bd73f27673d98e8d9fb20bec3ef0dd4456e33eefead3839a68c2228a5c1686ab

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2024 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fattura 00384788-00849838.pdf.exe
Size

884KB
MD5

23c1fa39c8cb4a46d54b2c9ea9df952d
SHA1

815dfd495271d7792e5d0dbb3e78a14bf4a8fd90
SHA256

97be6754d010714743932afa3f4ea308e2f0b19212e8b8b150af7cdd3383f44b
SHA512

78106662327d856f05bc98bc700ab0f5d719fd2365c46db26400ad140b96004a86acd9831cba3799de4eeffa959c82c5ee557c1a1db266f79c49aa4b910e5d60
SSDEEP

24576:dRHuj2I8hyf+fJGV8HiukodYP+gIHB7wcmZtpU:2jL8cf+xIsDWlVBZt6

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3120	cuvlong.exe
4184	cuvlong.exe

Loads dropped DLL 6 IoCs

pid	Process
1792	Fattura 00384788-00849838.pdf.exe
1792	Fattura 00384788-00849838.pdf.exe
1792	Fattura 00384788-00849838.pdf.exe
3120	cuvlong.exe
3120	cuvlong.exe
3120	cuvlong.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	svchost.exe

Drops file in System32 directory 49 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Cape_Verde	cuvlong.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\README_te.txt	cuvlong.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\rc-b-l-15-1body-2menu-3menu.png	cuvlong.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\history_report_yellow.png	cuvlong.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Cool Gray 9 bl 4.ADO	cuvlong.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\modules.xml	cuvlong.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\body.font.size.xml	cuvlong.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\sidebar.title.properties.xml	cuvlong.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\template.xml	cuvlong.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\htmlhelp.hhp.tail.xml	cuvlong.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\21.svg	cuvlong.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\annotation.support.xml	cuvlong.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\s0.png	cuvlong.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Prague	cuvlong.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\pcdrbdre.p5m	cuvlong.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\dfrg.png	cuvlong.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\refentry.source.name.profile.xml	cuvlong.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\admon.xsl	cuvlong.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Nwiz.dll	cuvlong.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\25-unhint-nonlatin.conf	cuvlong.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\insertfile.xsl	cuvlong.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Danmarkshavn	cuvlong.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Comoro	cuvlong.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Nicosia	cuvlong.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\built-with-forrest-button.png	cuvlong.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\HKS N Process.aco	cuvlong.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\item_valid.xml	cuvlong.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\SimpleDocument1.xml	cuvlong.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\msconfig.png	cuvlong.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\CommonMessages_en_US.xml	cuvlong.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\sRGB.pf	cuvlong.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\body.start.indent.xml	cuvlong.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\pcdroverrides.p5i.readonly	cuvlong.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Malta	cuvlong.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\ua.js.xml	cuvlong.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\rc-t-r-5-1header-2tab-unselected-3tab-unselected.png	cuvlong.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\glossterm.list.properties.xml	cuvlong.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\dingbat.font.family.xml	cuvlong.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\profile.role.xml	cuvlong.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\424 bl 4.ADO	cuvlong.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\hyph_gu_IN.dic	cuvlong.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\script-pass.png	cuvlong.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Buyout.9mA	cuvlong.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Cattleman.a95	cuvlong.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\dxdiag.png	cuvlong.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\arrow_left_enabled.png	cuvlong.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Hojo-EUC-H	cuvlong.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Monochromatic High Contrast.hdt	cuvlong.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Abidjan	cuvlong.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1792 set thread context of 4496	1792	Fattura 00384788-00849838.pdf.exe	84
PID 3120 set thread context of 4184	3120	cuvlong.exe	99

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3152	4184	WerFault.exe	99
1384	4184	WerFault.exe	99

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fattura 00384788-00849838.pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fattura 00384788-00849838.pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cuvlong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cuvlong.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x0007000000023cb5-69.dat	nsis_installer_1
behavioral2/files/0x0007000000023cb5-69.dat	nsis_installer_2

Modifies data under HKEY_USERS 23 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\shell32.dll,-50176 = "File Operation"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{625ed6c4-0000-0000-0000-d01200000000}\MaxCapacity = "14116"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{625ed6c4-0000-0000-0000-f0ff3a000000}	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00360032003500650064003600630034002d0030003000300030002d0030003000300030002d0030003000300030002d006400300031003200300030003000300030003000300030007d00000030002c007b00360032003500650064003600630034002d0030003000300030002d0030003000300030002d0030003000300030002d006600300066006600330061003000300030003000300030007d0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{625ed6c4-0000-0000-0000-d01200000000}	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{625ed6c4-0000-0000-0000-f0ff3a000000}\MaxCapacity = "2047"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{625ed6c4-0000-0000-0000-d01200000000}\NukeOnDelete = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{625ed6c4-0000-0000-0000-f0ff3a000000}\NukeOnDelete = "0"	svchost.exe

Modifies registry class 11 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133776934715656239"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133776934745499798"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133776935053624720"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133776934707531017"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133776934742843513"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133776935052062245"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI	svchost.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4496	Fattura 00384788-00849838.pdf.exe
4496	Fattura 00384788-00849838.pdf.exe
4184	cuvlong.exe
4184	cuvlong.exe
4184	cuvlong.exe
4184	cuvlong.exe
4184	cuvlong.exe
4184	cuvlong.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	4184	cuvlong.exe
Token: SeTcbPrivilege	816	svchost.exe
Token: SeTcbPrivilege	816	svchost.exe
Token: SeTcbPrivilege	816	svchost.exe
Token: SeTcbPrivilege	816	svchost.exe
Token: SeTcbPrivilege	816	svchost.exe
Token: SeTcbPrivilege	816	svchost.exe
Token: SeTcbPrivilege	816	svchost.exe
Token: SeTcbPrivilege	816	svchost.exe
Token: SeTcbPrivilege	816	svchost.exe
Token: SeTcbPrivilege	816	svchost.exe
Token: SeTcbPrivilege	816	svchost.exe
Token: SeTcbPrivilege	816	svchost.exe
Token: SeTcbPrivilege	816	svchost.exe
Token: SeTcbPrivilege	816	svchost.exe
Token: SeTcbPrivilege	816	svchost.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 4496	1792	Fattura 00384788-00849838.pdf.exe	84
PID 1792 wrote to memory of 4496	1792	Fattura 00384788-00849838.pdf.exe	84
PID 1792 wrote to memory of 4496	1792	Fattura 00384788-00849838.pdf.exe	84
PID 1792 wrote to memory of 4496	1792	Fattura 00384788-00849838.pdf.exe	84
PID 1792 wrote to memory of 4496	1792	Fattura 00384788-00849838.pdf.exe	84
PID 1792 wrote to memory of 4496	1792	Fattura 00384788-00849838.pdf.exe	84
PID 3120 wrote to memory of 4184	3120	cuvlong.exe	99
PID 3120 wrote to memory of 4184	3120	cuvlong.exe	99
PID 3120 wrote to memory of 4184	3120	cuvlong.exe	99
PID 3120 wrote to memory of 4184	3120	cuvlong.exe	99
PID 3120 wrote to memory of 4184	3120	cuvlong.exe	99
PID 3120 wrote to memory of 4184	3120	cuvlong.exe	99
PID 4184 wrote to memory of 816	4184	cuvlong.exe	10
PID 816 wrote to memory of 4420	816	svchost.exe	103
PID 816 wrote to memory of 4420	816	svchost.exe	103
PID 816 wrote to memory of 4420	816	svchost.exe	103
PID 816 wrote to memory of 1536	816	svchost.exe	107
PID 816 wrote to memory of 1536	816	svchost.exe	107
PID 816 wrote to memory of 1536	816	svchost.exe	107
PID 816 wrote to memory of 4596	816	svchost.exe	108
PID 816 wrote to memory of 4596	816	svchost.exe	108
PID 816 wrote to memory of 2392	816	svchost.exe	109
PID 816 wrote to memory of 2392	816	svchost.exe	109
PID 816 wrote to memory of 1604	816	svchost.exe	110
PID 816 wrote to memory of 1604	816	svchost.exe	110
PID 816 wrote to memory of 1604	816	svchost.exe	110

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:816
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:4420
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:1536
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  2⤵
  PID:4596
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  2⤵
  PID:2392
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:1604

C:\Users\Admin\AppData\Local\Temp\Fattura 00384788-00849838.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Fattura 00384788-00849838.pdf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Users\Admin\AppData\Local\Temp\Fattura 00384788-00849838.pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Fattura 00384788-00849838.pdf.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4496

C:\Users\Admin\AppData\Local\Temp\cuvlong.exe
C:\Users\Admin\AppData\Local\Temp\cuvlong.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3120
- C:\Users\Admin\AppData\Local\Temp\cuvlong.exe
  C:\Users\Admin\AppData\Local\Temp\cuvlong.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4184
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 636
    3⤵
    - Program crash
    PID:3152
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 656
    3⤵
    - Program crash
    PID:1384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4184 -ip 4184
1⤵
PID:1376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4184 -ip 4184
1⤵
PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft OneDrive\dbcfgyj

Filesize
654B

MD5
819c843e14951e6a1b2cb123dada1ed3

SHA1
91450a1f4f02913802159e0e386673e205f489a1

SHA256
a35c443dbfe9e12741a6f6c3cd3ee8156b810c68a616fdc761d337a779235c12

SHA512
690c990b256e2a156ac7a7d854a27a1d84dc3595864128de2ee41b9f55b1a86145023b2085461a22362ce767d3f65e63f4e3dceed045bfd0627d576ffd53d2c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cuvlong.exe

Filesize
884KB

MD5
23c1fa39c8cb4a46d54b2c9ea9df952d

SHA1
815dfd495271d7792e5d0dbb3e78a14bf4a8fd90

SHA256
97be6754d010714743932afa3f4ea308e2f0b19212e8b8b150af7cdd3383f44b

SHA512
78106662327d856f05bc98bc700ab0f5d719fd2365c46db26400ad140b96004a86acd9831cba3799de4eeffa959c82c5ee557c1a1db266f79c49aa4b910e5d60

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr8BB6.tmp\System.dll

Filesize
11KB

MD5
883eff06ac96966270731e4e22817e11

SHA1
523c87c98236cbc04430e87ec19b977595092ac8

SHA256
44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82

SHA512
60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390

Download Submit
C:\Users\Admin\AppData\Roaming\Nwiz.dll

Filesize
54KB

MD5
af5cfacd0e4f50aea5e1353131d31ee1

SHA1
2c25083e39c4604bcde7ebc1ea966d45646eead8

SHA256
60737caef33db58b24924eecaeb13e9d6c6cbc27408fd2c59cda67d326b1495e

SHA512
5c58ecb55ca6a82bfe6d5647058b4d2e852010029d4a356d7cbd4a4e7fa3f31ca3fb88a8e81c9566e9d9736e104e8d8375053ff89d90802cc145e27349155db9

Download Submit
C:\Users\Admin\AppData\Roaming\README_te.TXT

Filesize
884B

MD5
0c041dcb1d9bb1c91548c46b484be783

SHA1
882c3e8e97fe1dacf3b30d250c3da72667b95417

SHA256
20c311f57374a8734d48426cca56e3a132daf65c3d01925f04cacf62ed82ffcf

SHA512
b0ffd5ed8e93e811a6b52ab70a4df807fa2f8c161f9c66737621b397f0b474c45402456c711a3a6931f98b78547a63c7ac3a17f7b58c2b62933ed98753ec5ca6

Download Submit
F:\$RECYCLE.BIN\S-1-5-18\desktop.ini

Filesize
129B

MD5
a526b9e7c716b3489d8cc062fbce4005

SHA1
2df502a944ff721241be20a9e449d2acd07e0312

SHA256
e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

SHA512
d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

Download Submit
memory/816-355-0x000000002DDF0000-0x000000002DE67000-memory.dmp

Filesize
476KB

Download
memory/816-3507-0x000000002DDF0000-0x000000002DE67000-memory.dmp

Filesize
476KB

Download
memory/816-149-0x000000002DDF0000-0x000000002DE67000-memory.dmp

Filesize
476KB

Download
memory/816-178-0x000000002DDF0000-0x000000002DE67000-memory.dmp

Filesize
476KB

Download
memory/816-161-0x000000002DDF0000-0x000000002DE67000-memory.dmp

Filesize
476KB

Download
memory/816-146-0x000000002DDF0000-0x000000002DE67000-memory.dmp

Filesize
476KB

Download
memory/816-143-0x000000002DDF0000-0x000000002DE67000-memory.dmp

Filesize
476KB

Download
memory/816-145-0x000000002DDF0000-0x000000002DE67000-memory.dmp

Filesize
476KB

Download
memory/816-151-0x000000002DDF0000-0x000000002DE67000-memory.dmp

Filesize
476KB

Download
memory/1792-64-0x0000000003070000-0x0000000003083000-memory.dmp

Filesize
76KB

Download
memory/1792-61-0x0000000003070000-0x0000000003083000-memory.dmp

Filesize
76KB

Download
memory/1792-57-0x0000000003070000-0x0000000003083000-memory.dmp

Filesize
76KB

Download
memory/3120-133-0x0000000000D60000-0x0000000000D73000-memory.dmp

Filesize
76KB

Download
memory/3120-139-0x0000000000D60000-0x0000000000D73000-memory.dmp

Filesize
76KB

Download
memory/3120-128-0x0000000000D60000-0x0000000000D73000-memory.dmp

Filesize
76KB

Download
memory/4184-140-0x0000000000940000-0x0000000000B8B000-memory.dmp

Filesize
2.3MB

Download
memory/4496-67-0x0000000000980000-0x0000000000BCB000-memory.dmp

Filesize
2.3MB

Download
memory/4496-65-0x0000000000760000-0x000000000097A000-memory.dmp

Filesize
2.1MB

Download
memory/4496-63-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/4496-66-0x0000000000400000-0x00000000004A4600-memory.dmp

Filesize
657KB

Download
memory/4496-60-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download