Analysis

max time kernel:  109s
max time network: 41s
platform:         windows7_x64
resource:         win7-20220812-en
resource tags:    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted:        18-10-2022 19:16
Static task: static1

Behavioral task: behavioral1
  Sample:   Dekont.PDF.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample:   Dekont.PDF.exe
  Resource: win10v2004-20220901-en

The signatures and process tree below are from the Windows 7 run (behavioral1), matching the platform and resource in the Analysis header.
General

Target: Dekont.PDF.exe
Size:   1.3MB
MD5:    dd351940dad3168f60d1b3d7cd10347b
SHA1:   9cf4ff25559de1a6cbaeac06123abf04c2ec12b0
SHA256: 33f6177e2d98b8b7a93daed5f05883a111f706ed3bcba925c9740c4feac6111e
SHA512: 1cd9340b1ca9e5c460f69cda5410daa0a8791505b0367a0794b7f2f8fcd2a822d13574c0313fd1997525208a3af2a4e3a9a391d006e2576de13bd3792a78c8fa
SSDEEP: 24576:hExxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxNusswO7Sayb:ualphF78zLyc/YFdj

The file name is a lure: "dekont" is Turkish for a bank receipt, and the double extension .PDF.exe displays as "Dekont.PDF" on a machine that hides known extensions.
Malware Config

Extracted
  family: blustealer
  c2 / exfiltration: https://api.telegram.org/bot5310184325:AAFI3fSQ6VcGu_NSTmv7d-qK2WCVhYY_qfg/sendMessage?chat_id=1293496579

Stolen data is posted with the Telegram Bot API sendMessage method; the URL embeds the operator's bot token (the bot<id>:<secret> path segment) and the receiving chat_id. Both are specific to this build and are usable as indicators; at the network level, any request to api.telegram.org/bot*/sendMessage from a process that is not a known Telegram client is worth alerting on.
Signatures

BluStealer
  A modular information stealer written in Visual Basic.

Accesses Microsoft Outlook profiles  (1 TTP, 3 IoCs)
  description   ioc                                                                                                                                                                       process
  Key opened    \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                         AppLaunch.exe
  Key opened    \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                         AppLaunch.exe
  Key opened    \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   AppLaunch.exe
  The same account subkey (9375CFF0413111d3B88A00104B2A6676, where Outlook keeps per-account settings including saved credentials) is probed under the Office 15.0, Office 16.0 and legacy Windows Messaging Subsystem paths, so the lookup covers every Outlook version regardless of which one is installed. The reader is AppLaunch.exe (PID 1728), the injected host, not the original sample. The SID in these paths belongs to the sandbox user; a detection should key on the Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 suffix, not the SID.

Suspicious use of SetThreadContext  (2 IoCs)
  description                            pid    process          procid_target
  PID 1384 set thread context of 1072    1384   Dekont.PDF.exe   32
  PID 1072 set thread context of 1728    1072   Dekont.PDF.exe   33
  (procid_target is the sandbox's internal process index, not a Windows PID.) Two hops: the original process (1384) injects into a second copy of itself (1072), which then injects into the legitimate .NET host AppLaunch.exe (1728). Each hop is paired with a burst of WriteProcessMemory calls on the same target (below), the pattern of process hollowing.

Enumerates physical storage devices  (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's stock description for this signature adds "Likely ransomware behaviour"; for a sample classified as a stealer, drive enumeration is equally consistent with collecting files, and on its own it is not evidence of encryption activity.

Creates scheduled task(s)  (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid    process
  1704   schtasks.exe

Suspicious behavior: EnumeratesProcesses  (4 IoCs)
  pid    process
  1384   Dekont.PDF.exe
  1384   Dekont.PDF.exe
  1384   Dekont.PDF.exe
  952    powershell.exe

Suspicious use of AdjustPrivilegeToken  (2 IoCs)
  description               pid    process
  Token: SeDebugPrivilege   1384   Dekont.PDF.exe
  Token: SeDebugPrivilege   952    powershell.exe
  SeDebugPrivilege is what lets 1384 open its child processes with full access for the writes below. powershell.exe routinely shows the same token adjustment in sandbox runs, so that row is not an indicator on its own.

Suspicious use of SetWindowsHookEx  (1 IoC)
  pid    process
  1072   Dekont.PDF.exe
  Windows hooks are the usual user-mode mechanism for keystroke capture; the report records only the API use, not the hook type installed.

Suspicious use of WriteProcessMemory  (30 IoCs)
  The report lists one row per call; collapsed here by (writer, target) pair, with target names taken from the process tree:
  writer pid   writer process    target pid   target process    procid_target   calls
  1384         Dekont.PDF.exe    952          powershell.exe    27              4
  1384         Dekont.PDF.exe    1704         schtasks.exe      29              4
  1384         Dekont.PDF.exe    820          Dekont.PDF.exe    31              4
  1384         Dekont.PDF.exe    1072         Dekont.PDF.exe    32              9
  1072         Dekont.PDF.exe    1728         AppLaunch.exe     33              9
  The four writes into 952, 1704 and 820 match what the sandbox records for plain child-process creation (powershell.exe and schtasks.exe are not injected into, and 820 shows no further activity). The nine writes into 1072 and into 1728, each followed by a SetThreadContext on the same target, are the two injection hops.

outlook_office_path  (1 IoC)
  description   ioc                                                                                                                                         process
  Key opened    \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   AppLaunch.exe

outlook_win_path  (1 IoC)
  description   ioc                                                                                                                                                                       process
  Key opened    \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   AppLaunch.exe
Processes

C:\Users\Admin\AppData\Local\Temp\Dekont.PDF.exe  (level 1, PID 1384)
  command line: "C:\Users\Admin\AppData\Local\Temp\Dekont.PDF.exe"
  signatures:   Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (level 2, PID 952)
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gPgpDcrGk.exe"
    signatures:   Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\schtasks.exe  (level 2, PID 1704)
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gPgpDcrGk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9F6C.tmp"
    signatures:   Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\Dekont.PDF.exe  (level 2, PID 820)
    command line: "C:\Users\Admin\AppData\Local\Temp\Dekont.PDF.exe"
    signatures:   none recorded

  C:\Users\Admin\AppData\Local\Temp\Dekont.PDF.exe  (level 2, PID 1072)
    command line: "C:\Users\Admin\AppData\Local\Temp\Dekont.PDF.exe"
    signatures:   Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  (level 3, PID 1728)
      command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      signatures:   Accesses Microsoft Outlook profiles; outlook_office_path; outlook_win_path

Notes on the tree:
- The sample is a 32-bit image (resource tag arch:x86) running under WOW64, so its requests for System32\powershell.exe and System32\schtasks.exe are redirected to the SysWOW64 copies; the first line of each entry is the image actually executed, the command line is what the parent issued.
- The Defender exclusion and the scheduled task share the name gPgpDcrGk, presumably the copy the sample persists as under %APPDATA%; the file write itself is not among the events on this page. The Add-MpPreference cmdlet belongs to the Defender PowerShell module that ships with Windows 8 and later, so on this Windows 7 run the exclusion command cannot take effect as issued, and a Windows 10 run (behavioral2) is the one to check for it.
- The task is created from an XML definition in %TEMP% (tmp9F6C.tmp) rather than from /SC and /TR switches, which keeps the trigger and action out of the schtasks command line; recover them from the XML or from the resulting task under Updates\gPgpDcrGk.
- The stealer payload runs inside AppLaunch.exe, a signed Microsoft .NET host: every Outlook profile registry access is attributed to PID 1728, not to Dekont.PDF.exe, so endpoint detections that look only at the original image miss the credential access.
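As an added example (not code from the report, the sandbox or the malware), the Python below takes the events above, rebuilt as constructed tuples, and derives what an analyst wants from a tree like this: the injection chain from the WriteProcessMemory/SetThreadContext pairs, the image the payload finally runs in, the Defender-exclusion and schtasks-from-%TEMP% command lines, and whether the Outlook profile reads come from that injected host. The event layout, the min_writes threshold and the function names are assumptions made for this example.

```python
"""Added example: reconstruct the injection chain and persistence findings
from sandbox-style process events.  EVENTS is constructed to mirror the
Triage report for Dekont.PDF.exe; it is not a real log format."""
import re
from collections import Counter

# (kind, source_pid, target_pid, data)
#   create  : source spawned target; data = target command line
#   write   : source called WriteProcessMemory on target (one tuple per call)
#   setctx  : source called SetThreadContext on target
#   regopen : source opened registry key; target unused (0); data = key path
EVENTS = [
    ("create", 1384, 952,  r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gPgpDcrGk.exe"'),
    ("create", 1384, 1704, r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gPgpDcrGk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9F6C.tmp"'),
    ("create", 1384, 820,  r'"C:\Users\Admin\AppData\Local\Temp\Dekont.PDF.exe"'),
    ("create", 1384, 1072, r'"C:\Users\Admin\AppData\Local\Temp\Dekont.PDF.exe"'),
    ("create", 1072, 1728, r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe'),
    ("setctx", 1384, 1072, ""),
    ("setctx", 1072, 1728, ""),
    ("regopen", 1728, 0, r"\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    ("regopen", 1728, 0, r"\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
]
# WriteProcessMemory call counts per (writer, target), as listed in the report.
for _writer, _target, _n in [(1384, 952, 4), (1384, 1704, 4), (1384, 820, 4),
                             (1384, 1072, 9), (1072, 1728, 9)]:
    EVENTS += [("write", _writer, _target, "")] * _n

DEFENDER_EXCL = re.compile(r"Add-MpPreference\b.*-ExclusionPath\b", re.I)
SCHTASKS_XML = re.compile(r'schtasks(?:\.exe)?"?\s+/Create\b.*?\s/XML\s+"?([^"\s]+)', re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# Outlook per-account subkey; match on the suffix, never on the user SID.
OUTLOOK_ACCT = re.compile(r"\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676$", re.I)


def write_counts(events):
    """WriteProcessMemory calls per (writer, target) pair."""
    return Counter((s, t) for kind, s, t, _ in events if kind == "write")


def injection_edges(events, min_writes=5):
    """(writer, target) pairs where the writer set the target's thread context
    and wrote to it more than plain child creation does.  min_writes is an
    assumed threshold: four writes accompany every child spawn in this run."""
    writes = write_counts(events)
    return sorted({(s, t) for kind, s, t, _ in events
                   if kind == "setctx" and writes[(s, t)] >= min_writes})


def injection_chain(events):
    """Follow injection edges from the one process that is never a target."""
    edges = dict(injection_edges(events))          # writer -> target
    roots = [s for s in edges if s not in set(edges.values())]
    if len(roots) != 1:
        return []
    chain = [roots[0]]
    while chain[-1] in edges and edges[chain[-1]] not in chain:
        chain.append(edges[chain[-1]])
    return chain


def process_image(events, pid):
    """Executable name from the command line that created pid (None if unknown)."""
    for kind, _, target, cmd in events:
        if kind == "create" and target == pid:
            exe = cmd.split('"')[1] if cmd.startswith('"') else cmd.split(" ")[0]
            return exe.rsplit("\\", 1)[-1]
    return None


def final_host(events):
    """Image the injected payload ends up running in."""
    chain = injection_chain(events)
    return process_image(events, chain[-1]) if chain else None


def persistence_findings(events):
    """Defence-evasion and persistence command lines among spawned children."""
    findings = []
    for kind, _, pid, cmd in events:
        if kind != "create":
            continue
        if DEFENDER_EXCL.search(cmd):
            findings.append((pid, "defender_exclusion"))
        m = SCHTASKS_XML.search(cmd)
        if m and TEMP_DIR.search(m.group(1)):
            findings.append((pid, "schtasks_xml_from_temp"))
    return findings


def outlook_profile_readers(events):
    """PIDs that opened an Outlook account subkey."""
    return sorted({s for kind, s, _, key in events
                   if kind == "regopen" and OUTLOOK_ACCT.search(key)})


def credential_access_in_injected_host(events):
    """True when the Outlook reads come from the last process in the chain."""
    chain = injection_chain(events)
    return bool(chain) and chain[-1] in outlook_profile_readers(events)


if __name__ == "__main__":
    print("injection chain:", " -> ".join(map(str, injection_chain(EVENTS))))
    print("final host:", final_host(EVENTS))
    print("findings:", persistence_findings(EVENTS))
    print("outlook readers:", outlook_profile_readers(EVENTS))
    print("credential access from injected host:", credential_access_in_injected_host(EVENTS))
```

The threshold in injection_edges is what separates the four writes that accompany every child creation in this run from the nine that carry the injected image; calibrate it against your own sandbox's baseline before reusing the logic. The Outlook check deliberately ignores the SID and the Office version in the key path, since both vary between victims while the account subkey GUID does not.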
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 1KB
MD5:    d78306655c92759ef83f2793a56abe59
SHA1:   dfc4d7ea955e51d5e74c546655f52827a71f507c
SHA256: fc6766a1bf6d5f6cfc7b79bc4e7f409d0827bac8a77276179256265c5361823d
SHA512: ff4b306141f1baa7c64732b9549395cb6633fe1e2a00e646fc90c1accaf6689ecaeac80625b2adf972f802698dde6c29cb4b9ac3fe820b82f2441ebb1dacf554