5480df9cd132b06451421d27999536b4866a95286f3e28cbdbaba1851d405f34

Analysis

max time kernel
143s
max time network
148s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
11/12/2023, 19:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tuc5.exe
Size

7.5MB
MD5

5d2c2f6216fb8ed787d1f3ebe34dea37
SHA1

5acabcbf4a6429213854b95bd58ebc5db33c95f2
SHA256

5480df9cd132b06451421d27999536b4866a95286f3e28cbdbaba1851d405f34
SHA512

92e3685ae00d989475d1136a8079fa2b264353313a8a304b009ca7ae30dfde8574d66a786573c325cf8b111e9deea44ed658336478a97d0517e81ef32b1a9965
SSDEEP

196608:3O78pimeIjZMmsj7bXzjl3iT1A9SG7ul2xdVNWiYmJE6RI6zj:+78pimNjMDzjl3dQAdVN1YyRPzj

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3008	tuc5.tmp
1532	gifplayer.exe
1240	gifplayer.exe

Loads dropped DLL 6 IoCs

pid	Process
2232	tuc5.exe
3008	tuc5.tmp
3008	tuc5.tmp
3008	tuc5.tmp
3008	tuc5.tmp
3008	tuc5.tmp

Unexpected DNS network traffic destination 2 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	152.89.198.214
Destination IP	81.31.197.38

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 63 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-0JL7C.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-6ED0R.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-L9C1G.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-5476O.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-PFTE5.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-G6MPH.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-1PGML.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\uninstall\unins000.dat	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\stuff\is-STDCT.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-RFIO2.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-8E4V3.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-JKI8B.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-QS4PH.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-83KUC.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\stuff\is-L8HNQ.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-HOQ17.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-E7H4N.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-3L08R.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-VP0M8.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-I7GV6.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-RJOL7.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-VV18O.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-VSLQV.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-QHL68.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-Q63C4.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-557M4.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-9U7ED.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\uninstall\is-II43K.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-CIJUH.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-LJ90U.tmp	tuc5.tmp
File opened for modification	C:\Program Files (x86)\PlayGIF\uninstall\unins000.dat	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-F2MUI.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-MT1P8.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-33SJB.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-NK1SQ.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-HSP7H.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-488GJ.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\plugins\internal\is-RUMF2.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-9P5RS.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-JEB7S.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-DTT4L.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\stuff\is-4E6RU.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-520V4.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-CCRBS.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-LS3NL.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-HD9ET.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-FNT0M.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\plugins\internal\is-KQTCK.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-9TOV0.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-50JAL.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-3263G.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\stuff\is-JC6F1.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-GC510.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-NGJUR.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\lessmsi\is-AO3J1.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-CP556.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-6B5P1.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-3GLU7.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-LTM0U.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-KFCTB.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\is-6D3M7.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-MMNIU.tmp	tuc5.tmp
File opened for modification	C:\Program Files (x86)\PlayGIF\gifplayer.exe	tuc5.tmp

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3008	tuc5.tmp

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 3008	2232	tuc5.exe	28
PID 2232 wrote to memory of 3008	2232	tuc5.exe	28
PID 2232 wrote to memory of 3008	2232	tuc5.exe	28
PID 2232 wrote to memory of 3008	2232	tuc5.exe	28
PID 2232 wrote to memory of 3008	2232	tuc5.exe	28
PID 2232 wrote to memory of 3008	2232	tuc5.exe	28
PID 2232 wrote to memory of 3008	2232	tuc5.exe	28
PID 3008 wrote to memory of 1928	3008	tuc5.tmp	29
PID 3008 wrote to memory of 1928	3008	tuc5.tmp	29
PID 3008 wrote to memory of 1928	3008	tuc5.tmp	29
PID 3008 wrote to memory of 1928	3008	tuc5.tmp	29
PID 3008 wrote to memory of 1532	3008	tuc5.tmp	31
PID 3008 wrote to memory of 1532	3008	tuc5.tmp	31
PID 3008 wrote to memory of 1532	3008	tuc5.tmp	31
PID 3008 wrote to memory of 1532	3008	tuc5.tmp	31
PID 3008 wrote to memory of 2768	3008	tuc5.tmp	35
PID 3008 wrote to memory of 2768	3008	tuc5.tmp	35
PID 3008 wrote to memory of 2768	3008	tuc5.tmp	35
PID 3008 wrote to memory of 2768	3008	tuc5.tmp	35
PID 3008 wrote to memory of 1240	3008	tuc5.tmp	33
PID 3008 wrote to memory of 1240	3008	tuc5.tmp	33
PID 3008 wrote to memory of 1240	3008	tuc5.tmp	33
PID 3008 wrote to memory of 1240	3008	tuc5.tmp	33
PID 2768 wrote to memory of 1612	2768	net.exe	34
PID 2768 wrote to memory of 1612	2768	net.exe	34
PID 2768 wrote to memory of 1612	2768	net.exe	34
PID 2768 wrote to memory of 1612	2768	net.exe	34

C:\Users\Admin\AppData\Local\Temp\tuc5.exe
"C:\Users\Admin\AppData\Local\Temp\tuc5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\is-L91CC.tmp\tuc5.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-L91CC.tmp\tuc5.tmp" /SL5="$400F0,7611198,68096,C:\Users\Admin\AppData\Local\Temp\tuc5.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Query
    3⤵
    PID:1928
- - C:\Program Files (x86)\PlayGIF\gifplayer.exe
    "C:\Program Files (x86)\PlayGIF\gifplayer.exe" -i
    3⤵
    - Executes dropped EXE
    PID:1532
- - C:\Program Files (x86)\PlayGIF\gifplayer.exe
    "C:\Program Files (x86)\PlayGIF\gifplayer.exe" -s
    3⤵
    - Executes dropped EXE
    PID:1240
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 11
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2768

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 11
1⤵
PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PlayGIF\gifplayer.exe

Filesize
1.3MB

MD5
b0eb742fb90db2f1ebbc66cbbfbc29ff

SHA1
f4f7e8b9a80a1b8b4e1e7a96a649bddda9577101

SHA256
aaad1c3cb8da938164217ee5a916e77d95766c3ed52d0a32b8446decdd0b91f7

SHA512
e6d42eeb8d766a5bbc1cd2db27cf2fc46122fdae3be82a757fcdeb95f159021b0c7b41f89776358b2dc6d4c5a3f43dce510d33c687883230288bab1819916745

Download Submit
C:\Program Files (x86)\PlayGIF\gifplayer.exe

Filesize
41KB

MD5
f74378a0102a5be1b137ac15582f3641

SHA1
5c3c2cfd649c9fa4bf83dc8b06643edd7e9e2314

SHA256
f5f29c537370541111468d9e0a1cc9934643e0fec85b5e83c203dd3208cd74ba

SHA512
31a6c9c3f55d727b79a064c4d493eaa6662880b94ceaa09c60272107e33d86494ccceda74d435951bc93d07974c43eb056bc3d0e6437a55ceec7bde94483c3c8

Download Submit
C:\Program Files (x86)\PlayGIF\gifplayer.exe

Filesize
21KB

MD5
3ad59880034644ba322d23b6f0c6a1b0

SHA1
3b1c413936f54b30e2025c5a60025487746095af

SHA256
03c43e91f110712eaff4749f753c4bdaf9e4b67ae07916d03e8dda4a6c22e03d

SHA512
10df88bdfef439f6de5062b84abf6c02d1497418690708b4986433d1e13ca6658ed5bb06daf091ffe168bc859f9a75e0c7bcdbaa22c2db37f822aed28406884e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-L91CC.tmp\tuc5.tmp

Filesize
687KB

MD5
f448d7f4b76e5c9c3a4eaff16a8b9b73

SHA1
31808f1ffa84c954376975b7cdb0007e6b762488

SHA256
7233b85eb0f8b3aa5cae3811d727aa8742fec4d1091c120a0fe15006f424cc49

SHA512
f8197458cd2764c0b852dac34f9bf361110a7dc86903024a97c7bcd3f77b148342bf45e3c2b60f6af8198ae3b83938dbaad5e007d71a0f88006f3a0618cf36f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-L91CC.tmp\tuc5.tmp

Filesize
16KB

MD5
fcc260261b30f0542422b1c3551eb2be

SHA1
c20a9462bec917c88a7543709a282853074947df

SHA256
eca6f8f17fd22b739529df84a7b8bd7f795930fe966641fc91a9e7ec5b38907a

SHA512
23c8f5da03884d23223211de059a658001ac97d72a924356a491209b2950f50a13e555da364121179fb4ceabdb9f8a2e99ddd25276dd2a93752d7e49b61e96d2

Download Submit
\Program Files (x86)\PlayGIF\gifplayer.exe

Filesize
1.2MB

MD5
f80a3d82869231854cfc425c190395ed

SHA1
c34a3e090b4676dc9e880e3f369c5d0d57cd63c6

SHA256
ba6139f955099343733854b796538757d15e47b41debb87eed847a08cf148a2b

SHA512
abc66203a01df5ec4d6fc9fe20f3f4f96590019eae5c675d6407715cf26c55e400641f6fcfc597a53971fed67cfa3bdf5d0fd2d13c7d8ac0482d17e5c167313b

Download Submit
\Users\Admin\AppData\Local\Temp\is-DGFQE.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-DGFQE.tmp\_isetup\_isdecmp.dll

Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
\Users\Admin\AppData\Local\Temp\is-DGFQE.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-L91CC.tmp\tuc5.tmp

Filesize
45KB

MD5
89fa54616a21ed78122a7d8eed7cf733

SHA1
d7343f206fc2f1e41b5375f00a4a0af43dd82a20

SHA256
f521f5aac473965224b6d7056de202992be49462865981bd5db502e85cd695a0

SHA512
c6dc87d192ab801c67c0b9ff59d0895cedfde59dc75da1d322e9560598b137b53b61bc2512dd0eb0bfc5b1a35d70eb683de3093762005d1fbf849166085d23f5

Download Submit
memory/1240-160-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1240-204-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1240-198-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1240-195-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1240-192-0x00000000028E0000-0x000000000297E000-memory.dmp

Filesize
632KB

Download
memory/1240-191-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1240-188-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1240-201-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1240-210-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1240-162-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1240-207-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1240-183-0x00000000028E0000-0x000000000297E000-memory.dmp

Filesize
632KB

Download
memory/1240-165-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1240-182-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1240-169-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1240-170-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1240-173-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1240-176-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1240-179-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1532-153-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1532-158-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1532-157-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1532-154-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/2232-163-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2232-2-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2232-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3008-152-0x00000000038A0000-0x0000000003B06000-memory.dmp

Filesize
2.4MB

Download
memory/3008-166-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/3008-164-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3008-15-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download