Overview

overview

10

Static

static

ctvhost.exe

windows7-x64

10

ctvhost.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ctvhost.exe

  • Size

    950KB

  • Sample

    221124-v5rs2ada3s

  • MD5

    400e6840d7481c535d4dd1cf118f128f

  • SHA1

    ce7b34e004cd85769405d55f2fdd5562f91b9811

  • SHA256

    d7072b1ca3dae32f46c5044acb5f4ada760fbca463d9295db43f30d52d6bc364

  • SHA512

    858ef64ce1d40013fc026790f2a5767c9284c9f7bfca58f4d3db6e61070893fda4ea05e01115ecbc92a36178f6c54be3c97e1a75fc7ad372113b041ef5d676d0

  • SSDEEP

    12288:1XHYsZ1DX/VDJtV7w974FzDxIh/LOj5dBgb2yHNrciAlFebwuZHyRA1x09:VHYkzMLQdO9N9fpn09

Score
10/10
quasarevasionpersistenceransomwarespywaretrojan

Malware Config

Targets

    • Target

      ctvhost.exe

    • Size

      950KB

    • MD5

      400e6840d7481c535d4dd1cf118f128f

    • SHA1

      ce7b34e004cd85769405d55f2fdd5562f91b9811

    • SHA256

      d7072b1ca3dae32f46c5044acb5f4ada760fbca463d9295db43f30d52d6bc364

    • SHA512

      858ef64ce1d40013fc026790f2a5767c9284c9f7bfca58f4d3db6e61070893fda4ea05e01115ecbc92a36178f6c54be3c97e1a75fc7ad372113b041ef5d676d0

    • SSDEEP

      12288:1XHYsZ1DX/VDJtV7w974FzDxIh/LOj5dBgb2yHNrciAlFebwuZHyRA1x09:VHYkzMLQdO9N9fpn09

    Score
    10/10
    quasarevasionpersistenceransomwarespywaretrojan

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Modifies security service

      evasion

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

      trojanspywarequasar

    • Quasar payload

    • UAC bypass

      evasiontrojan

    • Windows security bypass

      evasiontrojan

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Modify Existing Service

2
T1031

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Bypass User Account Control

1
T1088

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

7
T1112

Disabling Security Tools

4
T1089

Bypass User Account Control

1
T1088

File Deletion

2
T1107

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Inhibit System Recovery

2
T1490

Tasks