Analysis
- max time kernel: 152s
- max time network: 139s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 25-01-2022 14:19

Static task: static1
Behavioral task: behavioral1
Sample: Dekont.exe
Resource: win7-en-20211208
General
- Target: Dekont.exe
- Size: 302KB
- MD5: fb8596a40d08f57a5ec1e1abf81b440f
- SHA1: 5a9219dfff7ec0b32ecb8be445542e19b826774c
- SHA256: 8eaa17ae54b2e26d29ac40caf68baa9ebdf959ea40fb0a66d6317363c748679a
- SHA512: eb88ccc25ecc94b78dd6e24396ce3c8f1d4e2b609615bddc5f45b5d901b1b48568576e1e88617dd363557ad2b811912d3ac7069b2da6df0a27f38cdccd8817e9
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: k12t
C2:
alphasaludsas.com
route7adventures.com
zeenat.life
atendimento.center
alejandrojosueruizmazzeo.com
shopidentitymeisterdown.com
letseat.global
recettesbetty.com
neodrugtest.com
2eji5j.xyz
diversifyingawards.com
ptemeta.xyz
ivonelemos.com
051gg.com
michaelscomputerstore.com
warneattrinityclub.com
genesys-rdc.com
dcbest88.com
zdorovjaplus.com
laurelheap.com
sensebutindeed.xyz
ingbeginsh.xyz
3841o.com
optionshouraustinfix.com
torontomerchantdreamsjobs.com
laoshops.xyz
jbttags.com
cryptovszombie.finance
stillbuddies.com
youthfuly.com
unisap.online
mefacin.online
bb3pnja6.xyz
extraitems.space
revaprint.com
patienservices.com
yf34597j.com
one-click-zip.com
qm9914.com
butlertrucks.com
yayafeifei001.xyz
fastincome24h.site
engvibess.online
imnatefinancial.com
buycabladapter.com
metaqns.com
bnstocksmarkets.com
extremesimulator.com
recipegenerationdevildoctor.com
curtainmakingacademy.com
the-pta.online
wifimbcdmx.xyz
disruptedbyroutine.com
lineboss77.com
qdratksa.com
thegunnerd.com
emslearningnetwork.com
jyhsyc.com
datingium.com
mdfdfkl.com
lvcaodi99.com
eventsnotifications.com
members-towa.com
oguybeats.com
josephsimas.com
Signatures

- Formbook Payload (3 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/3836-119-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
  behavioral2/memory/3836-124-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
  behavioral2/memory/580-128-0x0000000003070000-0x000000000309F000-memory.dmp   formbook

- Loads dropped DLL (1 IoC)
  Processes:
  pid   process
  2692  Dekont.exe

- Suspicious use of SetThreadContext (4 IoCs)
  Processes:
  description                            pid   process     target process
  PID 2692 set thread context of 3836    2692  Dekont.exe  Dekont.exe
  PID 3836 set thread context of 3068    3836  Dekont.exe  Explorer.EXE
  PID 3836 set thread context of 3068    3836  Dekont.exe  Explorer.EXE
  PID 580 set thread context of 3068     580   mstsc.exe   Explorer.EXE

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: EnumeratesProcesses (58 IoCs)
  Processes:
  pid   process
  3836  Dekont.exe   (6 identical rows)
  580   mstsc.exe    (remaining 52 identical rows)

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
  pid   process
  3068  Explorer.EXE

- Suspicious behavior: MapViewOfSection (6 IoCs)
  Processes:
  pid   process
  3836  Dekont.exe   (4 identical rows)
  580   mstsc.exe    (2 identical rows)

- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes:
  description                       pid   process
  Token: SeDebugPrivilege           3836  Dekont.exe
  Token: SeDebugPrivilege           580   mstsc.exe
  Token: SeShutdownPrivilege        3068  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3068  Explorer.EXE
  Token: SeShutdownPrivilege        3068  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3068  Explorer.EXE

- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description                          pid   process       target process
  PID 2692 wrote to memory of 3836     2692  Dekont.exe    Dekont.exe      (6 identical rows)
  PID 3068 wrote to memory of 580      3068  Explorer.EXE  mstsc.exe       (3 identical rows)
  PID 580 wrote to memory of 1888      580   mstsc.exe     cmd.exe         (3 identical rows)
Processes

- [depth 1] C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - [depth 2] C:\Users\Admin\AppData\Local\Temp\Dekont.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Dekont.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    - [depth 3] C:\Users\Admin\AppData\Local\Temp\Dekont.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Dekont.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  - [depth 2] C:\Windows\SysWOW64\mstsc.exe
    command line: "C:\Windows\SysWOW64\mstsc.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\Dekont.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nswAF00.tmp\enfvli.dll
  MD5: 78e94d9eba25bc2dcd81e530ca5259df
  SHA1: 59919a0ea559e5d223b8d183e015ffeea1155e69
  SHA256: c09a464cbede92ab8c61c6a8a3b23dfb752e9f1e0313d0f362965f774f8ba75b
  SHA512: 44ad040d82b0fb1afcb48484167de6289b505bfaa05d4cef89b0ed2892bcb660ea4446d1b19f87ab6523e4aa767a2de43a66fe20f45cffaa071fee330d198343
- memory/580-127-0x0000000000A70000-0x0000000000D6C000-memory.dmp
  Filesize: 3.0MB
- memory/580-130-0x0000000004620000-0x00000000047BD000-memory.dmp
  Filesize: 1.6MB
- memory/580-129-0x00000000047C0000-0x0000000004AE0000-memory.dmp
  Filesize: 3.1MB
- memory/580-128-0x0000000003070000-0x000000000309F000-memory.dmp
  Filesize: 188KB
- memory/3068-131-0x0000000002E50000-0x0000000002F07000-memory.dmp
  Filesize: 732KB
- memory/3068-123-0x0000000001100000-0x00000000011BB000-memory.dmp
  Filesize: 748KB
- memory/3068-126-0x0000000006870000-0x00000000069A3000-memory.dmp
  Filesize: 1.2MB
- memory/3836-122-0x00000000004E0000-0x000000000062A000-memory.dmp
  Filesize: 1.3MB
- memory/3836-125-0x0000000002700000-0x0000000002714000-memory.dmp
  Filesize: 80KB
- memory/3836-124-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB
- memory/3836-120-0x0000000000A40000-0x0000000000D60000-memory.dmp
  Filesize: 3.1MB
- memory/3836-119-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB