0a86a03eb33ca09a55c10959585ba22b57d7b6c5d773f3fb3aa7185a621a6931

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
12/12/2023, 14:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

tuc6.exe
Size

7.2MB
MD5

fb2c214d6b896feb0b4c3703e57119cb
SHA1

45e41993b9bdbfd172d09e72061fa738e3b353a3
SHA256

0a86a03eb33ca09a55c10959585ba22b57d7b6c5d773f3fb3aa7185a621a6931
SHA512

ba1139d3247a7fe12f744dfb370ceddb21db13d2123b0c11f114c2ddc938bb64e6545b1343f031022c40c836e0eb1ff484df0871b997e91e6a696f699e7fbdcd
SSDEEP

196608:Pxm56Uu8mvAF2l3qqRHw/djqMJueNbMvn+pXnhH5RCLK5Ehezj:Qul8A3nHwljqMksY/4p5RC25qezj

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2232	tuc6.tmp
1660	numgif.exe
2780	numgif.exe

Loads dropped DLL 6 IoCs

pid	Process
2976	tuc6.exe
2232	tuc6.tmp
2232	tuc6.tmp
2232	tuc6.tmp
2232	tuc6.tmp
2232	tuc6.tmp

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	45.155.250.90
Destination IP	152.89.198.214
Destination IP	194.49.94.194

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 63 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\numGIF\bin\x86\is-41PT0.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-7R045.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-ANBAJ.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-M1485.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-PNKA0.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-5GN0K.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\stuff\is-EHAIF.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-4O2OK.tmp	tuc6.tmp
File opened for modification	C:\Program Files (x86)\numGIF\numgif.exe	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-MCAL1.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-E593D.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\stuff\is-E3D6U.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-RSD2Q.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\plugins\internal\is-BVES1.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-8DTGM.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-UUVQB.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-KHQVR.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-G41US.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-AHJD0.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-BH8QT.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-TPTVV.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-NC8LT.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\uninstall\is-AIDKJ.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-9IRPU.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-0VN83.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\uninstall\unins000.dat	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-IQ71O.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-AFITR.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-73O31.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-TCVGU.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-4BP7L.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-012I0.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\is-07USS.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-UNEND.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-5G2BK.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-5KORK.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-OP2DL.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-DSI50.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-QEDGD.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-710ER.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-1MLAL.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-V20I1.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-HFC50.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-I9EEB.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-OB56C.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-OFFD5.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-JG3FU.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-SV18C.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-25NEC.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-JUG8Q.tmp	tuc6.tmp
File opened for modification	C:\Program Files (x86)\numGIF\uninstall\unins000.dat	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-OE80K.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-8UH1L.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-PV3QC.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\lessmsi\is-RHJJE.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-3SQ4B.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-TN7CC.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\stuff\is-UG8VT.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-FS5T8.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-BST2M.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\plugins\internal\is-A6FSS.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\stuff\is-JS8U0.tmp	tuc6.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-NG9ED.tmp	tuc6.tmp

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2232	tuc6.tmp

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2232	2976	tuc6.exe	28
PID 2976 wrote to memory of 2232	2976	tuc6.exe	28
PID 2976 wrote to memory of 2232	2976	tuc6.exe	28
PID 2976 wrote to memory of 2232	2976	tuc6.exe	28
PID 2976 wrote to memory of 2232	2976	tuc6.exe	28
PID 2976 wrote to memory of 2232	2976	tuc6.exe	28
PID 2976 wrote to memory of 2232	2976	tuc6.exe	28
PID 2232 wrote to memory of 2036	2232	tuc6.tmp	29
PID 2232 wrote to memory of 2036	2232	tuc6.tmp	29
PID 2232 wrote to memory of 2036	2232	tuc6.tmp	29
PID 2232 wrote to memory of 2036	2232	tuc6.tmp	29
PID 2232 wrote to memory of 1660	2232	tuc6.tmp	30
PID 2232 wrote to memory of 1660	2232	tuc6.tmp	30
PID 2232 wrote to memory of 1660	2232	tuc6.tmp	30
PID 2232 wrote to memory of 1660	2232	tuc6.tmp	30
PID 2232 wrote to memory of 2772	2232	tuc6.tmp	32
PID 2232 wrote to memory of 2772	2232	tuc6.tmp	32
PID 2232 wrote to memory of 2772	2232	tuc6.tmp	32
PID 2232 wrote to memory of 2772	2232	tuc6.tmp	32
PID 2232 wrote to memory of 2780	2232	tuc6.tmp	33
PID 2232 wrote to memory of 2780	2232	tuc6.tmp	33
PID 2232 wrote to memory of 2780	2232	tuc6.tmp	33
PID 2232 wrote to memory of 2780	2232	tuc6.tmp	33
PID 2772 wrote to memory of 2836	2772	net.exe	34
PID 2772 wrote to memory of 2836	2772	net.exe	34
PID 2772 wrote to memory of 2836	2772	net.exe	34
PID 2772 wrote to memory of 2836	2772	net.exe	34

C:\Users\Admin\AppData\Local\Temp\tuc6.exe
"C:\Users\Admin\AppData\Local\Temp\tuc6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Users\Admin\AppData\Local\Temp\is-OGE5N.tmp\tuc6.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-OGE5N.tmp\tuc6.tmp" /SL5="$4010A,7260641,121856,C:\Users\Admin\AppData\Local\Temp\tuc6.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Query
    3⤵
    PID:2036
- - C:\Program Files (x86)\numGIF\numgif.exe
    "C:\Program Files (x86)\numGIF\numgif.exe" -i
    3⤵
    - Executes dropped EXE
    PID:1660
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 12
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 helpmsg 12
      4⤵
      PID:2836
- - C:\Program Files (x86)\numGIF\numgif.exe
    "C:\Program Files (x86)\numGIF\numgif.exe" -s
    3⤵
    - Executes dropped EXE
    PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\numGIF\numgif.exe

Filesize
105KB

MD5
2b1fbb0a161b62db10b329dd74f63b7e

SHA1
5b5239625c4f79275ae3883c2bcab5bff0c6940d

SHA256
73bbb2fe50ace92ec33131917601be8ae1cfe59671a50d3e49e56253cf8a114c

SHA512
492235df9937cd0f612ca3abc082903017aee73baa39ab75fc47afaf513b850f957e460f024b3dee21748fdd9b92a097bf86802f541e6ed4953f85975fdcd36b

Download Submit
C:\Program Files (x86)\numGIF\numgif.exe

Filesize
1.1MB

MD5
b1bf5e04fb98ef87d328c0b2283f1988

SHA1
8502d344292c746ba1951cb5028f1d9a27b03f50

SHA256
57a450be2a8577b3e79a6dc08a9f1f57cfd7bc7bfdb0cc4057a8b1ee35b8bafd

SHA512
eb0c1464ab77957f8372f5a2ac9f0c1c81e7e1d5505ce7bebe4f04ea9e37f8e0f0895b47fba39d355b1a714c1101d1cc7ab71f77d1eba22e2c9dded03322fe24

Download Submit
C:\Program Files (x86)\numGIF\numgif.exe

Filesize
715KB

MD5
9ccc296a257c59ee3700bd440bb9be12

SHA1
60e806155b2eebb4c40a69de327e7cf387335d45

SHA256
6145e84471a63d8405b7e5dee8650aa889d5253ada90cee5d2a5b633f4b6bbcb

SHA512
232825e6fec3cd1a6d236fd4805decbd79d699aa21d84f8caa117f3eed593739cc13e03984f4d5880e39a0f4f262e66e2049c26160192f68741e497895a91925

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OGE5N.tmp\tuc6.tmp

Filesize
611KB

MD5
7e1f6cf1e87ed42d62f2e5aa6386ff7e

SHA1
5c666c6a1acf480028b7251dc2fc23819f5d02cf

SHA256
847c7bf37ec1c30bef1e62b31902f3ab837a78dbbcf0b9d9d3fa3b872e2b60b8

SHA512
b10fd642599aa7a842b391d55d8791a18712fe41395de9383c86a3838e0a060042f2a15c12b9a01854cdda9398c725fae7d788c9a5d706c8696dac3e82eb7541

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OGE5N.tmp\tuc6.tmp

Filesize
687KB

MD5
25d89e5ca3c04d6f7fda01c1e5734f2b

SHA1
a0a9a15646c5ee8ae235c24709a775b26ccbc25a

SHA256
df0147be9de19af0f5c6583c819496ae01c8ee77a029ef08645e5c3727a712ec

SHA512
5d72c4dff6a7141f247b08ac9d2c028433c2d546e196793e833ed07b31e1665d8cc20347688408e4171ea3000186a1471a7299db0c9e130f9650bc88867212f6

Download Submit
\Program Files (x86)\numGIF\numgif.exe

Filesize
218KB

MD5
7aa5be9d92ce57dc2841e13ea17c68b0

SHA1
8a2044081f5da9dc0b8f3fb5fe94e968ce59e80d

SHA256
389a193f1d2333ea0f49b0cf45e2f496cbf3a7cbaa6e90b7833f8b4ea54467d1

SHA512
04627c4ad6554af11497cd1e4ea70e114430a7de00ac2ad5aae6e8e51a53b114643603a652eb0d86b1a05481e321677496e69d8e408fdafb3ee82a6fe2d94bcf

Download Submit
\Users\Admin\AppData\Local\Temp\is-MOM59.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-MOM59.tmp\_isetup\_isdecmp.dll

Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
\Users\Admin\AppData\Local\Temp\is-MOM59.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-OGE5N.tmp\tuc6.tmp

Filesize
687KB

MD5
f448d7f4b76e5c9c3a4eaff16a8b9b73

SHA1
31808f1ffa84c954376975b7cdb0007e6b762488

SHA256
7233b85eb0f8b3aa5cae3811d727aa8742fec4d1091c120a0fe15006f424cc49

SHA512
f8197458cd2764c0b852dac34f9bf361110a7dc86903024a97c7bcd3f77b148342bf45e3c2b60f6af8198ae3b83938dbaad5e007d71a0f88006f3a0618cf36f4

Download Submit
memory/1660-153-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/1660-157-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/1660-158-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/1660-154-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/2232-11-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2232-152-0x0000000003740000-0x0000000003969000-memory.dmp

Filesize
2.2MB

Download
memory/2232-169-0x0000000003740000-0x0000000003969000-memory.dmp

Filesize
2.2MB

Download
memory/2232-164-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2232-166-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2780-184-0x0000000002640000-0x00000000026DE000-memory.dmp

Filesize
632KB

Download
memory/2780-199-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/2780-165-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/2780-162-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/2780-160-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/2780-170-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/2780-171-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/2780-174-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/2780-177-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/2780-180-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/2780-183-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/2780-211-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/2780-189-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/2780-192-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/2780-193-0x0000000002640000-0x00000000026DE000-memory.dmp

Filesize
632KB

Download
memory/2780-196-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/2780-208-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/2780-202-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/2780-205-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/2976-163-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2976-1-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download