7f5764844ab366849a5c4dc0c5b6af4fce6b96b1f8411a8b6e4484a418aaf1d7

General

Target

DEKONT.exe
Size

554KB
MD5

b68bd92478369e4dcd776b77326fa66b
SHA1

41b039e8d555c0b0b04d172b6509859b8e32c878
SHA256

16fda49dd0a5b3c520619c1f5e88723cd2fe0c92b9cc2946416b2e29a1ccdfff
SHA512

f216b9c25cdd054fcde7ed0038ab56a1a0952a65eee3b12cf41406a1908a7012683f8303981cad959bf904212cf8440b618fc39fd22275879eece52f45a111de

Score

1^/10

Malware Config

Signatures

Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

DEKONT.exeDEKONT.exeDEKONT.exeDEKONT.exeDEKONT.exeDEKONT.exeDEKONT.exeDEKONT.exeDEKONT.exeDEKONT.exeDEKONT.exeDEKONT.exeDEKONT.exeDEKONT.exe

pid	process
1920	DEKONT.exe
2024	DEKONT.exe
1768	DEKONT.exe
1768	DEKONT.exe
1988	DEKONT.exe
380	DEKONT.exe
1696	DEKONT.exe
1696	DEKONT.exe
1188	DEKONT.exe
936	DEKONT.exe
936	DEKONT.exe
1968	DEKONT.exe
1980	DEKONT.exe
836	DEKONT.exe
836	DEKONT.exe
1596	DEKONT.exe
288	DEKONT.exe
288	DEKONT.exe
1668	DEKONT.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

DEKONT.exeDEKONT.exeDEKONT.exeDEKONT.exeDEKONT.exe

description	pid	process	target process
PID 1920 wrote to memory of 1208	1920	DEKONT.exe	cmd.exe
PID 1920 wrote to memory of 1208	1920	DEKONT.exe	cmd.exe
PID 1920 wrote to memory of 1208	1920	DEKONT.exe	cmd.exe
PID 1920 wrote to memory of 1208	1920	DEKONT.exe	cmd.exe
PID 1920 wrote to memory of 2020	1920	DEKONT.exe	MSBuild.exe
PID 1920 wrote to memory of 2020	1920	DEKONT.exe	MSBuild.exe
PID 1920 wrote to memory of 2020	1920	DEKONT.exe	MSBuild.exe
PID 1920 wrote to memory of 2020	1920	DEKONT.exe	MSBuild.exe
PID 1920 wrote to memory of 2020	1920	DEKONT.exe	MSBuild.exe
PID 1920 wrote to memory of 2024	1920	DEKONT.exe	DEKONT.exe
PID 1920 wrote to memory of 2024	1920	DEKONT.exe	DEKONT.exe
PID 1920 wrote to memory of 2024	1920	DEKONT.exe	DEKONT.exe
PID 1920 wrote to memory of 2024	1920	DEKONT.exe	DEKONT.exe
PID 2024 wrote to memory of 1120	2024	DEKONT.exe	cmd.exe
PID 2024 wrote to memory of 1120	2024	DEKONT.exe	cmd.exe
PID 2024 wrote to memory of 1120	2024	DEKONT.exe	cmd.exe
PID 2024 wrote to memory of 1120	2024	DEKONT.exe	cmd.exe
PID 2024 wrote to memory of 2036	2024	DEKONT.exe	MSBuild.exe
PID 2024 wrote to memory of 2036	2024	DEKONT.exe	MSBuild.exe
PID 2024 wrote to memory of 2036	2024	DEKONT.exe	MSBuild.exe
PID 2024 wrote to memory of 2036	2024	DEKONT.exe	MSBuild.exe
PID 2024 wrote to memory of 2036	2024	DEKONT.exe	MSBuild.exe
PID 2024 wrote to memory of 1768	2024	DEKONT.exe	DEKONT.exe
PID 2024 wrote to memory of 1768	2024	DEKONT.exe	DEKONT.exe
PID 2024 wrote to memory of 1768	2024	DEKONT.exe	DEKONT.exe
PID 2024 wrote to memory of 1768	2024	DEKONT.exe	DEKONT.exe
PID 1768 wrote to memory of 1788	1768	DEKONT.exe	cmd.exe
PID 1768 wrote to memory of 1788	1768	DEKONT.exe	cmd.exe
PID 1768 wrote to memory of 1788	1768	DEKONT.exe	cmd.exe
PID 1768 wrote to memory of 1788	1768	DEKONT.exe	cmd.exe
PID 1768 wrote to memory of 964	1768	DEKONT.exe	MSBuild.exe
PID 1768 wrote to memory of 964	1768	DEKONT.exe	MSBuild.exe
PID 1768 wrote to memory of 964	1768	DEKONT.exe	MSBuild.exe
PID 1768 wrote to memory of 964	1768	DEKONT.exe	MSBuild.exe
PID 1768 wrote to memory of 964	1768	DEKONT.exe	MSBuild.exe
PID 1768 wrote to memory of 1988	1768	DEKONT.exe	DEKONT.exe
PID 1768 wrote to memory of 1988	1768	DEKONT.exe	DEKONT.exe
PID 1768 wrote to memory of 1988	1768	DEKONT.exe	DEKONT.exe
PID 1768 wrote to memory of 1988	1768	DEKONT.exe	DEKONT.exe
PID 1988 wrote to memory of 1616	1988	DEKONT.exe	cmd.exe
PID 1988 wrote to memory of 1616	1988	DEKONT.exe	cmd.exe
PID 1988 wrote to memory of 1616	1988	DEKONT.exe	cmd.exe
PID 1988 wrote to memory of 1616	1988	DEKONT.exe	cmd.exe
PID 1988 wrote to memory of 1824	1988	DEKONT.exe	MSBuild.exe
PID 1988 wrote to memory of 1824	1988	DEKONT.exe	MSBuild.exe
PID 1988 wrote to memory of 1824	1988	DEKONT.exe	MSBuild.exe
PID 1988 wrote to memory of 1824	1988	DEKONT.exe	MSBuild.exe
PID 1988 wrote to memory of 1824	1988	DEKONT.exe	MSBuild.exe
PID 1988 wrote to memory of 380	1988	DEKONT.exe	DEKONT.exe
PID 1988 wrote to memory of 380	1988	DEKONT.exe	DEKONT.exe
PID 1988 wrote to memory of 380	1988	DEKONT.exe	DEKONT.exe
PID 1988 wrote to memory of 380	1988	DEKONT.exe	DEKONT.exe
PID 380 wrote to memory of 1736	380	DEKONT.exe	cmd.exe
PID 380 wrote to memory of 1736	380	DEKONT.exe	cmd.exe
PID 380 wrote to memory of 1736	380	DEKONT.exe	cmd.exe
PID 380 wrote to memory of 1736	380	DEKONT.exe	cmd.exe
PID 380 wrote to memory of 1480	380	DEKONT.exe	MSBuild.exe
PID 380 wrote to memory of 1480	380	DEKONT.exe	MSBuild.exe
PID 380 wrote to memory of 1480	380	DEKONT.exe	MSBuild.exe
PID 380 wrote to memory of 1480	380	DEKONT.exe	MSBuild.exe
PID 380 wrote to memory of 1480	380	DEKONT.exe	MSBuild.exe
PID 380 wrote to memory of 1696	380	DEKONT.exe	DEKONT.exe
PID 380 wrote to memory of 1696	380	DEKONT.exe	DEKONT.exe
PID 380 wrote to memory of 1696	380	DEKONT.exe	DEKONT.exe

C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
"C:\Users\Admin\AppData\Local\Temp\DEKONT.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:2020

C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
"C:\Users\Admin\AppData\Local\Temp\DEKONT.exe"
2⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:1120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
PID:2036

C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
"C:\Users\Admin\AppData\Local\Temp\DEKONT.exe"
3⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
4⤵
PID:1788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:964

C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
"C:\Users\Admin\AppData\Local\Temp\DEKONT.exe"
4⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
5⤵
PID:1616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
5⤵
PID:1824

C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
"C:\Users\Admin\AppData\Local\Temp\DEKONT.exe"
5⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
6⤵
PID:1736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵
PID:1480

C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
"C:\Users\Admin\AppData\Local\Temp\DEKONT.exe"
6⤵
- Suspicious behavior: MapViewOfSection
PID:1696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
7⤵
PID:700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
7⤵
PID:1032

C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
"C:\Users\Admin\AppData\Local\Temp\DEKONT.exe"
7⤵
- Suspicious behavior: MapViewOfSection
PID:1188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
8⤵
PID:1044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
8⤵
PID:1392

C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
"C:\Users\Admin\AppData\Local\Temp\DEKONT.exe"
8⤵
- Suspicious behavior: MapViewOfSection
PID:936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
9⤵
PID:1340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
9⤵
PID:532

C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
"C:\Users\Admin\AppData\Local\Temp\DEKONT.exe"
9⤵
- Suspicious behavior: MapViewOfSection
PID:1968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
10⤵
PID:1932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
10⤵
PID:1732

C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
"C:\Users\Admin\AppData\Local\Temp\DEKONT.exe"
10⤵
- Suspicious behavior: MapViewOfSection
PID:1980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
11⤵
PID:1996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
11⤵
PID:1760

C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
"C:\Users\Admin\AppData\Local\Temp\DEKONT.exe"
11⤵
- Suspicious behavior: MapViewOfSection
PID:836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
12⤵
PID:1516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
12⤵
PID:1560

C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
"C:\Users\Admin\AppData\Local\Temp\DEKONT.exe"
12⤵
- Suspicious behavior: MapViewOfSection
PID:1596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
13⤵
PID:1784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
13⤵
PID:1136

C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
"C:\Users\Admin\AppData\Local\Temp\DEKONT.exe"
13⤵
- Suspicious behavior: MapViewOfSection
PID:288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
14⤵
PID:1296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
14⤵
PID:1576

C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
"C:\Users\Admin\AppData\Local\Temp\DEKONT.exe"
14⤵
- Suspicious behavior: MapViewOfSection
PID:1668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
15⤵
PID:580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
15⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
"C:\Users\Admin\AppData\Local\Temp\DEKONT.exe"
15⤵
PID:1912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
16⤵
PID:1208

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/288-101-0x0000000000000000-mapping.dmp

Download
memory/288-104-0x00000000002BD000-0x00000000002C0000-memory.dmp

Filesize
12KB

Download
memory/380-72-0x000000000028D000-0x0000000000290000-memory.dmp

Filesize
12KB

Download
memory/380-69-0x0000000000000000-mapping.dmp

Download
memory/580-107-0x0000000000000000-mapping.dmp

Download
memory/700-75-0x0000000000000000-mapping.dmp

Download
memory/836-96-0x00000000002AD000-0x00000000002B0000-memory.dmp

Filesize
12KB

Download
memory/836-93-0x0000000000000000-mapping.dmp

Download
memory/936-84-0x00000000002FD000-0x0000000000300000-memory.dmp

Filesize
12KB

Download
memory/936-81-0x0000000000000000-mapping.dmp

Download
memory/1044-79-0x0000000000000000-mapping.dmp

Download
memory/1120-59-0x0000000000000000-mapping.dmp

Download
memory/1188-80-0x000000000032D000-0x0000000000330000-memory.dmp

Filesize
12KB

Download
memory/1188-77-0x0000000000000000-mapping.dmp

Download
memory/1208-111-0x0000000000000000-mapping.dmp

Download
memory/1208-55-0x0000000000000000-mapping.dmp

Download
memory/1296-103-0x0000000000000000-mapping.dmp

Download
memory/1340-83-0x0000000000000000-mapping.dmp

Download
memory/1516-95-0x0000000000000000-mapping.dmp

Download
memory/1596-97-0x0000000000000000-mapping.dmp

Download
memory/1596-100-0x00000000003AD000-0x00000000003B0000-memory.dmp

Filesize
12KB

Download
memory/1616-67-0x0000000000000000-mapping.dmp

Download
memory/1668-108-0x000000000032D000-0x0000000000330000-memory.dmp

Filesize
12KB

Download
memory/1668-105-0x0000000000000000-mapping.dmp

Download
memory/1696-73-0x0000000000000000-mapping.dmp

Download
memory/1696-76-0x000000000027D000-0x0000000000280000-memory.dmp

Filesize
12KB

Download
memory/1736-71-0x0000000000000000-mapping.dmp

Download
memory/1768-64-0x000000000025D000-0x0000000000260000-memory.dmp

Filesize
12KB

Download
memory/1768-61-0x0000000000000000-mapping.dmp

Download
memory/1784-99-0x0000000000000000-mapping.dmp

Download
memory/1788-63-0x0000000000000000-mapping.dmp

Download
memory/1912-109-0x0000000000000000-mapping.dmp

Download
memory/1912-112-0x000000000036D000-0x0000000000370000-memory.dmp

Filesize
12KB

Download
memory/1920-56-0x000000000042D000-0x0000000000430000-memory.dmp

Filesize
12KB

Download
memory/1920-54-0x0000000075F61000-0x0000000075F63000-memory.dmp

Filesize
8KB

Download
memory/1932-87-0x0000000000000000-mapping.dmp

Download
memory/1968-88-0x000000000029D000-0x00000000002A0000-memory.dmp

Filesize
12KB

Download
memory/1968-85-0x0000000000000000-mapping.dmp

Download
memory/1980-92-0x00000000003BD000-0x00000000003C0000-memory.dmp

Filesize
12KB

Download
memory/1980-89-0x0000000000000000-mapping.dmp

Download
memory/1988-65-0x0000000000000000-mapping.dmp

Download
memory/1988-68-0x000000000037D000-0x0000000000380000-memory.dmp

Filesize
12KB

Download
memory/1996-91-0x0000000000000000-mapping.dmp

Download
memory/2024-60-0x00000000002ED000-0x00000000002F0000-memory.dmp

Filesize
12KB

Download
memory/2024-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing