336175427d72d0d3c9e6358c5cc4b1a4059bffc471687a1d4f9411b28f4b376c

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231130-en
resource tags

arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
submitted
11/12/2023, 19:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tuc7.exe
Size

7.5MB
MD5

c84dde359b0a69f3ca9d995b21ffe1d4
SHA1

383971a7b38dc9d926da52afab0c53a5ed308f29
SHA256

336175427d72d0d3c9e6358c5cc4b1a4059bffc471687a1d4f9411b28f4b376c
SHA512

9a158db4298a7c67acaca80dfabfe7e322df9464b3e446227869e37aeae1abc03ce0688280ef59ae1696874f82ff95d624395470f488101f25e2a2877dea0311
SSDEEP

196608:MWc5A2XV/1qTZGgnkphp0rAwZYGespRHDfY5cdV4qCzj:wDFyOTpBsLp1c5SV4qCzj

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4556	tuc7.tmp
1400	gifplayer.exe
3168	gifplayer.exe

Loads dropped DLL 3 IoCs

pid	Process
4556	tuc7.tmp
4556	tuc7.tmp
4556	tuc7.tmp

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	45.155.250.90
Destination IP	152.89.198.214
Destination IP	194.49.94.194

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 63 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-L5DC8.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-AHT5R.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\is-LTHSU.tmp	tuc7.tmp
File opened for modification	C:\Program Files (x86)\PlayGIF\gifplayer.exe	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-53QVE.tmp	tuc7.tmp
File opened for modification	C:\Program Files (x86)\PlayGIF\uninstall\unins000.dat	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-PFERH.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-F1BQI.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-R5JU8.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-0VNI3.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-NO24A.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-3KLD9.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-SEDUK.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-JJRJV.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-4VO94.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\plugins\internal\is-1ITD2.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-085G4.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-F4TCF.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-AI657.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-VRSLR.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-2N2B4.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-UE4J0.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-9QTVF.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-SCN7I.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\lessmsi\is-1TCHA.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\stuff\is-PH16V.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-2NT2Q.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-G2AJ3.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-15EPC.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-S5H8E.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-HEI7E.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-94I44.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-HTF28.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-5KP5O.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-FVNBR.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-HVP2U.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-2CT00.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-LQ5L0.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-3BA15.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-QA1LK.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\uninstall\is-QSPFH.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-BJ72Q.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-V97FD.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-LLKMQ.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-JE0DM.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-MK0P4.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\plugins\internal\is-FT21E.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-M2QNC.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-L2S7E.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-7LSOR.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-6IA4P.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\stuff\is-R5AHI.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-KP671.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-QKH8D.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\stuff\is-MLNHA.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\stuff\is-8SGN7.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-7RRM4.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-T9THS.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\uninstall\unins000.dat	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-JH4S4.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-ETQNH.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-PPA66.tmp	tuc7.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-CIRTI.tmp	tuc7.tmp

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4556	tuc7.tmp

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 4556	1416	tuc7.exe	41
PID 1416 wrote to memory of 4556	1416	tuc7.exe	41
PID 1416 wrote to memory of 4556	1416	tuc7.exe	41
PID 4556 wrote to memory of 2908	4556	tuc7.tmp	93
PID 4556 wrote to memory of 2908	4556	tuc7.tmp	93
PID 4556 wrote to memory of 2908	4556	tuc7.tmp	93
PID 4556 wrote to memory of 1400	4556	tuc7.tmp	91
PID 4556 wrote to memory of 1400	4556	tuc7.tmp	91
PID 4556 wrote to memory of 1400	4556	tuc7.tmp	91
PID 4556 wrote to memory of 4248	4556	tuc7.tmp	97
PID 4556 wrote to memory of 4248	4556	tuc7.tmp	97
PID 4556 wrote to memory of 4248	4556	tuc7.tmp	97
PID 4556 wrote to memory of 3168	4556	tuc7.tmp	96
PID 4556 wrote to memory of 3168	4556	tuc7.tmp	96
PID 4556 wrote to memory of 3168	4556	tuc7.tmp	96
PID 4248 wrote to memory of 3956	4248	net.exe	95
PID 4248 wrote to memory of 3956	4248	net.exe	95
PID 4248 wrote to memory of 3956	4248	net.exe	95

C:\Users\Admin\AppData\Local\Temp\tuc7.exe
"C:\Users\Admin\AppData\Local\Temp\tuc7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Users\Admin\AppData\Local\Temp\is-EMO7K.tmp\tuc7.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-EMO7K.tmp\tuc7.tmp" /SL5="$6011C,7612629,68096,C:\Users\Admin\AppData\Local\Temp\tuc7.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4556
- - C:\Program Files (x86)\PlayGIF\gifplayer.exe
    "C:\Program Files (x86)\PlayGIF\gifplayer.exe" -i
    3⤵
    - Executes dropped EXE
    PID:1400
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Query
    3⤵
    PID:2908
- - C:\Program Files (x86)\PlayGIF\gifplayer.exe
    "C:\Program Files (x86)\PlayGIF\gifplayer.exe" -s
    3⤵
    - Executes dropped EXE
    PID:3168
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 11
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4248

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 11
1⤵
PID:3956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PlayGIF\gifplayer.exe

Filesize
43KB

MD5
f720a1372f268b91488c2dc19bcb8523

SHA1
6904b8ed1589792fc4122a43f6e0a111ad992208

SHA256
ffb3f9fc24108e31016ab85625d3c6ef428138a1b74212cc4a206ebfdc94736d

SHA512
9ea788daf5d9194e1edeb5932cbb66867b506b2de9e28b0013eef2836945e2c42f7b5cf935ee611b5881eca199a9064689c7d20a176e493b6f8ff61e31eadf60

Download Submit
C:\Program Files (x86)\PlayGIF\gifplayer.exe

Filesize
32KB

MD5
f6a0d62169339e7db5428ef7f8e75926

SHA1
c269272b5d46e8e043152b2da3e544e023acb256

SHA256
d0da8f083ffe8ab2c1a9edb4aec3fc23d1797fa49b3370936df2324d48790584

SHA512
79bbb130200e973000212d8498e63d2bf691dc3cc47e19ff9f8b86530649e2ecbb867646ae6f19ebd73d7d8c87c76c834445f71eb40b00e45f8c16851dd659d2

Download Submit
C:\Program Files (x86)\PlayGIF\gifplayer.exe

Filesize
195KB

MD5
dbcd6e702c13409486b76e1dcd01e33e

SHA1
7e1989ae786fd786293213ced2daa3a8149d65fd

SHA256
5f97a319325d637d0a3aa1c8bfd407d7a1045c9cb36c660eeae2e1395ef98ca3

SHA512
3b73476f94a481c7d84be449899b603cd6b928935f5ad40b1bfc1b9077fe8d9f22cd7479f8e9f61dfdd7fcffcc695d18a996f61d8f0f30a0f207e0e85c4ccce5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BBGEQ.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BBGEQ.tmp\_isetup\_isdecmp.dll

Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EMO7K.tmp\tuc7.tmp

Filesize
496KB

MD5
10230d3c5191a17ad24e28250d51bdf6

SHA1
c357e9028e387a54a720366598f946bc5d860bff

SHA256
1fcbd23fd65f4be1d524ba8c974c24f9288377adaa28714089c9343bad5ac45c

SHA512
cf87bc9527373c21a3f26c219334323101ae9f6570ceee08b4d1dfafc2da3e920ff87b31f823da5370ac1b769965aa0962da2f9ca0d77355b7ac9a21b9037df0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EMO7K.tmp\tuc7.tmp

Filesize
235KB

MD5
b739ba021858cff9768f74f85c41124f

SHA1
749b405e7c9d2d591c07f277e73448caf7704b0b

SHA256
de684b43b4d1f00618ac3951aadd48dba59d6548d7f7d4680ca5405cdd2a2c56

SHA512
777737cd0b21a67ed8bdbc8b455a96f46d6654dea7cfc45c931e12de902862693ec8d84529d747041101ff512eb34cb7e6cf900e1216414f91eb8ddb51793e1a

Download Submit
memory/1400-152-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1400-154-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1400-151-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1416-2-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1416-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1416-158-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3168-160-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/3168-178-0x00000000009C0000-0x0000000000A5E000-memory.dmp

Filesize
632KB

Download
memory/3168-157-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/3168-206-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/3168-203-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/3168-164-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/3168-165-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/3168-168-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/3168-171-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/3168-174-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/3168-177-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/3168-200-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/3168-179-0x00000000009C0000-0x0000000000A5E000-memory.dmp

Filesize
632KB

Download
memory/3168-184-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/3168-187-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/3168-188-0x00000000009C0000-0x0000000000A5E000-memory.dmp

Filesize
632KB

Download
memory/3168-191-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/3168-194-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/3168-197-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/4556-159-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4556-161-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/4556-13-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download