8a5e92a2abef83798bf150c49e4b3e34af2f9104c0cd0d4a2c382b9c9b8b43d6

Analysis

max time kernel
143s
max time network
149s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
11/12/2023, 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tuc5.exe
Size

7.5MB
MD5

338541e642a4cf6f111296f49e5839e4
SHA1

5c61c2662070995fbf22ef25c0a623d7c90624af
SHA256

8a5e92a2abef83798bf150c49e4b3e34af2f9104c0cd0d4a2c382b9c9b8b43d6
SHA512

e167572a6f952af80ee7b3246cdc544fb54e6d1c12e4303c29591a51c61007fcbfc01af0c449ea9bed8372421ec99966ff25dcfa0725095c419a25e4e59961b1
SSDEEP

196608:hO78pimeIjZMmsj7bXzjl3iT1A9SG7ul2xdVNWiYmJE6RI6zj:E78pimNjMDzjl3dQAdVN1YyRPzj

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1876	tuc5.tmp
1968	gifplayer.exe
1356	gifplayer.exe

Loads dropped DLL 6 IoCs

pid	Process
2032	tuc5.exe
1876	tuc5.tmp
1876	tuc5.tmp
1876	tuc5.tmp
1876	tuc5.tmp
1876	tuc5.tmp

Unexpected DNS network traffic destination 2 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	194.49.94.194
Destination IP	152.89.198.214

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 63 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PlayGIF\uninstall\unins000.dat	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\stuff\is-D14EC.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-VOUCJ.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-T8LUQ.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-016UA.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-38BR0.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-O8O06.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-V0GTL.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-E3G5T.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-HV2G6.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-Q4DDB.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-MJJIM.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-CIPEB.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-RM3I0.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-AH68M.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-QSKS6.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-91FN7.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-IV6QD.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-3ORFM.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-SHSBQ.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-NDGC7.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-HRR1A.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-NF339.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-3AM0K.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-NVFO0.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-F9JMH.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-BFBD1.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-0H9CG.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\uninstall\is-TL7DC.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\stuff\is-64A06.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-604J3.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-F0HGQ.tmp	tuc5.tmp
File opened for modification	C:\Program Files (x86)\PlayGIF\gifplayer.exe	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-6RAHT.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-JLHI4.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-9TT8I.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-V5G45.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\stuff\is-0K79H.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-8SLA1.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-RG92P.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-LV5OO.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\plugins\internal\is-MF8TT.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\stuff\is-G7M0J.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-ELCHL.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-06A1L.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-GPVR9.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-9PJR2.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-I3DR1.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-R9S7D.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-3NEJ5.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-QQBLG.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-5L5HH.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-LG9RB.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-P1SLE.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-7Q5FK.tmp	tuc5.tmp
File opened for modification	C:\Program Files (x86)\PlayGIF\uninstall\unins000.dat	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-EMIBE.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\plugins\internal\is-EH4FE.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-QLPEH.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\is-AO5JH.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-RQG7H.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-U9FVM.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\lessmsi\is-OG8M7.tmp	tuc5.tmp

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1876	tuc5.tmp

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 1876	2032	tuc5.exe	28
PID 2032 wrote to memory of 1876	2032	tuc5.exe	28
PID 2032 wrote to memory of 1876	2032	tuc5.exe	28
PID 2032 wrote to memory of 1876	2032	tuc5.exe	28
PID 2032 wrote to memory of 1876	2032	tuc5.exe	28
PID 2032 wrote to memory of 1876	2032	tuc5.exe	28
PID 2032 wrote to memory of 1876	2032	tuc5.exe	28
PID 1876 wrote to memory of 2548	1876	tuc5.tmp	29
PID 1876 wrote to memory of 2548	1876	tuc5.tmp	29
PID 1876 wrote to memory of 2548	1876	tuc5.tmp	29
PID 1876 wrote to memory of 2548	1876	tuc5.tmp	29
PID 1876 wrote to memory of 1968	1876	tuc5.tmp	31
PID 1876 wrote to memory of 1968	1876	tuc5.tmp	31
PID 1876 wrote to memory of 1968	1876	tuc5.tmp	31
PID 1876 wrote to memory of 1968	1876	tuc5.tmp	31
PID 1876 wrote to memory of 1964	1876	tuc5.tmp	35
PID 1876 wrote to memory of 1964	1876	tuc5.tmp	35
PID 1876 wrote to memory of 1964	1876	tuc5.tmp	35
PID 1876 wrote to memory of 1964	1876	tuc5.tmp	35
PID 1876 wrote to memory of 1356	1876	tuc5.tmp	33
PID 1876 wrote to memory of 1356	1876	tuc5.tmp	33
PID 1876 wrote to memory of 1356	1876	tuc5.tmp	33
PID 1876 wrote to memory of 1356	1876	tuc5.tmp	33
PID 1964 wrote to memory of 1524	1964	net.exe	34
PID 1964 wrote to memory of 1524	1964	net.exe	34
PID 1964 wrote to memory of 1524	1964	net.exe	34
PID 1964 wrote to memory of 1524	1964	net.exe	34

C:\Users\Admin\AppData\Local\Temp\tuc5.exe
"C:\Users\Admin\AppData\Local\Temp\tuc5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Local\Temp\is-6C3HJ.tmp\tuc5.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-6C3HJ.tmp\tuc5.tmp" /SL5="$50026,7611198,68096,C:\Users\Admin\AppData\Local\Temp\tuc5.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Query
    3⤵
    PID:2548
- - C:\Program Files (x86)\PlayGIF\gifplayer.exe
    "C:\Program Files (x86)\PlayGIF\gifplayer.exe" -i
    3⤵
    - Executes dropped EXE
    PID:1968
- - C:\Program Files (x86)\PlayGIF\gifplayer.exe
    "C:\Program Files (x86)\PlayGIF\gifplayer.exe" -s
    3⤵
    - Executes dropped EXE
    PID:1356
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 11
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1964

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 11
1⤵
PID:1524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PlayGIF\gifplayer.exe

Filesize
468KB

MD5
208c3a3331104c8ed23a3569b9435aa1

SHA1
15f2d73415361d331c9d9e777efa401e8d7166f7

SHA256
ef955c45c0d3fdd23aa6a7b4ee4f175e1e2b23b89b8e711a46d8df7d1b54d1c5

SHA512
baa888c5cd90a5bd218ecfe69b5989243a8d0633b155f1696d2be3e25abcc6e96200b880f4d7d54cd02436556dfc2878dc5f882c0b5d740a4f25e737dfd71d8b

Download Submit
C:\Program Files (x86)\PlayGIF\gifplayer.exe

Filesize
60KB

MD5
e666c9049892e413606b2dd0eca89734

SHA1
f003f174f7978ae17fd236682e76c0f42ca1a1b2

SHA256
8257f17221c914e9f53551e9f2cd72868bde7087cd7b6e752a623e03bb47929a

SHA512
7f5307f14cadc563db7eb8496d40c030c80ad6244838b7d1687491297a5786e1a2936f66bde833ed3eb590e0b2a5f890296405e6436c255d531b7faba12d3aab

Download Submit
C:\Program Files (x86)\PlayGIF\gifplayer.exe

Filesize
71KB

MD5
fc85beb4141968e21568ca379999e0bd

SHA1
8721419d133088c86ec5a521236f0e341f7797ee

SHA256
f7270234c8c3315d627c12b9b84349d4bf24fd77dfb6f0dd98c6a632040ba9d0

SHA512
b417de46a5c531c31f1b00a194597b0e0a968402a36bd038881b9cecdde0e64597f8672958fb250b1da90093f365481a26316ecf28a2e42c10ba5c5437ce023c

Download Submit
\Program Files (x86)\PlayGIF\gifplayer.exe

Filesize
1.4MB

MD5
29a06e80e4228721b6ff5e9096bcdd55

SHA1
d859faa8a1a15f885ff6f0969b1cb2f297629923

SHA256
95eed7cbea556fca64a8c28f775b96bfd3cab4e5c02928462616dd62b3d6c6f3

SHA512
cc177dc78a85e410097977149c99a95c3d1f2dc465152466635e3302728025d76e7a1798136e2517122af0042a6b6adaec2527e5d3b51e607ca3f1458c3525c6

Download Submit
\Users\Admin\AppData\Local\Temp\is-6C3HJ.tmp\tuc5.tmp

Filesize
687KB

MD5
f448d7f4b76e5c9c3a4eaff16a8b9b73

SHA1
31808f1ffa84c954376975b7cdb0007e6b762488

SHA256
7233b85eb0f8b3aa5cae3811d727aa8742fec4d1091c120a0fe15006f424cc49

SHA512
f8197458cd2764c0b852dac34f9bf361110a7dc86903024a97c7bcd3f77b148342bf45e3c2b60f6af8198ae3b83938dbaad5e007d71a0f88006f3a0618cf36f4

Download Submit
\Users\Admin\AppData\Local\Temp\is-LMJTE.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-LMJTE.tmp\_isetup\_isdecmp.dll

Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
\Users\Admin\AppData\Local\Temp\is-LMJTE.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/1356-180-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1356-189-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1356-211-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1356-208-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1356-205-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1356-202-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1356-160-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1356-199-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1356-196-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1356-162-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1356-193-0x00000000027A0000-0x000000000283E000-memory.dmp

Filesize
632KB

Download
memory/1356-192-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1356-165-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1356-184-0x00000000027A0000-0x000000000283E000-memory.dmp

Filesize
632KB

Download
memory/1356-183-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1356-170-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1356-171-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1356-174-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1356-177-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1876-166-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1876-167-0x0000000003740000-0x00000000039A6000-memory.dmp

Filesize
2.4MB

Download
memory/1876-164-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1876-18-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1876-151-0x0000000003740000-0x00000000039A6000-memory.dmp

Filesize
2.4MB

Download
memory/1968-153-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1968-154-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1968-158-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1968-157-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/2032-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2032-163-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2032-3-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download