
Analysis Report CvevSVDCvu

Overview

General Information

Joe Sandbox Version: 26.0.0 Aquamarine
Analysis ID: 156316
Start date: 25.07.2019
Start time: 13:33:13
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 32s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: CvevSVDCvu (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 26
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal92.rans.adwa.evad.winEXE@24/1029@0/0
EGA Information:
  • Successful, ratio: 66.7%
HDC Information:
  • Successful, ratio: 100% (good quality ratio 94.7%)
  • Quality average: 84.3%
  • Quality standard deviation: 26.5%
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, conhost.exe, VSSVC.exe, CompatTelRunner.exe, svchost.exe
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtReadFile calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
  • Report size getting too big, too many NtWriteFile calls found.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Detection
Threshold | 92 | 0 - 100 | | false | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |


Classification

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts | Execution through API 1 | Hidden Files and Directories 1 | Startup Items 2 | Hidden Files and Directories 1 | Credential Dumping | System Time Discovery 1 | Application Deployment Software | Data from Local System | Data Encrypted 1 | Standard Cryptographic Protocol 1
Replication Through Removable Media | Service Execution | Startup Items 2 | Process Injection 11 | Disabling Security Tools 2 | Network Sniffing | Query Registry 1 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Fallback Channels
Drive-by Compromise | Windows Management Instrumentation | Registry Run Keys / Startup Folder 121 | Path Interception | Software Packing 1 | Input Capture | Process Discovery 3 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Custom Cryptographic Protocol
Exploit Public-Facing Application | Scheduled Task | System Firmware | DLL Search Order Hijacking | Process Injection 11 | Credentials in Files | Security Software Discovery 21 | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication
Spearphishing Link | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | File Deletion 2 | Account Manipulation | File and Directory Discovery 2 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol
Spearphishing Attachment | Graphical User Interface | Modify Existing Service | New Service | Obfuscated Files or Information 1 | Brute Force | System Information Discovery 22 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port
Spearphishing via Service | Scripting | Path Interception | Scheduled Task | DLL Side-Loading 1 | Two-Factor Authentication Interception | Network Sniffing | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port

(Numbers following a technique name are the report's signature hit counts for that technique.)

Signature Overview

AV Detection:

Antivirus or Machine Learning detection for sample
Source: CvevSVDCvu.exe | Avira: Label: TR/Crypt.XPACK.Gen
Source: CvevSVDCvu.exe | Joe Sandbox ML: detected
Multi AV Scanner detection for submitted file
Source: CvevSVDCvu.exe | virustotal: Detection: 78%
Antivirus or Machine Learning detection for unpacked file
Source: 16.0.CvevSVDCvu.exe.970000.0.unpack | Joe Sandbox ML: detected
Source: 17.2.CvevSVDCvu.exe.970000.0.unpack | Joe Sandbox ML: detected
Source: 21.2.CvevSVDCvu.exe.970000.0.unpack | Joe Sandbox ML: detected
Source: 17.0.CvevSVDCvu.exe.970000.0.unpack | Joe Sandbox ML: detected
Source: 1.0.CvevSVDCvu.exe.a40000.0.unpack | Joe Sandbox ML: detected
Source: 0.0.CvevSVDCvu.exe.a40000.0.unpack | Joe Sandbox ML: detected
Source: 0.2.CvevSVDCvu.exe.a40000.0.unpack | Joe Sandbox ML: detected
Source: 21.0.CvevSVDCvu.exe.970000.0.unpack | Joe Sandbox ML: detected
Source: 1.2.CvevSVDCvu.exe.a40000.1.unpack | Joe Sandbox ML: detected
Source: 17.1.CvevSVDCvu.exe.970000.0.unpack | Joe Sandbox ML: detected
Source: 1.1.CvevSVDCvu.exe.a40000.0.unpack | Joe Sandbox ML: detected
Source: 16.2.CvevSVDCvu.exe.970000.0.unpack | Joe Sandbox ML: detected
Source: 21.1.CvevSVDCvu.exe.970000.0.unpack | Joe Sandbox ML: detected
Source: 0.1.CvevSVDCvu.exe.a40000.0.unpack | Joe Sandbox ML: detected
Source: 22.1.CvevSVDCvu.exe.bf0000.0.unpack | Joe Sandbox ML: detected
Source: 16.1.CvevSVDCvu.exe.970000.0.unpack | Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | Code function: 0_2_00A43E72 _malloc,_memmove,CryptDestroyKey,0_2_00A43E72
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | Code function: 0_2_00A45193 SetFileAttributesW,_wcsrchr,MoveFileW,CreateFileW,_memmove,CryptDestroyKey,SetFilePointerEx,WriteFile,SetEndOfFile,MoveFileW,FindCloseChangeNotification,0_2_00A45193
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | Code function: 0_2_00A441DD CryptAcquireContextW,CryptGenRandom,_rand,_memmove,0_2_00A441DD
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | Code function: 0_2_00A43F30 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptDestroyKey,0_2_00A43F30
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | Code function: 0_2_00A44D46 SetFileAttributesW,_wcsrchr,GetFileAttributesW,CreateFileW,SetFilePointerEx,SetFilePointerEx,SetFilePointerEx,CreateFileW,_memset,WriteFile,ReadFile,_memmove,CryptDestroyKey,WriteFile,CryptDestroyKey,CloseHandle,FindCloseChangeNotification,FindCloseChangeNotification,DeleteFileW,0_2_00A44D46
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | Code function: 0_2_00A4403E CryptAcquireContextW,CryptGenRandom,0_2_00A4403E
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | Code function: 0_2_00A43FBD _memmove,CryptEncrypt,0_2_00A43FBD
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | Code function: 0_2_00A43FFF _memmove,CryptDecrypt,0_2_00A43FFF
Source: C:\Users\user\AppData\Local\CvevSVDCvu.exe | Code function: 16_2_00973E72 _malloc,_memmove,CryptDestroyKey,16_2_00973E72
Source: C:\Users\user\AppData\Local\CvevSVDCvu.exe | Code function: 16_2_00973F30 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptDestroyKey,16_2_00973F30
Source: C:\Users\user\AppData\Local\CvevSVDCvu.exe | Code function: 16_2_0097403E CryptAcquireContextW,CryptGenRandom,16_2_0097403E
Source: C:\Users\user\AppData\Local\CvevSVDCvu.exe | Code function: 16_2_00975193 SetFileAttributesW,_wcsrchr,MoveFileW,CreateFileW,_memmove,CryptDestroyKey,SetFilePointerEx,WriteFile,SetEndOfFile,MoveFileW,CloseHandle,16_2_00975193
Source: C:\Users\user\AppData\Local\CvevSVDCvu.exe | Code function: 16_2_00973FBD _memmove,CryptEncrypt,16_2_00973FBD
Source: C:\Users\user\AppData\Local\CvevSVDCvu.exe | Code function: 16_2_009741DD CryptAcquireContextW,CryptGenRandom,_rand,_memmove,16_2_009741DD
Source: C:\Users\user\AppData\Local\CvevSVDCvu.exe | Code function: 16_2_00973FFF _memmove,CryptDecrypt,16_2_00973FFF
Source: C:\Users\user\AppData\Local\CvevSVDCvu.exe | Code function: 16_2_00974D46 SetFileAttributesW,_wcsrchr,GetFileAttributesW,CreateFileW,SetFilePointerEx,SetFilePointerEx,SetFilePointerEx,CreateFileW,_memset,WriteFile,ReadFile,_memmove,CryptDestroyKey,WriteFile,CryptDestroyKey,CloseHandle,CloseHandle,CloseHandle,DeleteFileW,16_2_00974D46

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | Code function: 0_2_00A456D4 _malloc,FindFirstFileW,FindNextFileW,FindClose,_free,0_2_00A456D4
Source: C:\Users\user\AppData\Local\CvevSVDCvu.exe | Code function: 16_2_009756D4 _malloc,FindFirstFileW,FindNextFileW,FindClose,_free,16_2_009756D4

Spam, unwanted Advertisements and Ransom Demands:

Deletes shadow drive data (may be related to ransomware)
Source: unknown | Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: unknown | Process created: C:\Windows\System32\wbem\WMIC.exe wmic shadowcopy delete
Source: CvevSVDCvu.exe, 00000000.00000002.24217892024.0000000002880000.00000004.00000040.sdmp | Binary or memory string: vssadmin delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic shadowcopy delete
Source: vssadmin.exe, 00000006.00000002.23800210067.0000017B84BB5000.00000004.00000040.sdmp | Binary or memory string: vssadmindeleteshadows/all/quiet
Source: vssadmin.exe, 00000006.00000002.23799856965.0000017B84910000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete ShadowStorage
Source: vssadmin.exe, 00000006.00000002.23799856965.0000017B84910000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete Shadows /Type=ClientAccessible /For=C:
Source: vssadmin.exe, 00000006.00000002.23799856965.0000017B84910000.00000002.00000001.sdmp | Binary or memory string: vssadmin Delete Shadows
Source: vssadmin.exe, 00000006.00000002.23799856965.0000017B84910000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete Shadows /For=C: /Oldest
Source: vssadmin.exe, 00000006.00000002.23799856965.0000017B84910000.00000002.00000001.sdmp | Binary or memory string: Example Usage: vssadmin Delete ShadowStorage /For=C: /On=D:
Source: vssadmin.exe, 00000006.00000002.23799948863.0000017B84920000.00000004.00000020.sdmp | Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quietvssadmin delete shadows /all /quietWinSta0\Default[
Source: vssadmin.exe, 00000006.00000002.23799948863.0000017B84920000.00000004.00000020.sdmp | Binary or memory string: vssadmin delete shadows /all /quiet
May disable shadow drive data (uses vssadmin)
Source: unknown | Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Writes many files with high entropy (the report lists the encrypted files dropped by C:\Users\user\Desktop\CvevSVDCvu.exe, each with an entropy above 7.99)
Contains functionality to import cryptographic keys (often used in ransomware)
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | Code function: 0_2_00A43F30 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptDestroyKey,0_2_00A43F30
Source: C:\Users\user\AppData\Local\CvevSVDCvu.exe | Code function: 16_2_00973F30 CryptAcquireContextW,CryptImportKey,CryptSetKeyParam,CryptDestroyKey,16_2_00973F30

Operating System Destruction:

Mass deletion, destroys many files
Source: c:\users\user\desktop\cvevsvdcvu.exe | File deleted: Number of file deletion 494 exceeds threshold 400

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | Process Stats: CPU usage > 98%
Creates mutexes
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2988:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2984:120:WilError_01
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\10963C4E000000
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\10963C4E000001
Sample file is different than original file name gathered from version info
Source: CvevSVDCvu.exe, 00000001.00000002.24262713777.0000000002580000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs CvevSVDCvu.exe
Sample reads its own file content
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | File read: C:\Users\user\Desktop\CvevSVDCvu.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | Section loaded: wow64log.dll
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Local\CvevSVDCvu.exe | Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Local\CvevSVDCvu.exe | Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Local\CvevSVDCvu.exe | Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CvevSVDCvu.exe | Section loaded: wow64log.dll
Classification label
Source: classification engine | Classification label: mal92.rans.adwa.evad.winEXE@24/1029@0/0
Contains functionality to enum processes or threads
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | Code function: 0_2_00A432FA CreateToolhelp32Snapshot,_memset,Process32FirstW,OpenProcess,TerminateProcess,CloseHandle,Process32NextW,FindCloseChangeNotification,0_2_00A432FA
Creates files inside the user directory
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | File created: C:\Users\user\AppData\Local\CvevSVDCvu.exe\:Zone.Identifier:$DATA
PE file has an executable .text section and no other executable section
Source: CvevSVDCvu.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads ini files
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | File read: C:\$Recycle.Bin\S-1-5-21-58933367-3072710494-194312298-1001\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: CvevSVDCvu.exe | virustotal: Detection: 78%
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\CvevSVDCvu.exe 'C:\Users\user\Desktop\CvevSVDCvu.exe'
Source: unknown | Process created: C:\Users\user\Desktop\CvevSVDCvu.exe C:\Users\user\Desktop\CvevSVDCvu.exe
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: unknown | Process created: C:\Windows\System32\netsh.exe netsh advfirewall set currentprofile state off
Source: unknown | Process created: C:\Windows\System32\netsh.exe netsh firewall set opmode mode=disable
Source: unknown | Process created: C:\Windows\System32\wbem\WMIC.exe wmic shadowcopy delete
Source: unknown | Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures
Source: unknown | Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled no
Source: unknown | Process created: C:\Users\user\AppData\Local\CvevSVDCvu.exe 'C:\Users\user\AppData\Local\CvevSVDCvu.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\CvevSVDCvu.exe 'C:\Users\user\AppData\Local\CvevSVDCvu.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\CvevSVDCvu.exe 'C:\Users\user\AppData\Local\CvevSVDCvu.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CvevSVDCvu.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CvevSVDCvu.exe'
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic shadowcopy delete
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled no
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh advfirewall set currentprofile state off
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh firewall set opmode mode=disable
Uses an in-process (OLE) Automation server
Source: C:\Windows\System32\vssadmin.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F2C2787D-95AB-40D4-942D-298F5F757874}\InProcServer32
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: CvevSVDCvu.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
PE file contains a valid data directory to section mapping
Source: CvevSVDCvu.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: CvevSVDCvu.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: CvevSVDCvu.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: CvevSVDCvu.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: CvevSVDCvu.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | Code function: 0_2_00A495CB LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00A495CB
PE file contains sections with non-standard names
Source: CvevSVDCvu.exe | Static PE information: section name: .cdata
Source: CvevSVDCvu.exe.0.dr | Static PE information: section name: .cdata
Source: CvevSVDCvu.exe0.0.dr | Static PE information: section name: .cdata
Source: CvevSVDCvu.exe.1.dr | Static PE information: section name: .cdata
Source: CvevSVDCvu.exe0.1.dr | Static PE information: section name: .cdata
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | Code function: 0_2_00A48A95 push ecx; ret 0_2_00A48AA8
Source: C:\Users\user\AppData\Local\CvevSVDCvu.exe | Code function: 16_2_00978A95 push ecx; ret 16_2_00978AA8

Persistence and Installation Behavior:

Uses bcdedit to modify the Windows boot settings
Source: unknown | Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures
Source: unknown | Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled no
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled no
Drops PE files
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CvevSVDCvu.exe
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\CvevSVDCvu.exe
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | File created: C:\Users\user\AppData\Local\CvevSVDCvu.exe
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\CvevSVDCvu.exe

Boot Survival:

Drops PE files to the startup folder
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CvevSVDCvu.exe
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\CvevSVDCvu.exe
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | File created: c:\programdata\microsoft\windows\start menu\programs\startup\CvevSVDCvu.exe
Stores files to the Windows start menu directory
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | File created: c:\programdata\microsoft\windows\start menu\programs\startup\CvevSVDCvu.exe
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\CvevSVDCvu.exe\:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | File created: c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\CvevSVDCvu.exe
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CvevSVDCvu.exe\:Zone.Identifier:$DATA
Creates an autostart registry key
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run CvevSVDCvu
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run CvevSVDCvu

Hooking and other Techniques for Hiding and Protection:

Creates files in the recycle bin to hide itself
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | File created: C:\$Recycle.Bin\S-1-5-18\desktop.ini.id[3C4E0000-1096].[lockhelp@qq.com].acute
Disables application error messages (SetErrorMode)
Source: C:\Windows\System32\netsh.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep (graph_0-5259)
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (graph_0-5444)
Source: C:\Users\user\AppData\Local\CvevSVDCvu.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Found evasive API chain checking for process token information
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes (graph_0-6307)
Source: C:\Users\user\AppData\Local\CvevSVDCvu.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\CvevSVDCvu.exe TID: 3760 | Thread sleep count: 37 > 30
Source: C:\Users\user\Desktop\CvevSVDCvu.exe TID: 2780 | Thread sleep count: 103 > 30
Source: C:\Users\user\Desktop\CvevSVDCvu.exe TID: 2780 | Thread sleep time: -103000s >= -30000s
Source: C:\Users\user\Desktop\CvevSVDCvu.exe TID: 2624 | Thread sleep time: -120000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | Code function: 0_2_00A456D4 _malloc,FindFirstFileW,FindNextFileW,FindClose,_free,0_2_00A456D4
Source: C:\Users\user\AppData\Local\CvevSVDCvu.exe | Code function: 16_2_009756D4 _malloc,FindFirstFileW,FindNextFileW,FindClose,_free,16_2_009756D4
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: CvevSVDCvu.exe, 00000001.00000002.24262713777.0000000002580000.00000002.00000001.sdmp, WMIC.exe, 0000000D.00000002.23807782699.000001BFD1AF0000.00000002.00000001.sdmp, bcdedit.exe, 0000000E.00000002.23810109038.0000024EEF060000.00000002.00000001.sdmp, bcdedit.exe, 0000000F.00000002.23812557921.000002305F650000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: CvevSVDCvu.exe, 00000001.00000002.24262713777.0000000002580000.00000002.00000001.sdmp, WMIC.exe, 0000000D.00000002.23807782699.000001BFD1AF0000.00000002.00000001.sdmp, bcdedit.exe, 0000000E.00000002.23810109038.0000024EEF060000.00000002.00000001.sdmp, bcdedit.exe, 0000000F.00000002.23812557921.000002305F650000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: CvevSVDCvu.exe, 00000001.00000002.24262713777.0000000002580000.00000002.00000001.sdmp, WMIC.exe, 0000000D.00000002.23807782699.000001BFD1AF0000.00000002.00000001.sdmp, bcdedit.exe, 0000000E.00000002.23810109038.0000024EEF060000.00000002.00000001.sdmp, bcdedit.exe, 0000000F.00000002.23812557921.000002305F650000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: CvevSVDCvu.exe, 00000001.00000002.24262713777.0000000002580000.00000002.00000001.sdmp, WMIC.exe, 0000000D.00000002.23807782699.000001BFD1AF0000.00000002.00000001.sdmp, bcdedit.exe, 0000000E.00000002.23810109038.0000024EEF060000.00000002.00000001.sdmp, bcdedit.exe, 0000000F.00000002.23812557921.000002305F650000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Program exit points
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | API call chain: ExitProcess graph end node (graph_0-5445)
Queries a list of all running processes
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | Process information queried: ProcessInformation

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Windows\System32\wbem\WMIC.exe | System information queried: KernelDebuggerInformation
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | Code function: 0_2_00A48CE9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00A48CE9
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | Code function: 0_2_00A495CB LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00A495CB
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | Code function: 0_2_00A48238 SetUnhandledExceptionFilter,0_2_00A48238
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | Code function: 0_2_00A48CE9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00A48CE9
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | Code function: 0_2_00A49936 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00A49936
Source: C:\Users\user\AppData\Local\CvevSVDCvu.exe | Code function: 16_2_00978238 SetUnhandledExceptionFilter,16_2_00978238
Source: C:\Users\user\AppData\Local\CvevSVDCvu.exe | Code function: 16_2_00978CE9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_00978CE9
Source: C:\Users\user\AppData\Local\CvevSVDCvu.exe | Code function: 16_2_00979936 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,16_2_00979936

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe vssadmin delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic shadowcopy delete
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\bcdedit.exe bcdedit /set {default} recoveryenabled no
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh advfirewall set currentprofile state off
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh firewall set opmode mode=disable
May try to detect the Windows Explorer process (often used for injection)
Source: CvevSVDCvu.exe, 00000000.00000002.24215275284.00000000013D0000.00000002.00000001.sdmp, CvevSVDCvu.exe, 00000001.00000002.24254663323.0000000000DF0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: CvevSVDCvu.exe, 00000000.00000002.24215275284.00000000013D0000.00000002.00000001.sdmp, CvevSVDCvu.exe, 00000001.00000002.24254663323.0000000000DF0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: CvevSVDCvu.exe, 00000000.00000002.24215275284.00000000013D0000.00000002.00000001.sdmp, CvevSVDCvu.exe, 00000001.00000002.24254663323.0000000000DF0000.00000002.00000001.sdmp | Binary or memory string: Program Manager6
Source: CvevSVDCvu.exe, 00000000.00000002.24215275284.00000000013D0000.00000002.00000001.sdmp, CvevSVDCvu.exe, 00000001.00000002.24254663323.0000000000DF0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | Code function: GetTickCount,GetLocaleInfoW,CreateThread,CreateThread,Sleep,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,ReleaseMutex,CloseHandle,0_2_00A4210E
Source: C:\Users\user\AppData\Local\CvevSVDCvu.exe | Code function: GetTickCount,GetLocaleInfoW,CreateThread,CreateThread,Sleep,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,WaitForMultipleObjects,CloseHandle,ReleaseMutex,CloseHandle,16_2_0097210E
Queries the volume information (name, serial number etc.) of a device
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | Queries volume information: C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\51__Connections.provxml.id[3C4E0000-1096].[lockhelp@qq.com].acute VolumeInformation
Source: C:\Windows\System32\netsh.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\CvevSVDCvu.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CvevSVDCvu.exe | Queries volume information: C:\ VolumeInformation
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | Code function: 0_2_00A48C3F GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_00A48C3F
Contains functionality to query the Windows version
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | Code function: 0_2_00A42E4F GetVersion,GetCurrentProcess,OpenProcessToken,GetTokenInformation,FindCloseChangeNotification,0_2_00A42E4F
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\CvevSVDCvu.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the Windows firewall
Source: unknown | Process created: C:\Windows\System32\netsh.exe netsh advfirewall set currentprofile state off
Uses netsh to modify the Windows network and firewall settings
Source: unknown | Process created: C:\Windows\System32\netsh.exe netsh advfirewall set currentprofile state off

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 156316 | Sample: CvevSVDCvu | Start date: 25/07/2019 | Architecture: WINDOWS | Score: 92

Graph nodes, flattened as a process tree (the numbers after a process name are the graph's own counts, per the legend: created registry values and created files; node numbers are the graph's):

Root (node 2) signatures: Antivirus or Machine Learning detection for sample; Multi AV Scanner detection for submitted file; May disable shadow drive data (uses vssadmin); 5 other signatures
  • CvevSVDCvu.exe 1 501 (node 7) started
    Dropped: C:\ProgramData\Microsoft\...\CvevSVDCvu.exe (PE32); C:\...\CvevSVDCvu.exe:Zone.Identifier (ASCII); dmrc.idx.id[3C4E00...khelp@qq.com].acute (data); 69 other files (57 malicious)
    Signatures: Creates files in the recycle bin to hide itself; Drops PE files to the startup folder; Writes many files with high entropy
    • cmd.exe 1 (node 17) started
      Signatures: May disable shadow drive data (uses vssadmin); Deletes shadow drive data (may be related to ransomware); Uses bcdedit to modify the Windows boot settings
      • bcdedit.exe 1 (node 25) started
      • bcdedit.exe 1 (node 27) started
      • WMIC.exe 1 (node 29) started
      • 2 other processes (node 37)
    • CvevSVDCvu.exe 1 7 (node 20) started
      Dropped: C:\Users\user\AppData\...\CvevSVDCvu.exe (PE32); C:\Users\user\AppData\Local\CvevSVDCvu.exe (PE32); C:\Users\...\CvevSVDCvu.exe:Zone.Identifier (ASCII); C:\Users\...\CvevSVDCvu.exe:Zone.Identifier (ASCII)
    • cmd.exe 1 (node 23) started
      • netsh.exe 1 3 (node 31) started
      • netsh.exe 3 (node 33) started
      • conhost.exe (node 35) started
  • CvevSVDCvu.exe (node 11) started
  • CvevSVDCvu.exe (node 13) started
  • 2 other processes (node 15)

Simulations

Behavior and APIs

Time | Type | Description
13:34:08 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run CvevSVDCvu C:\Users\user\AppData\Local\CvevSVDCvu.exe
13:34:13 | API Interceptor | 9x Sleep call for process: CvevSVDCvu.exe modified
13:34:16 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run CvevSVDCvu C:\Users\user\AppData\Local\CvevSVDCvu.exe
13:34:25 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run CvevSVDCvu C:\Users\user\AppData\Local\CvevSVDCvu.exe
13:34:34 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CvevSVDCvu.exe

Antivirus and Machine Learning Detection

Initial Sample

Source | Detection | Scanner | Label
CvevSVDCvu.exe | 79% | virustotal |
CvevSVDCvu.exe | 100% | Avira | TR/Crypt.XPACK.Gen
CvevSVDCvu.exe | 100% | Joe Sandbox ML |

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
16.0.CvevSVDCvu.exe.970000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
17.2.CvevSVDCvu.exe.970000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
21.2.CvevSVDCvu.exe.970000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
17.0.CvevSVDCvu.exe.970000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
1.0.CvevSVDCvu.exe.a40000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.0.CvevSVDCvu.exe.a40000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.CvevSVDCvu.exe.a40000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
21.0.CvevSVDCvu.exe.970000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
1.2.CvevSVDCvu.exe.a40000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
16.2.CvevSVDCvu.exe.970000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
16.0.CvevSVDCvu.exe.970000.0.unpack | 100% | Joe Sandbox ML |
17.2.CvevSVDCvu.exe.970000.0.unpack | 100% | Joe Sandbox ML |
21.2.CvevSVDCvu.exe.970000.0.unpack | 100% | Joe Sandbox ML |
17.0.CvevSVDCvu.exe.970000.0.unpack | 100% | Joe Sandbox ML |
1.0.CvevSVDCvu.exe.a40000.0.unpack | 100% | Joe Sandbox ML |
0.0.CvevSVDCvu.exe.a40000.0.unpack | 100% | Joe Sandbox ML |
0.2.CvevSVDCvu.exe.a40000.0.unpack | 100% | Joe Sandbox ML |
21.0.CvevSVDCvu.exe.970000.0.unpack | 100% | Joe Sandbox ML |
1.2.CvevSVDCvu.exe.a40000.1.unpack | 100% | Joe Sandbox ML |
17.1.CvevSVDCvu.exe.970000.0.unpack | 100% | Joe Sandbox ML |
1.1.CvevSVDCvu.exe.a40000.0.unpack | 100% | Joe Sandbox ML |
16.2.CvevSVDCvu.exe.970000.0.unpack | 100% | Joe Sandbox ML |
21.1.CvevSVDCvu.exe.970000.0.unpack | 100% | Joe Sandbox ML |
0.1.CvevSVDCvu.exe.a40000.0.unpack | 100% | Joe Sandbox ML |
22.1.CvevSVDCvu.exe.bf0000.0.unpack | 100% | Joe Sandbox ML |
16.1.CvevSVDCvu.exe.970000.0.unpack | 100% | Joe Sandbox ML |

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context