Analysis
- max time kernel: 107s
- max time network: 57s
- platform: windows7_x64
- resource: win7v200217
- submitted: 02-03-2020 14:49
Static task
static1
Behavioral task
behavioral1
Sample
Revised Proforma.exe
Resource
win7v200217
windows7_x64
0 signatures
0 seconds
General
- Target: Revised Proforma.exe
- Size: 824KB
- MD5: 77a2f8cbf67a4300fc43a1d3d9fb837d
- SHA1: 6698b2e49ea6eb0a9eb3612cdbd32ec123f8e7f0
- SHA256: eea93e9618df03aea319fbb6098aebaa2c2ab45940435f15915917c3c0e3f202
- SHA512: 0808d509d2d5b22d2d8f4d49f0f4856f416f2479f207f1242424cd4d4aaf9a5c9b83e02394810b992a877022f9c847d5b5cb814b16012ea3731d1f7d126e60d9
Malware Config
Signatures
-
Drops file in Program Files directory 538 IoCs
Processes:
Revised Proforma.exe
description | ioc | process
File renamed | C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe => C:\Program Files\Java\jdk1.7.0_80\bin\vjvisualvm.exe | Revised Proforma.exe
File renamed | C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe => C:\Program Files\Java\jdk1.7.0_80\jre\bin\vklist.exe | Revised Proforma.exe
File opened for modification | C:\Program Files\Windows Mail\wab.exe | Revised Proforma.exe
File created | C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe | Revised Proforma.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\vSetup.exe | Revised Proforma.exe
File deleted | C:\Program Files\7-Zip\v7zG.ico | Revised Proforma.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\vnative2ascii.exe | Revised Proforma.exe
File created | C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe | Revised Proforma.exe
File renamed | C:\Program Files\VideoLAN\VLC\uninstall.exe => C:\Program Files\VideoLAN\VLC\vuninstall.exe | Revised Proforma.exe
File deleted | C:\Program Files\VideoLAN\VLC\vuninstall.ico | Revised Proforma.exe
File deleted | C:\Program Files\Java\jdk1.7.0_80\bin\vjvisualvm.ico | Revised Proforma.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Smart Tag\SmartTagInstall.exe | Revised Proforma.exe
File created | C:\Program Files\Common Files\Microsoft Shared\Smart Tag\SmartTagInstall.exe | Revised Proforma.exe
File renamed | C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe => C:\Program Files\Java\jdk1.7.0_80\bin\vjavah.exe | Revised Proforma.exe
File created | C:\Program Files\Java\jdk1.7.0_80\bin\vjvisualvm.ico | Revised Proforma.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | Revised Proforma.exe
File renamed | C:\Program Files\Common Files\Microsoft Shared\Smart Tag\SmartTagInstall.exe => C:\Program Files\Common Files\Microsoft Shared\Smart Tag\vSmartTagInstall.exe | Revised Proforma.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe | Revised Proforma.exe
File created | C:\Program Files\Java\jdk1.7.0_80\bin\vjstack.ico | Revised Proforma.exe
File created | C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe | Revised Proforma.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\RCX7506.tmp | Revised Proforma.exe
File created | C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe | Revised Proforma.exe
File created | C:\Program Files\Java\jdk1.7.0_80\bin\vktab.ico | Revised Proforma.exe
File renamed | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe => C:\Program Files\Java\jdk1.7.0_80\jre\bin\vjavaw.exe | Revised Proforma.exe
File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe | Revised Proforma.exe
File created | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\ODeploy.exe | Revised Proforma.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe | Revised Proforma.exe
File renamed | C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe => C:\Program Files\Java\jdk1.7.0_80\bin\vrmic.exe | Revised Proforma.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe | Revised Proforma.exe
File created | C:\Program Files\7-Zip\7zFM.exe | Revised Proforma.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe | Revised Proforma.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | Revised Proforma.exe
File renamed | C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe => C:\Program Files\Java\jdk1.7.0_80\bin\vjcmd.exe | Revised Proforma.exe
File created | C:\Program Files\VideoLAN\VLC\vuninstall.ico | Revised Proforma.exe
File renamed | C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE => C:\Program Files\Common Files\Microsoft Shared\Source Engine\vOSE.EXE | Revised Proforma.exe
File created | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\vLICLUA.ico | Revised Proforma.exe
File created | C:\Program Files\Java\jdk1.7.0_80\bin\vapt.ico | Revised Proforma.exe
File renamed | C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe => C:\Program Files\Java\jdk1.7.0_80\bin\vrmid.exe | Revised Proforma.exe
File created (read-only) | C:\Program Files\Java\jdk1.7.0_80\jre\bin\RCX7B86.tmp | Revised Proforma.exe
File renamed | C:\Program Files\Common Files\Microsoft Shared\DW\RCX733E.tmp => C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE | Revised Proforma.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe | Revised Proforma.exe
File created (read-only) | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\RCX7565.tmp | Revised Proforma.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\vjabswitch.exe | Revised Proforma.exe
File created | C:\Program Files\Common Files\Microsoft Shared\DW\vDWTRIG20.ico | Revised Proforma.exe
File renamed | C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe => C:\Program Files\Java\jdk1.7.0_80\bin\vtnameserv.exe | Revised Proforma.exe
File opened for modification | C:\Program Files\Java\jre7\bin\jabswitch.exe | Revised Proforma.exe
File created | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\vOSPPREARM.ico | Revised Proforma.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe | Revised Proforma.exe
File renamed | C:\Program Files\Java\jdk1.7.0_80\jre\bin\RCX7B76.tmp => C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe | Revised Proforma.exe
File renamed | C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe => C:\Program Files\Java\jdk1.7.0_80\jre\bin\vkeytool.exe | Revised Proforma.exe
File opened for modification | C:\Program Files\7-Zip\RCX72EE.tmp | Revised Proforma.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\msinfo32.exe.mui | Revised Proforma.exe
File created | C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe | Revised Proforma.exe
File created | C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe | Revised Proforma.exe
File created | C:\Program Files\Java\jdk1.7.0_80\bin\vkeytool.ico | Revised Proforma.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe | Revised Proforma.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Revised Proforma.exe
File deleted | C:\Program Files\7-Zip\vUninstall.ico | Revised Proforma.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\RCX75D3.tmp | Revised Proforma.exe
File created | C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe | Revised Proforma.exe
File created (read-only) | C:\Program Files\Java\jdk1.7.0_80\jre\bin\RCX7BA7.tmp | Revised Proforma.exe
File renamed | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\com.oracle.jmc.executable.win32.win32.x86_64_5.5.0 => C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\vcom.oracle.jmc.executable.win32.win32.x86_64_5.5.0 | Revised Proforma.exe
File created | C:\Program Files\Java\jre7\bin\jabswitch.exe | Revised Proforma.exe
File renamed | C:\Program Files\7-Zip\RCX72EE.tmp => C:\Program Files\7-Zip\7zG.exe | Revised Proforma.exe
-
Drops file in Windows directory 1 IoCs
Processes:
Revised Proforma.exe
description | ioc | process
File opened for modification | C:\Windows\bfsvc.exe | Revised Proforma.exe
-
Processes:
Revised Proforma.exe
description | ioc | process
File opened for modification | C:\autorun.inf | Revised Proforma.exe
File renamed | C:\hold.inf => C:\autorun.inf | Revised Proforma.exe
-
Loads dropped DLL 83 IoCs
Processes:
Revised Proforma.exe
pid | process
1860 | Revised Proforma.exe
(The original table repeats this single pid/process row once per loaded DLL; the DLL paths themselves are not listed in it.)
-
Drops startup file 1 IoCs
Processes:
Revised Proforma.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Paint.lnk | Revised Proforma.exe
Processes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Program Files\7-Zip\v7z.exe
- \Program Files\7-Zip\v7zFM.exe
- \Program Files\7-Zip\v7zG.exe
- \Program Files\7-Zip\vUninstall.exe
- \Program Files\Common Files\Microsoft Shared\DW\vDW20.EXE
- \Program Files\Common Files\Microsoft Shared\DW\vDWTRIG20.EXE
- \Program Files\Common Files\Microsoft Shared\EQUATION\vEQNEDT32.EXE
- \Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\vODeploy.exe
- \Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\vSetup.exe
- \Program Files\Common Files\Microsoft Shared\OFFICE14\vFLTLDR.EXE
- \Program Files\Common Files\Microsoft Shared\OFFICE14\vLICLUA.EXE
- \Program Files\Common Files\Microsoft Shared\OFFICE14\vMSOICONS.EXE
- \Program Files\Common Files\Microsoft Shared\OFFICE14\vMSOXMLED.EXE
- \Program Files\Common Files\Microsoft Shared\OFFICE14\vOarpmany.exe
- \Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\vOSPPREARM.EXE
- \Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\vOSPPSVC.EXE
- \Program Files\Common Files\Microsoft Shared\Smart Tag\vSmartTagInstall.exe
- \Program Files\Common Files\Microsoft Shared\Source Engine\vOSE.EXE
- \Program Files\Java\jdk1.7.0_80\bin\vappletviewer.exe
- \Program Files\Java\jdk1.7.0_80\bin\vapt.exe
- \Program Files\Java\jdk1.7.0_80\bin\vextcheck.exe
- \Program Files\Java\jdk1.7.0_80\bin\vidlj.exe
- \Program Files\Java\jdk1.7.0_80\bin\vjabswitch.exe
- \Program Files\Java\jdk1.7.0_80\bin\vjar.exe
- \Program Files\Java\jdk1.7.0_80\bin\vjarsigner.exe
- \Program Files\Java\jdk1.7.0_80\bin\vjava-rmi.exe
- \Program Files\Java\jdk1.7.0_80\bin\vjava.exe
- \Program Files\Java\jdk1.7.0_80\bin\vjavac.exe
- \Program Files\Java\jdk1.7.0_80\bin\vjavadoc.exe
- \Program Files\Java\jdk1.7.0_80\bin\vjavafxpackager.exe
- \Program Files\Java\jdk1.7.0_80\bin\vjavah.exe
- \Program Files\Java\jdk1.7.0_80\bin\vjavap.exe
- \Program Files\Java\jdk1.7.0_80\bin\vjavaw.exe
- \Program Files\Java\jdk1.7.0_80\bin\vjavaws.exe
- \Program Files\Java\jdk1.7.0_80\bin\vjcmd.exe
- \Program Files\Java\jdk1.7.0_80\bin\vjconsole.exe
- \Program Files\Java\jdk1.7.0_80\bin\vjdb.exe
- \Program Files\Java\jdk1.7.0_80\bin\vjhat.exe
- \Program Files\Java\jdk1.7.0_80\bin\vjinfo.exe
- \Program Files\Java\jdk1.7.0_80\bin\vjmap.exe
- \Program Files\Java\jdk1.7.0_80\bin\vjmc.exe
- \Program Files\Java\jdk1.7.0_80\bin\vjps.exe
- \Program Files\Java\jdk1.7.0_80\bin\vjrunscript.exe
- \Program Files\Java\jdk1.7.0_80\bin\vjsadebugd.exe
- \Program Files\Java\jdk1.7.0_80\bin\vjstack.exe
- \Program Files\Java\jdk1.7.0_80\bin\vjstat.exe
- \Program Files\Java\jdk1.7.0_80\bin\vjstatd.exe
- \Program Files\Java\jdk1.7.0_80\bin\vjvisualvm.exe
- \Program Files\Java\jdk1.7.0_80\bin\vkeytool.exe
- \Program Files\Java\jdk1.7.0_80\bin\vkinit.exe
- \Program Files\Java\jdk1.7.0_80\bin\vklist.exe
- \Program Files\Java\jdk1.7.0_80\bin\vktab.exe
- \Program Files\Java\jdk1.7.0_80\bin\vnative2ascii.exe
- \Program Files\Java\jdk1.7.0_80\bin\vorbd.exe
- \Program Files\Java\jdk1.7.0_80\bin\vpack200.exe
- \Program Files\Java\jdk1.7.0_80\bin\vpolicytool.exe
- \Program Files\Java\jdk1.7.0_80\bin\vrmic.exe
- \Program Files\Java\jdk1.7.0_80\bin\vrmid.exe
- \Program Files\Java\jdk1.7.0_80\bin\vrmiregistry.exe
- \Program Files\Java\jdk1.7.0_80\bin\vschemagen.exe
- \Program Files\Java\jdk1.7.0_80\bin\vserialver.exe
- \Program Files\Java\jdk1.7.0_80\bin\vservertool.exe
- \Program Files\Java\jdk1.7.0_80\bin\vtnameserv.exe
- \Program Files\Java\jdk1.7.0_80\bin\vunpack200.exe
- \Program Files\Java\jdk1.7.0_80\bin\vwsgen.exe
- \Program Files\Java\jdk1.7.0_80\bin\vwsimport.exe
- \Program Files\Java\jdk1.7.0_80\bin\vxjc.exe
- \Program Files\Java\jdk1.7.0_80\jre\bin\vjabswitch.exe
- \Program Files\Java\jdk1.7.0_80\jre\bin\vjava-rmi.exe
- \Program Files\Java\jdk1.7.0_80\jre\bin\vjava.exe
- \Program Files\Java\jdk1.7.0_80\jre\bin\vjavacpl.exe
- \Program Files\Java\jdk1.7.0_80\jre\bin\vjavaw.exe
- \Program Files\Java\jdk1.7.0_80\jre\bin\vjavaws.exe
- \Program Files\Java\jdk1.7.0_80\jre\bin\vjp2launcher.exe
- \Program Files\Java\jdk1.7.0_80\jre\bin\vkeytool.exe
- \Program Files\Java\jdk1.7.0_80\jre\bin\vkinit.exe
- \Program Files\Java\jdk1.7.0_80\jre\bin\vklist.exe
- \Program Files\Java\jdk1.7.0_80\jre\lib\vlauncher.exe
- \Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\vnbexec.exe
- \Program Files\Java\jre7\bin\vjabswitch.exe
- \Program Files\Microsoft Office\Office14\vACCICONS.EXE
- \Program Files\VideoLAN\VLC\vuninstall.exe
- \Users\Admin\AppData\Roaming\Paint.exe