Malware Analysis Report

2024-10-18 23:03

Sample ID 220502-m94z6aeeal
Target 7f5764844ab366849a5c4dc0c5b6af4fce6b96b1f8411a8b6e4484a418aaf1d7
SHA256 7f5764844ab366849a5c4dc0c5b6af4fce6b96b1f8411a8b6e4484a418aaf1d7
Tags
matiex collection keylogger stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7f5764844ab366849a5c4dc0c5b6af4fce6b96b1f8411a8b6e4484a418aaf1d7

Threat Level: Known bad

The file 7f5764844ab366849a5c4dc0c5b6af4fce6b96b1f8411a8b6e4484a418aaf1d7 was found to be: Known bad.

Malicious Activity Summary

matiex collection keylogger stealer

Matiex Main Payload

Matiex

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Program crash

outlook_office_path

outlook_win_path

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-02 11:10

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-02 11:10

Reported

2022-05-02 11:13

Platform

win7-20220414-en

Max time kernel

146s

Max time network

45s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DEKONT.exe"

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1920 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\SysWOW64\cmd.exe
PID 1920 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\SysWOW64\cmd.exe
PID 1920 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\SysWOW64\cmd.exe
PID 1920 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\SysWOW64\cmd.exe
PID 1920 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1920 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1920 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1920 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1920 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1920 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
PID 1920 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
PID 1920 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
PID 1920 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
PID 2024 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2024 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2024 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2024 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2024 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2024 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
PID 2024 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
PID 2024 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
PID 2024 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
PID 1768 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\SysWOW64\cmd.exe
PID 1768 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\SysWOW64\cmd.exe
PID 1768 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\SysWOW64\cmd.exe
PID 1768 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\SysWOW64\cmd.exe
PID 1768 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1768 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1768 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1768 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1768 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1768 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
PID 1768 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
PID 1768 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
PID 1768 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
PID 1988 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1988 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1988 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1988 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1988 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1988 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
PID 1988 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
PID 1988 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
PID 1988 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
PID 380 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\SysWOW64\cmd.exe
PID 380 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\SysWOW64\cmd.exe
PID 380 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\SysWOW64\cmd.exe
PID 380 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\SysWOW64\cmd.exe
PID 380 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 380 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 380 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 380 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 380 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 380 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
PID 380 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
PID 380 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Users\Admin\AppData\Local\Temp\DEKONT.exe

Processes

The sandbox listed 44 processes for this run: 14 complete repeats of one unit plus a final DEKONT.exe and cmd.exe pair (15 x DEKONT.exe, 15 x cmd.exe, 14 x MSBuild.exe). The unit is a DEKONT.exe instance, then cmd.exe (/c cls), then MSBuild.exe launched with no arguments, then a fresh DEKONT.exe that repeats the sequence. The WriteProcessMemory table above shows the first five generations of that chain (1920 -> 2024 -> 1768 -> 1988 -> 380 -> 1696), each DEKONT.exe writing into the cmd.exe, MSBuild.exe and DEKONT.exe instances that follow it. The unit as listed:

C:\Users\Admin\AppData\Local\Temp\DEKONT.exe

"C:\Users\Admin\AppData\Local\Temp\DEKONT.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Network

N/A

Files

memory/1920-54-0x0000000075F61000-0x0000000075F63000-memory.dmp

memory/1208-55-0x0000000000000000-mapping.dmp

memory/1920-56-0x000000000042D000-0x0000000000430000-memory.dmp

memory/2024-57-0x0000000000000000-mapping.dmp

memory/1120-59-0x0000000000000000-mapping.dmp

memory/2024-60-0x00000000002ED000-0x00000000002F0000-memory.dmp

memory/1768-61-0x0000000000000000-mapping.dmp

memory/1788-63-0x0000000000000000-mapping.dmp

memory/1768-64-0x000000000025D000-0x0000000000260000-memory.dmp

memory/1988-65-0x0000000000000000-mapping.dmp

memory/1616-67-0x0000000000000000-mapping.dmp

memory/1988-68-0x000000000037D000-0x0000000000380000-memory.dmp

memory/380-69-0x0000000000000000-mapping.dmp

memory/1736-71-0x0000000000000000-mapping.dmp

memory/380-72-0x000000000028D000-0x0000000000290000-memory.dmp

memory/1696-73-0x0000000000000000-mapping.dmp

memory/700-75-0x0000000000000000-mapping.dmp

memory/1696-76-0x000000000027D000-0x0000000000280000-memory.dmp

memory/1188-77-0x0000000000000000-mapping.dmp

memory/1044-79-0x0000000000000000-mapping.dmp

memory/1188-80-0x000000000032D000-0x0000000000330000-memory.dmp

memory/936-81-0x0000000000000000-mapping.dmp

memory/1340-83-0x0000000000000000-mapping.dmp

memory/936-84-0x00000000002FD000-0x0000000000300000-memory.dmp

memory/1968-85-0x0000000000000000-mapping.dmp

memory/1932-87-0x0000000000000000-mapping.dmp

memory/1968-88-0x000000000029D000-0x00000000002A0000-memory.dmp

memory/1980-89-0x0000000000000000-mapping.dmp

memory/1996-91-0x0000000000000000-mapping.dmp

memory/1980-92-0x00000000003BD000-0x00000000003C0000-memory.dmp

memory/836-93-0x0000000000000000-mapping.dmp

memory/1516-95-0x0000000000000000-mapping.dmp

memory/836-96-0x00000000002AD000-0x00000000002B0000-memory.dmp

memory/1596-97-0x0000000000000000-mapping.dmp

memory/1784-99-0x0000000000000000-mapping.dmp

memory/1596-100-0x00000000003AD000-0x00000000003B0000-memory.dmp

memory/288-101-0x0000000000000000-mapping.dmp

memory/1296-103-0x0000000000000000-mapping.dmp

memory/288-104-0x00000000002BD000-0x00000000002C0000-memory.dmp

memory/1668-105-0x0000000000000000-mapping.dmp

memory/580-107-0x0000000000000000-mapping.dmp

memory/1668-108-0x000000000032D000-0x0000000000330000-memory.dmp

memory/1912-109-0x0000000000000000-mapping.dmp

memory/1208-111-0x0000000000000000-mapping.dmp

memory/1912-112-0x000000000036D000-0x0000000000370000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-02 11:10

Reported

2022-05-02 11:13

Platform

win10v2004-20220414-en

Max time kernel

144s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DEKONT.exe"

Signatures

Matiex

stealer keylogger matiex

Matiex Main Payload

Description Indicator Process Target
N/A N/A N/A N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4248 set thread context of 204 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
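
Read together, the two runs show one process-hollowing pattern with MSBuild.exe as the host: DEKONT.exe, running from the user's Temp directory, writes five times into each freshly started, argument-less MSBuild.exe (behavioral1), and on the Windows 10 run also sets that process's thread context (PID 4248 -> 204 above). From then on it is MSBuild.exe, not DEKONT.exe, that takes SeDebugPrivilege and opens the Outlook profile keys, so that is where the payload executes. The script below is an added example, not part of this report or of any sandbox tooling: it parses signature rows exactly as printed above (a constructed subset: the 1920 generation of the behavioral1 WriteProcessMemory table, the 2024 -> 1768 respawn rows and the behavioral2 SetThreadContext row), rebuilds the source/target relationships and labels each one. The list of hollowing hosts and the user-writable path fragments are assumptions made for the example, not something the report states.

```python
# Added example: rebuild injection relationships from the sandbox's
# signature rows.  Not part of the report or of any sandbox tooling.
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed input, copied from the tables above: the 1920 generation of the
# behavioral1 WriteProcessMemory table, the 2024 -> 1768 respawn rows, and the
# behavioral2 SetThreadContext row.  Raw string because the paths contain "\U".
SIGNATURE_ROWS = r"""
PID 1920 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\SysWOW64\cmd.exe
PID 1920 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\SysWOW64\cmd.exe
PID 1920 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\SysWOW64\cmd.exe
PID 1920 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\SysWOW64\cmd.exe
PID 1920 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1920 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1920 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1920 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1920 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1920 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
PID 1920 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
PID 1920 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
PID 1920 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
PID 2024 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
PID 2024 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
PID 2024 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
PID 2024 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Users\Admin\AppData\Local\Temp\DEKONT.exe
PID 4248 set thread context of 204 N/A C:\Users\Admin\AppData\Local\Temp\DEKONT.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"""

# Assumptions for the example: .NET framework binaries commonly reported as
# hollowing hosts, and path fragments that mark a user-writable drop location.
HOLLOWING_HOSTS = {"msbuild.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "applaunch.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Paths match as \S+ (no path in this report contains a space); use the
# sandbox's structured export if yours do.
ROW = re.compile(r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) (\S+) (\S+) (\S+)$")

@dataclass
class Edge:
    src: str          # image of the writing / context-setting process
    dst: str          # image of the target process
    writes: int = 0   # WriteProcessMemory rows seen for this pair
    context: int = 0  # SetThreadContext rows seen for this pair

def parse_rows(text: str) -> Dict[Tuple[int, int], Edge]:
    edges: Dict[Tuple[int, int], Edge] = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # blank line or a "Description Indicator ..." header
        src, action, dst, _indicator, src_img, dst_img = m.groups()
        e = edges.setdefault((int(src), int(dst)), Edge(src_img, dst_img))
        if action.startswith("wrote"):
            e.writes += 1
        else:
            e.context += 1
    return edges

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(e: Edge) -> str:
    if basename(e.src) == basename(e.dst):
        return "self-respawn"  # the sample re-launching itself
    from_user_path = any(p in e.src.lower() for p in USER_WRITABLE)
    if basename(e.dst) in HOLLOWING_HOSTS and from_user_path:
        # memory written into the host = payload staged;
        # thread context set = the host's execution redirected into it
        return "hollowing-context-set" if e.context else "hollowing-staged"
    return "other"

def roots(edges: Dict[Tuple[int, int], Edge]) -> List[int]:
    """PIDs that write into others but were never written into themselves."""
    targets = {d for (_, d) in edges}
    return sorted({s for (s, _) in edges if s not in targets})

def respawn_chain(edges: Dict[Tuple[int, int], Edge], root: int) -> List[int]:
    """Follow self-respawn edges from root, e.g. 1920 -> 2024 -> 1768."""
    chain = [root]
    while True:
        nxt = [d for (s, d), e in edges.items() if s == chain[-1] and classify(e) == "self-respawn"]
        if not nxt or nxt[0] in chain:
            return chain
        chain.append(nxt[0])

def hollowing_targets(edges: Dict[Tuple[int, int], Edge]) -> Dict[int, str]:
    return {d: classify(e) for (_, d), e in edges.items() if classify(e).startswith("hollowing")}

if __name__ == "__main__":
    edges = parse_rows(SIGNATURE_ROWS)
    for root in roots(edges):
        print(f"respawn chain from {root}: {respawn_chain(edges, root)}")
    for pid, verdict in sorted(hollowing_targets(edges).items()):
        print(f"PID {pid}: {verdict}")
```

Run stand-alone it prints the 1920 -> 2024 -> 1768 respawn chain, the lone 4248 root from the second run, PID 2020 as a staged host and PID 204 as the host whose thread context was taken over. The cmd.exe writes are left as "other": a few writes into a just-created child are also what a normal CreateProcess looks like, so the host list and the user-writable source path are what turn a write into a hollowing verdict.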

Processes

C:\Users\Admin\AppData\Local\Temp\DEKONT.exe

"C:\Users\Admin\AppData\Local\Temp\DEKONT.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 204 -ip 204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 204 -s 1692

Network

Country  Destination          Domain                      Proto
NL       20.190.160.8:443     N/A                         tcp
US       8.8.8.8:53           checkip.dyndns.org          udp
US       158.101.44.242:80    checkip.dyndns.org          tcp
US       104.208.16.90:443    N/A                         tcp
NL       20.190.160.129:443   N/A                         tcp
US       193.122.130.0:80     checkip.dyndns.org          tcp
US       93.184.221.240:80    N/A                         tcp
US       93.184.221.240:80    N/A                         tcp
US       93.184.221.240:80    N/A                         tcp
JP       132.226.8.169:80     checkip.dyndns.org          tcp
US       8.8.8.8:53           106.89.54.20.in-addr.arpa   udp
BR       132.226.247.73:80    checkip.dyndns.org          tcp
DE       193.122.6.168:80     checkip.dyndns.org          tcp

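The network table carries no process column, so none of this traffic can be tied to a PID from the report alone, but it is still the run's only external IOC set: one DNS query for checkip.dyndns.org followed by HTTP to five different addresses for that name across four countries (consistent with retries against a round-robin answer set), a PTR query, and a handful of bare-IP connections. The script below is an added example, not part of this report or of any sandbox tooling: it parses the rows as the sandbox prints them (the Domain column is simply absent on some rows), collects the external-IP-check contacts, decodes the reverse-DNS name and lists what stays unattributed. The set of IP-check services is an assumption made for the example.

```python
# Added example: turn the sandbox's flattened network table into
# attributable IOCs.  Not part of the report or of any sandbox tooling.
import ipaddress
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set

# Constructed input: the behavioral2 network table above, copied verbatim.
NETWORK_TABLE = """\
Country Destination Domain Proto
NL 20.190.160.8:443 tcp
US 8.8.8.8:53 checkip.dyndns.org udp
US 158.101.44.242:80 checkip.dyndns.org tcp
US 104.208.16.90:443 tcp
NL 20.190.160.129:443 tcp
US 193.122.130.0:80 checkip.dyndns.org tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
JP 132.226.8.169:80 checkip.dyndns.org tcp
US 8.8.8.8:53 106.89.54.20.in-addr.arpa udp
BR 132.226.247.73:80 checkip.dyndns.org tcp
DE 193.122.6.168:80 checkip.dyndns.org tcp
"""

# Assumption for the example: public "what is my IP" endpoints that
# stealers query to tag the victim before exfiltration.
EXTERNAL_IP_SERVICES = {
    "checkip.dyndns.org", "checkip.amazonaws.com", "api.ipify.org",
    "icanhazip.com", "ifconfig.me", "ip-api.com",
}

class Flow(NamedTuple):
    country: str
    ip: str
    port: int
    domain: Optional[str]  # None when the sandbox printed no domain
    proto: str

def parse_network_table(text: str) -> List[Flow]:
    """Parse rows with either three fields (no Domain) or four."""
    flows: List[Flow] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "Country":
            continue  # blank line or the header row
        if len(parts) == 3:
            country, dest, proto = parts
            domain = None
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue  # not a row shape we understand
        if domain == "N/A":
            domain = None
        ip, port = dest.rsplit(":", 1)
        flows.append(Flow(country, ip, int(port), domain, proto))
    return flows

def ptr_name_to_ip(name: str) -> Optional[str]:
    """106.89.54.20.in-addr.arpa -> '20.54.89.106'; None if not an IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    labels = name[:-len(suffix)].split(".")
    if len(labels) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    except ipaddress.AddressValueError:
        return None

def external_ip_lookups(flows: List[Flow]) -> Dict[str, Set[str]]:
    """Service name -> server IPs it was actually contacted on (DNS rows excluded)."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        if f.domain in EXTERNAL_IP_SERVICES and f.proto == "tcp":
            hits[f.domain].add(f.ip)
    return dict(hits)

def reverse_lookups(flows: List[Flow]) -> Dict[str, str]:
    """PTR query names seen on port 53, decoded to the address being looked up."""
    out: Dict[str, str] = {}
    for f in flows:
        if f.domain and f.port == 53:
            ip = ptr_name_to_ip(f.domain)
            if ip:
                out[f.domain] = ip
    return out

def unattributed_destinations(flows: List[Flow]) -> Set[str]:
    """ip:port pairs the sandbox could not tie to a DNS name."""
    return {f"{f.ip}:{f.port}" for f in flows if f.domain is None}

if __name__ == "__main__":
    flows = parse_network_table(NETWORK_TABLE)
    print("external-IP lookups:", external_ip_lookups(flows))
    print("reverse lookups:", reverse_lookups(flows))
    print("unattributed:", sorted(unattributed_destinations(flows)))
```

The five checkip.dyndns.org server addresses are the ones worth blocking or alerting on as a group; the PTR query decodes to a lookup of 20.54.89.106, and the four unattributed destinations (three TLS endpoints and the repeated 93.184.221.240:80 hits) need a packet capture before they can be called either C2 or platform background noise.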
Files

memory/3884-130-0x0000000000000000-mapping.dmp

memory/4248-131-0x000000000133D000-0x0000000001340000-memory.dmp

memory/204-132-0x0000000000000000-mapping.dmp

memory/204-133-0x0000000000600000-0x0000000000676000-memory.dmp

memory/204-134-0x0000000004C00000-0x0000000004C9C000-memory.dmp

memory/204-135-0x0000000005250000-0x00000000057F4000-memory.dmp

memory/204-136-0x0000000004D10000-0x0000000004D76000-memory.dmp