ee2ad2e20582f55bf1f770795c07595b22505be9e9c7f6b491889b976e051532

General

Target

DEKONT.exe
Size

611KB
MD5

da248e530b6e65e7457a6d472e0aeb47
SHA1

84ab397a9d4008c916666d9119e9fdc4b70d5642
SHA256

d57b7809ae71b779b00aa2e7e3b55c3ff6c210453e19a872489e330285031ed3
SHA512

dfae1e4876df412dbe8137c725a99023485e9e9a8cfbbeeb2026015903ed1522b2d3b1f613c3f4107880c484ee2314907341edb77f1091c670dde4b1dbf47589

Score

1^/10

Malware Config

Signatures

Suspicious behavior: MapViewOfSection 10 IoCs

Processes:

DEKONT.exeDEKONT.exeDEKONT.exeDEKONT.exeDEKONT.exeDEKONT.exeDEKONT.exeDEKONT.exeDEKONT.exe

pid process

1892 DEKONT.exe
1328 DEKONT.exe
1212 DEKONT.exe
892 DEKONT.exe
1468 DEKONT.exe
1468 DEKONT.exe
1756 DEKONT.exe
2044 DEKONT.exe
660 DEKONT.exe
2016 DEKONT.exe

pid	process
1892	DEKONT.exe
1328	DEKONT.exe
1212	DEKONT.exe
892	DEKONT.exe
1468	DEKONT.exe
1468	DEKONT.exe
1756	DEKONT.exe
2044	DEKONT.exe
660	DEKONT.exe
2016	DEKONT.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

DEKONT.exeDEKONT.exeDEKONT.exeDEKONT.exeDEKONT.exe

description	pid	process	target process
PID 1892 wrote to memory of 604	1892	DEKONT.exe	cmd.exe
PID 1892 wrote to memory of 604	1892	DEKONT.exe	cmd.exe
PID 1892 wrote to memory of 604	1892	DEKONT.exe	cmd.exe
PID 1892 wrote to memory of 604	1892	DEKONT.exe	cmd.exe
PID 1892 wrote to memory of 1932	1892	DEKONT.exe	MSBuild.exe
PID 1892 wrote to memory of 1932	1892	DEKONT.exe	MSBuild.exe
PID 1892 wrote to memory of 1932	1892	DEKONT.exe	MSBuild.exe
PID 1892 wrote to memory of 1932	1892	DEKONT.exe	MSBuild.exe
PID 1892 wrote to memory of 1932	1892	DEKONT.exe	MSBuild.exe
PID 1892 wrote to memory of 1328	1892	DEKONT.exe	DEKONT.exe
PID 1892 wrote to memory of 1328	1892	DEKONT.exe	DEKONT.exe
PID 1892 wrote to memory of 1328	1892	DEKONT.exe	DEKONT.exe
PID 1892 wrote to memory of 1328	1892	DEKONT.exe	DEKONT.exe
PID 1328 wrote to memory of 1172	1328	DEKONT.exe	cmd.exe
PID 1328 wrote to memory of 1172	1328	DEKONT.exe	cmd.exe
PID 1328 wrote to memory of 1172	1328	DEKONT.exe	cmd.exe
PID 1328 wrote to memory of 1172	1328	DEKONT.exe	cmd.exe
PID 1328 wrote to memory of 1348	1328	DEKONT.exe	MSBuild.exe
PID 1328 wrote to memory of 1348	1328	DEKONT.exe	MSBuild.exe
PID 1328 wrote to memory of 1348	1328	DEKONT.exe	MSBuild.exe
PID 1328 wrote to memory of 1348	1328	DEKONT.exe	MSBuild.exe
PID 1328 wrote to memory of 1348	1328	DEKONT.exe	MSBuild.exe
PID 1328 wrote to memory of 1212	1328	DEKONT.exe	DEKONT.exe
PID 1328 wrote to memory of 1212	1328	DEKONT.exe	DEKONT.exe
PID 1328 wrote to memory of 1212	1328	DEKONT.exe	DEKONT.exe
PID 1328 wrote to memory of 1212	1328	DEKONT.exe	DEKONT.exe
PID 1212 wrote to memory of 1164	1212	DEKONT.exe	cmd.exe
PID 1212 wrote to memory of 1164	1212	DEKONT.exe	cmd.exe
PID 1212 wrote to memory of 1164	1212	DEKONT.exe	cmd.exe
PID 1212 wrote to memory of 1164	1212	DEKONT.exe	cmd.exe
PID 1212 wrote to memory of 936	1212	DEKONT.exe	MSBuild.exe
PID 1212 wrote to memory of 936	1212	DEKONT.exe	MSBuild.exe
PID 1212 wrote to memory of 936	1212	DEKONT.exe	MSBuild.exe
PID 1212 wrote to memory of 936	1212	DEKONT.exe	MSBuild.exe
PID 1212 wrote to memory of 936	1212	DEKONT.exe	MSBuild.exe
PID 1212 wrote to memory of 892	1212	DEKONT.exe	DEKONT.exe
PID 1212 wrote to memory of 892	1212	DEKONT.exe	DEKONT.exe
PID 1212 wrote to memory of 892	1212	DEKONT.exe	DEKONT.exe
PID 1212 wrote to memory of 892	1212	DEKONT.exe	DEKONT.exe
PID 892 wrote to memory of 1020	892	DEKONT.exe	cmd.exe
PID 892 wrote to memory of 1020	892	DEKONT.exe	cmd.exe
PID 892 wrote to memory of 1020	892	DEKONT.exe	cmd.exe
PID 892 wrote to memory of 1020	892	DEKONT.exe	cmd.exe
PID 892 wrote to memory of 1948	892	DEKONT.exe	MSBuild.exe
PID 892 wrote to memory of 1948	892	DEKONT.exe	MSBuild.exe
PID 892 wrote to memory of 1948	892	DEKONT.exe	MSBuild.exe
PID 892 wrote to memory of 1948	892	DEKONT.exe	MSBuild.exe
PID 892 wrote to memory of 1948	892	DEKONT.exe	MSBuild.exe
PID 892 wrote to memory of 1468	892	DEKONT.exe	DEKONT.exe
PID 892 wrote to memory of 1468	892	DEKONT.exe	DEKONT.exe
PID 892 wrote to memory of 1468	892	DEKONT.exe	DEKONT.exe
PID 892 wrote to memory of 1468	892	DEKONT.exe	DEKONT.exe
PID 1468 wrote to memory of 1864	1468	DEKONT.exe	cmd.exe
PID 1468 wrote to memory of 1864	1468	DEKONT.exe	cmd.exe
PID 1468 wrote to memory of 1864	1468	DEKONT.exe	cmd.exe
PID 1468 wrote to memory of 1864	1468	DEKONT.exe	cmd.exe
PID 1468 wrote to memory of 1268	1468	DEKONT.exe	MSBuild.exe
PID 1468 wrote to memory of 1268	1468	DEKONT.exe	MSBuild.exe
PID 1468 wrote to memory of 1268	1468	DEKONT.exe	MSBuild.exe
PID 1468 wrote to memory of 1268	1468	DEKONT.exe	MSBuild.exe
PID 1468 wrote to memory of 1268	1468	DEKONT.exe	MSBuild.exe
PID 1468 wrote to memory of 1756	1468	DEKONT.exe	DEKONT.exe
PID 1468 wrote to memory of 1756	1468	DEKONT.exe	DEKONT.exe
PID 1468 wrote to memory of 1756	1468	DEKONT.exe	DEKONT.exe

C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
"C:\Users\Admin\AppData\Local\Temp\DEKONT.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:1932

C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
"C:\Users\Admin\AppData\Local\Temp\DEKONT.exe"
2⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:1172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
PID:1348

C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
"C:\Users\Admin\AppData\Local\Temp\DEKONT.exe"
3⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
4⤵
PID:1164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:936

C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
"C:\Users\Admin\AppData\Local\Temp\DEKONT.exe"
4⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
5⤵
PID:1020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
5⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
"C:\Users\Admin\AppData\Local\Temp\DEKONT.exe"
5⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
6⤵
PID:1864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵
PID:1268

C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
"C:\Users\Admin\AppData\Local\Temp\DEKONT.exe"
6⤵
- Suspicious behavior: MapViewOfSection
PID:1756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
7⤵
PID:816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
7⤵
PID:1488

C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
"C:\Users\Admin\AppData\Local\Temp\DEKONT.exe"
7⤵
- Suspicious behavior: MapViewOfSection
PID:2044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
8⤵
PID:1552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
8⤵
PID:1272

C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
"C:\Users\Admin\AppData\Local\Temp\DEKONT.exe"
8⤵
- Suspicious behavior: MapViewOfSection
PID:660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
9⤵
PID:968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
9⤵
PID:520

C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
"C:\Users\Admin\AppData\Local\Temp\DEKONT.exe"
9⤵
- Suspicious behavior: MapViewOfSection
PID:2016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
10⤵
PID:2032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
10⤵
PID:2004

C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
"C:\Users\Admin\AppData\Local\Temp\DEKONT.exe"
10⤵
PID:1464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
11⤵
PID:1340

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/604-55-0x0000000000000000-mapping.dmp

Download
memory/660-84-0x000000000017D000-0x0000000000180000-memory.dmp

Filesize
12KB

Download
memory/660-81-0x0000000000000000-mapping.dmp

Download
memory/816-75-0x0000000000000000-mapping.dmp

Download
memory/892-65-0x0000000000000000-mapping.dmp

Download
memory/892-68-0x000000000033D000-0x0000000000340000-memory.dmp

Filesize
12KB

Download
memory/968-83-0x0000000000000000-mapping.dmp

Download
memory/1020-67-0x0000000000000000-mapping.dmp

Download
memory/1164-63-0x0000000000000000-mapping.dmp

Download
memory/1172-59-0x0000000000000000-mapping.dmp

Download
memory/1212-64-0x000000000054D000-0x0000000000550000-memory.dmp

Filesize
12KB

Download
memory/1212-61-0x0000000000000000-mapping.dmp

Download
memory/1328-60-0x000000000037D000-0x0000000000380000-memory.dmp

Filesize
12KB

Download
memory/1328-57-0x0000000000000000-mapping.dmp

Download
memory/1340-91-0x0000000000000000-mapping.dmp

Download
memory/1464-92-0x000000000031D000-0x0000000000320000-memory.dmp

Filesize
12KB

Download
memory/1464-89-0x0000000000000000-mapping.dmp

Download
memory/1468-69-0x0000000000000000-mapping.dmp

Download
memory/1468-72-0x00000000003DD000-0x00000000003E0000-memory.dmp

Filesize
12KB

Download
memory/1552-79-0x0000000000000000-mapping.dmp

Download
memory/1756-76-0x00000000001CD000-0x00000000001D0000-memory.dmp

Filesize
12KB

Download
memory/1756-73-0x0000000000000000-mapping.dmp

Download
memory/1864-71-0x0000000000000000-mapping.dmp

Download
memory/1892-56-0x00000000002ED000-0x00000000002F0000-memory.dmp

Filesize
12KB

Download
memory/1892-54-0x00000000756A1000-0x00000000756A3000-memory.dmp

Filesize
8KB

Download
memory/2016-85-0x0000000000000000-mapping.dmp

Download
memory/2016-88-0x000000000032D000-0x0000000000330000-memory.dmp

Filesize
12KB

Download
memory/2032-87-0x0000000000000000-mapping.dmp

Download
memory/2044-80-0x000000000055D000-0x0000000000560000-memory.dmp

Filesize
12KB

Download
memory/2044-77-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads