846d963b3be07336806e9a35ec551588e1cc8eac3cc74fffedb2b16635ab5fe3

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231130-en
resource tags

arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
submitted
11/12/2023, 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tuc5.exe
Size

7.5MB
MD5

7e4edc7bfc3e78389f6ec517f55b56a9
SHA1

9b267a42749d9118e9f95aae9a908e3b9d0d88dc
SHA256

846d963b3be07336806e9a35ec551588e1cc8eac3cc74fffedb2b16635ab5fe3
SHA512

cd051c58d5bd118eb7f071315660eead841ba3070731e54647f4358bd815c49d1f2ac1178fdf39e3719657b058719be25cca27791086eb5e76d5bd1f9013ac29
SSDEEP

196608:DO78pimeIjZMmsj7bXzjl3iT1A9SG7ul2xdVNWiYmJE6RI6zj:a78pimNjMDzjl3dQAdVN1YyRPzj

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2732	tuc5.tmp
4816	gifplayer.exe
4300	gifplayer.exe

Loads dropped DLL 3 IoCs

pid	Process
2732	tuc5.tmp
2732	tuc5.tmp
2732	tuc5.tmp

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	152.89.198.214
Destination IP	152.89.198.214
Destination IP	194.49.94.194

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 63 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-FCUTP.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\lessmsi\is-QAKB6.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-GO279.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-QNVPJ.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-SQIH4.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-K2ES3.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-5J5TE.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-Q7V31.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-S7URP.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\plugins\internal\is-T5AD9.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-HO9KO.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-2E3OI.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-SJ72V.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-24KQI.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-GTD4E.tmp	tuc5.tmp
File opened for modification	C:\Program Files (x86)\PlayGIF\gifplayer.exe	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\uninstall\is-G4073.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-S8NPT.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-MQK4K.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-82VAU.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-7U3EQ.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\stuff\is-P5BN9.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-AF948.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-513FH.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-3TQ69.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-BV0UB.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-P2G8L.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-TPOQP.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-E3NC5.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-FDJ18.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\stuff\is-S84G6.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-5GSOU.tmp	tuc5.tmp
File opened for modification	C:\Program Files (x86)\PlayGIF\uninstall\unins000.dat	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-4944O.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-MR32S.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-FAL53.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-996S6.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-4PK2T.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-16PMI.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-OEC9C.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\uninstall\unins000.dat	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-CIBRD.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-QUQPL.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-7FQ8A.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\plugins\internal\is-RQSL9.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\stuff\is-4I3OR.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-273E2.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-8IGQV.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-8023L.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-16CAE.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-S6M5V.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-AA5SC.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\stuff\is-1HPCC.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-5SEN2.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-SFID5.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-8S7K1.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-VPLOU.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\is-EA5VO.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-MC8LD.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-MR3UD.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-R565O.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-94RPE.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-CSSSG.tmp	tuc5.tmp

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2732	tuc5.tmp

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 5060 wrote to memory of 2732	5060	tuc5.exe	87
PID 5060 wrote to memory of 2732	5060	tuc5.exe	87
PID 5060 wrote to memory of 2732	5060	tuc5.exe	87
PID 2732 wrote to memory of 1984	2732	tuc5.tmp	91
PID 2732 wrote to memory of 1984	2732	tuc5.tmp	91
PID 2732 wrote to memory of 1984	2732	tuc5.tmp	91
PID 2732 wrote to memory of 4816	2732	tuc5.tmp	92
PID 2732 wrote to memory of 4816	2732	tuc5.tmp	92
PID 2732 wrote to memory of 4816	2732	tuc5.tmp	92
PID 2732 wrote to memory of 5080	2732	tuc5.tmp	96
PID 2732 wrote to memory of 5080	2732	tuc5.tmp	96
PID 2732 wrote to memory of 5080	2732	tuc5.tmp	96
PID 2732 wrote to memory of 4300	2732	tuc5.tmp	95
PID 2732 wrote to memory of 4300	2732	tuc5.tmp	95
PID 2732 wrote to memory of 4300	2732	tuc5.tmp	95
PID 5080 wrote to memory of 3076	5080	net.exe	97
PID 5080 wrote to memory of 3076	5080	net.exe	97
PID 5080 wrote to memory of 3076	5080	net.exe	97

C:\Users\Admin\AppData\Local\Temp\tuc5.exe
"C:\Users\Admin\AppData\Local\Temp\tuc5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Users\Admin\AppData\Local\Temp\is-KLATG.tmp\tuc5.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-KLATG.tmp\tuc5.tmp" /SL5="$B0068,7611198,68096,C:\Users\Admin\AppData\Local\Temp\tuc5.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Query
    3⤵
    PID:1984
- - C:\Program Files (x86)\PlayGIF\gifplayer.exe
    "C:\Program Files (x86)\PlayGIF\gifplayer.exe" -i
    3⤵
    - Executes dropped EXE
    PID:4816
- - C:\Program Files (x86)\PlayGIF\gifplayer.exe
    "C:\Program Files (x86)\PlayGIF\gifplayer.exe" -s
    3⤵
    - Executes dropped EXE
    PID:4300
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 11
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5080
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 helpmsg 11
      4⤵
      PID:3076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PlayGIF\gifplayer.exe

Filesize
105KB

MD5
7172241fb107c6b36663e5fcbacea180

SHA1
4d2b03a25bb83169203ceb49e0e91dd6e3bd17ce

SHA256
e911ad76695578ef34e3fc0ba0f5dbe766e730bce2d91d755395f363559bb318

SHA512
d4e86f1139844ef480dfa77aa4c5daa40a39a01ef204096fefd5a9ba054341160edbaa74f2c61b9074025983945bcad1f08105782f9151c4b1dd2ed20aca0da2

Download Submit
C:\Program Files (x86)\PlayGIF\gifplayer.exe

Filesize
570KB

MD5
af8df8e2b72f2a37d49683fb03276ffa

SHA1
8c08694b868b8ef0fd7929328598802da5b29aad

SHA256
240754780a6a2a7989b2bc3ad5b428748517291315213af4163a4e6a9f8d5cc3

SHA512
a71b9c5ffcde4773a7969518c8bd5d3241450512f7cabc0f015c82cc6039e56a5b24307466952dbe5122878031c5c746fdffc3928f1f9bb96d639e20ace39f82

Download Submit
C:\Program Files (x86)\PlayGIF\gifplayer.exe

Filesize
174KB

MD5
f6ee0f262b706568df95c4f951e86222

SHA1
34eb439e3827d643126b64ea21b4576c3c9acfb5

SHA256
7349b1cdc6a036efc0243b8016b017f2fc629db9fd6e2d3df728081deca697b4

SHA512
8e528a64432751073462234484ea98b7acc16b709a1d9b99c355cd68538ad81686ef92c5d93c2367b92aa34f113045d111c38c99393553e9b29ea5c363c4091c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2838U.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2838U.tmp\_isetup\_isdecmp.dll

Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KLATG.tmp\tuc5.tmp

Filesize
504KB

MD5
172fba39a259769fb956e412c027d6ce

SHA1
b90e9e0c66ffd9e032daf48cae133a882381bc8e

SHA256
b5f5bf166acb5828fb7a49137365686b20066bd0ef216f27d7022ec5d7ef7ee2

SHA512
ae2411d6e45755350d7ae0bb93b65384a32e298a33b2aa380cb5dc6ee51d760bad5cc23d3c6348c51884dcc2ad3c58ff20f7d7945ac558156fb53c85d1669f73

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KLATG.tmp\tuc5.tmp

Filesize
613KB

MD5
8429a2f2e70edccf17a0ad82e285cce9

SHA1
ab67da61d67f3f95e46460e95320bd3f6defdaa3

SHA256
bf2ef06feeb47a0fbc58787590f3d970744c3cec9043b91596a234ee4d30c7cd

SHA512
24d63eaf1fa582458914ba8b2ed2c6d02a2aa1006db5b165a2a03426e6267d74836b45fa47f9cb41c3cc574c16d238410cf357a54c211d2e1aefadbc9bffd31f

Download Submit
memory/2732-162-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download
memory/2732-10-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download
memory/2732-160-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4300-178-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/4300-175-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/4300-206-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/4300-203-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/4300-158-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/4300-200-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/4300-197-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/4300-161-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/4300-194-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/4300-165-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/4300-166-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/4300-169-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/4300-172-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/4300-191-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/4300-188-0x0000000000940000-0x00000000009DE000-memory.dmp

Filesize
632KB

Download
memory/4300-179-0x0000000000940000-0x00000000009DE000-memory.dmp

Filesize
632KB

Download
memory/4300-184-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/4300-187-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/4816-154-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/4816-152-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/4816-151-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/4816-155-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/5060-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5060-2-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5060-159-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download