50a9cc4decaf32975996710740956b5a9c4985c50ded5a2bb8611945263af65a

General

Target

dekont.exe
Size

269KB
MD5

1218da9d299571a80c774838d2a55516
SHA1

1bce59e7afb303e0c170cb8f6fdb5a1806e41eda
SHA256

50a9cc4decaf32975996710740956b5a9c4985c50ded5a2bb8611945263af65a
SHA512

96fef1449441f526e05a1c514d4cb464bbaa2156e8c2e1c84563ac8eb22ee132c2e3593bd09e0516ba171879b4c52d71ddf064abb9dc2a7c1e23f54ecb930895

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

nuavxkimr.exe

pid process

1068 nuavxkimr.exe
Loads dropped DLL 2 IoCs

Processes:

dekont.exenuavxkimr.exe

pid process

940 dekont.exe
1068 nuavxkimr.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1068	nuavxkimr.exe

pid	process
940	dekont.exe
1068	nuavxkimr.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

dekont.exenuavxkimr.exe

description	pid	process	target process
PID 940 wrote to memory of 1068	940	dekont.exe	nuavxkimr.exe
PID 940 wrote to memory of 1068	940	dekont.exe	nuavxkimr.exe
PID 940 wrote to memory of 1068	940	dekont.exe	nuavxkimr.exe
PID 940 wrote to memory of 1068	940	dekont.exe	nuavxkimr.exe
PID 1068 wrote to memory of 1884	1068	nuavxkimr.exe	nuavxkimr.exe
PID 1068 wrote to memory of 1884	1068	nuavxkimr.exe	nuavxkimr.exe
PID 1068 wrote to memory of 1884	1068	nuavxkimr.exe	nuavxkimr.exe
PID 1068 wrote to memory of 1884	1068	nuavxkimr.exe	nuavxkimr.exe

C:\Users\Admin\AppData\Local\Temp\dekont.exe
"C:\Users\Admin\AppData\Local\Temp\dekont.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:940

C:\Users\Admin\AppData\Local\Temp\nuavxkimr.exe
C:\Users\Admin\AppData\Local\Temp\nuavxkimr.exe C:\Users\Admin\AppData\Local\Temp\vdmtqslp
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1068

C:\Users\Admin\AppData\Local\Temp\nuavxkimr.exe
C:\Users\Admin\AppData\Local\Temp\nuavxkimr.exe C:\Users\Admin\AppData\Local\Temp\vdmtqslp
3⤵
PID:1884

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b0uszk89s3fikiiz8qd9
Filesize
212KB

MD5
3c3affba98d209d52ef52d57e3fb1867

SHA1
6bdc62a7764b6ac644ccc2b2a95eb6a02928840c

SHA256
3769aac7a7f7c2763c0b0038bf1dc0f753c2fa79539ef9f709ca103a012e3677

SHA512
e36aec4d0b8b394c72a14778776b38816ee1e153123eaa2a22707e45955eeacb6a43a47cbf7873967ab8bc52919820269c6f07d32adb03ae0f899c9866edfb45

Download Submit
C:\Users\Admin\AppData\Local\Temp\nuavxkimr.exe
Filesize
69KB

MD5
ef5a62fa6896f9f8fad9ed88dcba1571

SHA1
e0cc7fd742a95d1080abe1939fc619f0c456e858

SHA256
add218fc58b4c754930bd49bc28ede74ff3e279bcddc67ed035c03734aeac241

SHA512
825d91965528c89c4127b7550886b67d11bb76cfd6501fd38e9776b98dfee255e2f387109d76a732ce2f77588ba04b8c4002fa601de7ef5e93f2b92b8875276b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nuavxkimr.exe
Filesize
69KB

MD5
ef5a62fa6896f9f8fad9ed88dcba1571

SHA1
e0cc7fd742a95d1080abe1939fc619f0c456e858

SHA256
add218fc58b4c754930bd49bc28ede74ff3e279bcddc67ed035c03734aeac241

SHA512
825d91965528c89c4127b7550886b67d11bb76cfd6501fd38e9776b98dfee255e2f387109d76a732ce2f77588ba04b8c4002fa601de7ef5e93f2b92b8875276b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vdmtqslp
Filesize
4KB

MD5
f9cf556dc24692d529f57bc7e3845bfe

SHA1
3beb526650e5f39b2296b85a8f1b7adbf99c2673

SHA256
6055e8633adf7c0acacc045ffe055fca53e5362fbbbe1455cfdd20bd17b0df36

SHA512
359312bc7dd7fa9821528041a548b89ab5f1f0a9f084bf945bcc88849b1c6b12a7d78c1f064f67defca24dfa1ee65e6c215592e3304b6397139063edce27fc42

Download Submit
\Users\Admin\AppData\Local\Temp\nuavxkimr.exe
Filesize
69KB

MD5
ef5a62fa6896f9f8fad9ed88dcba1571

SHA1
e0cc7fd742a95d1080abe1939fc619f0c456e858

SHA256
add218fc58b4c754930bd49bc28ede74ff3e279bcddc67ed035c03734aeac241

SHA512
825d91965528c89c4127b7550886b67d11bb76cfd6501fd38e9776b98dfee255e2f387109d76a732ce2f77588ba04b8c4002fa601de7ef5e93f2b92b8875276b

Download Submit
\Users\Admin\AppData\Local\Temp\nuavxkimr.exe
Filesize
69KB

MD5
ef5a62fa6896f9f8fad9ed88dcba1571

SHA1
e0cc7fd742a95d1080abe1939fc619f0c456e858

SHA256
add218fc58b4c754930bd49bc28ede74ff3e279bcddc67ed035c03734aeac241

SHA512
825d91965528c89c4127b7550886b67d11bb76cfd6501fd38e9776b98dfee255e2f387109d76a732ce2f77588ba04b8c4002fa601de7ef5e93f2b92b8875276b

Download Submit
memory/940-54-0x0000000076861000-0x0000000076863000-memory.dmp

Filesize
8KB

Download
memory/1068-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing