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2560

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 11
1⤵
PID:1528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PlayGIF\gifplayer.exe

Filesize
222KB

MD5
c2881f97172f46f16a8d491855f834f5

SHA1
f8fbd3ac5223064265eae50a5136ed5b871ac3ac

SHA256
f141d1f3d2da187143dfd1cd6440cd97b3d9f1c04432fac84317f7e261547477

SHA512
8744244a12bc62569e6d40d315215e3d55459360679bf0706102fbda3d201595be5f2b9ba158f44919d8b7a4c251494d72dd90c9eccd95bfbd4ac02d40c50e70

Download Submit
C:\Program Files (x86)\PlayGIF\gifplayer.exe

Filesize
203KB

MD5
7d49d0d195a9599ac92555d7e3091270

SHA1
820ad5988973c87a8f1e5fff0ed9fef65dd8a24c

SHA256
1bbc224679ef62f778251e34678d01587470eea6b4e2b57b0254a4944b8a13e9

SHA512
dc96ad81557ed8b3d5f432e6abbcfe537a175b196eb697e6bf8f61ccea2ade7b4aebb9240dec4748e067a9a1122a6e7fbde0854a718ac0506724399e8f135721

Download Submit
C:\Program Files (x86)\PlayGIF\gifplayer.exe

Filesize
203KB

MD5
959b9b4ea25d9e5758dfb3bfe4d46ad2

SHA1
7993c020f134118fe5f4d7f55637dfcbfcd81681

SHA256
04def3286c00a9385b646860da46ab0b46e92c74678645ebd586499a5bf2150d

SHA512
1242ffb0aea20ed042037815cd93f84820770ca4a5a067e52aff7e1f582ce9c20e07e40f81a52b6947f1128e3342e733baed75a1e90331c6dc81c953b6e01f4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-M684M.tmp\tuc3.tmp

Filesize
665KB

MD5
a16dc12003a521dfbce854d73b26a339

SHA1
ca20238e0e32b83a267aa8084fa93b42df8cfbf7

SHA256
0eb8843f646f7713a9ae1634014b4b2e633cfc4b7547d4b2731c7b6de2713c43

SHA512
e0242670be3b2bc7d42afe31ff157e69c36aee48455e5d4e2687c40bfe999d34d397cb5da8060b60004bca3bad9122d77fa2f3813681a69f9e2bbb5bf35331d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-M684M.tmp\tuc3.tmp

Filesize
51KB

MD5
1a724473c87a30e6ad5f343b17ff7821

SHA1
226ce1c2272313dcf25392a252507be70edcaf7f

SHA256
022e9008a526b21ed23b3b923f0c4ca79cdbc4216dfae67b2ebd9506aa3a7d57

SHA512
d64affb5d5d857ec19df19de45586b01007601a1a579201e2b72ecf6431edd36bd74ce3deec01a846d7610d7128221aef0d64d6fd1ad602b5e6a9b3b8b2097a2

Download Submit
\Program Files (x86)\PlayGIF\gifplayer.exe

Filesize
261KB

MD5
02ee5afe6f0c368699277f7b2de27af3

SHA1
1500faa51800d51e7803ee92cd044e0b3dd97be9

SHA256
5ffe3134e5964fa26e7286c386976bc208126600628a3719ce49e29eaf56ab5e

SHA512
a4acde9a2e92ecb29cdd084715be621b168fa410b6442b2a820e829428e4023320fe4983aaca00866eac0ab28813ec820cc11451e2f0acfbe1960405bac9670b

Download Submit
\Users\Admin\AppData\Local\Temp\is-M684M.tmp\tuc3.tmp

Filesize
303KB

MD5
660814d5c3600ab62790e3351918c261

SHA1
91931b46675346d2833feaa8cdccea47ccb330f8

SHA256
80f202760ca2b28a9e487a1e8954ad7c88f09dd1bcb3e1345dbdd4b62badaeda

SHA512
99a2104ac5db290d95048645ee69c99fde930c3c8e7e5ba1cafb69002f5fcb9d37952230cc4e3ca5100e3f753814e6fd08a7ea6c17312ae3540a00d5817ca08c

Download Submit
\Users\Admin\AppData\Local\Temp\is-OF159.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-OF159.tmp\_isetup\_isdecmp.dll

Filesize
512B

MD5
4bca85420703b590c1346076c1f10841

SHA1
126e115e93a522803324089aef432973445f1210

SHA256
bf218fb92a27cfe64b6b1ba9b33e34a87d3144499461b6f716cf5a21b82f3b80

SHA512
71aeed2b53c87de2b7d1bdf999154c9a8601ee831ca6e160531f6fa5f83228333d3491a6f88a03017976cf3a6bad206d87efbae4e4502e0425f3ba8f68c08056

Download Submit
\Users\Admin\AppData\Local\Temp\is-OF159.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/1856-158-0x0000000000400000-0x000000000068F000-memory.dmp

Filesize
2.6MB

Download
memory/1856-157-0x0000000000400000-0x000000000068F000-memory.dmp

Filesize
2.6MB

Download
memory/1856-153-0x0000000000400000-0x000000000068F000-memory.dmp

Filesize
2.6MB

Download
memory/1856-154-0x0000000000400000-0x000000000068F000-memory.dmp

Filesize
2.6MB

Download
memory/1984-164-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1984-167-0x0000000003770000-0x00000000039FF000-memory.dmp

Filesize
2.6MB

Download
memory/1984-15-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1984-152-0x0000000003770000-0x00000000039FF000-memory.dmp

Filesize
2.6MB

Download
memory/1984-166-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2396-2-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2396-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2396-163-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2780-174-0x0000000000400000-0x000000000068F000-memory.dmp

Filesize
2.6MB

Download
memory/2780-187-0x0000000002760000-0x00000000027FE000-memory.dmp

Filesize
632KB

Download
memory/2780-162-0x0000000000400000-0x000000000068F000-memory.dmp

Filesize
2.6MB

Download
memory/2780-170-0x0000000000400000-0x000000000068F000-memory.dmp

Filesize
2.6MB

Download
memory/2780-171-0x0000000000400000-0x000000000068F000-memory.dmp

Filesize
2.6MB

Download
memory/2780-160-0x0000000000400000-0x000000000068F000-memory.dmp

Filesize
2.6MB

Download
memory/2780-177-0x0000000000400000-0x000000000068F000-memory.dmp

Filesize
2.6MB

Download
memory/2780-180-0x0000000000400000-0x000000000068F000-memory.dmp

Filesize
2.6MB

Download
memory/2780-183-0x0000000000400000-0x000000000068F000-memory.dmp

Filesize
2.6MB

Download
memory/2780-165-0x0000000000400000-0x000000000068F000-memory.dmp

Filesize
2.6MB

Download
memory/2780-184-0x0000000002760000-0x00000000027FE000-memory.dmp

Filesize
632KB

Download
memory/2780-190-0x0000000000400000-0x000000000068F000-memory.dmp

Filesize
2.6MB

Download
memory/2780-193-0x0000000000400000-0x000000000068F000-memory.dmp

Filesize
2.6MB

Download
memory/2780-196-0x0000000002760000-0x00000000027FE000-memory.dmp

Filesize
632KB

Download
memory/2780-197-0x0000000000400000-0x000000000068F000-memory.dmp

Filesize
2.6MB

Download
memory/2780-200-0x0000000000400000-0x000000000068F000-memory.dmp

Filesize
2.6MB

Download
memory/2780-203-0x0000000000400000-0x000000000068F000-memory.dmp

Filesize
2.6MB

Download
memory/2780-206-0x0000000000400000-0x000000000068F000-memory.dmp

Filesize
2.6MB

Download
memory/2780-209-0x0000000000400000-0x000000000068F000-memory.dmp

Filesize
2.6MB

Download
memory/2780-212-0x0000000000400000-0x000000000068F000-memory.dmp

Filesize
2.6MB

Download