Analysis
- max time kernel: 57s
- max time network: 58s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 12:18

Static task: static1

Behavioral task: behavioral1
- Sample: Dekont.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: Dekont.exe
- Resource: win10v2004-20220414-en
General
- Target: Dekont.exe
- Size: 1.0MB
- MD5: 1ba7ee7b1f0e03c2b63e828b4eb1158e
- SHA1: bca0140b2bac77017b47676845ca97144c230ffa
- SHA256: ac42965215afb055c4135cc87288be3f2aaff848972634fbaed4c365e112af43
- SHA512: 5d61af74c8b3ae2e307a1909b7d774f72d16c3db66e9f865b239d4ea1b4d743b205fb2239be7608e705606275c94eb96766d278bfc8079257a5b3dcb9309650b
Malware Config
Extracted
- Path: C:\Users\Admin\AppData\Local\79FE0CC911\Log.txt
- Family: masslogger
Signatures
- MassLogger
  MassLogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
- MassLogger log file (1 IoC)
  Detects a log file produced by MassLogger.
  Processes:
  YARA rule: masslogger_log_file
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
  description  ioc  process
  Key value queried  \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation  Dekont.exe
- Deletes itself (1 IoC)
  Processes:
  pid  process
  1452  powershell.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 35 IoCs)
  Processes:
  description  ioc  process
  Key created  \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Dekont.exe
  Key queried  \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Dekont.exe
  Key created  \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Dekont.exe
  Key queried  \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Dekont.exe
  Key opened  \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Dekont.exe
  Key queried  \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  Dekont.exe
  Key created  \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook  Dekont.exe
  Key opened  \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Dekont.exe
  Key queried  \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Dekont.exe
  Key queried  \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook  Dekont.exe
  Key queried  \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook  Dekont.exe
  Key opened  \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Dekont.exe
  Key created  \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook  Dekont.exe
  Key queried  \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Dekont.exe
  Key opened  \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Dekont.exe
  Key queried  \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook  Dekont.exe
  Key created  \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Dekont.exe
  Key created  \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Dekont.exe
  Key opened  \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Dekont.exe
  Key created  \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Dekont.exe
  Key opened  \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Dekont.exe
  Key queried  \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  Dekont.exe
  Key created  \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  Dekont.exe
  Key opened  \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Dekont.exe
  Key queried  \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook  Dekont.exe
  Key created  \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  Dekont.exe
  Key created  \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook  Dekont.exe
  Key queried  \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Dekont.exe
  Key queried  \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook  Dekont.exe
  Key queried  \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Dekont.exe
  Key created  \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Dekont.exe
  Key created  \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook  Dekont.exe
  Key created  \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Dekont.exe
  Key created  \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook  Dekont.exe
  Key queried  \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Dekont.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow  ioc
  4  api.ipify.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description  pid  process  target process
  PID 1336 set thread context of 988  1336  Dekont.exe  Dekont.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
  pid  process
  988  Dekont.exe
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  Processes:
  pid  process
  1336  Dekont.exe
  1336  Dekont.exe
  1336  Dekont.exe
  2020  Powershell.exe
  988  Dekont.exe
  988  Dekont.exe
  1452  powershell.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
  description  pid  process
  Token: SeDebugPrivilege  1336  Dekont.exe
  Token: SeDebugPrivilege  2020  Powershell.exe
  Token: SeDebugPrivilege  988  Dekont.exe
  Token: SeDebugPrivilege  1452  powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  pid  process
  988  Dekont.exe
- Suspicious use of WriteProcessMemory (25 IoCs)
  Processes:
  description  pid  process  target process
  PID 1336 wrote to memory of 1912  1336  Dekont.exe  Dekont.exe
  PID 1336 wrote to memory of 1912  1336  Dekont.exe  Dekont.exe
  PID 1336 wrote to memory of 1912  1336  Dekont.exe  Dekont.exe
  PID 1336 wrote to memory of 1912  1336  Dekont.exe  Dekont.exe
  PID 1336 wrote to memory of 988  1336  Dekont.exe  Dekont.exe
  PID 1336 wrote to memory of 988  1336  Dekont.exe  Dekont.exe
  PID 1336 wrote to memory of 988  1336  Dekont.exe  Dekont.exe
  PID 1336 wrote to memory of 988  1336  Dekont.exe  Dekont.exe
  PID 1336 wrote to memory of 988  1336  Dekont.exe  Dekont.exe
  PID 1336 wrote to memory of 988  1336  Dekont.exe  Dekont.exe
  PID 1336 wrote to memory of 988  1336  Dekont.exe  Dekont.exe
  PID 1336 wrote to memory of 988  1336  Dekont.exe  Dekont.exe
  PID 1336 wrote to memory of 988  1336  Dekont.exe  Dekont.exe
  PID 1336 wrote to memory of 2020  1336  Dekont.exe  Powershell.exe
  PID 1336 wrote to memory of 2020  1336  Dekont.exe  Powershell.exe
  PID 1336 wrote to memory of 2020  1336  Dekont.exe  Powershell.exe
  PID 1336 wrote to memory of 2020  1336  Dekont.exe  Powershell.exe
  PID 988 wrote to memory of 1888  988  Dekont.exe  cmd.exe
  PID 988 wrote to memory of 1888  988  Dekont.exe  cmd.exe
  PID 988 wrote to memory of 1888  988  Dekont.exe  cmd.exe
  PID 988 wrote to memory of 1888  988  Dekont.exe  cmd.exe
  PID 1888 wrote to memory of 1452  1888  cmd.exe  powershell.exe
  PID 1888 wrote to memory of 1452  1888  cmd.exe  powershell.exe
  PID 1888 wrote to memory of 1452  1888  cmd.exe  powershell.exe
  PID 1888 wrote to memory of 1452  1888  cmd.exe  powershell.exe
- outlook_office_path (1 IoC)
  Processes:
  description  ioc  process
  Key queried  \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Dekont.exe
- outlook_win_path (1 IoC)
  Processes:
  description  ioc  process
  Key queried  \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Dekont.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Dekont.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Dekont.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Dekont.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Dekont.exe"
  - C:\Users\Admin\AppData\Local\Temp\Dekont.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Dekont.exe"
    - Checks computer location settings
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Dekont.exe' & exit
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 4)
        Command line: powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Dekont.exe'
        - Deletes itself
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe (depth 2)
    Command line: "Powershell" Add-MpPreference -ExclusionPath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe"'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: aef5dbb4bf2efedb9561b6266960f3e5
  SHA1: 99e5628ab9fca96abfa92df12e760ad7ffdc1038
  SHA256: ce0807429c279525d2348707ad7cc40898f02aea691fcbdd6ff708d0e58b9e47
  SHA512: 4449bbc136362ce10640a498ea5eb6ab9b424c825015750b7ef5fe1709a3b372240bb40629260525bc3ef32141c4371bc1c22195249f31ddad8a4fbc709bbaf1
- memory/988-68-0x0000000000400000-0x00000000004C4000-memory.dmp (Filesize: 784KB)
- memory/988-73-0x00000000005B5000-0x00000000005C6000-memory.dmp (Filesize: 68KB)
- memory/988-66-0x0000000000400000-0x00000000004C4000-memory.dmp (Filesize: 784KB)
- memory/988-58-0x0000000000400000-0x00000000004C4000-memory.dmp (Filesize: 784KB)
- memory/988-60-0x0000000000400000-0x00000000004C4000-memory.dmp (Filesize: 784KB)
- memory/988-61-0x0000000000400000-0x00000000004C4000-memory.dmp (Filesize: 784KB)
- memory/988-62-0x0000000000400000-0x00000000004C4000-memory.dmp (Filesize: 784KB)
- memory/988-63-0x00000000004BF8CE-mapping.dmp
- memory/988-57-0x0000000000400000-0x00000000004C4000-memory.dmp (Filesize: 784KB)
- memory/988-74-0x0000000000850000-0x0000000000864000-memory.dmp (Filesize: 80KB)
- memory/988-70-0x00000000022F0000-0x0000000002368000-memory.dmp (Filesize: 480KB)
- memory/1336-56-0x00000000007B0000-0x000000000086C000-memory.dmp (Filesize: 752KB)
- memory/1336-55-0x0000000074B51000-0x0000000074B53000-memory.dmp (Filesize: 8KB)
- memory/1336-54-0x0000000000880000-0x000000000098A000-memory.dmp (Filesize: 1.0MB)
- memory/1452-79-0x0000000072E40000-0x00000000733EB000-memory.dmp (Filesize: 5.7MB)
- memory/1452-76-0x0000000000000000-mapping.dmp
- memory/1888-75-0x0000000000000000-mapping.dmp
- memory/2020-65-0x0000000000000000-mapping.dmp
- memory/2020-72-0x000000006FA70000-0x000000007001B000-memory.dmp (Filesize: 5.7MB)