a1888327cfb6aadca45433077cfa6ba5b14ebe4939978c2cefa554d9ec6902e4 | Triage

Analysis

max time kernel
56s
max time network
38s
platform
windows7_x64
resource
win7
submitted
13-07-2020 00:30

Sharing

Report Analysis Logs

General

Target

prevxcsifree.exe
Size

915KB
MD5

be3fe5bcd8618fe557eba2ee42bb929f
SHA1

5df89d70d7dcff69179c472a0dee623fe225dae9
SHA256

a1888327cfb6aadca45433077cfa6ba5b14ebe4939978c2cefa554d9ec6902e4
SHA512

ec9d09c89600af5e999d0c1a73d2c45b43e4e06d2f6fefccaa307b64c3ad29a54e8f9908c8e0780c954553e1f1a5be7cbeacdcc33cd1e573d4be3bc806dfa6be

Score

8^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

prevxcsifree.exe

pid process

240 prevxcsifree.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

prevxcsifree.exe

description	pid	process	target process
PID 240 wrote to memory of 112	240	prevxcsifree.exe	pvxinst638.exe
PID 240 wrote to memory of 112	240	prevxcsifree.exe	pvxinst638.exe
PID 240 wrote to memory of 112	240	prevxcsifree.exe	pvxinst638.exe
PID 240 wrote to memory of 112	240	prevxcsifree.exe	pvxinst638.exe

Executes dropped EXE 1 IoCs

Processes:

pvxinst638.exe

pid process

112 pvxinst638.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

pvxinst638.exe

pid process

112 pvxinst638.exe
Drops file in Windows directory 1 IoCs

Processes:

prevxcsifree.exe

description ioc process

File opened for modification C:\Windows\wininit.ini prevxcsifree.exe

C:\Users\Admin\AppData\Local\Temp\prevxcsifree.exe
"C:\Users\Admin\AppData\Local\Temp\prevxcsifree.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
- Drops file in Windows directory
PID:240
- C:\Users\Admin\AppData\Local\Temp\pvxinst638.exe
  /prop PRIORITY=Y /prop INSTSHELL=Y /prop INSTNAME="prevxcsifree.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:112

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pvxinst638.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\pvxinst638.exe

Download Submit
\Users\Admin\AppData\Local\Temp\pvxinst638.exe

Download Submit
memory/112-2-0x0000000000000000-mapping.dmp

Download
memory/240-1-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download