2701118a934ae7590c7a70e1b30699e6479cbd008ba52050f2bb045d7f789fb3

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
11-12-2023 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tuc5.exe
Size

7.5MB
MD5

bdad1671d0fced667545a53923fedfea
SHA1

8693fd1f0bffc13ff413a0377ffb07559a940200
SHA256

2701118a934ae7590c7a70e1b30699e6479cbd008ba52050f2bb045d7f789fb3
SHA512

e88d8abd45f1a9ab5e56957182dfc47f15b6d5c9d67129b2d9bfa0f2de172a49ddf77fb7c6c010cb7f6b7dad085da298f94700f9c1e0fe95efe46011de3a7b40
SSDEEP

196608:iO78pimeIjZMmsj7bXzjl3iT1A9SG7ul2xdVNWiYmJE6RI6zj:b78pimNjMDzjl3dQAdVN1YyRPzj

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3932	tuc5.tmp
3376	gifplayer.exe
1392	gifplayer.exe

Loads dropped DLL 3 IoCs

pid	Process
3932	tuc5.tmp
3932	tuc5.tmp
3932	tuc5.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	45.155.250.90

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 63 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PlayGIF\uninstall\unins000.dat	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-SD5O4.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-7OUV3.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-1PFEL.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-K1DS4.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-UO888.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-B5NLG.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-GNJ7Q.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-GKRNU.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-N58IU.tmp	tuc5.tmp
File opened for modification	C:\Program Files (x86)\PlayGIF\uninstall\unins000.dat	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-VKHJS.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-LSH4C.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-BBU1U.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\lessmsi\is-T4C8Q.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\stuff\is-2PTK1.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-KK0VI.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-N7NRE.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-LNQ5T.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-IEI66.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-FP3T0.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-P6Q45.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-9CM2P.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\plugins\internal\is-VERHD.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-H2S6F.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\stuff\is-B664D.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\stuff\is-FT17P.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\stuff\is-OHF7P.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-5NSRA.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-BN040.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-98081.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-41171.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-1EKT7.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-F156S.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-HOERI.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\plugins\internal\is-CUM9O.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-TU2BN.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-4HFSR.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-KKO9A.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-KHCF2.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\is-Q2JS6.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-55K42.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-MHM9V.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-2D4IP.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\uninstall\is-UC0L0.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-A3NEL.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-MQ9BQ.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-DJUUC.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-UK1JC.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-7VSPR.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-79G2L.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-GE22U.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-5SOJF.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-S52KR.tmp	tuc5.tmp
File opened for modification	C:\Program Files (x86)\PlayGIF\gifplayer.exe	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-EKR8O.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-UC94G.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-J6LVI.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-I22C2.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-UEINH.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-DL3A9.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-NH0UU.tmp	tuc5.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-9Q7NS.tmp	tuc5.tmp

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3932	tuc5.tmp

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4632 wrote to memory of 3932	4632	tuc5.exe	88
PID 4632 wrote to memory of 3932	4632	tuc5.exe	88
PID 4632 wrote to memory of 3932	4632	tuc5.exe	88
PID 3932 wrote to memory of 4052	3932	tuc5.tmp	91
PID 3932 wrote to memory of 4052	3932	tuc5.tmp	91
PID 3932 wrote to memory of 4052	3932	tuc5.tmp	91
PID 3932 wrote to memory of 3376	3932	tuc5.tmp	92
PID 3932 wrote to memory of 3376	3932	tuc5.tmp	92
PID 3932 wrote to memory of 3376	3932	tuc5.tmp	92
PID 3932 wrote to memory of 2156	3932	tuc5.tmp	96
PID 3932 wrote to memory of 2156	3932	tuc5.tmp	96
PID 3932 wrote to memory of 2156	3932	tuc5.tmp	96
PID 3932 wrote to memory of 1392	3932	tuc5.tmp	95
PID 3932 wrote to memory of 1392	3932	tuc5.tmp	95
PID 3932 wrote to memory of 1392	3932	tuc5.tmp	95
PID 2156 wrote to memory of 3484	2156	net.exe	97
PID 2156 wrote to memory of 3484	2156	net.exe	97
PID 2156 wrote to memory of 3484	2156	net.exe	97

C:\Users\Admin\AppData\Local\Temp\tuc5.exe
"C:\Users\Admin\AppData\Local\Temp\tuc5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4632
- C:\Users\Admin\AppData\Local\Temp\is-CEVQU.tmp\tuc5.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-CEVQU.tmp\tuc5.tmp" /SL5="$70066,7611198,68096,C:\Users\Admin\AppData\Local\Temp\tuc5.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3932
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Query
    3⤵
    PID:4052
- - C:\Program Files (x86)\PlayGIF\gifplayer.exe
    "C:\Program Files (x86)\PlayGIF\gifplayer.exe" -i
    3⤵
    - Executes dropped EXE
    PID:3376
- - C:\Program Files (x86)\PlayGIF\gifplayer.exe
    "C:\Program Files (x86)\PlayGIF\gifplayer.exe" -s
    3⤵
    - Executes dropped EXE
    PID:1392
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 11
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 helpmsg 11
      4⤵
      PID:3484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PlayGIF\gifplayer.exe

Filesize
371KB

MD5
a3916f1f4c54dc1fa28ce96d1c7c6068

SHA1
7f5ab33cb8db83e6adfe2838e5ec5b02faeace9b

SHA256
4738959f22500cd199bb619b85f95e1a96ca705e31e2337453c8214b070a8b40

SHA512
8d5b069c12dd02c05d57f561e6fc3553e93826f3e9dd752a455786baa36a4687eab8f04a962980374bc12a57e780e0a46af6e6bc413cb40edd4ec7ae44001f35

Download Submit
C:\Program Files (x86)\PlayGIF\gifplayer.exe

Filesize
369KB

MD5
535f4436efc2ff3993106971ee181cd9

SHA1
0ddda4a18728137a4112c10a76acce932c327c5b

SHA256
d69b1351eb04eaf99b10c0438554165cce5d2690ef2adc5df9ac6608ce2f40d9

SHA512
e7e2f6fe893ae2c7293103c4bcd30ec1d553c36195c1751cacf16d95a5e40cf4aee838a6f2ea394a8e68b3f38ff7d8924c8fc19b7fd3cbda55e284b473b8f6b1

Download Submit
C:\Program Files (x86)\PlayGIF\gifplayer.exe

Filesize
145KB

MD5
7f73bf3869d5f30d6f32e3cec401610d

SHA1
546c3862b38e0be52e86be8642fa63eb0a656e0b

SHA256
12f3c0dd649b51bd1012ea700724244eef4ad792e5df1ab8f18e559398248f07

SHA512
b92813bec48ebbafa735fe73b3d7dd3eb2621cac1571cde58c1c0c5fa5b9a6c83cc03b889efac3eeaf79ccc30c04808130aecb7d7fc4d006bf142a893ee1f552

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CEVQU.tmp\tuc5.tmp

Filesize
661KB

MD5
98c7c77a6896f717927a15fb050be615

SHA1
43bf78311d7912302a4c5b6ca420f8d127f734ba

SHA256
3f5682cc7963185ac1ea67627f3e11b1ce41aaea04691bec6e5dd141a4e8b563

SHA512
25a8cc44598c25942efa666353fe03c00692c71c6e7afb0b4822ec59871f8bf5e08232b219eb5b84eb86ff7f4bc0ea59c9c65f4e73ff0c4343b7740637b5cfc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CEVQU.tmp\tuc5.tmp

Filesize
383KB

MD5
6c62c77d4ba7682f5c431e6e7cf39805

SHA1
dcc2e996bef7e8c9ff17ca46af18b5a2ef7d79ec

SHA256
a73396f1e014c89b749d08722f33da497a0a5a1a3d0d7d2a03161c6a6fc5156b

SHA512
37fa5731ffb0f487e771fb21630ead51a474b5269111979865f61755e23da26e60a21a5902cbfd34bdc03553b8a9636ebf985464b02dddf327f7a1c295299786

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LUSLC.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LUSLC.tmp\_isetup\_isdecmp.dll

Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
memory/1392-180-0x0000000000830000-0x00000000008CE000-memory.dmp

Filesize
632KB

Download
memory/1392-170-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1392-209-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1392-206-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1392-202-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1392-199-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1392-157-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1392-196-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1392-159-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1392-193-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1392-192-0x0000000000830000-0x00000000008CE000-memory.dmp

Filesize
632KB

Download
memory/1392-162-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1392-189-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1392-166-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1392-167-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1392-186-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1392-173-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1392-176-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1392-179-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1392-181-0x0000000000830000-0x00000000008CE000-memory.dmp

Filesize
632KB

Download
memory/3376-155-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/3376-154-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/3376-152-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/3376-151-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/3932-7-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/3932-163-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/3932-161-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4632-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4632-160-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4632-2-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download