Analysis
max time kernel: 150s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-09-2023 19:59
General
Target: Client-built.exe
Size: 3.1MB
MD5: 84196815c135e19db65295a1cea9a522
SHA1: fc46f3972ad6280b17e27f3ff519c2b7d035370f
SHA256: e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8
SHA512: 3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070
SSDEEP: 49152:7vWhBYjCO4Dt2d5aKCuVPzlEmVQL0wvwkaYiRJ6TbR3LoGdjTHHB72eh2NT:7v4t2d5aKCuVPzlEmVQ0wvwfYiRJ6F
Malware Config
Extracted
quasar
1.4.1
slave
cherrywoods-29890.portmap.host:29890:16243
5d49d039-8bce-40c5-82b6-413e6ca1279a
encryption_key: 2E34CBDFC0A612A970A99A781D3AB0C010E1A59C
install_name: cvvhost.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Windows Security notification icon
subdirectory: SubDir
Signatures

Quasar payload 14 IoCs
resource                                                                    yara_rule
behavioral1/memory/1132-0-0x00000000007D0000-0x0000000000AF4000-memory.dmp  family_quasar
C:\Windows\System32\SubDir\cvvhost.exe                                      family_quasar   (13 matches; one of them is recorded with the path as C:\Windows\system32\SubDir\cvvhost.exe)
Checks computer location settings 2 TTPs 12 IoCs
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                   process
Key value queried  \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation  cvvhost.exe   (12 identical entries)
Executes dropped EXE 12 IoCs
pid   process
3204  cvvhost.exe
4668  cvvhost.exe
5100  cvvhost.exe
5060  cvvhost.exe
4152  cvvhost.exe
1700  cvvhost.exe
4800  cvvhost.exe
4820  cvvhost.exe
3660  cvvhost.exe
1560  cvvhost.exe
4556  cvvhost.exe
3320  cvvhost.exe
Drops file in System32 directory 27 IoCs
description                   ioc                                     process
File created                  C:\Windows\system32\SubDir\cvvhost.exe  Client-built.exe
File opened for modification  C:\Windows\system32\SubDir\cvvhost.exe  Client-built.exe
File opened for modification  C:\Windows\system32\SubDir              Client-built.exe
File opened for modification  C:\Windows\system32\SubDir\cvvhost.exe  cvvhost.exe   (12 entries)
File opened for modification  C:\Windows\system32\SubDir              cvvhost.exe   (12 entries)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 13 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   process
1532  schtasks.exe
3672  schtasks.exe
4480  schtasks.exe
2212  schtasks.exe
1268  schtasks.exe
1676  schtasks.exe
1508  schtasks.exe
1288  schtasks.exe
1352  schtasks.exe
4016  schtasks.exe
4144  schtasks.exe
3956  schtasks.exe
2724  schtasks.exe
Runs ping.exe 1 TTPs 12 IoCs
pid   process
4300  PING.EXE
4648  PING.EXE
2776  PING.EXE
880   PING.EXE
2704  PING.EXE
3656  PING.EXE
4132  PING.EXE
1912  PING.EXE
1056  PING.EXE
2160  PING.EXE
2984  PING.EXE
1732  PING.EXE
Suspicious behavior: LoadsDriver 14 IoCs
pid
4     (13 entries)
676
Suspicious use of AdjustPrivilegeToken 13 IoCs
description              pid   process
Token: SeDebugPrivilege  1132  Client-built.exe
Token: SeDebugPrivilege  3204  cvvhost.exe
Token: SeDebugPrivilege  4668  cvvhost.exe
Token: SeDebugPrivilege  5100  cvvhost.exe
Token: SeDebugPrivilege  5060  cvvhost.exe
Token: SeDebugPrivilege  4152  cvvhost.exe
Token: SeDebugPrivilege  1700  cvvhost.exe
Token: SeDebugPrivilege  4800  cvvhost.exe
Token: SeDebugPrivilege  4820  cvvhost.exe
Token: SeDebugPrivilege  3660  cvvhost.exe
Token: SeDebugPrivilege  1560  cvvhost.exe
Token: SeDebugPrivilege  4556  cvvhost.exe
Token: SeDebugPrivilege  3320  cvvhost.exe
Suspicious use of FindShellTrayWindow 12 IoCs
pid   process
3204  cvvhost.exe
4668  cvvhost.exe
5100  cvvhost.exe
5060  cvvhost.exe
4152  cvvhost.exe
1700  cvvhost.exe
4800  cvvhost.exe
4820  cvvhost.exe
3660  cvvhost.exe
1560  cvvhost.exe
4556  cvvhost.exe
3320  cvvhost.exe
Suspicious use of SendNotifyMessage 12 IoCs
pid   process
3204  cvvhost.exe
4668  cvvhost.exe
5100  cvvhost.exe
5060  cvvhost.exe
4152  cvvhost.exe
1700  cvvhost.exe
4800  cvvhost.exe
4820  cvvhost.exe
3660  cvvhost.exe
1560  cvvhost.exe
4556  cvvhost.exe
3320  cvvhost.exe
Suspicious use of WriteProcessMemory 64 IoCs
Every entry below is recorded twice in the report (32 distinct entries, 64 IoCs).
description                       pid   process           target process
PID 1132 wrote to memory of 3956  1132  Client-built.exe  schtasks.exe
PID 1132 wrote to memory of 3204  1132  Client-built.exe  cvvhost.exe
PID 3204 wrote to memory of 1268  3204  cvvhost.exe       schtasks.exe
PID 3204 wrote to memory of 384   3204  cvvhost.exe       cmd.exe
PID 384 wrote to memory of 1752   384   cmd.exe           chcp.com
PID 384 wrote to memory of 2776   384   cmd.exe           PING.EXE
PID 384 wrote to memory of 4668   384   cmd.exe           cvvhost.exe
PID 4668 wrote to memory of 1676  4668  cvvhost.exe       schtasks.exe
PID 4668 wrote to memory of 4728  4668  cvvhost.exe       cmd.exe
PID 4728 wrote to memory of 1296  4728  cmd.exe           chcp.com
PID 4728 wrote to memory of 880   4728  cmd.exe           PING.EXE
PID 4728 wrote to memory of 5100  4728  cmd.exe           cvvhost.exe
PID 5100 wrote to memory of 2724  5100  cvvhost.exe       schtasks.exe
PID 5100 wrote to memory of 4224  5100  cvvhost.exe       cmd.exe
PID 4224 wrote to memory of 1532  4224  cmd.exe           chcp.com
PID 4224 wrote to memory of 1056  4224  cmd.exe           PING.EXE
PID 4224 wrote to memory of 5060  4224  cmd.exe           cvvhost.exe
PID 5060 wrote to memory of 1508  5060  cvvhost.exe       schtasks.exe
PID 5060 wrote to memory of 396   5060  cvvhost.exe       cmd.exe
PID 396 wrote to memory of 4508   396   cmd.exe           chcp.com
PID 396 wrote to memory of 2704   396   cmd.exe           PING.EXE
PID 396 wrote to memory of 4152   396   cmd.exe           cvvhost.exe
PID 4152 wrote to memory of 1532  4152  cvvhost.exe       schtasks.exe
PID 4152 wrote to memory of 4068  4152  cvvhost.exe       cmd.exe
PID 4068 wrote to memory of 3720  4068  cmd.exe           chcp.com
PID 4068 wrote to memory of 2160  4068  cmd.exe           PING.EXE
PID 4068 wrote to memory of 1700  4068  cmd.exe           cvvhost.exe
PID 1700 wrote to memory of 1288  1700  cvvhost.exe       schtasks.exe
PID 1700 wrote to memory of 4028  1700  cvvhost.exe       cmd.exe
PID 4028 wrote to memory of 4224  4028  cmd.exe           chcp.com
PID 4028 wrote to memory of 2984  4028  cmd.exe           PING.EXE
PID 4028 wrote to memory of 4800  4028  cmd.exe           cvvhost.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(process tree; [N] is the nesting depth, followed by the image path, the command line, and the signatures hit by that process)

[1] C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SYSTEM32\schtasks.exe
      cmdline: "schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
  [2] C:\Windows\system32\SubDir\cvvhost.exe
      cmdline: "C:\Windows\system32\SubDir\cvvhost.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SYSTEM32\schtasks.exe
        cmdline: "schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
        - Creates scheduled task(s)
    [3] C:\Windows\system32\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MYjrtDLC7Iy9.bat" "
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\chcp.com
          cmdline: chcp 65001
      [4] C:\Windows\system32\PING.EXE
          cmdline: ping -n 10 localhost
          - Runs ping.exe
      [4] C:\Windows\system32\SubDir\cvvhost.exe
          cmdline: "C:\Windows\system32\SubDir\cvvhost.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Drops file in System32 directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SYSTEM32\schtasks.exe
            cmdline: "schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
            - Creates scheduled task(s)
        [5] C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FFExtO0rMaXI.bat" "
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\chcp.com
              cmdline: chcp 65001
          [6] C:\Windows\system32\PING.EXE
              cmdline: ping -n 10 localhost
              - Runs ping.exe
          [6] C:\Windows\system32\SubDir\cvvhost.exe
              cmdline: "C:\Windows\system32\SubDir\cvvhost.exe"
              - Checks computer location settings
              - Executes dropped EXE
              - Drops file in System32 directory
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SendNotifyMessage
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\SYSTEM32\schtasks.exe
                cmdline: "schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
                - Creates scheduled task(s)
            [7] C:\Windows\system32\cmd.exe
                cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9K9OQMAMIf6a.bat" "
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\system32\chcp.com
                  cmdline: chcp 65001
              [8] C:\Windows\system32\PING.EXE
                  cmdline: ping -n 10 localhost
                  - Runs ping.exe
              [8] C:\Windows\system32\SubDir\cvvhost.exe
                  cmdline: "C:\Windows\system32\SubDir\cvvhost.exe"
                  - Checks computer location settings
                  - Executes dropped EXE
                  - Drops file in System32 directory
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of FindShellTrayWindow
                  - Suspicious use of SendNotifyMessage
                  - Suspicious use of WriteProcessMemory
                [9] C:\Windows\SYSTEM32\schtasks.exe
                    cmdline: "schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
                    - Creates scheduled task(s)
                [9] C:\Windows\system32\cmd.exe
                    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FNplaGhmTD8R.bat" "
                    - Suspicious use of WriteProcessMemory
                  [10] C:\Windows\system32\chcp.com
                      cmdline: chcp 65001
                  [10] C:\Windows\system32\PING.EXE
                      cmdline: ping -n 10 localhost
                      - Runs ping.exe
                  [10] C:\Windows\system32\SubDir\cvvhost.exe
                      cmdline: "C:\Windows\system32\SubDir\cvvhost.exe"
                      - Checks computer location settings
                      - Executes dropped EXE
                      - Drops file in System32 directory
                      - Suspicious use of AdjustPrivilegeToken
                      - Suspicious use of FindShellTrayWindow
                      - Suspicious use of SendNotifyMessage
                      - Suspicious use of WriteProcessMemory
                    [11] C:\Windows\SYSTEM32\schtasks.exe
                        cmdline: "schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
                        - Creates scheduled task(s)
                    [11] C:\Windows\system32\cmd.exe
                        cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XyRJ8dlK1DFB.bat" "
                        - Suspicious use of WriteProcessMemory
                      [12] C:\Windows\system32\chcp.com
                          cmdline: chcp 65001
                      [12] C:\Windows\system32\PING.EXE
                          cmdline: ping -n 10 localhost
                          - Runs ping.exe
                      [12] C:\Windows\system32\SubDir\cvvhost.exe
                          cmdline: "C:\Windows\system32\SubDir\cvvhost.exe"
                          - Checks computer location settings
                          - Executes dropped EXE
                          - Drops file in System32 directory
                          - Suspicious use of AdjustPrivilegeToken
                          - Suspicious use of FindShellTrayWindow
                          - Suspicious use of SendNotifyMessage
                          - Suspicious use of WriteProcessMemory
                        [13] C:\Windows\SYSTEM32\schtasks.exe
                            cmdline: "schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
                            - Creates scheduled task(s)
                        [13] C:\Windows\system32\cmd.exe
                            cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wHtBMA8JSLQz.bat" "
                            - Suspicious use of WriteProcessMemory
                          [14] C:\Windows\system32\chcp.com
                              cmdline: chcp 65001
                          [14] C:\Windows\system32\PING.EXE
                              cmdline: ping -n 10 localhost
                              - Runs ping.exe
                          [14] C:\Windows\system32\SubDir\cvvhost.exe
                              cmdline: "C:\Windows\system32\SubDir\cvvhost.exe"
                              - Checks computer location settings
                              - Executes dropped EXE
                              - Drops file in System32 directory
                              - Suspicious use of AdjustPrivilegeToken
                              - Suspicious use of FindShellTrayWindow
                              - Suspicious use of SendNotifyMessage
                            [15] C:\Windows\SYSTEM32\schtasks.exe
                                cmdline: "schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
                                - Creates scheduled task(s)
                            [15] C:\Windows\system32\cmd.exe
                                cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xvr1ubKr1SzJ.bat" "
                              [16] C:\Windows\system32\chcp.com
                                  cmdline: chcp 65001
                              [16] C:\Windows\system32\PING.EXE
                                  cmdline: ping -n 10 localhost
                                  - Runs ping.exe
                              [16] C:\Windows\system32\SubDir\cvvhost.exe
                                  cmdline: "C:\Windows\system32\SubDir\cvvhost.exe"
                                  - Checks computer location settings
                                  - Executes dropped EXE
                                  - Drops file in System32 directory
                                  - Suspicious use of AdjustPrivilegeToken
                                  - Suspicious use of FindShellTrayWindow
                                  - Suspicious use of SendNotifyMessage
                                [17] C:\Windows\SYSTEM32\schtasks.exe
                                    cmdline: "schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
                                    - Creates scheduled task(s)
                                [17] C:\Windows\system32\cmd.exe
                                    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qzos8pT5WmVk.bat" "
                                  [18] C:\Windows\system32\chcp.com
                                      cmdline: chcp 65001
                                  [18] C:\Windows\system32\PING.EXE
                                      cmdline: ping -n 10 localhost
                                      - Runs ping.exe
                                  [18] C:\Windows\system32\SubDir\cvvhost.exe
                                      cmdline: "C:\Windows\system32\SubDir\cvvhost.exe"
                                      - Checks computer location settings
                                      - Executes dropped EXE
                                      - Drops file in System32 directory
                                      - Suspicious use of AdjustPrivilegeToken
                                      - Suspicious use of FindShellTrayWindow
                                      - Suspicious use of SendNotifyMessage
                                    [19] C:\Windows\SYSTEM32\schtasks.exe
                                        cmdline: "schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
                                        - Creates scheduled task(s)
                                    [19] C:\Windows\system32\cmd.exe
                                        cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\64WnlnLVPpmB.bat" "
                                      [20] C:\Windows\system32\chcp.com
                                          cmdline: chcp 65001
                                      [20] C:\Windows\system32\PING.EXE
                                          cmdline: ping -n 10 localhost
                                          - Runs ping.exe
                                      [20] C:\Windows\system32\SubDir\cvvhost.exe
                                          cmdline: "C:\Windows\system32\SubDir\cvvhost.exe"
                                          - Checks computer location settings
                                          - Executes dropped EXE
                                          - Drops file in System32 directory
                                          - Suspicious use of AdjustPrivilegeToken
                                          - Suspicious use of FindShellTrayWindow
                                          - Suspicious use of SendNotifyMessage
                                        [21] C:\Windows\SYSTEM32\schtasks.exe
                                            cmdline: "schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
                                            - Creates scheduled task(s)
                                        [21] C:\Windows\system32\cmd.exe
                                            cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6sXNdJHcEzH0.bat" "
                                          [22] C:\Windows\system32\chcp.com
                                              cmdline: chcp 65001
                                          [22] C:\Windows\system32\PING.EXE
                                              cmdline: ping -n 10 localhost
                                              - Runs ping.exe
                                          [22] C:\Windows\system32\SubDir\cvvhost.exe
                                              cmdline: "C:\Windows\system32\SubDir\cvvhost.exe"
                                              - Checks computer location settings
                                              - Executes dropped EXE
                                              - Drops file in System32 directory
                                              - Suspicious use of AdjustPrivilegeToken
                                              - Suspicious use of FindShellTrayWindow
                                              - Suspicious use of SendNotifyMessage
                                            [23] C:\Windows\SYSTEM32\schtasks.exe
                                                cmdline: "schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
                                                - Creates scheduled task(s)
                                            [23] C:\Windows\system32\cmd.exe
                                                cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eeqTDstX7u7H.bat" "
                                              [24] C:\Windows\system32\chcp.com
                                                  cmdline: chcp 65001
                                              [24] C:\Windows\system32\PING.EXE
                                                  cmdline: ping -n 10 localhost
                                                  - Runs ping.exe
                                              [24] C:\Windows\system32\SubDir\cvvhost.exe
                                                  cmdline: "C:\Windows\system32\SubDir\cvvhost.exe"
                                                  - Checks computer location settings
                                                  - Executes dropped EXE
                                                  - Drops file in System32 directory
                                                  - Suspicious use of AdjustPrivilegeToken
                                                  - Suspicious use of FindShellTrayWindow
                                                  - Suspicious use of SendNotifyMessage
                                                [25] C:\Windows\SYSTEM32\schtasks.exe
                                                    cmdline: "schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f
                                                    - Creates scheduled task(s)
                                                [25] C:\Windows\system32\cmd.exe
                                                    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\k15iLayzSyGn.bat" "
                                                  [26] C:\Windows\system32\chcp.com
                                                      cmdline: chcp 65001
                                                  [26] C:\Windows\system32\PING.EXE
                                                      cmdline: ping -n 10 localhost
                                                      - Runs ping.exe
[1] C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\cvvhost.exe.log
Filesize: 2KB
MD5: 8f0271a63446aef01cf2bfc7b7c7976b
SHA1: b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
SHA256: da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
SHA512: 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

C:\Users\Admin\AppData\Local\Temp\64WnlnLVPpmB.bat
Filesize: 197B
MD5: 5819e2be0ec878ef9d41162bed8066e6
SHA1: 91783692d6ff85ef1730720ab60e5ba2c7dda0bd
SHA256: 251656aee2a9152a4b31efdc10e8704fb5f75fbecd7ff3312f553af6fea5c88c
SHA512: 23c954c53f353da88b3beb70ef0b2489c1cf6f5d7113a7bbb7b454adc664292b458e61e48d6499dc15f9b05466dcfaff97689cfd3f80932acb80e11906654dd7

C:\Users\Admin\AppData\Local\Temp\6sXNdJHcEzH0.bat
Filesize: 197B
MD5: bb1c04fbe19fad214a350cd2f988cea4
SHA1: a59d7ed7a341c1b574bae7eeb6aa337d8ae20f3c
SHA256: d9ca20f45408e61f3f60d6b158b8523528a3b09158375b3097ec22de0b449d7c
SHA512: ad10d3453a1d01c4ff81bee90b3ea01b61dfc6d069afcb4f7c3210ea2fc8d85a2d525885f6136da48bfdfd627428b429e48ecf7505e377ecb342d9dad5ea4526

C:\Users\Admin\AppData\Local\Temp\9K9OQMAMIf6a.bat
Filesize: 197B
MD5: 864253f6630c9a22579b7f777de60b97
SHA1: a9692551696fd902c7b5b007f7803ef8d7c671ae
SHA256: 66486196e2fded36464e54a036f54b8a5169075501d4d373cdf3faf251c6c157
SHA512: 9072b9eb56f4baafa0a94c6785705c235da8f23f9d991c480fd807cb09ec4814b05f28c41a077ca16dc139e7f7ceb8c8eb7b9d14e60601c8baa12bd624cf4b0f

C:\Users\Admin\AppData\Local\Temp\FFExtO0rMaXI.bat
Filesize: 197B
MD5: e21271ba92c961b74f32e283375c5db8
SHA1: 39dbda594c87cc76ac2a4d30430fc5e328cbacc2
SHA256: 31d310badef73d96931ee529865481026eeb5a6ff65ed97f883e0e71bfd3cecd
SHA512: 88558d0adf926e3d0152d1a29a46e23c342c4c525a0389a69daff22378cea35fed4bed0d0369ec37e97672705a1dc6cdea92a797a7cd5132341f5f61decbccd4

C:\Users\Admin\AppData\Local\Temp\FNplaGhmTD8R.bat
Filesize: 197B
MD5: 3534db72aacf99c0f33045d52ade6730
SHA1: 73652a85ba9fd19cb879ddb37ed71d718b59fe48
SHA256: 2087e5deefe9313474a7645ca8f9f38d673a48ddce2da941f34835b96d43cde9
SHA512: fe32affbe5940991bd40d0459744df543550ed7edb26581b4abc37ad9a39178b19255c1f52ec204f8dc88b73698500841d8f3993ed3038d7459a45859a99d3ea

C:\Users\Admin\AppData\Local\Temp\MYjrtDLC7Iy9.bat
Filesize: 197B
MD5: cd59a2336346e0c747ef18a616d72d32
SHA1: 8dafbd3f2d4428880dff9edb4997979fbeb79331
SHA256: 7a30439c821e1aa930af186bc2b4686e3f8dbd2a8e759ed2c7641ebdbf1a1247
SHA512: aafb8af5a4ab06a6af900e146a70f7e0c6b5bfab2cbe6f4586cf8d1812708d1af5f6d25b272414ade547fdf37e569b39a29630e68d6c0ae56df2e390b9bc7073

C:\Users\Admin\AppData\Local\Temp\XyRJ8dlK1DFB.bat
Filesize: 197B
MD5: 76f58823876be149b640c37506d111f8
SHA1: 0ed31baeb2694781bfeb728245f569aa577f4287
SHA256: 35b2d0d36ece42c7b57e714798d9af3815423b2d4d17431b579df2fae5666b6d
SHA512: 2291d312e3422922e16a51052b345e5ceed4e4559ca3523a7f72b48a7721abdf2276ab9847b0309bbf996831ecd5a1eea87d69516b26e9ca373f56ac58d287fb

C:\Users\Admin\AppData\Local\Temp\eeqTDstX7u7H.bat
Filesize: 197B
MD5: 29e3af9809cc287b5b591fe474a37c7b
SHA1: a291e79fac22c7b9108d929933c73114962a34c0
SHA256: 2649aac25d8d6eb78a194845e9f8eac119c5c2080486d476299068112a781cd1
SHA512: af3b54dff4b2ac03f240a4c5898f5ce1c14705b4874e5af0b805350dcc2b52608e45636f82fa5349c60062b55b45b6f520356b218611082465c12731ccc34aba

C:\Users\Admin\AppData\Local\Temp\k15iLayzSyGn.bat
Filesize: 197B
MD5: 696cf7b5ae6c8cec95278fd60f8a0bc4
SHA1: f6c1e90ee281195a3f69dff6ea849072d7e3caec
SHA256: f4f5acd63eeb1e97ded2502c4c780f858795a768af28ece73711fc84f74a4dce
SHA512: a866ac875535065749c0ff6ee63d3da324af9a7468ee7978009cc8495922c8405463c893787fe197a339c1805a7a01ef9f3ccd07e6a71d4cc9c74f69ce7d063c

C:\Users\Admin\AppData\Local\Temp\qzos8pT5WmVk.bat
Filesize: 197B
MD5: d23e7eacfde40b93a3728a5af60c7524
SHA1: eb442240cdbe669c60c555223df343c6deb4dd86
SHA256: c98c6d0b74ee9c3673fed58e9915af568a8a4e892f0e88415aa6556ebb0eae3b
SHA512: db6f56dc272047afb9ce70328cc9104627da5a9b74d57793e911744d5fbadbf3fbe54cba27669d298e7f335a553f5f52ffd3588387f438fe819b3369e1754435

C:\Users\Admin\AppData\Local\Temp\wHtBMA8JSLQz.bat
Filesize: 197B
MD5: 9093933a9eea785f420c1d792a0cdec7
SHA1: 43daa6fabb5717bcb017de87644ac4302b4ce9cb
SHA256: d7f11da414f608eb2ddd8d2f13527b8ff5126d5e2decc9d7c4a8a3f80895936e
SHA512: 9704059d8234317d8d3ce5382104a4a1a8fd4fa504c4e24e43b754a334d66cfc5821aaf203cca5fe1b5f113b7902e73a35891bf555b1a5adf8c1e40ff11ed032

C:\Users\Admin\AppData\Local\Temp\xvr1ubKr1SzJ.bat
Filesize: 197B
MD5: 5370a982f92a1dea0b47196afab34405
SHA1: 3dbacaf9fc3100508a15e39de59730dc48a99769
SHA256: aa49c88c3ba38560b5d60209b9329a7b0c081db759d1093871fdbc7fd8f236de
SHA512: 6419baf235b9f132fd772e5f849a6483a9a1fdabe8f246f48ead061298d740a49908c6b6e0cb51fab7332cae35f836cfe4a158272bf6aedfecf2df78a1da4f93

C:\Windows\System32\SubDir\cvvhost.exe   (listed 13 times in the report; hashes identical to the submitted Client-built.exe)
Filesize: 3.1MB
MD5: 84196815c135e19db65295a1cea9a522
SHA1: fc46f3972ad6280b17e27f3ff519c2b7d035370f
SHA256: e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8
SHA512: 3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070