72cb051b8ab0fd53c7c7c0ca35b81579f588a191aab4a55b7398637fdaa6f331

Analysis

max time kernel
145s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
12/12/2023, 15:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tuc4.exe
Size

7.1MB
MD5

7e62d85a76a1757805e381e57ac8fd23
SHA1

5578e71d218f6444b882a608b0f56a39b95954d3
SHA256

72cb051b8ab0fd53c7c7c0ca35b81579f588a191aab4a55b7398637fdaa6f331
SHA512

850063fb6311f082ebdc127b5587e72ebe3b52d226b6c2e6d99ad82737c9a3a7499283c87490e06457875953f3d8e9877cf0570e6852ca9d9f58e195444bca3e
SSDEEP

196608:Sxm5D5YUyRe7VvZKwamjGKAVW7R+gSoASGm8PvsLMwzj:ERepZKwaS79SoASGDP0Qwzj

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4512	tuc4.tmp
3668	numgif.exe
3548	numgif.exe

Loads dropped DLL 3 IoCs

pid	Process
4512	tuc4.tmp
4512	tuc4.tmp
4512	tuc4.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	45.155.250.90

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 63 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\numGIF\bin\x86\is-SVQQI.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-1LERP.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-PM418.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-07KTC.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-TITAL.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-RSU7N.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-NFMQK.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-77U74.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-SE73M.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-MPPII.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-1KUDQ.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\plugins\internal\is-SNEA6.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-NNJLO.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-P88D6.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-P3EJ1.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-OURPK.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\stuff\is-OG86U.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-BK0BQ.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-7EJFB.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-FE70E.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\stuff\is-2D4S2.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-ILIKS.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-DIOJJ.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-UOMKI.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\is-EE1N3.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-HPP1F.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-FL8OG.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-SHC4E.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-RHAEA.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-D2CMU.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-L7UOJ.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-HLACI.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-P0CT9.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-EPSTO.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-6NLMP.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-RT3B2.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\plugins\internal\is-J6O1B.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\stuff\is-7JVRU.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-V5PGA.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-FSCFK.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-55UAQ.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-AU54V.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-NOU3K.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\lessmsi\is-R0IFN.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-3AE9H.tmp	tuc4.tmp
File opened for modification	C:\Program Files (x86)\numGIF\uninstall\unins000.dat	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-BHCUK.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-ECRGB.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-04K32.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-368PE.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\uninstall\is-Q2FJB.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-H9HOU.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-P5H5R.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-0LO5J.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-H6H8U.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-HGMVK.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-EUV9E.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\stuff\is-GCKGK.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-J2K2G.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-IQATB.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-CRAG9.tmp	tuc4.tmp
File created	C:\Program Files (x86)\numGIF\uninstall\unins000.dat	tuc4.tmp
File opened for modification	C:\Program Files (x86)\numGIF\numgif.exe	tuc4.tmp

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4512	tuc4.tmp

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 4512	1780	tuc4.exe	90
PID 1780 wrote to memory of 4512	1780	tuc4.exe	90
PID 1780 wrote to memory of 4512	1780	tuc4.exe	90
PID 4512 wrote to memory of 4900	4512	tuc4.tmp	92
PID 4512 wrote to memory of 4900	4512	tuc4.tmp	92
PID 4512 wrote to memory of 4900	4512	tuc4.tmp	92
PID 4512 wrote to memory of 3668	4512	tuc4.tmp	94
PID 4512 wrote to memory of 3668	4512	tuc4.tmp	94
PID 4512 wrote to memory of 3668	4512	tuc4.tmp	94
PID 4512 wrote to memory of 2616	4512	tuc4.tmp	97
PID 4512 wrote to memory of 2616	4512	tuc4.tmp	97
PID 4512 wrote to memory of 2616	4512	tuc4.tmp	97
PID 4512 wrote to memory of 3548	4512	tuc4.tmp	95
PID 4512 wrote to memory of 3548	4512	tuc4.tmp	95
PID 4512 wrote to memory of 3548	4512	tuc4.tmp	95
PID 2616 wrote to memory of 3360	2616	net.exe	98
PID 2616 wrote to memory of 3360	2616	net.exe	98
PID 2616 wrote to memory of 3360	2616	net.exe	98

C:\Users\Admin\AppData\Local\Temp\tuc4.exe
"C:\Users\Admin\AppData\Local\Temp\tuc4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Users\Admin\AppData\Local\Temp\is-5BGUS.tmp\tuc4.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-5BGUS.tmp\tuc4.tmp" /SL5="$F0040,7235080,121856,C:\Users\Admin\AppData\Local\Temp\tuc4.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Query
    3⤵
    PID:4900
- - C:\Program Files (x86)\numGIF\numgif.exe
    "C:\Program Files (x86)\numGIF\numgif.exe" -i
    3⤵
    - Executes dropped EXE
    PID:3668
- - C:\Program Files (x86)\numGIF\numgif.exe
    "C:\Program Files (x86)\numGIF\numgif.exe" -s
    3⤵
    - Executes dropped EXE
    PID:3548
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 12
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 helpmsg 12
      4⤵
      PID:3360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\numGIF\numgif.exe

Filesize
160KB

MD5
458294ef4af96b0177b325580dfbb0c4

SHA1
6679ccc83277ef65e9041c507cd40f4bb641ed32

SHA256
965a8ac9034d2e292c31cb4f093602a569bc5501637bc6b61db05dc4b83e1b3e

SHA512
70129b23f1c9fe2e3f96e5e3cacae75f82777e403d554e3f3657dd3f28053e82e9b1e6f1cb05dcd269511d5d2a0b5d6b0b9ee34ce04b19f74b5f8cb3c1828653

Download Submit
C:\Program Files (x86)\numGIF\numgif.exe

Filesize
421KB

MD5
5abc192b9ae2ac1e2cfa7a067fe8a102

SHA1
09691ed0900a3f862101de4e4931f4f55caf62ac

SHA256
5bc0f03d2a9440f93350a5268a11dea4d2d25280093657e26bb6e12f35aba3ce

SHA512
f5c068a53f694285d5a8d7de10651fb0b465a1f4021de4b2c6e89e334e5f946f2337504f5318fc48703a2e6aa60ee6c24300dac865e187b63c8501e4bf59918a

Download Submit
C:\Program Files (x86)\numGIF\numgif.exe

Filesize
1.2MB

MD5
f54ab8fbca31c55090125786a423aab9

SHA1
63913cddbd5efbf87b07e571d2f87d761235ee53

SHA256
e834db8a2a743de1a6ec8f191c6392b4960be08e826735b4062864fef2bb529d

SHA512
ca9cb08a30d23ccd7cb7d96e3c091527993d1bc010faa19e06f04621f6cd2ed088ef130f2d286bcef0d787c4bf86e51716a99b13f48b6ad6ed57665e6b0d1f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5BGUS.tmp\tuc4.tmp

Filesize
601KB

MD5
54de2c479b28f0a18f95baa7d43dab4a

SHA1
4ee1d14469099150377c594cdd05283b4aeab8f5

SHA256
587b1b11dda9e96b0cd69a8ba1ca8380f447255688c81c3fe202c71d81371d24

SHA512
82120e2d42c8c16101698391e9ff8c9db7a1c01f4c462fdcdfb5522d1a628e8192b9f7b449de00a6c556c21de9307f9c3e4a47289f33b071626e15db398e2cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5BGUS.tmp\tuc4.tmp

Filesize
44KB

MD5
bd9122e6046b16d2292f92a164c99c65

SHA1
fa5a53f8f6dc5ef7cb36b4ad069b4c3adee6ee1a

SHA256
e537c72d2a0f6aed30c65e40dd7bc7c0fa71fdd7487b536ab6a1d6164301b88a

SHA512
b476b46dc9a8ae1052bfeddfcff7ae696b0c5c9d130b6ca1b234a945258b07196371e1f7a63519ce3d7e82d576766004fe7dffa4d68063729eb11d5c27b32510

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D3LOS.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D3LOS.tmp\_isetup\_isdecmp.dll

Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
memory/1780-2-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1780-0-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1780-160-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3548-185-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/3548-189-0x0000000000950000-0x00000000009EE000-memory.dmp

Filesize
632KB

Download
memory/3548-208-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/3548-205-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/3548-157-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/3548-159-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/3548-202-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/3548-198-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/3548-162-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/3548-195-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/3548-166-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/3548-167-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/3548-170-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/3548-173-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/3548-176-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/3548-179-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/3548-180-0x0000000000950000-0x00000000009EE000-memory.dmp

Filesize
632KB

Download
memory/3548-192-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/3548-188-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/3668-154-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/3668-151-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/3668-152-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/3668-155-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/4512-7-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/4512-163-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/4512-161-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download