3c21c1067f2f7fd008b20dda0422e4b50f679aadf5e91817889f58d759282f1d

General

Target

tuc5.exe
Size

4.6MB
MD5

bbd6c397ebe993fcc61895265adae480
SHA1

b087e55a6d6a15e4fbd09d4641e389c80e3be62f
SHA256

3c21c1067f2f7fd008b20dda0422e4b50f679aadf5e91817889f58d759282f1d
SHA512

637ab0dd6966a132163a96ed5189703f450f73cc14758d31143bce765d7d95c3809f66d5c27fede311417914a8b7ff4df63fd7a947dfd97e3eca2e10720ebf2e
SSDEEP

98304:joMwMk2nFZC/PkQ/dq5FrCGhhya/eAasl3WqfVkrqoBHQnYZS/4dm8:6t2FZLQ/iVoAH3zkmoCMC4dD

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2736	tuc5.tmp

Loads dropped DLL 4 IoCs

pid	Process
2440	tuc5.exe
2736	tuc5.tmp
2736	tuc5.tmp
2736	tuc5.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	45.155.250.90

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2736	tuc5.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 2736	2440	tuc5.exe	16
PID 2440 wrote to memory of 2736	2440	tuc5.exe	16
PID 2440 wrote to memory of 2736	2440	tuc5.exe	16
PID 2440 wrote to memory of 2736	2440	tuc5.exe	16
PID 2440 wrote to memory of 2736	2440	tuc5.exe	16
PID 2440 wrote to memory of 2736	2440	tuc5.exe	16
PID 2440 wrote to memory of 2736	2440	tuc5.exe	16

C:\Users\Admin\AppData\Local\Temp\is-1IACF.tmp\tuc5.tmp
"C:\Users\Admin\AppData\Local\Temp\is-1IACF.tmp\tuc5.tmp" /SL5="$5014E,4620919,423424,C:\Users\Admin\AppData\Local\Temp\tuc5.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:2736
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\system32\net.exe" helpmsg 183
  2⤵
  PID:2996
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 helpmsg 183
    3⤵
    PID:1368
- C:\Users\Admin\AppData\Local\Start Energy Free library\startenergyfreelibrary.exe
  "C:\Users\Admin\AppData\Local\Start Energy Free library\startenergyfreelibrary.exe" -i
  2⤵
  PID:1896
- C:\Users\Admin\AppData\Local\Start Energy Free library\startenergyfreelibrary.exe
  "C:\Users\Admin\AppData\Local\Start Energy Free library\startenergyfreelibrary.exe" -s
  2⤵
  PID:1264

C:\Users\Admin\AppData\Local\Temp\tuc5.exe
"C:\Users\Admin\AppData\Local\Temp\tuc5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2440

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Start Energy Free library\startenergyfreelibrary.exe

Filesize
67KB

MD5
751239344f6e39cbad0219ef5f13ea8b

SHA1
12556893409cee78cb84f2f86187366e593b6e15

SHA256
53b22c0943a210b64a898d20770bd1c4c0111eb264719810ed258c8890c1137f

SHA512
c3a824b85c4978795e8997b2a8844b6063b078866775cae958902bce39434a517641a53d26bfb424df32c52573b4290d1ccfc41a04a266d7464bdaf201ea3e48

Download Submit
C:\Users\Admin\AppData\Local\Start Energy Free library\startenergyfreelibrary.exe

Filesize
9KB

MD5
cc3079285d1ab2113781a5acd00b28f8

SHA1
a40716106fd5321fdf2435fe31360f5817c546dc

SHA256
818c698036dc274546c47e385136c2d08bd6a10ada84ebb0e9b45aa36c4f3c18

SHA512
9754a8169a3b9417405d435ef289a4974325b31beb3dd7198c69bfb0559e3e95de4499443826d6eadb288b8822048507ec928f77784db377558d60e11474e1b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1IACF.tmp\tuc5.tmp

Filesize
12KB

MD5
7fe4c67b1f22b659ffd40948d067f473

SHA1
ce4ea38a021a83297f466f78324e8a105f84968a

SHA256
168decf14a45baed8650b894e293f87bac41c9abc6814e7e86b49356eb59e6df

SHA512
7d0f97fc0ec21995e5e4fd318fe4972c150ae0f23b2197e4007ed6c48564837c4f73d181f8a81ccd6266e99a742ae1fa2d8c13593c83e37f4fc9cf02dc99cf51

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1IACF.tmp\tuc5.tmp

Filesize
1KB

MD5
7791059c15b13576a401a9d464d0a913

SHA1
2440a117dd1c0fdc210515f1bdca4a680eb2f2ac

SHA256
228824d5dfcb516d916be3716b0f482bbd54a2a3e1eee106040f860b7b44e3e2

SHA512
1f5a9894a5245bcb088a51dc067f957cf366d85602ef8aa16b678fb89f11a07b31006b65f6e52157d5cdcb366fc5f2d6a5b6602e959f3a8777e82a682d2d2185

Download Submit
\Users\Admin\AppData\Local\Start Energy Free library\startenergyfreelibrary.exe

Filesize
5KB

MD5
55db95a923f0a41bae6590c8ec84f9e8

SHA1
800ec81c2c43c9ba12b27e823138854be1277b40

SHA256
507e74a2ac2be411ac753960ae9326cc72e8f3007f6710c21886c8b2b0d6c5bf

SHA512
68ec04f08d8585646ee86d284882f6c0a3dcde0c1825825c5d0d6815ef2879dc905afece7c0713092a4487c1ef901fa01f6179acf8f8404f1f0f4c90444f1853

Download Submit
\Users\Admin\AppData\Local\Temp\is-1IACF.tmp\tuc5.tmp

Filesize
10KB

MD5
45a4ed2fb9cf4a9df0c0919cf53c1b69

SHA1
2aacf831dab5bf4e698d066f6530e58e474b3abb

SHA256
1bda602355d1a4f00d28dc4d8acdabe8eed6e233f509a9db123b8eba6db901fe

SHA512
ece207ddc9ebd95ee607c153c60f78103028a6a1405c0f5fff3cd5a52c36d4b4afb689460a0c8b398816e6876fcd887bf060db913103c766ead5c7a35cea5707

Download Submit
\Users\Admin\AppData\Local\Temp\is-RQ1B1.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-RQ1B1.tmp\_isetup\_shfoldr.dll

Filesize
12KB

MD5
d3ab240e04521ff884d87210200dfd0c

SHA1
b717a9004cb195f5b1c8d9f53c7b1d36338ee6a4

SHA256
7bc52c5f5eb6ab2babf29e6401bfe60fe44e27add99be597503ecb0505587d63

SHA512
91d94e3bb2c5c7720f83199d9bc229ce5f9f6cbdc575cedaa24dcec1ec49488eb9c4512ab28d2c6a74c0c9c9e5a25bdb7eac767d76879b5a065fe16048ef4190

Download Submit
memory/1264-128-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/1264-133-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/1264-148-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/1264-145-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/1264-142-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/1264-130-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/1264-138-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/1264-139-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/1896-121-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/1896-126-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/1896-125-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/1896-122-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/2440-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2440-131-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2440-2-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2736-134-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2736-135-0x0000000003150000-0x0000000003315000-memory.dmp

Filesize
1.8MB

Download
memory/2736-132-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2736-120-0x0000000003150000-0x0000000003315000-memory.dmp

Filesize
1.8MB

Download
memory/2736-15-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing