daa74b36d89c37396f2df487ad202f513ea6779793e7a3fc6243d33d8f82fbea

General

Target

tuc4.exe
Size

4.5MB
MD5

84beecea8a3b79b1a0993c5efe787ea8
SHA1

8f82b68359bc4e4e4a3d4f082d5d3825bebc1049
SHA256

daa74b36d89c37396f2df487ad202f513ea6779793e7a3fc6243d33d8f82fbea
SHA512

96da6b8e83610c976df3de06b683f82eea1dd7905cde2def92ef673c8edd05e49137de7f7cc75f59ba84bef31c879f8d3e5de67f40ec55f06cb7a64a5482e540
SSDEEP

98304:Q9rs7Swve6EwRuh50lRkmNOz7bbd+2OKbZ7+KSkmVFWajbdl4dm8:wo16wOqE7OiCKSFWajRl4dD

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2780	tuc4.tmp
4476	pip-master-std-lib.exe
2528	pip-master-std-lib.exe

Loads dropped DLL 3 IoCs

pid	Process
2780	tuc4.tmp
2780	tuc4.tmp
2780	tuc4.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2780	tuc4.tmp

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4544 wrote to memory of 2780	4544	tuc4.exe	96
PID 4544 wrote to memory of 2780	4544	tuc4.exe	96
PID 4544 wrote to memory of 2780	4544	tuc4.exe	96
PID 2780 wrote to memory of 2756	2780	tuc4.tmp	99
PID 2780 wrote to memory of 2756	2780	tuc4.tmp	99
PID 2780 wrote to memory of 2756	2780	tuc4.tmp	99
PID 2780 wrote to memory of 4476	2780	tuc4.tmp	101
PID 2780 wrote to memory of 4476	2780	tuc4.tmp	101
PID 2780 wrote to memory of 4476	2780	tuc4.tmp	101
PID 2756 wrote to memory of 4588	2756	net.exe	102
PID 2756 wrote to memory of 4588	2756	net.exe	102
PID 2756 wrote to memory of 4588	2756	net.exe	102
PID 2780 wrote to memory of 2528	2780	tuc4.tmp	103
PID 2780 wrote to memory of 2528	2780	tuc4.tmp	103
PID 2780 wrote to memory of 2528	2780	tuc4.tmp	103

C:\Users\Admin\AppData\Local\Temp\tuc4.exe
"C:\Users\Admin\AppData\Local\Temp\tuc4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4544
- C:\Users\Admin\AppData\Local\Temp\is-E76UR.tmp\tuc4.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-E76UR.tmp\tuc4.tmp" /SL5="$6011A,4463955,54272,C:\Users\Admin\AppData\Local\Temp\tuc4.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 153
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 helpmsg 153
      4⤵
      PID:4588
- - C:\Users\Admin\AppData\Local\PIP Master std lib\pip-master-std-lib.exe
    "C:\Users\Admin\AppData\Local\PIP Master std lib\pip-master-std-lib.exe" -i
    3⤵
    - Executes dropped EXE
    PID:4476
- - C:\Users\Admin\AppData\Local\PIP Master std lib\pip-master-std-lib.exe
    "C:\Users\Admin\AppData\Local\PIP Master std lib\pip-master-std-lib.exe" -s
    3⤵
    - Executes dropped EXE
    PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\PIP Master std lib\pip-master-std-lib.exe

Filesize
1.2MB

MD5
b2f674e28e2f50ad732b01634260eb5f

SHA1
92a11ab5d536a3fe01a0cdf8b50ca044dcced05f

SHA256
a14b9c633ce91f1a659757481b024b275a8ca0cc5eb59a7b24dc6453454061e4

SHA512
9bf21365d88333993e86cb646c9160e1e38d1956b320966c93600395a233e2f8df85ae08dbee6f4c1246616778ee80621c8d154eeb00e2218e6014097eef2253

Download Submit
C:\Users\Admin\AppData\Local\PIP Master std lib\pip-master-std-lib.exe

Filesize
1024KB

MD5
07c2626d79fb09833814f3e6afa3b695

SHA1
094c79dc6129e4c0f786e484762499c5d3f19b02

SHA256
4255c8d5020ee092d4ee10faebb4403323720586a0eae15f54ee3377ccaf2280

SHA512
750d017efee8201521d154bbea8109a548d7d1b0b1ed3306f2c486353b6c7d2d12b60c950d99ba29de308e0b3aada40dfc7a030cc0ccc332e4a39f2df6343c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-E76UR.tmp\tuc4.tmp

Filesize
688KB

MD5
a7662827ecaeb4fc68334f6b8791b917

SHA1
f93151dd228d680aa2910280e51f0a84d0cad105

SHA256
05f159722d6905719d2d6f340981a293f40ab8a0d2d4a282c948066809d4af6d

SHA512
e9880b3f3ec9201e59114850e9c570d0ad6d3b0e04c60929a03cf983c62c505fcb6bb9dc3adeee88c78d43bd484159626b4a2f000a34b8883164c263f21e6f4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FEV33.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FEV33.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
memory/2528-161-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/2528-158-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/2528-155-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/2528-152-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/2528-150-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/2528-148-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/2528-145-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/2780-12-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/2780-10-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2780-33-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/2780-30-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2780-136-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2780-32-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2780-28-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4476-135-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/4476-137-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/4476-138-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/4476-141-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/4544-29-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4544-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4544-9-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4544-5-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4544-3-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4544-1-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing