9e2c5313f874ec182f871c988629d370b004f61274b009239b3ed5a193afafcc

Analysis

max time kernel
150s
max time network
143s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
11/12/2023, 16:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tuc4.exe
Size

7.5MB
MD5

807946fc465ebb7fb9a4dd9e056fd4e1
SHA1

63bd4777b6af4c25b330575d57155b6b61b94aab
SHA256

9e2c5313f874ec182f871c988629d370b004f61274b009239b3ed5a193afafcc
SHA512

a47b31ecdf9515a8126f934b083e188561028c25d7154d28dfa4f78d2cbc51b3e2d283d78ad20a46d02051bb72745d99ccc63120667bc32227f4d5709086965f
SSDEEP

196608:OpVDDR8SZqepbLqwjKpDf/NIpEpDqfBrT0/WViLFfzj:OpVBtvpbL/+vVYBrTTefzj

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2440	tuc4.tmp
2236	gifplayer.exe
584	gifplayer.exe

Loads dropped DLL 6 IoCs

pid	Process
2184	tuc4.exe
2440	tuc4.tmp
2440	tuc4.tmp
2440	tuc4.tmp
2440	tuc4.tmp
2440	tuc4.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	152.89.198.214

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 63 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-IC9VM.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-9R0MR.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-C3VUC.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-IE3HS.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-8JQU5.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-919DQ.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-GITOL.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-47PT5.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-O2UM9.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-MD8MV.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\plugins\internal\is-MLTDP.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\is-E43TG.tmp	tuc4.tmp
File opened for modification	C:\Program Files (x86)\PlayGIF\uninstall\unins000.dat	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-24IFO.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\uninstall\unins000.dat	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-EB64N.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\lessmsi\is-VRIQ8.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-4HFJ7.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-PJ4GA.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-FD9V9.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-N4E2G.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-9PEKA.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-7MQFO.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-7IBNH.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-IA3QJ.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-UIVDU.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-S9KRE.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-H5GRI.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-KC3GS.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-KO9NB.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-R1Q8H.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-7DIF8.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\stuff\is-QK9T7.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-U4VPC.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-9B89G.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-56AEO.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\stuff\is-BD3O6.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-SKVLF.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-HH9NA.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-3NMH0.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-M2S0I.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\uninstall\is-QHPH6.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\stuff\is-71O78.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-8URSM.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\stuff\is-5GJCA.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-BT8FQ.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-5BI6S.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-6T61Q.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-PNN8A.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-84LN5.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-1FT64.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-DNS2P.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-RJNTH.tmp	tuc4.tmp
File opened for modification	C:\Program Files (x86)\PlayGIF\gifplayer.exe	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\plugins\internal\is-H9GNS.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-BA87U.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-QPL84.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-O8PH2.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-DJAB1.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-BOKVK.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-CNB61.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-QG68A.tmp	tuc4.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-ST3JS.tmp	tuc4.tmp

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2440	tuc4.tmp

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2440	2184	tuc4.exe	28
PID 2184 wrote to memory of 2440	2184	tuc4.exe	28
PID 2184 wrote to memory of 2440	2184	tuc4.exe	28
PID 2184 wrote to memory of 2440	2184	tuc4.exe	28
PID 2184 wrote to memory of 2440	2184	tuc4.exe	28
PID 2184 wrote to memory of 2440	2184	tuc4.exe	28
PID 2184 wrote to memory of 2440	2184	tuc4.exe	28
PID 2440 wrote to memory of 1936	2440	tuc4.tmp	29
PID 2440 wrote to memory of 1936	2440	tuc4.tmp	29
PID 2440 wrote to memory of 1936	2440	tuc4.tmp	29
PID 2440 wrote to memory of 1936	2440	tuc4.tmp	29
PID 2440 wrote to memory of 2236	2440	tuc4.tmp	31
PID 2440 wrote to memory of 2236	2440	tuc4.tmp	31
PID 2440 wrote to memory of 2236	2440	tuc4.tmp	31
PID 2440 wrote to memory of 2236	2440	tuc4.tmp	31
PID 2440 wrote to memory of 436	2440	tuc4.tmp	35
PID 2440 wrote to memory of 436	2440	tuc4.tmp	35
PID 2440 wrote to memory of 436	2440	tuc4.tmp	35
PID 2440 wrote to memory of 436	2440	tuc4.tmp	35
PID 2440 wrote to memory of 584	2440	tuc4.tmp	33
PID 2440 wrote to memory of 584	2440	tuc4.tmp	33
PID 2440 wrote to memory of 584	2440	tuc4.tmp	33
PID 2440 wrote to memory of 584	2440	tuc4.tmp	33
PID 436 wrote to memory of 1164	436	net.exe	34
PID 436 wrote to memory of 1164	436	net.exe	34
PID 436 wrote to memory of 1164	436	net.exe	34
PID 436 wrote to memory of 1164	436	net.exe	34

C:\Users\Admin\AppData\Local\Temp\tuc4.exe
"C:\Users\Admin\AppData\Local\Temp\tuc4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Users\Admin\AppData\Local\Temp\is-7FIN1.tmp\tuc4.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-7FIN1.tmp\tuc4.tmp" /SL5="$7011E,7565670,68096,C:\Users\Admin\AppData\Local\Temp\tuc4.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Query
    3⤵
    PID:1936
- - C:\Program Files (x86)\PlayGIF\gifplayer.exe
    "C:\Program Files (x86)\PlayGIF\gifplayer.exe" -i
    3⤵
    - Executes dropped EXE
    PID:2236
- - C:\Program Files (x86)\PlayGIF\gifplayer.exe
    "C:\Program Files (x86)\PlayGIF\gifplayer.exe" -s
    3⤵
    - Executes dropped EXE
    PID:584
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 11
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:436

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 11
1⤵
PID:1164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PlayGIF\gifplayer.exe

Filesize
460KB

MD5
5d0386df1ce39a078dd3330dd327642c

SHA1
e12f6dc7a75db4fcd0cfa0d0f6fcd63135f5b211

SHA256
903f5971896aa85a59f65d4e1ef1142a56d0d21b43fdc064cf7e1ce6885f2b90

SHA512
5802eae8ad28c21a5f956b20913f215bd736ef19469216a76664ac783195118b0749481cb21c06ee6d8c9fa3418e4763c0e455eea07cb9db2fc0091c9adf0751

Download Submit
C:\Program Files (x86)\PlayGIF\gifplayer.exe

Filesize
822KB

MD5
1d5acd9a257273c6d4c5c4bc04f1470c

SHA1
85c50cbeb68370c94acc26ac4c35e33c067d7bd8

SHA256
3300435f6b909bbefb3f15ca3a690c496f7bf640c2b3066ab8a7e626194932f9

SHA512
4f9a56727af2a0fa3d4fe584e397a78b4b38dccd2cf051e729f8a754754f15b65d768ac000b3c6c0bee184504dd37e82ee1804a3b424520636257f9aca1b5b0c

Download Submit
C:\Program Files (x86)\PlayGIF\gifplayer.exe

Filesize
601KB

MD5
8b2f12f9fed573d5b5fab70d4744f171

SHA1
1be0b08c2ba6defec4a0cf45a7df343e0e554823

SHA256
93ec09ab0ecf40a0a35232e083d38b90b51a386d01ca9ce4e1f0e14e64fe0b6a

SHA512
01ca1a9b6751905ebb043980ffad0f4b367de731a0736235dfaa6ff37fb9ca7e1b48a4b63e609abf94a3681f3eaa10800aa6b517a797d49c48634e7e197c57c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7FIN1.tmp\tuc4.tmp

Filesize
573KB

MD5
829cb872e5ab50dffa84ad86a5551863

SHA1
40c5019bb2bcc2f4e5c88e0e7da2a68d115c54a7

SHA256
bc2fa66c3e9be9e98e6823ffb973dd33ceac5e883c2eaa4f71f68586eca05ece

SHA512
82532bf905e7a1fbdc61984e573d756012bdb9a677fb756617a055f2b167b34e47ab7bfb69053b9d5361a6788be1fbe718403e80aaed3fb45bb9882f6c7b573b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7FIN1.tmp\tuc4.tmp

Filesize
430KB

MD5
6c3dc24491a127b350e84d61f2d7d73f

SHA1
a410483f767b8a0e7d853f987300e9e2829c66b8

SHA256
67b11178c934393076c9a809358701411e7cecfd3105f825bebc97c2e54a8b07

SHA512
9a186a2d61d65ed22286fd4c2e201308e0b8374088935031e9d5998c0c9cd41604f707ebe6fbb1774d2010caf501ba41db475d7eaf04f11de398f1280d47d4cc

Download Submit
\Program Files (x86)\PlayGIF\gifplayer.exe

Filesize
1.4MB

MD5
1612c687b1d60ca93b27f7add3979f0c

SHA1
f91aa6d4b7639fd9ecb9235204400b97e791dfd4

SHA256
43189743f4684e5ad27a0a853b260376ce2b0640ec3f556c1756e15118c71407

SHA512
d75a42586c9f90ef0e269a694dc24c3cd9dba6553ff16fb84b48d80cfbc2aa350524ccc816a2f009bd676531dc5c15c937ef7eb3bb03c8e6762446c1216a3efc

Download Submit
\Users\Admin\AppData\Local\Temp\is-48J68.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-48J68.tmp\_isetup\_isdecmp.dll

Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
\Users\Admin\AppData\Local\Temp\is-48J68.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-7FIN1.tmp\tuc4.tmp

Filesize
526KB

MD5
d8777dd511e08379667932fe6b213c05

SHA1
a31c8edd733bd4bfcadf1adf2faf4eef07d704c4

SHA256
06f27f1cdaf366e6069c0d2c67b3e4947bc93353a21ed24dc23eebc69274121d

SHA512
e5faf654deb73845616f4fb175e23c26b4155948b7b6f0c957972b2a727fae7771d960da62a7114fb558b3dd6848028aa5beae50281aec4e4bd26c3a2e02d14a

Download Submit
memory/584-160-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/584-178-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/584-197-0x0000000002880000-0x000000000291E000-memory.dmp

Filesize
632KB

Download
memory/584-196-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/584-193-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/584-213-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/584-190-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/584-187-0x0000000002880000-0x000000000291E000-memory.dmp

Filesize
632KB

Download
memory/584-200-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/584-184-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/584-210-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/584-164-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/584-206-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/584-166-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/584-203-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/584-170-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/584-171-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/584-174-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/584-175-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/584-181-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/2184-161-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2184-2-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2184-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2236-153-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/2236-158-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/2236-156-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/2236-154-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/2440-151-0x0000000003530000-0x0000000003796000-memory.dmp

Filesize
2.4MB

Download
memory/2440-167-0x0000000003530000-0x0000000003796000-memory.dmp

Filesize
2.4MB

Download
memory/2440-165-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2440-163-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2440-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download