Overview

overview

10

Static

static

1

E-DEKONT_pdf.exe

windows7-x64

10

E-DEKONT_pdf.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-03-2023 10:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    E-DEKONT_pdf.exe

  • Size

    344KB

  • MD5

    fe8637b7f28206897219305735fdc407

  • SHA1

    9aaa5209476907a311d9905ab0566aadd833be3b

  • SHA256

    28384833cb4f57932b5344a38245cc995941d7fcccc387a2ffa7f295c91108ac

  • SHA512

    9539220c2bc089d627e0cbfb58233f538b0582cde4d9bce958693e97346b5904cbe84e2c75f8374d1b5de22a932bf69dd3976d529b58badb7bbf3ab3db4cd21f

  • SSDEEP

    6144:H6+/tV8E/1E0OrEl4SrruvJp6SRaitECiNHITLVnxbSHl55HMlPLbQf:Pn8E/1EOl4aeJpFECy5Hl5WV8f

Score
10/10
formbookmi94discoveryratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mi94

Decoy

realdigitalmarketing.co.uk

athle91.com

zetuinteriors.africa

jewelry2adore.biz

sneakersuomo.com

hotcoa.com

bestpetfinds.com

elatedfreedom.com

louisegoulet.com

licensescape.com

jenniferfalconerrealtor.com

xqan.net

textare.net

doctorlinkscsk.link

bizformspro.com

ameriealthcaritasfl.com

hanfengmeiye.com

anjin98.com

credit-cards-54889.com

dinero.news

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3116
    • C:\Users\Admin\AppData\Local\Temp\E-DEKONT_pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\E-DEKONT_pdf.exe"
      2⤵
      • Checks QEMU agent file
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Drops file in Windows directory
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1320
      • C:\Users\Admin\AppData\Local\Temp\E-DEKONT_pdf.exe
        "C:\Users\Admin\AppData\Local\Temp\E-DEKONT_pdf.exe"
        3⤵
        • Checks QEMU agent file
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:4304
    • C:\Windows\SysWOW64\raserver.exe
      "C:\Windows\SysWOW64\raserver.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3496
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\E-DEKONT_pdf.exe"
        3⤵
          PID:452

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\nswBF2F.tmp\System.dll
      Filesize

      11KB

      MD5

      e23600029d1b09bdb1d422fb4e46f5a6

      SHA1

      5d64a2f6a257a98a689a3db9a087a0fd5f180096

      SHA256

      7342b73593b3aa1b15e3731bfb1afd1961802a5c66343bac9a2c737ee94f4e38

      SHA512

      c971f513142633ce0e6ec6a04c754a286da8016563dab368c3fac83aef81fa3e9df1003c4b63d00a46351a9d18eaa7ae7645caef172e5e1d6e29123ab864e7ac

      Download Submit
    • C:\Users\Admin\AppData\Roaming\DORME.ini
      Filesize

      31B

      MD5

      3000f7f0f12b7139ea28160c52098e25

      SHA1

      9d032395f38d341881019b996e591160d542054b

      SHA256

      467b09ff26622746d205628ae325ec9838461bc5fe741b3757bb39ddec87ecb1

      SHA512

      a76a2f1e3686e2ffd03388ec7dbcd4afa6ae53ccd3aa40c6fbbf0c994eee5e2685d0c412f15ec4506c1175f5a84712e1a8b7ae32e6a0327e1ba47321a59e0ee2

      Download Submit
    • memory/3116-184-0x00000000083C0000-0x00000000084C0000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/3116-182-0x00000000083C0000-0x00000000084C0000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/3116-181-0x00000000083C0000-0x00000000084C0000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/3116-169-0x0000000008540000-0x000000000867B000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/3496-176-0x0000000002870000-0x0000000002BBA000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/3496-180-0x00000000025D0000-0x0000000002664000-memory.dmp
      Filesize

      592KB

      Download
    • memory/3496-171-0x0000000000ED0000-0x0000000000EEF000-memory.dmp
      Filesize

      124KB

      Download
    • memory/3496-173-0x0000000000ED0000-0x0000000000EEF000-memory.dmp
      Filesize

      124KB

      Download
    • memory/3496-174-0x0000000000890000-0x00000000008BF000-memory.dmp
      Filesize

      188KB

      Download
    • memory/3496-178-0x0000000000890000-0x00000000008BF000-memory.dmp
      Filesize

      188KB

      Download
    • memory/4304-166-0x0000000001660000-0x0000000006FB6000-memory.dmp
      Filesize

      89.3MB

      Download
    • memory/4304-175-0x0000000000400000-0x0000000001654000-memory.dmp
      Filesize

      18.3MB

      Download
    • memory/4304-170-0x0000000001660000-0x0000000006FB6000-memory.dmp
      Filesize

      89.3MB

      Download
    • memory/4304-168-0x0000000037250000-0x0000000037265000-memory.dmp
      Filesize

      84KB

      Download
    • memory/4304-167-0x0000000037400000-0x000000003774A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/4304-165-0x0000000000400000-0x0000000001654000-memory.dmp
      Filesize

      18.3MB

      Download
    • memory/4304-164-0x0000000000400000-0x0000000001654000-memory.dmp
      Filesize

      18.3MB

      Download