Analysis
- max time kernel: 48s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 18-10-2022 15:52
Static task: static1
Behavioral task: behavioral1
  Sample: PROFORMA.EXE.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: PROFORMA.EXE.exe
  Resource: win10v2004-20220812-en
General
- Target: PROFORMA.EXE.exe
- Size: 1.3MB
- MD5: fc5ab0fbd99f07685a8dc7701627f214
- SHA1: e80e5a3d1450748736f035a7ee7856a4aacfeed9
- SHA256: 797ed9f4cabf70bcf98dbc50235bfacd785ca91a747febc965c92465a3d53283
- SHA512: 9f02188f31952a888f52c498d5ef23b1f35098e37d56cf65c26be5f91d2acf48315c8f5fa378bb5e7045e6a68e63812762beeca5736aba2099fb2a9983704e90
- SSDEEP: 24576:2xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxNussjTkuAHGe:VAm0THYewFdj
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  948   schtasks.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid   Process
  1972  PROFORMA.EXE.exe (11 entries)
  1776  powershell.exe (1 entry)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   1972  PROFORMA.EXE.exe
  Token: SeDebugPrivilege   1776  powershell.exe
- Suspicious use of WriteProcessMemory (28 IoCs; each row below was recorded 4 times)
  description                        pid   Process           procid_target
  PID 1972 wrote to memory of 1776   1972  PROFORMA.EXE.exe  28
  PID 1972 wrote to memory of 948    1972  PROFORMA.EXE.exe  30
  PID 1972 wrote to memory of 288    1972  PROFORMA.EXE.exe  32
  PID 1972 wrote to memory of 472    1972  PROFORMA.EXE.exe  33
  PID 1972 wrote to memory of 656    1972  PROFORMA.EXE.exe  34
  PID 1972 wrote to memory of 320    1972  PROFORMA.EXE.exe  35
  PID 1972 wrote to memory of 336    1972  PROFORMA.EXE.exe  36
Processes
- C:\Users\Admin\AppData\Local\Temp\PROFORMA.EXE.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PROFORMA.EXE.exe"
  PID: 1972
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\WXtEQNGzoNewfR.exe"
    PID: 1776
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WXtEQNGzoNewfR" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9B76.tmp"
    PID: 948
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\PROFORMA.EXE.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PROFORMA.EXE.exe"
    PID: 288
  - C:\Users\Admin\AppData\Local\Temp\PROFORMA.EXE.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PROFORMA.EXE.exe"
    PID: 472
  - C:\Users\Admin\AppData\Local\Temp\PROFORMA.EXE.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PROFORMA.EXE.exe"
    PID: 656
  - C:\Users\Admin\AppData\Local\Temp\PROFORMA.EXE.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PROFORMA.EXE.exe"
    PID: 320
  - C:\Users\Admin\AppData\Local\Temp\PROFORMA.EXE.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PROFORMA.EXE.exe"
    PID: 336
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1KB
  MD5: 9ed217a99d54a178fa842c3f270e5dc9
  SHA1: 5ba09fea3f829faa3ddd15bc533955b177976bae
  SHA256: 32fc52b6de11f82d9cfb9c130997547b27adf111d5e1ccafe818a9e1d6761391
  SHA512: 8100caf5a736d6e377ebefa7d75521bece7775b09bf056ff1c80dfebf2d23a93f74f74544a13e5f367c2551eb0c8d6bd6046e5613376ece87f60a8f91e865b33