Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 27-03-2023 10:28
- Static task: static1
- Behavioral task: behavioral1
- Sample: E-DEKONT_pdf.exe
- Resource: win7-20230220-en
General
- Target: E-DEKONT_pdf.exe
- Size: 344KB
- MD5: fe8637b7f28206897219305735fdc407
- SHA1: 9aaa5209476907a311d9905ab0566aadd833be3b
- SHA256: 28384833cb4f57932b5344a38245cc995941d7fcccc387a2ffa7f295c91108ac
- SHA512: 9539220c2bc089d627e0cbfb58233f538b0582cde4d9bce958693e97346b5904cbe84e2c75f8374d1b5de22a932bf69dd3976d529b58badb7bbf3ab3db4cd21f
- SSDEEP: 6144:H6+/tV8E/1E0OrEl4SrruvJp6SRaitECiNHITLVnxbSHl55HMlPLbQf:Pn8E/1EOl4aeJpFECy5Hl5WV8f
Malware Config
Extracted: family formbook, version 4.1, campaign mi94
C2 domains in the extracted configuration: 65 entries
Signatures
-
Formbook payload 4 IoCs
resource / yara_rule:
- behavioral1/memory/1960-91-0x0000000000400000-0x0000000001462000-memory.dmp: formbook
- behavioral1/memory/1960-99-0x0000000000400000-0x0000000001462000-memory.dmp: formbook
- behavioral1/memory/628-103-0x0000000000080000-0x00000000000AF000-memory.dmp: formbook
- behavioral1/memory/628-105-0x0000000000080000-0x00000000000AF000-memory.dmp: formbook
-
Checks QEMU agent file 2 TTPs 2 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
Processes: E-DEKONT_pdf.exe, E-DEKONT_pdf.exe
- File opened (read-only): C:\Program Files\Qemu-ga\qemu-ga.exe by E-DEKONT_pdf.exe
- File opened (read-only): C:\Program Files\Qemu-ga\qemu-ga.exe by E-DEKONT_pdf.exe
-
Loads dropped DLL 1 IoCs
Processes: E-DEKONT_pdf.exe
- PID 2028 E-DEKONT_pdf.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes: E-DEKONT_pdf.exe
- PID 1960 E-DEKONT_pdf.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes: E-DEKONT_pdf.exe, E-DEKONT_pdf.exe
- PID 2028 E-DEKONT_pdf.exe
- PID 1960 E-DEKONT_pdf.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes: E-DEKONT_pdf.exe, E-DEKONT_pdf.exe, ipconfig.exe
- PID 2028 (E-DEKONT_pdf.exe) set thread context of PID 1960 (E-DEKONT_pdf.exe)
- PID 1960 (E-DEKONT_pdf.exe) set thread context of PID 1260 (Explorer.EXE)
- PID 628 (ipconfig.exe) set thread context of PID 1260 (Explorer.EXE)
-
Drops file in Windows directory 1 IoCs
Processes: E-DEKONT_pdf.exe
- File opened for modification: C:\Windows\Undualize\Stjdelenes73\Hattiesburg.Coh by E-DEKONT_pdf.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes: ipconfig.exe
- PID 628 ipconfig.exe
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes: E-DEKONT_pdf.exe, ipconfig.exe
- PID 1960 E-DEKONT_pdf.exe (2 events)
- PID 628 ipconfig.exe (6 events)
-
Suspicious behavior: MapViewOfSection 6 IoCs
Processes: E-DEKONT_pdf.exe, E-DEKONT_pdf.exe, ipconfig.exe
- PID 2028 E-DEKONT_pdf.exe (1 event)
- PID 1960 E-DEKONT_pdf.exe (3 events)
- PID 628 ipconfig.exe (2 events)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: E-DEKONT_pdf.exe, Explorer.EXE, ipconfig.exe
- Token: SeDebugPrivilege, PID 1960 E-DEKONT_pdf.exe
- Token: SeShutdownPrivilege, PID 1260 Explorer.EXE
- Token: SeDebugPrivilege, PID 628 ipconfig.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes: Explorer.EXE
- PID 1260 Explorer.EXE (2 events)
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes: Explorer.EXE
- PID 1260 Explorer.EXE (2 events)
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes: E-DEKONT_pdf.exe, Explorer.EXE, ipconfig.exe
- PID 2028 (E-DEKONT_pdf.exe) wrote to memory of PID 1960 (E-DEKONT_pdf.exe) (5 events)
- PID 1260 (Explorer.EXE) wrote to memory of PID 628 (ipconfig.exe) (4 events)
- PID 628 (ipconfig.exe) wrote to memory of PID 832 (cmd.exe) (4 events)
Processes
-
C:\Windows\Explorer.EXE (depth 1)
Command line: C:\Windows\Explorer.EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Local\Temp\E-DEKONT_pdf.exe (depth 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\E-DEKONT_pdf.exe"
  - Checks QEMU agent file
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
-
    C:\Users\Admin\AppData\Local\Temp\E-DEKONT_pdf.exe (depth 3)
    Command line: "C:\Users\Admin\AppData\Local\Temp\E-DEKONT_pdf.exe"
    - Checks QEMU agent file
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
-
  C:\Windows\SysWOW64\ipconfig.exe (depth 2)
  Command line: "C:\Windows\SysWOW64\ipconfig.exe"
  - Suspicious use of SetThreadContext
  - Gathers network information
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
-
    C:\Windows\SysWOW64\cmd.exe (depth 3)
    Command line: /c del "C:\Users\Admin\AppData\Local\Temp\E-DEKONT_pdf.exe"
Downloads
-
C:\Users\Admin\AppData\Roaming\DORME.ini
- Filesize: 31B
- MD5: 3000f7f0f12b7139ea28160c52098e25
- SHA1: 9d032395f38d341881019b996e591160d542054b
- SHA256: 467b09ff26622746d205628ae325ec9838461bc5fe741b3757bb39ddec87ecb1
- SHA512: a76a2f1e3686e2ffd03388ec7dbcd4afa6ae53ccd3aa40c6fbbf0c994eee5e2685d0c412f15ec4506c1175f5a84712e1a8b7ae32e6a0327e1ba47321a59e0ee2
-
\Users\Admin\AppData\Local\Temp\nsj24C2.tmp\System.dll
- Filesize: 11KB
- MD5: e23600029d1b09bdb1d422fb4e46f5a6
- SHA1: 5d64a2f6a257a98a689a3db9a087a0fd5f180096
- SHA256: 7342b73593b3aa1b15e3731bfb1afd1961802a5c66343bac9a2c737ee94f4e38
- SHA512: c971f513142633ce0e6ec6a04c754a286da8016563dab368c3fac83aef81fa3e9df1003c4b63d00a46351a9d18eaa7ae7645caef172e5e1d6e29123ab864e7ac
-
Memory dumps (Filesize):
- memory/628-104-0x0000000002130000-0x0000000002433000-memory.dmp: 3.0MB
- memory/628-103-0x0000000000080000-0x00000000000AF000-memory.dmp: 188KB
- memory/628-108-0x00000000004E0000-0x0000000000574000-memory.dmp: 592KB
- memory/628-105-0x0000000000080000-0x00000000000AF000-memory.dmp: 188KB
- memory/628-97-0x0000000000B90000-0x0000000000B9A000-memory.dmp: 40KB
- memory/628-98-0x0000000000B90000-0x0000000000B9A000-memory.dmp: 40KB
- memory/1260-113-0x0000000006600000-0x000000000676A000-memory.dmp: 1.4MB
- memory/1260-110-0x0000000006600000-0x000000000676A000-memory.dmp: 1.4MB
- memory/1260-109-0x0000000006600000-0x000000000676A000-memory.dmp: 1.4MB
- memory/1260-95-0x0000000003FE0000-0x00000000040C5000-memory.dmp: 916KB
- memory/1960-93-0x00000000371A0000-0x00000000374A3000-memory.dmp: 3.0MB
- memory/1960-96-0x0000000001470000-0x0000000006DC6000-memory.dmp: 89.3MB
- memory/1960-99-0x0000000000400000-0x0000000001462000-memory.dmp: 16.4MB
- memory/1960-86-0x0000000000400000-0x0000000001462000-memory.dmp: 16.4MB
- memory/1960-94-0x0000000036C60000-0x0000000036C75000-memory.dmp: 84KB
- memory/1960-87-0x0000000000400000-0x0000000001462000-memory.dmp: 16.4MB
- memory/1960-92-0x0000000001470000-0x0000000006DC6000-memory.dmp: 89.3MB
- memory/1960-91-0x0000000000400000-0x0000000001462000-memory.dmp: 16.4MB
- memory/1960-89-0x0000000000400000-0x0000000001462000-memory.dmp: 16.4MB