Analysis
max time kernel: 22s
max time network: 40s
platform: windows7_x64
resource: win7v20210408
submitted: 17-06-2021 07:20

Static task: static1
Behavioral task: behavioral1 (Sample: Proforma.exe, Resource: win7v20210408)
Behavioral task: behavioral2 (Sample: Proforma.exe, Resource: win10v20210410)
General
Target: Proforma.exe
Size: 4KB
MD5: c57cea8db447cb9bec608f939026bd86
SHA1: e48f6b38215a9b26a31901c67d93da244ad1a546
SHA256: c66e973686ee6d1761be2781a9f27f0f8d81fad4db088d836bebf6055cba193f
SHA512: bae53eba4576b0d0ad261e1c79916a06c8a70e7545609c65ece25d6c6bb7c8eccbbedc1aa7a368e4ff310e2315c8d2b67d053c09c97eb07ae7a27653b939f4c0
Malware Config
Signatures
Downloads MZ/PE file

Executes dropped EXE (2 IoCs)
Processes:
  PID 1632  tg.exe
  PID 1464  tg.exe

Deletes itself (1 IoC)
Processes:
  PID 524  cmd.exe

Loads dropped DLL (2 IoCs)
Processes:
  PID 1632  tg.exe
  PID 1464  tg.exe
Detects Pyinstaller (4 IoCs)
Resource / yara_rule:
  C:\Users\Admin\AppData\Local\Temp\tg.exe   pyinstaller
  C:\Users\Admin\AppData\Local\Temp\tg.exe   pyinstaller
  \Users\Admin\AppData\Local\Temp\tg.exe     pyinstaller
  C:\Users\Admin\AppData\Local\Temp\tg.exe   pyinstaller
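The yara_rule named pyinstaller is not reproduced in the report. What such a rule keys on, and what an analyst can confirm by hand before unpacking, is the CArchive cookie the PyInstaller bootloader appends to a one-file executable: an 88-byte record that starts with the magic MEI\x0c\x0b\x0a\x0b\x0e and records the package length, table-of-contents offset and length, the Python version and the name of the bundled interpreter DLL (python39.dll for this sample, matching the DLL extracted to _MEI16322). The check below is an added example, not the sandbox's rule or PyInstaller's own code. It searches from the end of the file because the bootloader itself contains the magic string, so the last occurrence is the real cookie; the version-number decoding (two digits in older PyInstaller releases, three in newer ones) is handled for both layouts; the sample bytes are constructed here and are not taken from tg.exe.

```python
import struct

# Cookie layout used by PyInstaller's bootloader/reader (PyInstaller 2.1 and later):
# magic, package length, TOC offset, TOC length, python version, interpreter DLL name.
PYINST_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8sIIii64s"
COOKIE_LEN = struct.calcsize(COOKIE_FMT)   # 88 bytes


def parse_pyinstaller_cookie(data: bytes):
    """Return the decoded cookie if `data` looks like a PyInstaller one-file binary, else None.

    The magic is searched from the end: the bootloader code that reads the cookie
    contains the same string, so an earlier hit is not the archive trailer.
    """
    idx = data.rfind(PYINST_MAGIC)
    if idx < 0 or idx + COOKIE_LEN > len(data):
        return None
    magic, pkg_len, toc_pos, toc_len, pyvers, pylib = struct.unpack(
        COOKIE_FMT, data[idx:idx + COOKIE_LEN]
    )
    # Older releases store e.g. 39 for 3.9, newer ones store 309 (assumption:
    # decode both, as PyInstaller's own reader does, rather than pin a release).
    if pyvers >= 100:
        major, minor = divmod(pyvers, 100)
    else:
        major, minor = divmod(pyvers, 10)
    return {
        "cookie_offset": idx,
        "package_length": pkg_len,
        "toc_offset": toc_pos,
        "toc_length": toc_len,
        "python_version": f"{major}.{minor}",
        "pylib": pylib.rstrip(b"\x00").decode("ascii", "replace"),
    }


def build_sample(pylib: bytes = b"python39.dll", pyvers: int = 309) -> bytes:
    """Constructed stand-in for a one-file binary: fake MZ stub, dummy payload, real cookie layout."""
    stub = b"MZ" + b"\x00" * 62 + b"fake PE image " * 8
    package = b"\x00" * 256                      # stands in for the CArchive payload
    cookie = struct.pack(
        COOKIE_FMT,
        PYINST_MAGIC,
        len(package) + COOKIE_LEN,               # package length includes the cookie
        len(package) - 16,                       # TOC offset (relative to archive start)
        16,                                      # TOC length
        pyvers,
        pylib.ljust(64, b"\x00"),
    )
    return stub + package + cookie


if __name__ == "__main__":
    print(parse_pyinstaller_cookie(build_sample()))
    print(parse_pyinstaller_cookie(b"MZ" + b"\x00" * 200))   # plain file: None
```

On a real sample, pass the whole file contents to parse_pyinstaller_cookie; a result with pylib python39.dll is the same evidence the four pyinstaller IoCs above express, and the TOC fields are what an unpacker then uses to walk the archive.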
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies system certificate store
Processes:
  Proforma.exe  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
  Proforma.exe  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (value omitted)
The thumbprint DAC9024F54D8F6DF94935FB1732638CA6AD77C13 is that of the public DST Root CA X3 root. Windows populates AuthRoot\Certificates on demand when a TLS chain ends in a root that is not yet cached locally, so this entry is consistent with the network activity behind the "Downloads MZ/PE file" signature and is not, on its own, evidence that the sample installs a certificate of its own.
Runs ping.exe (1 TTP, 1 IoC)
Processes:
  PID 640  PING.EXE  ping 127.0.0.1
The ping against loopback is a delay: the DEL that follows it in the same cmd.exe command line targets the still-running Proforma.exe, so the pause gives the parent time to exit before the file is removed.

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
Processes:
  PID 1632  tg.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  PID 1208  Proforma.exe  Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (20 IoCs)
Processes (source PID and image, target PID and image; repeated writes to the same child collapsed with a count):
  1208 Proforma.exe  ->  1368 cmd.exe    (3 writes)
  1208 Proforma.exe  ->  524 cmd.exe     (3 writes)
  524 cmd.exe        ->  1492 chcp.com   (3 writes)
  524 cmd.exe        ->  640 PING.EXE    (3 writes)
  1368 cmd.exe       ->  1632 tg.exe     (4 writes)
  1632 tg.exe        ->  1464 tg.exe     (4 writes)
Processes
1. C:\Users\Admin\AppData\Local\Temp\Proforma.exe  (PID 1208)
   "C:\Users\Admin\AppData\Local\Temp\Proforma.exe"
   - Modifies system certificate store
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\cmd.exe  (PID 1368)
      "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tg.exe
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\tg.exe  (PID 1632)
         C:\Users\Admin\AppData\Local\Temp\tg.exe
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious behavior: CmdExeWriteProcessMemorySpam
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\tg.exe  (PID 1464)
            C:\Users\Admin\AppData\Local\Temp\tg.exe
            - Executes dropped EXE
            - Loads dropped DLL
   2. C:\Windows\System32\cmd.exe  (PID 524)
      "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Proforma.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\chcp.com  (PID 1492)
         chcp 65001
      3. C:\Windows\system32\PING.EXE  (PID 640)
         ping 127.0.0.1

Reading the tree: the 4KB Proforma.exe triggers the "Downloads MZ/PE file" signature and tg.exe then appears in %TEMP%, so Proforma.exe retrieves tg.exe over the network, starts it through cmd.exe /C, and in a second cmd.exe waits on ping 127.0.0.1 before deleting its own file with DEL /F /S /Q /A. tg.exe is a PyInstaller one-file executable: the first instance (PID 1632) unpacks into %TEMP%\_MEI16322 and re-launches itself as PID 1464, which is why "Executes dropped EXE" and "Loads dropped DLL" each fire twice.
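The two cmd.exe branches in the tree are the behaviours worth turning into a detection: a process running from the user's Temp directory launching a second Temp executable through cmd /C, and a cmd.exe that sleeps on ping 127.0.0.1 and then DELs the image of its own parent. The Python below is an added example, not part of this report or of any sandbox's signature set. It runs both checks over a constructed list of process-creation events that mirrors this tree (PIDs as in the WriteProcessMemory table; the explorer.exe/cmd.exe pair with PIDs 1900 and 2000 is made up as a negative case, a DEL of some unrelated file). The field names pid, ppid, image and cmdline are assumed to have been mapped from whatever telemetry is in use, for instance Sysmon event 1.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # its command line


# Constructed events mirroring the report's process tree (not real telemetry).
# PIDs 1900/2000 are a made-up benign pair used as a negative case.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [
    ProcEvent(1208, 900, TEMP + r"\Proforma.exe", '"' + TEMP + r'\Proforma.exe"'),
    ProcEvent(1368, 1208, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C ' + TEMP + r"\tg.exe"),
    ProcEvent(1632, 1368, TEMP + r"\tg.exe", TEMP + r"\tg.exe"),
    ProcEvent(1464, 1632, TEMP + r"\tg.exe", TEMP + r"\tg.exe"),
    ProcEvent(524, 1208, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "'
              + TEMP + r'\Proforma.exe"'),
    ProcEvent(1492, 524, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    ProcEvent(640, 524, r"C:\Windows\system32\PING.EXE", "ping 127.0.0.1"),
    ProcEvent(1900, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2000, 1900, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /C del /q "C:\Users\Admin\Downloads\old.exe"'),
]

# Delay primitives commonly chained before a self-delete so the parent can exit first.
DELAY_RE = re.compile(
    r"\b(?:ping(?:\s+-n\s+\d+)?\s+(?:127\.0\.0\.1|localhost)|timeout\s+/t\s+\d+|choice\s+/t\s+\d+)",
    re.I,
)
# DEL/ERASE whose target is a quoted or bare drive-letter path ending in .exe.
DEL_RE = re.compile(r'\b(?:del|erase)\b[^&|]*?"?([A-Za-z]:\\[^"&|]+?\.exe)"?', re.I)
# cmd.exe /C <path.exe> where that path is the entire payload.
CMD_C_RE = re.compile(r'/[cC]\s+"?([A-Za-z]:\\[^"&|\s]+?\.exe)"?\s*$')
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def _norm(path: str) -> str:
    return path.strip('"').lower()


def _is_cmd(e: ProcEvent) -> bool:
    return _norm(e.image).endswith(r"\cmd.exe")


def detect_self_delete(events):
    """cmd.exe whose DEL target equals the image of its own parent process."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not _is_cmd(e):
            continue
        m = DEL_RE.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        if m and parent and _norm(m.group(1)) == _norm(parent.image):
            hits.append({
                "pid": e.pid,
                "parent_pid": parent.pid,
                "target": parent.image,
                "delayed": bool(DELAY_RE.search(e.cmdline)),   # ping/timeout/choice present
            })
    return hits


def detect_dropped_launch(events):
    """cmd.exe /C <exe under user Temp>, spawned by a process that itself runs from user Temp."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not _is_cmd(e):
            continue
        m = CMD_C_RE.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        if m and parent and USER_TEMP_RE.search(m.group(1)) and USER_TEMP_RE.search(parent.image):
            hits.append({"cmd_pid": e.pid, "dropper": parent.image, "dropped": m.group(1)})
    return hits


def analyze(events):
    return {
        "self_delete": detect_self_delete(events),
        "dropped_launch": detect_dropped_launch(events),
    }


if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_EVENTS).items():
        print(name, hits)
```

The parent-image comparison is what keeps the self-delete check tight: a cmd.exe deleting some other executable (PID 2000 in the sample) is not reported, only one whose DEL target is the binary that spawned it. Both checks need the parent event, so they only work over a stream where process creation is recorded for the dropper as well as for the children.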
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\_MEI16322\python39.dll
(also listed as \Users\Admin\AppData\Local\Temp\_MEI16322\python39.dll with identical hashes)
  MD5:    7fd9240404f3d2c7dc76414e128ee16c
  SHA1:   143217da693fbb23bb8dce1cc12fc68d5a35a091
  SHA256: 803cb2119787f7a4d966dfb0f992729dd2df91e272f87393c3186f190adcb068
  SHA512: c1f492cf8edcf0c6327261c320f205e098ccd8418a4a905df9fa4a1861eb08a222337adee39d9a25c1289b2fdd1b19d767e96ca5961210ade223cc360403d61e

C:\Users\Admin\AppData\Local\Temp\tg.exe
(listed three times with the drive letter and once as \Users\Admin\AppData\Local\Temp\tg.exe; all four entries carry identical hashes)
  MD5:    a3533b0da7c92a24237c55110538ab0b
  SHA1:   2f25940be4d94a4d777547dd13bbc0d27361777a
  SHA256: c565e73940b7ca256d951bf65b1f3cd8fb79f3a9c6125a64efd3d1a89a21f7c7
  SHA512: 9580b0e134ce64e907e192c988a03a0a4cb23a92de2c3a4d656485fe8b815dd7cac2ccfc1fd9b2f0864f97c58f2586719c14e3b455f4a2048b398d3d653c08ac

_MEI16322 is the PyInstaller one-file extraction directory: the prefix _MEI followed by the PID (1632) of the tg.exe instance that unpacked it plus a counter; python39.dll is the interpreter bundled inside tg.exe.

Memory dumps:
  memory/524-64-0x0000000000000000-mapping.dmp
  memory/640-66-0x0000000000000000-mapping.dmp
  memory/1208-60-0x0000000000250000-0x0000000000251000-memory.dmp  (Filesize 4KB)
  memory/1208-62-0x000000001AA40000-0x000000001AA42000-memory.dmp  (Filesize 8KB)
  memory/1368-63-0x0000000000000000-mapping.dmp
  memory/1464-71-0x0000000000000000-mapping.dmp
  memory/1492-65-0x0000000000000000-mapping.dmp
  memory/1632-68-0x0000000000000000-mapping.dmp