Analysis

- max time kernel: 146s
- max time network: 134s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 27-03-2023 05:29

Static task: static1
Behavioral task: behavioral1 (sample E-dekont.exe, resource win7-20230220-en)
General

- Target: E-dekont.exe
- Size: 286KB
- MD5: 7f453b503f828a474ca684b065498d01
- SHA1: b82a91e97e1c0a23b993db56f9f6049a96580b34
- SHA256: 7cdb9e0fde39ad1578dbd905a88c8b6492a608349c0fed0c79879f5a086108e9
- SHA512: 167c0afb30cd84f7a2980f1713012f5722b00a642977cb1c7d6f353698a8d74c11cfb367585d1a93b3ff4defee526017d71240bb1331baaf2169062e258f73a3
- SSDEEP: 6144:hT5Uzm0s9s3LWwHCZwX+A6UXqc0LrWK5OcraEUq2YWPOjJlaq8+:hT55Ns3LNi+uAz6c0LrWSaxHmX8+
Malware Config

Extracted:
- Family: formbook
- Version: 4.1
- Campaign: be83
- Domains:
woodlandscancercare.org.uk
hosting-delightful.lol
bilpreco.com
diplomk-v-habarovske.com
dzgck.com
jsdappraisals.com
digitalnishant.com
bluevibesgift.com
wowchershoo.co.uk
eudoriaofficial.online
ourcampaign2024.net
barlogcode.com
calmingscents.biz
thewaterfallproject.africa
www-1911.com
cigapp.online
wooddroppers.africa
casmiya.com
haruminailbar.com
drivermindset.com
kittysew.com
codinformer.com
carextra247.co.uk
hackldesign.com
jollyshopping.shop
ibufalari.com
cloudcapgear.com
afro.fitness
liverightseniorcareinc.com
imetmyselfinyou.com
easy-exchange.net
crowesnestvenue.com
bigszeieveryone.com
excavatorsmachines.com
39gaokk.com
cedarcreekmartinsville.com
lcllog.com
buylikeking.com
ag1elite.com
burnoutstudio.co.uk
aldafiq.com
foxdamold.com
doanses2022.click
bellanight.net
mouhc.online
carlosarenas.online
datifybase.com
allinahealthaetna.rsvp
alanmockler.com
jeevesalarm.com
fixmaster.africa
goxoasantander.com
austinmotorvillage.net
homespreadmechanics.com
irvinedigitalrealty.com
lacigalerouge.com
bjhybaobiao.com
channamphat.com
hotelmalabarresort.com
honstarnet.com
3dseal.online
heureka-health.ch
efefwonder.buzz
migswelders.com
777584.com
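The domain list above is the part of this report that turns directly into detection content. The following is an added example, not code from the sandbox or from the report: it loads the extracted domains, matches DNS log lines against them on label boundaries (so a lookalike such as notbilpreco.com does not hit bilpreco.com), and emits one Suricata DNS rule per domain. The DNS log lines are constructed for the demo, and the rule text assumes Suricata 5+ keyword syntax (dns.query, dotprefix, endswith). One caveat a practitioner should keep in mind: Formbook configs bundle one live C2 with a set of decoy domains, so a hit means "resolved a domain from this sample's config", not "reached the C2".

```python
"""Match DNS log queries against the Formbook config extracted above.

Added example, not code from the sandbox or from the report. The domain list
is transcribed from the config extracted from E-dekont.exe; the DNS log lines
are constructed, and the Suricata rule text assumes Suricata 5+ keyword syntax
(dns.query, dotprefix, endswith). Formbook configs mix one live C2 with decoy
domains, so a hit means "resolved a config domain", not "reached the C2".
"""
import re
from typing import Iterable, List, NamedTuple, Optional

CONFIG_DOMAINS = frozenset("""
woodlandscancercare.org.uk hosting-delightful.lol bilpreco.com
diplomk-v-habarovske.com dzgck.com jsdappraisals.com digitalnishant.com
bluevibesgift.com wowchershoo.co.uk eudoriaofficial.online ourcampaign2024.net
barlogcode.com calmingscents.biz thewaterfallproject.africa www-1911.com
cigapp.online wooddroppers.africa casmiya.com haruminailbar.com drivermindset.com
kittysew.com codinformer.com carextra247.co.uk hackldesign.com jollyshopping.shop
ibufalari.com cloudcapgear.com afro.fitness liverightseniorcareinc.com
imetmyselfinyou.com easy-exchange.net crowesnestvenue.com bigszeieveryone.com
excavatorsmachines.com 39gaokk.com cedarcreekmartinsville.com lcllog.com
buylikeking.com ag1elite.com burnoutstudio.co.uk aldafiq.com foxdamold.com
doanses2022.click bellanight.net mouhc.online carlosarenas.online datifybase.com
allinahealthaetna.rsvp alanmockler.com jeevesalarm.com fixmaster.africa
goxoasantander.com austinmotorvillage.net homespreadmechanics.com
irvinedigitalrealty.com lacigalerouge.com bjhybaobiao.com channamphat.com
hotelmalabarresort.com honstarnet.com 3dseal.online heureka-health.ch
efefwonder.buzz migswelders.com 777584.com
""".split())


class Hit(NamedTuple):
    timestamp: str
    client: str
    qname: str
    config_domain: str


# Constructed log layout for the demo: "<timestamp> <client ip> <qtype> <qname>"
_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(A|AAAA|CNAME|TXT)\s+(\S+)\s*$")


def normalize(name: str) -> str:
    """Lowercase and drop a trailing dot so 'FOO.COM.' and 'foo.com' compare equal."""
    return name.strip().lower().rstrip(".")


def config_match(qname: str, domains=CONFIG_DOMAINS) -> Optional[str]:
    """Return the config domain that qname equals or sits under, else None.

    Walks label boundaries ('a.b.c' -> 'a.b.c', 'b.c', 'c'), so a lookalike such
    as 'notbilpreco.com' does not match 'bilpreco.com' the way a substring test would.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_dns_log(lines: Iterable[str]) -> List[Hit]:
    """Return one Hit per log line whose query name maps to a config domain."""
    hits = []
    for line in lines:
        m = _LINE.match(line)
        if not m:
            continue  # unparsable line: skip rather than crash on a log oddity
        ts, client, _qtype, qname = m.groups()
        matched = config_match(qname)
        if matched:
            hits.append(Hit(ts, client, normalize(qname), matched))
    return hits


def suricata_rules(domains=CONFIG_DOMAINS, sid_base: int = 9000000) -> List[str]:
    """One DNS-query alert per config domain (Suricata 5+ syntax, assumed).

    dotprefix + endswith gives the same label-boundary semantics as config_match:
    ".bilpreco.com" must end the query, so "notbilpreco.com" does not alert.
    """
    return [
        f'alert dns $HOME_NET any -> any any (msg:"Formbook be83 config domain {d}"; '
        f'dns.query; dotprefix; content:".{d}"; nocase; endswith; '
        f'sid:{sid_base + n}; rev:1;)'
        for n, d in enumerate(sorted(domains))
    ]


# Constructed sample log: two config-domain lookups (one as a subdomain, one with
# odd casing and a trailing dot), ordinary noise, and a lookalike that must not hit.
SAMPLE_DNS_LOG = """\
2023-03-27T05:31:02Z 10.0.2.15 A www.bilpreco.com
2023-03-27T05:31:02Z 10.0.2.15 A www.microsoft.com
2023-03-27T05:31:03Z 10.0.2.15 A WOODLANDSCANCERCARE.ORG.UK.
2023-03-27T05:31:04Z 10.0.2.15 A notbilpreco.com
2023-03-27T05:31:05Z 10.0.2.15 AAAA cdn.777584.com
""".splitlines()

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{hit.timestamp} {hit.client} {hit.qname} -> {hit.config_domain}")
    print(suricata_rules()[0])
```

Run as a script it prints the three hits from the constructed log and the first generated rule. Feed a real resolver log through scan_dns_log after adapting _LINE to that log's layout; treat any hit as "this host resolved something from the be83 config" and confirm the live C2 from the actual HTTP traffic rather than from the domain list alone.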
Signatures

Formbook payload (4 IoCs)
YARA rule "formbook" matched these memory regions:
- behavioral1/memory/984-85-0x0000000000400000-0x0000000001462000-memory.dmp (PID 984, E-dekont.exe)
- behavioral1/memory/984-95-0x0000000000400000-0x0000000001462000-memory.dmp (PID 984, E-dekont.exe)
- behavioral1/memory/1644-98-0x0000000000070000-0x000000000009F000-memory.dmp (PID 1644, cscript.exe)
- behavioral1/memory/1644-100-0x0000000000070000-0x000000000009F000-memory.dmp (PID 1644, cscript.exe)
Checks QEMU agent file (2 TTPs, 2 IoCs)
Checks presence of QEMU agent, possibly to detect virtualization.
- File opened (read-only): C:\Program Files\Qemu-ga\qemu-ga.exe (E-dekont.exe)
- File opened (read-only): C:\Program Files\Qemu-ga\qemu-ga.exe (E-dekont.exe)
Loads dropped DLL (1 IoC)
- PID 1332 E-dekont.exe
The only dropped DLL listed under Downloads is \Users\Admin\AppData\Local\Temp\nso11FE.tmp\System.dll, the NSIS System plugin; an nsXXXX.tmp staging directory of that shape is characteristic of a Nullsoft (NSIS) installer wrapper around the payload.
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in System32 directory (5 IoCs)
Files opened for modification by E-dekont.exe:
- C:\Windows\SysWOW64\Nonreprehensibly.Ber
- C:\Windows\SysWOW64\Agaver\Ngtelsers.ini
- C:\Windows\SysWOW64\Tilkmpendes\Saxofonen.ini
- C:\Windows\SysWOW64\Kbelyst\Intraselection\Strbemrkning23\Arcadianly.Blo132
- C:\Windows\SysWOW64\Weeds\Vederstyggeligste211\Dybgang.Aur
Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
- PID 984 E-dekont.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
- PID 1332 E-dekont.exe
- PID 984 E-dekont.exe

Suspicious use of SetThreadContext (3 IoCs)
- PID 1332 E-dekont.exe set thread context of PID 984 E-dekont.exe
- PID 984 E-dekont.exe set thread context of PID 1216 Explorer.EXE
- PID 1644 cscript.exe set thread context of PID 1216 Explorer.EXE
Drops file in Windows directory (1 IoC)
- File created: C:\Windows\Fonts\Underdrain\skatteskemaers\Shodden\Kartonnagefabrikken.lnk (E-dekont.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature flags it as likely ransomware behaviour; the payload identified in this analysis is Formbook, an information stealer, and no file-encryption activity is reported anywhere else in this report, so the drive enumeration here is more consistent with environment profiling (a common anti-sandbox check) than with encryption staging.
Suspicious behavior: EnumeratesProcesses (15 IoCs)
- PID 984 E-dekont.exe (2 events)
- PID 1644 cscript.exe (13 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 1216 Explorer.EXE

Suspicious behavior: MapViewOfSection (6 IoCs)
- PID 1332 E-dekont.exe (1 event)
- PID 984 E-dekont.exe (3 events)
- PID 1644 cscript.exe (2 events)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
- PID 984 E-dekont.exe: SeDebugPrivilege
- PID 1216 Explorer.EXE: SeShutdownPrivilege
- PID 1644 cscript.exe: SeDebugPrivilege

Suspicious use of FindShellTrayWindow (2 IoCs)
- PID 1216 Explorer.EXE (2 events)

Suspicious use of SendNotifyMessage (2 IoCs)
- PID 1216 Explorer.EXE (2 events)

Suspicious use of WriteProcessMemory (13 IoCs)
- PID 1332 E-dekont.exe wrote to memory of PID 984 E-dekont.exe (5 events)
- PID 1216 Explorer.EXE wrote to memory of PID 1644 cscript.exe (4 events)
- PID 1644 cscript.exe wrote to memory of PID 2000 cmd.exe (4 events)
Processes
(PIDs are taken from the Signatures section above; indentation shows the parent/child tree.)

C:\Windows\Explorer.EXE (PID 1216, depth 1)
Command line: C:\Windows\Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\E-dekont.exe (PID 1332, depth 2, child of Explorer.EXE)
    Command line: "C:\Users\Admin\AppData\Local\Temp\E-dekont.exe"
    - Checks QEMU agent file
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\E-dekont.exe (PID 984, depth 3, child of PID 1332)
        Command line: "C:\Users\Admin\AppData\Local\Temp\E-dekont.exe"
        - Checks QEMU agent file
        - Suspicious use of NtCreateThreadExHideFromDebugger
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cscript.exe (PID 1644, depth 2, child of Explorer.EXE)
    Command line: "C:\Windows\SysWOW64\cscript.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe (PID 2000, depth 3, child of cscript.exe)
        Command line: /c del "C:\Users\Admin\AppData\Local\Temp\E-dekont.exe"
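The SetThreadContext and WriteProcessMemory signatures and the process tree above describe one procedure: the dropper (PID 1332) spawns a copy of itself (PID 984) and hollows it, the hollowed copy re-points a thread in the already-running Explorer.EXE (PID 1216), Explorer then spawns cscript.exe (PID 1644), which in turn hijacks a thread in Explorer and launches cmd.exe to delete the original file. The following is an added example, not code from the sandbox or from the report, that reconstructs that chain from the report's own events. The processes, parent links, command lines and API events are transcribed from the Signatures and Processes sections; the record layout and the classification labels are this example's own.

```python
"""Reconstruct the injection chain behind the process tree above.

Added example, not code from the sandbox or from the report. The processes,
parent links, command lines and the SetThreadContext / WriteProcessMemory
events are transcribed from the Signatures and Processes sections of this
report; the record layout and the labels are this example's own.
"""
import re
from typing import Dict, List, NamedTuple, Tuple


class Proc(NamedTuple):
    pid: int
    image: str
    parent: int      # 0 = parent not observed in the report
    cmdline: str


class Event(NamedTuple):
    api: str         # "SetThreadContext" or "WriteProcessMemory"
    src: int         # acting PID
    dst: int         # target PID


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\E-dekont.exe"

PROCS: Dict[int, Proc] = {
    1216: Proc(1216, r"C:\Windows\Explorer.EXE", 0, r"C:\Windows\Explorer.EXE"),
    1332: Proc(1332, SAMPLE, 1216, f'"{SAMPLE}"'),
    984: Proc(984, SAMPLE, 1332, f'"{SAMPLE}"'),
    1644: Proc(1644, r"C:\Windows\SysWOW64\cscript.exe", 1216, r'"C:\Windows\SysWOW64\cscript.exe"'),
    2000: Proc(2000, r"C:\Windows\SysWOW64\cmd.exe", 1644, f'/c del "{SAMPLE}"'),
}

# Event counts and directions as listed in the Signatures section.
EVENTS: List[Event] = (
    [Event("WriteProcessMemory", 1332, 984)] * 5
    + [Event("SetThreadContext", 1332, 984),
       Event("SetThreadContext", 984, 1216),
       Event("SetThreadContext", 1644, 1216)]
    + [Event("WriteProcessMemory", 1216, 1644)] * 4
    + [Event("WriteProcessMemory", 1644, 2000)] * 4
)


def classify_injections(procs: Dict[int, Proc], events: List[Event]) -> List[Tuple[int, int, str]]:
    """Label every SetThreadContext by how injector and target are related.

    A parent re-pointing a thread of its own freshly spawned child is hollowing;
    re-pointing a thread in a process it did not create is a hijack of a live
    process. A handful of parent-to-child WriteProcessMemory calls also occur on
    ordinary process creation, so the write counts alone are weak evidence.
    """
    out = []
    for e in events:
        if e.api != "SetThreadContext":
            continue
        src, dst = procs[e.src], procs[e.dst]
        if dst.parent == src.pid:
            kind = "hollowed child"
            if dst.image.lower() == src.image.lower():
                kind += ", same image"
        else:
            kind = "thread hijack of existing process"
        out.append((e.src, e.dst, kind))
    return out


def injection_chain(start: int, events: List[Event]) -> List[int]:
    """Follow SetThreadContext edges from start to see where the code migrated."""
    nxt = {e.src: e.dst for e in events if e.api == "SetThreadContext"}
    chain = [start]
    while chain[-1] in nxt and nxt[chain[-1]] not in chain:
        chain.append(nxt[chain[-1]])
    return chain


def self_delete_commands(procs: Dict[int, Proc], sample_path: str) -> List[Proc]:
    """cmd.exe '/c del <sample>' launches: the loader removing its own dropper."""
    needle = sample_path.lower()
    return [
        p for p in procs.values()
        if p.image.lower().endswith("\\cmd.exe")
        and re.search(r"/c\s+del\b", p.cmdline, re.IGNORECASE)
        and needle in p.cmdline.lower()
    ]


if __name__ == "__main__":
    for src, dst, kind in classify_injections(PROCS, EVENTS):
        print(f"{src} ({PROCS[src].image}) -> {dst} ({PROCS[dst].image}): {kind}")
    print("chain from 1332:", injection_chain(1332, EVENTS))
    for p in self_delete_commands(PROCS, SAMPLE):
        print(f"self-delete by PID {p.pid}: {p.cmdline}")
```

The useful output for triage is the chain 1332 -> 984 -> 1216: the Formbook payload ends up executing inside Explorer.EXE, which is why the later cscript.exe and cmd.exe activity has Explorer as its parent, and why a memory dump of PID 1216 rather than of E-dekont.exe is where a live-response analyst should look. The same classification applies to Sysmon or EDR telemetry once the events are mapped onto the Event record.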
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Files:

- C:\Users\Admin\AppData\Roaming\DORME.ini
  Filesize: 31B
  MD5: 3000f7f0f12b7139ea28160c52098e25
  SHA1: 9d032395f38d341881019b996e591160d542054b
  SHA256: 467b09ff26622746d205628ae325ec9838461bc5fe741b3757bb39ddec87ecb1
  SHA512: a76a2f1e3686e2ffd03388ec7dbcd4afa6ae53ccd3aa40c6fbbf0c994eee5e2685d0c412f15ec4506c1175f5a84712e1a8b7ae32e6a0327e1ba47321a59e0ee2

- \Users\Admin\AppData\Local\Temp\nso11FE.tmp\System.dll
  Filesize: 12KB
  MD5: d968cb2b98b83c03a9f02dd9b8df97dc
  SHA1: d784c9b7a92dce58a5038beb62a48ff509e166a0
  SHA256: a4ec98011ef99e595912718c1a1bf1aa67bfc2192575729d42f559d01f67b95c
  SHA512: 2ee41dc68f329a1519a8073ece7d746c9f3bf45d8ef3b915deb376af37e26074134af5f83c8af0fe0ab227f0d1acca9f37e5ca7ae37c46c3bcc0331fe5e2b97e

Memory dumps (name format: PID-index-start-end), with size:

PID 984 (E-dekont.exe, hollowed child):
- memory/984-91-0x0000000001470000-0x0000000005B67000-memory.dmp: 71.0MB
- memory/984-81-0x0000000000400000-0x0000000001462000-memory.dmp: 16.4MB
- memory/984-82-0x0000000000400000-0x0000000001462000-memory.dmp: 16.4MB
- memory/984-83-0x0000000000400000-0x0000000001462000-memory.dmp: 16.4MB
- memory/984-85-0x0000000000400000-0x0000000001462000-memory.dmp: 16.4MB
- memory/984-86-0x0000000001470000-0x0000000005B67000-memory.dmp: 71.0MB
- memory/984-95-0x0000000000400000-0x0000000001462000-memory.dmp: 16.4MB
- memory/984-88-0x0000000035D70000-0x0000000036073000-memory.dmp: 3.0MB
- memory/984-89-0x0000000035C40000-0x0000000035C54000-memory.dmp: 80KB

PID 1216 (Explorer.EXE):
- memory/1216-90-0x0000000004CB0000-0x0000000004E1A000-memory.dmp: 1.4MB
- memory/1216-87-0x0000000000010000-0x0000000000020000-memory.dmp: 64KB
- memory/1216-103-0x0000000004030000-0x00000000040D1000-memory.dmp: 644KB
- memory/1216-104-0x0000000004CB0000-0x0000000004E1A000-memory.dmp: 1.4MB
- memory/1216-105-0x0000000004030000-0x00000000040D1000-memory.dmp: 644KB
- memory/1216-107-0x0000000004030000-0x00000000040D1000-memory.dmp: 644KB

PID 1644 (cscript.exe):
- memory/1644-93-0x0000000000C50000-0x0000000000C72000-memory.dmp: 136KB
- memory/1644-92-0x0000000000C50000-0x0000000000C72000-memory.dmp: 136KB
- memory/1644-99-0x0000000002080000-0x0000000002383000-memory.dmp: 3.0MB
- memory/1644-98-0x0000000000070000-0x000000000009F000-memory.dmp: 188KB
- memory/1644-100-0x0000000000070000-0x000000000009F000-memory.dmp: 188KB
- memory/1644-102-0x0000000000910000-0x00000000009A3000-memory.dmp: 588KB

Of these, the dumps the "formbook" YARA rule matched (see Signatures) are 984-85 and 984-95 (the 0x400000-0x1462000 image region of the hollowed E-dekont.exe) and 1644-98 and 1644-100 (the 0x70000-0x9F000 region of cscript.exe); those are the dumps to start from when extracting the unpacked payload.