a8c1ac9575fbacb880b46937828bcf41f54e7734a3871f5bbaa2ca5f704c913f

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
12/12/2023, 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tuc3.exe
Size

7.2MB
MD5

a5c73f548d3ecf47fdbb6d2f5c3f93d8
SHA1

f5bec713ca192b58a310f0130a9f484ecd556db6
SHA256

a8c1ac9575fbacb880b46937828bcf41f54e7734a3871f5bbaa2ca5f704c913f
SHA512

8d5ab8cad1d90b6d137674946723a6586f100c3bf4000ae20e815cb771253f7f6810f83e3a2946a92c0bdf711fad1e3130d3307b34e9f73f08965fc0af2eedb3
SSDEEP

196608:ixm50EF70ZaWLZ97vnC8LpS7+bI9cpSzj:8Et0Zak7aIA7kSzj

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1232	tuc3.tmp
2540	numgif.exe
2656	numgif.exe

Loads dropped DLL 6 IoCs

pid	Process
2040	tuc3.exe
1232	tuc3.tmp
1232	tuc3.tmp
1232	tuc3.tmp
1232	tuc3.tmp
1232	tuc3.tmp

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	194.49.94.194
Destination IP	141.98.234.31
Destination IP	152.89.198.214

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 63 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\numGIF\bin\x86\is-5NBE9.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-BQ2BL.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-T6NFK.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-KMUVB.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-5676S.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-I70KB.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-T8P3N.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-IQMV9.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-RUAP4.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\uninstall\is-BCN8H.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\stuff\is-V8SQ5.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-UCNFH.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-SIN44.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-LS4IR.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\lessmsi\is-88FIK.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-PAR50.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-HM6E1.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-I8NO7.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-AKIJ7.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-LCLHL.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-3AD0J.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-E7GSJ.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\plugins\internal\is-QH4H6.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-FAB14.tmp	tuc3.tmp
File opened for modification	C:\Program Files (x86)\numGIF\numgif.exe	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-VR47P.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-UVGHC.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-6ACFF.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-8VCRJ.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-AO4IR.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\uninstall\unins000.dat	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-DI90P.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-7G66B.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-G8JN0.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-AL5IL.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\is-JK746.tmp	tuc3.tmp
File opened for modification	C:\Program Files (x86)\numGIF\uninstall\unins000.dat	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\stuff\is-CQEOH.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-TS4QR.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-P95NN.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-ADKDD.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-LQ9F1.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-LDP76.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-0BT57.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-H5T1G.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-QGDKS.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-1OVNS.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\stuff\is-3NVFK.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-587AV.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-NS7AE.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-26J03.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-J6RCI.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\stuff\is-0FDV9.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-65PL2.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-8TGNS.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-9H7CI.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-S7D37.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-08H7V.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-HUB7J.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-5TII7.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-RTV8A.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-AHM6G.tmp	tuc3.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\plugins\internal\is-02KQK.tmp	tuc3.tmp

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1232	tuc3.tmp

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 1232	2040	tuc3.exe	28
PID 2040 wrote to memory of 1232	2040	tuc3.exe	28
PID 2040 wrote to memory of 1232	2040	tuc3.exe	28
PID 2040 wrote to memory of 1232	2040	tuc3.exe	28
PID 2040 wrote to memory of 1232	2040	tuc3.exe	28
PID 2040 wrote to memory of 1232	2040	tuc3.exe	28
PID 2040 wrote to memory of 1232	2040	tuc3.exe	28
PID 1232 wrote to memory of 1760	1232	tuc3.tmp	29
PID 1232 wrote to memory of 1760	1232	tuc3.tmp	29
PID 1232 wrote to memory of 1760	1232	tuc3.tmp	29
PID 1232 wrote to memory of 1760	1232	tuc3.tmp	29
PID 1232 wrote to memory of 2540	1232	tuc3.tmp	30
PID 1232 wrote to memory of 2540	1232	tuc3.tmp	30
PID 1232 wrote to memory of 2540	1232	tuc3.tmp	30
PID 1232 wrote to memory of 2540	1232	tuc3.tmp	30
PID 1232 wrote to memory of 2568	1232	tuc3.tmp	34
PID 1232 wrote to memory of 2568	1232	tuc3.tmp	34
PID 1232 wrote to memory of 2568	1232	tuc3.tmp	34
PID 1232 wrote to memory of 2568	1232	tuc3.tmp	34
PID 1232 wrote to memory of 2656	1232	tuc3.tmp	33
PID 1232 wrote to memory of 2656	1232	tuc3.tmp	33
PID 1232 wrote to memory of 2656	1232	tuc3.tmp	33
PID 1232 wrote to memory of 2656	1232	tuc3.tmp	33
PID 2568 wrote to memory of 1904	2568	net.exe	35
PID 2568 wrote to memory of 1904	2568	net.exe	35
PID 2568 wrote to memory of 1904	2568	net.exe	35
PID 2568 wrote to memory of 1904	2568	net.exe	35

C:\Users\Admin\AppData\Local\Temp\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\is-MTGDU.tmp\tuc3.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-MTGDU.tmp\tuc3.tmp" /SL5="$4014E,7257737,121856,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Query
    3⤵
    PID:1760
- - C:\Program Files (x86)\numGIF\numgif.exe
    "C:\Program Files (x86)\numGIF\numgif.exe" -i
    3⤵
    - Executes dropped EXE
    PID:2540
- - C:\Program Files (x86)\numGIF\numgif.exe
    "C:\Program Files (x86)\numGIF\numgif.exe" -s
    3⤵
    - Executes dropped EXE
    PID:2656
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 12
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 helpmsg 12
      4⤵
      PID:1904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\numGIF\numgif.exe

Filesize
1.9MB

MD5
2359cb01f16c0e385014e5be4a2496dc

SHA1
21efe8fdb26f7a9be4e3da38e87705d21e80f16e

SHA256
83f72f2a992c3bc896c33aa164ec329b807cee2591a6b8b50de94dd753e3ed1a

SHA512
2da16f7ba8c1bfd7dfc98141013d66827f8ac812bf9db3b73c00049ab5a7b32dbe82d7ca3f6eca58893e5590f46cb8ce3943300f452753b772ae10ffe368385c

Download Submit
C:\Program Files (x86)\numGIF\numgif.exe

Filesize
100KB

MD5
a9e9f9995433b5ecbf1104bc95bf2371

SHA1
b6f9e7a61557a04d981c7f129ea63dc8ef0b5f90

SHA256
768cfbc47557bf89714c566d239fd3aada5f576c20df43e253fd023afc86e635

SHA512
0c4f21d96cac44c4ad754854d6c8cad0c7c2d1de10ad6ece0fdcdbd6f211abce180a65ea17c7b1d8409e8316b748a867a9797b270eae9d4b92ca9386cb926b47

Download Submit
C:\Program Files (x86)\numGIF\numgif.exe

Filesize
49KB

MD5
60884b909cdf786617b22e6ca2fbd12b

SHA1
5e6650b411b8709676cbdcbec3368bb8b505bcfb

SHA256
b558104d86af32edbd90076d8556761cc71928366d0615f33a3d2d87a3ca59b1

SHA512
7d2497f9c83b9c61e85ee7236ddb91ccda328c305fed7b77a0b4138369697371049fd26f207cc8830a25d3d4a67362ada66655cd775519a2079811fd956199e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MTGDU.tmp\tuc3.tmp

Filesize
342KB

MD5
d438c1476509945f90fe70458b6d905b

SHA1
576bd797a58b28a40490d438614d857352a0507b

SHA256
c22c387f36b5b3ecbade01d992b2ba9de28d75ab0e9ae97bbfbafc860fbd353b

SHA512
2de915be3cbe480b11b740ac615b3844e4e3ab4c30f78a8dade8c353139817fbdc8a513eaf095a930229e7e948531214ea87a902decd2bf692dcfb393ba0ea65

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MTGDU.tmp\tuc3.tmp

Filesize
319KB

MD5
1b9322e1b7d0cd5b10198d1b7bd0a3ab

SHA1
7a8d5323a587e72845c3ae7cdd17cf0959fd2bd7

SHA256
b73c52a7dd931ab38abf89dc2ae65efbfb6c02d20627ca03b5223413983d53d1

SHA512
618af962d39ce6235f646c987691c6943b040c6f271d859d69dc820bf38d8da7b0df50e6ffc7a3c44fb05396b5e078b1aaf86e3c3f1ce9a71d0b45784518ecff

Download Submit
\Program Files (x86)\numGIF\numgif.exe

Filesize
1.6MB

MD5
8419bbe752e4f8bbfc28850811e56d52

SHA1
280216275235d8b6c0315d245f58deaadc88ce10

SHA256
97496f3d00096ca921d220e10554b259853ee0ed1698ba5359cc28c4ddf3e833

SHA512
3c2f53fb4dece9040e09ae5dea4cb9573d12bff344c230656f97633b54317f7203c42d2597190a541d58004acdc7bd64644c6fa1ed348572aad90e88f13042f2

Download Submit
\Users\Admin\AppData\Local\Temp\is-K5K59.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-K5K59.tmp\_isetup\_isdecmp.dll

Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
\Users\Admin\AppData\Local\Temp\is-K5K59.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-MTGDU.tmp\tuc3.tmp

Filesize
299KB

MD5
add22dd2d4d2028dde80e2321fd05b1c

SHA1
6d7359e8f59b0ec77e8b38efe748c9d5a784d4dc

SHA256
893c76126cd0889fcf8cfed0e90dfad35bbdbe331cc843ca4857f678aad1b52d

SHA512
bfd059dce6206ec164f7a35901258684527d360229d9acccc0030df6cde426819b3b9644116a0dff58720a4b7831c18c82ca578dcc2e2bec8d68b396ff80c412

Download Submit
memory/1232-16-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1232-152-0x0000000003770000-0x0000000003999000-memory.dmp

Filesize
2.2MB

Download
memory/1232-166-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1232-164-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1232-169-0x0000000003770000-0x0000000003999000-memory.dmp

Filesize
2.2MB

Download
memory/2040-163-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2040-0-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2040-2-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2540-153-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/2540-158-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/2540-157-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/2540-154-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/2656-177-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/2656-184-0x0000000002640000-0x00000000026DE000-memory.dmp

Filesize
632KB

Download
memory/2656-162-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/2656-170-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/2656-171-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/2656-174-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/2656-160-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/2656-180-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/2656-183-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/2656-165-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/2656-187-0x0000000002640000-0x00000000026DE000-memory.dmp

Filesize
632KB

Download
memory/2656-190-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/2656-193-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/2656-194-0x0000000002640000-0x00000000026DE000-memory.dmp

Filesize
632KB

Download
memory/2656-197-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/2656-200-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/2656-203-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/2656-206-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/2656-209-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/2656-212-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download