eea93e9618df03aea319fbb6098aebaa2c2ab45940435f15915917c3c0e3f202

General

Target

Revised Proforma.exe
Size

824KB
MD5

77a2f8cbf67a4300fc43a1d3d9fb837d
SHA1

6698b2e49ea6eb0a9eb3612cdbd32ec123f8e7f0
SHA256

eea93e9618df03aea319fbb6098aebaa2c2ab45940435f15915917c3c0e3f202
SHA512

0808d509d2d5b22d2d8f4d49f0f4856f416f2479f207f1242424cd4d4aaf9a5c9b83e02394810b992a877022f9c847d5b5cb814b16012ea3731d1f7d126e60d9

Score

7^/10

spreading trojan

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

Revised Proforma.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Paint.lnk Revised Proforma.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Paint.lnk	Revised Proforma.exe

Drops file in Program Files directory 634 IoCs

Processes:

Revised Proforma.exe

description	ioc	process
File renamed	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\misc.exe => C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\vmisc.exe	Revised Proforma.exe
File renamed	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\RCX892B.tmp => C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\misc.exe	Revised Proforma.exe
File created	C:\Program Files\VideoLAN\VLC\uninstall.exe	Revised Proforma.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\vjarsigner.ico	Revised Proforma.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	Revised Proforma.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	Revised Proforma.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\wsgen.exe	Revised Proforma.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\RCX81A2.tmp	Revised Proforma.exe
File renamed	C:\Program Files\7-Zip\7z.exe => C:\Program Files\7-Zip\v7z.exe	Revised Proforma.exe
File renamed	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe => C:\Program Files\Java\jdk1.8.0_66\bin\vjabswitch.exe	Revised Proforma.exe
File deleted	C:\Program Files\Java\jdk1.8.0_66\bin\vjvisualvm.ico	Revised Proforma.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\vnative2ascii.ico	Revised Proforma.exe
File renamed	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2launcher.exe => C:\Program Files\Java\jdk1.8.0_66\jre\bin\vjp2launcher.exe	Revised Proforma.exe
File renamed	C:\Program Files\7-Zip\7zG.exe => C:\Program Files\7-Zip\v7zG.exe	Revised Proforma.exe
File renamed	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe => C:\Program Files\Java\jdk1.8.0_66\bin\vjavafxpackager.exe	Revised Proforma.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\vjstack.exe	Revised Proforma.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	Revised Proforma.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe	Revised Proforma.exe
File created	C:\Program Files\7-Zip\v7zFM.ico	Revised Proforma.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Revised Proforma.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\vjava.ico	Revised Proforma.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\vSQLDumper.exe	Revised Proforma.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\misc.exe	Revised Proforma.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	Revised Proforma.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\RCX8152.tmp	Revised Proforma.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\accicons.exe	Revised Proforma.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\vjavadoc.ico	Revised Proforma.exe
File renamed	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe => C:\Program Files\Java\jdk1.8.0_66\bin\vkinit.exe	Revised Proforma.exe
File renamed	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\RCX890B.tmp => C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\misc.exe	Revised Proforma.exe
File renamed	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE => C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\vFLTLDR.EXE	Revised Proforma.exe
File opened for modification	C:\Program Files\7-Zip\RCX79E6.tmp	Revised Proforma.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\vInspectorOfficeGadget.ico	Revised Proforma.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\vextcheck.exe	Revised Proforma.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	Revised Proforma.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\vjjs.exe	Revised Proforma.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\vrmid.exe	Revised Proforma.exe
File deleted	C:\Program Files\Microsoft Office\root\Office16\vCLVIEW.ico	Revised Proforma.exe
File renamed	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\RCX88DB.tmp => C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe	Revised Proforma.exe
File renamed	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe => C:\Program Files\Java\jdk1.8.0_66\bin\vjdb.exe	Revised Proforma.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\vxjc.ico	Revised Proforma.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\vjavacpl.exe	Revised Proforma.exe
File renamed	C:\Program Files\Java\jdk1.8.0_66\jre\bin\RCX8152.tmp => C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe	Revised Proforma.exe
File renamed	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmid.exe => C:\Program Files\Java\jdk1.8.0_66\jre\bin\vrmid.exe	Revised Proforma.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\vjrunscript.exe	Revised Proforma.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe	Revised Proforma.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\RCX890B.tmp	Revised Proforma.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\vjavaw.ico	Revised Proforma.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\vjavacpl.ico	Revised Proforma.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\vktab.exe	Revised Proforma.exe
File renamed	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-1000-0000000FF1CE}\RCX88AB.tmp => C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-1000-0000000FF1CE}\misc.exe	Revised Proforma.exe
File renamed	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe => C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\vmisc.exe	Revised Proforma.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\vmisc.ico	Revised Proforma.exe
File deleted	C:\Program Files\Common Files\microsoft shared\ClickToRun\vOfficeC2RClient.ico	Revised Proforma.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\vjabswitch.exe	Revised Proforma.exe
File renamed	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe => C:\Program Files\Java\jdk1.8.0_66\bin\vjava.exe	Revised Proforma.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe	Revised Proforma.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\vMavInject32.ico	Revised Proforma.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	Revised Proforma.exe
File created (read-only)	C:\Program Files\VideoLAN\VLC\RCX898B.tmp	Revised Proforma.exe
File renamed	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe => C:\Program Files\Java\jdk1.8.0_66\bin\vjavadoc.exe	Revised Proforma.exe
File renamed	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe => C:\Program Files\Java\jdk1.8.0_66\bin\vjps.exe	Revised Proforma.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\RCX83B7.tmp	Revised Proforma.exe
File deleted	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\vmisc.ico	Revised Proforma.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	Revised Proforma.exe

Drops file in Windows directory 1 IoCs

Processes:

Revised Proforma.exe

description ioc process

File opened for modification C:\Windows\bfsvc.exe Revised Proforma.exe
Drops autorun.inf file 1 TTPs 2 IoCs
spreading trojan

Replication Through Removable Media
T1091

Processes:

Revised Proforma.exe

description ioc process

File renamed C:\hold.inf => C:\autorun.inf Revised Proforma.exe
File opened for modification C:\autorun.inf Revised Proforma.exe

description	ioc	process
File opened for modification	C:\Windows\bfsvc.exe	Revised Proforma.exe

description	ioc	process
File renamed	C:\hold.inf => C:\autorun.inf	Revised Proforma.exe
File opened for modification	C:\autorun.inf	Revised Proforma.exe

C:\Users\Admin\AppData\Local\Temp\Revised Proforma.exe
"C:\Users\Admin\AppData\Local\Temp\Revised Proforma.exe"
1⤵
- Drops startup file
- Drops file in Program Files directory
- Drops file in Windows directory
- Drops autorun.inf file
PID:3972

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Exfiltration

Command and Control

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads