8a5e92a2abef83798bf150c49e4b3e34af2f9104c0cd0d4a2c382b9c9b8b43d6

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231130-en
resource tags

arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
submitted
11/12/2023, 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tuc5.exe
Size

7.5MB
MD5

338541e642a4cf6f111296f49e5839e4
SHA1

5c61c2662070995fbf22ef25c0a623d7c90624af
SHA256

8a5e92a2abef83798bf150c49e4b3e34af2f9104c0cd0d4a2c382b9c9b8b43d6
SHA512

e167572a6f952af80ee7b3246cdc544fb54e6d1c12e4303c29591a51c61007fcbfc01af0c449ea9bed8372421ec99966ff25dcfa0725095c419a25e4e59961b1
SSDEEP

196608:hO78pimeIjZMmsj7bXzjl3iT1A9SG7ul2xdVNWiYmJE6RI6zj:E78pimNjMDzjl3dQAdVN1YyRPzj

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
5020	tuc5.tmp
2728	gifplayer.exe
4512	gifplayer.exe

Loads dropped DLL 3 IoCs

pid	Process
5020	tuc5.tmp
5020	tuc5.tmp
5020	tuc5.tmp

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	152.89.198.214
Destination IP	152.89.198.214
Destination IP	194.49.94.194

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 63 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-U6ED7.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-7BLPO.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\is-NDP8F.tmp	tuc5.tmp
File opened for modification	C:\Program Files (x86)\PlayGIF\uninstall\unins000.dat	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-OJBA3.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\stuff\is-1JR3F.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-53KPO.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-MK70D.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\plugins\internal\is-59A1I.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\stuff\is-T4UV0.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\stuff\is-92T43.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-PBE9V.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-KDLPA.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-RSRV7.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-ABBF8.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-RIUF7.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-CLEH9.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-F87TA.tmp	tuc5.tmp
File opened for modification	C:\Program Files (x86)\PlayGIF\gifplayer.exe	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-128C9.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-R6MU6.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-VVF4T.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-6FJVJ.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-DT8GP.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-LF4KC.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-CN737.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-4RRJB.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-D2RVF.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-EONL0.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-6VB04.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-JL34K.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-K0J27.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-EMLAN.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-1HLKS.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\lessmsi\is-IEMCJ.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\uninstall\is-1ESFD.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-8H0M0.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-GFU8O.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-B07T4.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-7NPQB.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-ULBSR.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-PV0TA.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-93AJB.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\uninstall\unins000.dat	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-0AOJC.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-4B01R.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-NL96D.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-T6OCR.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-K9L1R.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\plugins\internal\is-AVM4M.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\stuff\is-5DPRV.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-IBHM3.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-2R0E8.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-9M29A.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-I6FAB.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-9546K.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-3NDJ8.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-B26J2.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-GO3UE.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-O4CEU.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-NUB6I.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-J17TM.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-5C5SV.tmp	tuc5.tmp

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5020	tuc5.tmp

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 5020	1952	tuc5.exe	45
PID 1952 wrote to memory of 5020	1952	tuc5.exe	45
PID 1952 wrote to memory of 5020	1952	tuc5.exe	45
PID 5020 wrote to memory of 2376	5020	tuc5.tmp	97
PID 5020 wrote to memory of 2376	5020	tuc5.tmp	97
PID 5020 wrote to memory of 2376	5020	tuc5.tmp	97
PID 5020 wrote to memory of 2728	5020	tuc5.tmp	91
PID 5020 wrote to memory of 2728	5020	tuc5.tmp	91
PID 5020 wrote to memory of 2728	5020	tuc5.tmp	91
PID 5020 wrote to memory of 1492	5020	tuc5.tmp	96
PID 5020 wrote to memory of 1492	5020	tuc5.tmp	96
PID 5020 wrote to memory of 1492	5020	tuc5.tmp	96
PID 5020 wrote to memory of 4512	5020	tuc5.tmp	94
PID 5020 wrote to memory of 4512	5020	tuc5.tmp	94
PID 5020 wrote to memory of 4512	5020	tuc5.tmp	94
PID 1492 wrote to memory of 1276	1492	net.exe	95
PID 1492 wrote to memory of 1276	1492	net.exe	95
PID 1492 wrote to memory of 1276	1492	net.exe	95

C:\Users\Admin\AppData\Local\Temp\tuc5.exe
"C:\Users\Admin\AppData\Local\Temp\tuc5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Users\Admin\AppData\Local\Temp\is-QV06U.tmp\tuc5.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-QV06U.tmp\tuc5.tmp" /SL5="$70062,7611198,68096,C:\Users\Admin\AppData\Local\Temp\tuc5.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:5020
- - C:\Program Files (x86)\PlayGIF\gifplayer.exe
    "C:\Program Files (x86)\PlayGIF\gifplayer.exe" -i
    3⤵
    - Executes dropped EXE
    PID:2728
- - C:\Program Files (x86)\PlayGIF\gifplayer.exe
    "C:\Program Files (x86)\PlayGIF\gifplayer.exe" -s
    3⤵
    - Executes dropped EXE
    PID:4512
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 11
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1492
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Query
    3⤵
    PID:2376

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 11
1⤵
PID:1276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PlayGIF\gifplayer.exe

Filesize
375KB

MD5
e19ede1787539e3b6eed0221538a105a

SHA1
402be54b21aec436bdf83b5b2a2bb479f57388d6

SHA256
469e3209ef05e17e162749acd441b20f0c88c2ce6a04588627c7c9e7847f4b7d

SHA512
d94daf15a56429e4da3c81e73d802d898323653842676ab9808a21951eaac5f6209163e59bdad66d471f920bfc2285e39a5ca88484726dfdf667b02b5845c6ac

Download Submit
C:\Program Files (x86)\PlayGIF\gifplayer.exe

Filesize
13KB

MD5
5a9257877307e769ddc71e4c4c15e408

SHA1
181a92bf0d0fe81bf17c30137d84d5c1ddd9d726

SHA256
e6b31da2a06de9f3ef79740c006fdbe05aeccdec2df94a79dc4fed7509faefc6

SHA512
4788cb525054d7bc52b83443fc1f9ed3e45e0115af635086f983defffa5d1b356f6c76febe52d741930f191a27bde6ca3abf7f350356fcab5e7d4366a38b7216

Download Submit
C:\Program Files (x86)\PlayGIF\gifplayer.exe

Filesize
6KB

MD5
66681aa86c7fa81a53acbed5eec3ca64

SHA1
6afec4c7c43fce7b3c56522549408ceefa19eedf

SHA256
f3ac04ae9cbea683aaec5d3a66d2facf7819d5c87ab253c47594d63992c271b5

SHA512
d4fcbe087065184d70790c8957188fdd5de855db62ff44b74222bca62c150a1b4d73385c29201e7128cc77b8cf6d4756de9fa0d601fa88dab381866168353f67

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OFKEB.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OFKEB.tmp\_isetup\_isdecmp.dll

Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QV06U.tmp\tuc5.tmp

Filesize
538KB

MD5
ccf12486294a14975c1102ce08eb4797

SHA1
8730b28653becb335673232aa359a8abe9268553

SHA256
3ede7809636b34ddddf35180bbff39a36ad5e7575294023ba4f97070279498e3

SHA512
681f6f6270946d76bd2f2113129003d2b1087e02dee36116ca54d28f0ef72a472addbefe2141d475757593db5e1eea4527a51f77a883d34fccf0e0d2cd7df0e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QV06U.tmp\tuc5.tmp

Filesize
649KB

MD5
7ff746267a34358452a2ed023aa343e6

SHA1
903983161c02153d0dcc49608b03f7c31c931c56

SHA256
2d885a0c788581250ef2e388f5bccf8dcd14446029e02fa2941ee7a2aa2d59e1

SHA512
e07d2f9337feff17f7cabea4e48697a0951c87fdcd1993491a4ae6fcd50e103f49a06a21ca5a7f2c62f7966f9c81198c0ccb9f30e26f061976a2841e8efd9f2f

Download Submit
memory/1952-2-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1952-160-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1952-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2728-152-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/2728-155-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/2728-151-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/2728-154-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/4512-162-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/4512-179-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/4512-208-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/4512-158-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/4512-205-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/4512-202-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/4512-166-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/4512-167-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/4512-170-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/4512-173-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/4512-176-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/4512-159-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/4512-183-0x0000000000900000-0x000000000099E000-memory.dmp

Filesize
632KB

Download
memory/4512-180-0x0000000000900000-0x000000000099E000-memory.dmp

Filesize
632KB

Download
memory/4512-186-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/4512-189-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/4512-190-0x0000000000900000-0x000000000099E000-memory.dmp

Filesize
632KB

Download
memory/4512-193-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/4512-196-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/4512-199-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/5020-163-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/5020-10-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/5020-161-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download