c66e973686ee6d1761be2781a9f27f0f8d81fad4db088d836bebf6055cba193f

General

Target

Proforma.exe
Size

4KB
MD5

c57cea8db447cb9bec608f939026bd86
SHA1

e48f6b38215a9b26a31901c67d93da244ad1a546
SHA256

c66e973686ee6d1761be2781a9f27f0f8d81fad4db088d836bebf6055cba193f
SHA512

bae53eba4576b0d0ad261e1c79916a06c8a70e7545609c65ece25d6c6bb7c8eccbbedc1aa7a368e4ff310e2315c8d2b67d053c09c97eb07ae7a27653b939f4c0

Score

8^/10

pyinstaller

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

tg.exetg.exe

pid process

1632 tg.exe
1464 tg.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

524 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

tg.exetg.exe

pid process

1632 tg.exe
1464 tg.exe

pid	process
1632	tg.exe
1464	tg.exe

pid	process
524	cmd.exe

pid	process
1632	tg.exe
1464	tg.exe

Detects Pyinstaller 4 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\tg.exe	pyinstaller
C:\Users\Admin\AppData\Local\Temp\tg.exe	pyinstaller
\Users\Admin\AppData\Local\Temp\tg.exe	pyinstaller
C:\Users\Admin\AppData\Local\Temp\tg.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Proforma.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Proforma.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Proforma.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

640 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

tg.exe

pid process

1632 tg.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Proforma.exe

description pid process

Token: SeDebugPrivilege 1208 Proforma.exe

pid	process
640	PING.EXE

pid	process
1632	tg.exe

description	pid	process
Token: SeDebugPrivilege	1208	Proforma.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

Proforma.execmd.execmd.exetg.exe

description	pid	process	target process
PID 1208 wrote to memory of 1368	1208	Proforma.exe	cmd.exe
PID 1208 wrote to memory of 1368	1208	Proforma.exe	cmd.exe
PID 1208 wrote to memory of 1368	1208	Proforma.exe	cmd.exe
PID 1208 wrote to memory of 524	1208	Proforma.exe	cmd.exe
PID 1208 wrote to memory of 524	1208	Proforma.exe	cmd.exe
PID 1208 wrote to memory of 524	1208	Proforma.exe	cmd.exe
PID 524 wrote to memory of 1492	524	cmd.exe	chcp.com
PID 524 wrote to memory of 1492	524	cmd.exe	chcp.com
PID 524 wrote to memory of 1492	524	cmd.exe	chcp.com
PID 524 wrote to memory of 640	524	cmd.exe	PING.EXE
PID 524 wrote to memory of 640	524	cmd.exe	PING.EXE
PID 524 wrote to memory of 640	524	cmd.exe	PING.EXE
PID 1368 wrote to memory of 1632	1368	cmd.exe	tg.exe
PID 1368 wrote to memory of 1632	1368	cmd.exe	tg.exe
PID 1368 wrote to memory of 1632	1368	cmd.exe	tg.exe
PID 1368 wrote to memory of 1632	1368	cmd.exe	tg.exe
PID 1632 wrote to memory of 1464	1632	tg.exe	tg.exe
PID 1632 wrote to memory of 1464	1632	tg.exe	tg.exe
PID 1632 wrote to memory of 1464	1632	tg.exe	tg.exe
PID 1632 wrote to memory of 1464	1632	tg.exe	tg.exe

C:\Users\Admin\AppData\Local\Temp\Proforma.exe
"C:\Users\Admin\AppData\Local\Temp\Proforma.exe"
1⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tg.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1368

C:\Users\Admin\AppData\Local\Temp\tg.exe
C:\Users\Admin\AppData\Local\Temp\tg.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
PID:1632

C:\Users\Admin\AppData\Local\Temp\tg.exe
C:\Users\Admin\AppData\Local\Temp\tg.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1464

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Proforma.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:524

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:1492

C:\Windows\system32\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:640

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI16322\python39.dll
MD5
7fd9240404f3d2c7dc76414e128ee16c

SHA1
143217da693fbb23bb8dce1cc12fc68d5a35a091

SHA256
803cb2119787f7a4d966dfb0f992729dd2df91e272f87393c3186f190adcb068

SHA512
c1f492cf8edcf0c6327261c320f205e098ccd8418a4a905df9fa4a1861eb08a222337adee39d9a25c1289b2fdd1b19d767e96ca5961210ade223cc360403d61e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tg.exe
MD5
a3533b0da7c92a24237c55110538ab0b

SHA1
2f25940be4d94a4d777547dd13bbc0d27361777a

SHA256
c565e73940b7ca256d951bf65b1f3cd8fb79f3a9c6125a64efd3d1a89a21f7c7

SHA512
9580b0e134ce64e907e192c988a03a0a4cb23a92de2c3a4d656485fe8b815dd7cac2ccfc1fd9b2f0864f97c58f2586719c14e3b455f4a2048b398d3d653c08ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tg.exe
MD5
a3533b0da7c92a24237c55110538ab0b

SHA1
2f25940be4d94a4d777547dd13bbc0d27361777a

SHA256
c565e73940b7ca256d951bf65b1f3cd8fb79f3a9c6125a64efd3d1a89a21f7c7

SHA512
9580b0e134ce64e907e192c988a03a0a4cb23a92de2c3a4d656485fe8b815dd7cac2ccfc1fd9b2f0864f97c58f2586719c14e3b455f4a2048b398d3d653c08ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tg.exe
MD5
a3533b0da7c92a24237c55110538ab0b

SHA1
2f25940be4d94a4d777547dd13bbc0d27361777a

SHA256
c565e73940b7ca256d951bf65b1f3cd8fb79f3a9c6125a64efd3d1a89a21f7c7

SHA512
9580b0e134ce64e907e192c988a03a0a4cb23a92de2c3a4d656485fe8b815dd7cac2ccfc1fd9b2f0864f97c58f2586719c14e3b455f4a2048b398d3d653c08ac

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI16322\python39.dll
MD5
7fd9240404f3d2c7dc76414e128ee16c

SHA1
143217da693fbb23bb8dce1cc12fc68d5a35a091

SHA256
803cb2119787f7a4d966dfb0f992729dd2df91e272f87393c3186f190adcb068

SHA512
c1f492cf8edcf0c6327261c320f205e098ccd8418a4a905df9fa4a1861eb08a222337adee39d9a25c1289b2fdd1b19d767e96ca5961210ade223cc360403d61e

Download Submit
\Users\Admin\AppData\Local\Temp\tg.exe
MD5
a3533b0da7c92a24237c55110538ab0b

SHA1
2f25940be4d94a4d777547dd13bbc0d27361777a

SHA256
c565e73940b7ca256d951bf65b1f3cd8fb79f3a9c6125a64efd3d1a89a21f7c7

SHA512
9580b0e134ce64e907e192c988a03a0a4cb23a92de2c3a4d656485fe8b815dd7cac2ccfc1fd9b2f0864f97c58f2586719c14e3b455f4a2048b398d3d653c08ac

Download Submit
memory/524-64-0x0000000000000000-mapping.dmp

Download
memory/640-66-0x0000000000000000-mapping.dmp

Download
memory/1208-60-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1208-62-0x000000001AA40000-0x000000001AA42000-memory.dmp

Filesize
8KB

Download
memory/1368-63-0x0000000000000000-mapping.dmp

Download
memory/1464-71-0x0000000000000000-mapping.dmp

Download
memory/1492-65-0x0000000000000000-mapping.dmp

Download
memory/1632-68-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads