Overview

overview

10

Static

static

1

E-DEKONT_pdf.exe

windows7-x64

10

E-DEKONT_pdf.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    27-03-2023 10:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    E-DEKONT_pdf.exe

  • Size

    344KB

  • MD5

    fe8637b7f28206897219305735fdc407

  • SHA1

    9aaa5209476907a311d9905ab0566aadd833be3b

  • SHA256

    28384833cb4f57932b5344a38245cc995941d7fcccc387a2ffa7f295c91108ac

  • SHA512

    9539220c2bc089d627e0cbfb58233f538b0582cde4d9bce958693e97346b5904cbe84e2c75f8374d1b5de22a932bf69dd3976d529b58badb7bbf3ab3db4cd21f

  • SSDEEP

    6144:H6+/tV8E/1E0OrEl4SrruvJp6SRaitECiNHITLVnxbSHl55HMlPLbQf:Pn8E/1EOl4aeJpFECy5Hl5WV8f

Score
10/10
formbookmi94discoveryratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mi94

Decoy

realdigitalmarketing.co.uk

athle91.com

zetuinteriors.africa

jewelry2adore.biz

sneakersuomo.com

hotcoa.com

bestpetfinds.com

elatedfreedom.com

louisegoulet.com

licensescape.com

jenniferfalconerrealtor.com

xqan.net

textare.net

doctorlinkscsk.link

bizformspro.com

ameriealthcaritasfl.com

hanfengmeiye.com

anjin98.com

credit-cards-54889.com

dinero.news

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1260
    • C:\Users\Admin\AppData\Local\Temp\E-DEKONT_pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\E-DEKONT_pdf.exe"
      2⤵
      • Checks QEMU agent file
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Drops file in Windows directory
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2028
      • C:\Users\Admin\AppData\Local\Temp\E-DEKONT_pdf.exe
        "C:\Users\Admin\AppData\Local\Temp\E-DEKONT_pdf.exe"
        3⤵
        • Checks QEMU agent file
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1960
    • C:\Windows\SysWOW64\ipconfig.exe
      "C:\Windows\SysWOW64\ipconfig.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Gathers network information
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:628
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\E-DEKONT_pdf.exe"
        3⤵
          PID:832

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Command-Line Interface

    1
    T1059

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    3
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\DORME.ini
      Filesize

      31B

      MD5

      3000f7f0f12b7139ea28160c52098e25

      SHA1

      9d032395f38d341881019b996e591160d542054b

      SHA256

      467b09ff26622746d205628ae325ec9838461bc5fe741b3757bb39ddec87ecb1

      SHA512

      a76a2f1e3686e2ffd03388ec7dbcd4afa6ae53ccd3aa40c6fbbf0c994eee5e2685d0c412f15ec4506c1175f5a84712e1a8b7ae32e6a0327e1ba47321a59e0ee2

      Download Submit
    • \Users\Admin\AppData\Local\Temp\nsj24C2.tmp\System.dll
      Filesize

      11KB

      MD5

      e23600029d1b09bdb1d422fb4e46f5a6

      SHA1

      5d64a2f6a257a98a689a3db9a087a0fd5f180096

      SHA256

      7342b73593b3aa1b15e3731bfb1afd1961802a5c66343bac9a2c737ee94f4e38

      SHA512

      c971f513142633ce0e6ec6a04c754a286da8016563dab368c3fac83aef81fa3e9df1003c4b63d00a46351a9d18eaa7ae7645caef172e5e1d6e29123ab864e7ac

      Download Submit
    • memory/628-104-0x0000000002130000-0x0000000002433000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/628-103-0x0000000000080000-0x00000000000AF000-memory.dmp
      Filesize

      188KB

      Download
    • memory/628-108-0x00000000004E0000-0x0000000000574000-memory.dmp
      Filesize

      592KB

      Download
    • memory/628-105-0x0000000000080000-0x00000000000AF000-memory.dmp
      Filesize

      188KB

      Download
    • memory/628-97-0x0000000000B90000-0x0000000000B9A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/628-98-0x0000000000B90000-0x0000000000B9A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1260-113-0x0000000006600000-0x000000000676A000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/1260-110-0x0000000006600000-0x000000000676A000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/1260-109-0x0000000006600000-0x000000000676A000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/1260-95-0x0000000003FE0000-0x00000000040C5000-memory.dmp
      Filesize

      916KB

      Download
    • memory/1960-93-0x00000000371A0000-0x00000000374A3000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1960-96-0x0000000001470000-0x0000000006DC6000-memory.dmp
      Filesize

      89.3MB

      Download
    • memory/1960-99-0x0000000000400000-0x0000000001462000-memory.dmp
      Filesize

      16.4MB

      Download
    • memory/1960-86-0x0000000000400000-0x0000000001462000-memory.dmp
      Filesize

      16.4MB

      Download
    • memory/1960-94-0x0000000036C60000-0x0000000036C75000-memory.dmp
      Filesize

      84KB

      Download
    • memory/1960-87-0x0000000000400000-0x0000000001462000-memory.dmp
      Filesize

      16.4MB

      Download
    • memory/1960-92-0x0000000001470000-0x0000000006DC6000-memory.dmp
      Filesize

      89.3MB

      Download
    • memory/1960-91-0x0000000000400000-0x0000000001462000-memory.dmp
      Filesize

      16.4MB

      Download
    • memory/1960-89-0x0000000000400000-0x0000000001462000-memory.dmp
      Filesize

      16.4MB

      Download