670c53e661d7b4a59476c616f9d391ce943c6ac63d430ec76d99b6e54fa2d524

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231130-en
resource tags

arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
submitted
12/12/2023, 16:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tuc7.exe
Size

7.0MB
MD5

5af1fcb9ad4bdf29b37aeaf5ff636651
SHA1

b0c7eda67bd98e5aae35d6dd045fd6e67e518356
SHA256

670c53e661d7b4a59476c616f9d391ce943c6ac63d430ec76d99b6e54fa2d524
SHA512

88dec474310e8f2b2a7cb62413a836d8722e5ed7339f51c9fafdcb664e58bf3eff131ab0bb517a6dcb12ccda3f00f29d88af5d83c541c60d02133e532a2c80ca
SSDEEP

196608:9xm5Z7xPjWtYOkdHWd1V3GaO4TwWHvzASW8P7Bzj:y7RjWtfj95dLASWyzj

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3420	tuc7.tmp
4660	numgif.exe
2796	numgif.exe

Loads dropped DLL 3 IoCs

pid	Process
3420	tuc7.tmp
3420	tuc7.tmp
3420	tuc7.tmp

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	194.49.94.194
Destination IP	152.89.198.214
Destination IP	194.49.94.194

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 63 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\numGIF\stuff\is-A39U0.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-SHDPT.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-B7CTD.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-4HIUD.tmp	tuc7.tmp
File opened for modification	C:\Program Files (x86)\numGIF\numgif.exe	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\uninstall\is-IKJSS.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-8MP9N.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-8MGL9.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-T5S2S.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-MH19M.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-50MIV.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\plugins\internal\is-E43MT.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-DP4BF.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-5SSM9.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-TRUNR.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-K2SN3.tmp	tuc7.tmp
File opened for modification	C:\Program Files (x86)\numGIF\uninstall\unins000.dat	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\stuff\is-V2JL3.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-Q7VQD.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-MJ87Q.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-7V695.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-F28JC.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-C2TLS.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-P4DRJ.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-T26GQ.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-KFOUM.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-5LB4O.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-JKNF7.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\stuff\is-GHNTG.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-JTTP9.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-MDEC8.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-CC6K4.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\stuff\is-D01IK.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-AN13J.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-DKMOE.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-1TB6I.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-UDEQF.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-QU5PP.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-AAGGH.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-4UV3P.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\is-IUEPJ.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-ELS2B.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-5FJJG.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-8RIS3.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-O17C9.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-T1RN0.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-HJ9AD.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-8PSHL.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-V91SM.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-6UA6N.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-DB14L.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\uninstall\unins000.dat	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-48TUH.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\plugins\internal\is-5EKFV.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-BLKMP.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-AHV64.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-MRNFH.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-ADFRP.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\lessmsi\is-MJQLS.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-NG9Q9.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-4H12U.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-UKKJU.tmp	tuc7.tmp
File created	C:\Program Files (x86)\numGIF\bin\x86\is-KL6J3.tmp	tuc7.tmp

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3420	tuc7.tmp

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 868 wrote to memory of 3420	868	tuc7.exe	87
PID 868 wrote to memory of 3420	868	tuc7.exe	87
PID 868 wrote to memory of 3420	868	tuc7.exe	87
PID 3420 wrote to memory of 5000	3420	tuc7.tmp	92
PID 3420 wrote to memory of 5000	3420	tuc7.tmp	92
PID 3420 wrote to memory of 5000	3420	tuc7.tmp	92
PID 3420 wrote to memory of 4660	3420	tuc7.tmp	94
PID 3420 wrote to memory of 4660	3420	tuc7.tmp	94
PID 3420 wrote to memory of 4660	3420	tuc7.tmp	94
PID 3420 wrote to memory of 796	3420	tuc7.tmp	97
PID 3420 wrote to memory of 796	3420	tuc7.tmp	97
PID 3420 wrote to memory of 796	3420	tuc7.tmp	97
PID 3420 wrote to memory of 2796	3420	tuc7.tmp	96
PID 3420 wrote to memory of 2796	3420	tuc7.tmp	96
PID 3420 wrote to memory of 2796	3420	tuc7.tmp	96
PID 796 wrote to memory of 4008	796	net.exe	98
PID 796 wrote to memory of 4008	796	net.exe	98
PID 796 wrote to memory of 4008	796	net.exe	98

C:\Users\Admin\AppData\Local\Temp\tuc7.exe
"C:\Users\Admin\AppData\Local\Temp\tuc7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:868
- C:\Users\Admin\AppData\Local\Temp\is-1V68Q.tmp\tuc7.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-1V68Q.tmp\tuc7.tmp" /SL5="$40206,7089240,121856,C:\Users\Admin\AppData\Local\Temp\tuc7.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3420
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Query
    3⤵
    PID:5000
- - C:\Program Files (x86)\numGIF\numgif.exe
    "C:\Program Files (x86)\numGIF\numgif.exe" -i
    3⤵
    - Executes dropped EXE
    PID:4660
- - C:\Program Files (x86)\numGIF\numgif.exe
    "C:\Program Files (x86)\numGIF\numgif.exe" -s
    3⤵
    - Executes dropped EXE
    PID:2796
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 12
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:796
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 helpmsg 12
      4⤵
      PID:4008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\numGIF\numgif.exe

Filesize
1.3MB

MD5
14d2d06d611c89a20030ce9c65d007e5

SHA1
747d243c6b7fc5a4c1997c5c184f90f52a2ae1ca

SHA256
dabcc2f1b9a3f4e6fd201c47a5f0595eae35c48ebc469d7d1f0fd5ff66df4ff9

SHA512
569f9fbcb5d36551dee9a3947eba91dcb74e6c7e98bab12dfc1ecde30560ab9a50ce268f551d09ba7b1bbec5c1b5dbc092a5b53352a9645c0de7fb153cccbe68

Download Submit
C:\Program Files (x86)\numGIF\numgif.exe

Filesize
429KB

MD5
a64818d861794c755d8e719363fa4984

SHA1
a28e140dc1b07e2585a324aba3adfb0b50b83fd9

SHA256
0f7cb5aed266e7d46d4ff5591efae3c3eb278e4aed5ba31c5461d42a3ae738ce

SHA512
4d40ebccaf0d3ede31ff61c6355e16ece304939c5495a45b51bfed270f5123a1cd27f33d1260f5012666abfe7404bf9691f60a455def09a9eed3571bf67172b3

Download Submit
C:\Program Files (x86)\numGIF\numgif.exe

Filesize
273KB

MD5
b90326c50c6c3cf8e71be029b28b5448

SHA1
04f313e35f23469f442709860b1a552b9bb0c79c

SHA256
8aa3dc5ca5ad81a696d03ca01d7e9a36d398484866e912aa0a8794974ea2c0d3

SHA512
759d013c4ca93a9e8bd6171f5581ea2d3c1dccc4dfbfb512a125bb1bb4771b935911740c31d8a58080aaf38348a9368e9c438cc15b6ecabb5912b9714d07a9a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1V68Q.tmp\tuc7.tmp

Filesize
47KB

MD5
db6ccc61a989efbfd166a982ea8fb916

SHA1
dbae8e4a5e8064950dd4f5cc21587e5c3243f3ab

SHA256
f48e0d193c9d1b4215aadb393808e7c03d9959112ffca2c8ba179a7c919e3c68

SHA512
67c13e327d70e9c02384d05018e534866cb7f291b0195545afbd8bd605743496c525741779dbfd5c864ef0d60e1dabddb809210dfcc08c07c732ca6fb8deebdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1V68Q.tmp\tuc7.tmp

Filesize
73KB

MD5
a24ae7f88a59a60a6bad8fd8e2685a89

SHA1
9e161bb190bd1fc43fc21b878324e2058ff4b003

SHA256
9b98e46b107920127341891bf1ced434435ffad5fb225d668a191902917eee87

SHA512
c19e9b1ada6326aa504f2933eb83d1ec07368f1ebf6b8078c752e8353ed8d46d821f345a713023a307e612f1e24f42d85cd59af4cef423c6d27a237cb7da6fd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EHQC0.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EHQC0.tmp\_isetup\_isdecmp.dll

Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
memory/868-2-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/868-0-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/868-160-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2796-162-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2796-189-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2796-208-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2796-205-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2796-157-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2796-159-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2796-202-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2796-199-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2796-196-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2796-193-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2796-166-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2796-167-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2796-170-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2796-173-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2796-176-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2796-179-0x0000000000750000-0x00000000007EE000-memory.dmp

Filesize
632KB

Download
memory/2796-182-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2796-183-0x0000000000750000-0x00000000007EE000-memory.dmp

Filesize
632KB

Download
memory/2796-186-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/2796-190-0x0000000000750000-0x00000000007EE000-memory.dmp

Filesize
632KB

Download
memory/3420-163-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/3420-10-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/3420-161-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4660-154-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/4660-151-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/4660-152-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/4660-155-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download