Analysis
-
max time kernel: 149s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-03-2023 10:28
Static task: static1
Behavioral task: behavioral1
Sample: E-DEKONT_pdf.exe
Resource: win7-20230220-en
General
-
Target: E-DEKONT_pdf.exe
Size: 344KB
MD5: fe8637b7f28206897219305735fdc407
SHA1: 9aaa5209476907a311d9905ab0566aadd833be3b
SHA256: 28384833cb4f57932b5344a38245cc995941d7fcccc387a2ffa7f295c91108ac
SHA512: 9539220c2bc089d627e0cbfb58233f538b0582cde4d9bce958693e97346b5904cbe84e2c75f8374d1b5de22a932bf69dd3976d529b58badb7bbf3ab3db4cd21f
SSDEEP: 6144:H6+/tV8E/1E0OrEl4SrruvJp6SRaitECiNHITLVnxbSHl55HMlPLbQf:Pn8E/1EOl4aeJpFECy5Hl5WV8f
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: mi94
Domains (C2/decoy list):
realdigitalmarketing.co.uk
athle91.com
zetuinteriors.africa
jewelry2adore.biz
sneakersuomo.com
hotcoa.com
bestpetfinds.com
elatedfreedom.com
louisegoulet.com
licensescape.com
jenniferfalconerrealtor.com
xqan.net
textare.net
doctorlinkscsk.link
bizformspro.com
ameriealthcaritasfl.com
hanfengmeiye.com
anjin98.com
credit-cards-54889.com
dinero.news
naijastudy.africa
cursosweb22.online
furniture-61686.com
furniture-42269.com
emiu6696.com
herhustlenation.com
kevinjasperinc.africa
hear-aid-92727.com
goodlifeprojectofficial.com
freshteak.com
bellvaniamail.com
peterslawonline.com
analogfair.com
fornettobarbecues.com
6880365.com
couragetokingdom.com
luivix.online
3ay82.xyz
tmcgroup.africa
canadianbreederprogram.com
funtime28.online
customcarpentry.uk
anotherworldrecord.com
aux100000epices.com
edelman-production.com
honorproduct.com
danuzioneto.com
iltuosentiero.com
healthinsurancearena.com
hunterboots--canada.com
irestoreart.com
lapalmaaccesible.com
khbmfbank.africa
laxmi.digital
leqidt.tax
fluffyjet.online
chuckclouds.com
bril-kre-l25.buzz
centracul.online
legacyengravers.com
guesstheword.net
ded-morozvrn.online
lemonga.com
crrgbb.com
crosswalkconsulting.co.uk
Signatures
-
Formbook payload 4 IoCs
resource  yara_rule
behavioral2/memory/4304-165-0x0000000000400000-0x0000000001654000-memory.dmp  formbook
behavioral2/memory/3496-174-0x0000000000890000-0x00000000008BF000-memory.dmp  formbook
behavioral2/memory/4304-175-0x0000000000400000-0x0000000001654000-memory.dmp  formbook
behavioral2/memory/3496-178-0x0000000000890000-0x00000000008BF000-memory.dmp  formbook
-
Checks QEMU agent file 2 TTPs 2 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
description  ioc  process
File opened (read-only)  C:\Program Files\Qemu-ga\qemu-ga.exe  E-DEKONT_pdf.exe
File opened (read-only)  C:\Program Files\Qemu-ga\qemu-ga.exe  E-DEKONT_pdf.exe
-
Loads dropped DLL 1 IoCs
pid  process
1320  E-DEKONT_pdf.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
pid  process
4304  E-DEKONT_pdf.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid  process
1320  E-DEKONT_pdf.exe
4304  E-DEKONT_pdf.exe
-
Suspicious use of SetThreadContext 3 IoCs
description  pid  process  target process
PID 1320 set thread context of 4304  1320  E-DEKONT_pdf.exe  E-DEKONT_pdf.exe
PID 4304 set thread context of 3116  4304  E-DEKONT_pdf.exe  Explorer.EXE
PID 3496 set thread context of 3116  3496  raserver.exe  Explorer.EXE
-
Drops file in Windows directory 1 IoCs
description  ioc  process
File opened for modification  C:\Windows\Undualize\Stjdelenes73\Hattiesburg.Coh  E-DEKONT_pdf.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
pid  process
4304  E-DEKONT_pdf.exe  (4 entries)
3496  raserver.exe  (22 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid  process
3116  Explorer.EXE
-
Suspicious behavior: MapViewOfSection 6 IoCs
pid  process
1320  E-DEKONT_pdf.exe
4304  E-DEKONT_pdf.exe  (3 entries)
3496  raserver.exe  (2 entries)
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
description  pid  process
Token: SeDebugPrivilege  4304  E-DEKONT_pdf.exe
Token: SeShutdownPrivilege  3116  Explorer.EXE
Token: SeCreatePagefilePrivilege  3116  Explorer.EXE
Token: SeShutdownPrivilege  3116  Explorer.EXE
Token: SeCreatePagefilePrivilege  3116  Explorer.EXE
Token: SeDebugPrivilege  3496  raserver.exe
-
Suspicious use of WriteProcessMemory 10 IoCs
description  pid  process  target process
PID 1320 wrote to memory of 4304  1320  E-DEKONT_pdf.exe  E-DEKONT_pdf.exe  (4 entries)
PID 3116 wrote to memory of 3496  3116  Explorer.EXE  raserver.exe  (3 entries)
PID 3496 wrote to memory of 452  3496  raserver.exe  cmd.exe  (3 entries)
Processes
-
C:\Windows\Explorer.EXE
command line: C:\Windows\Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Local\Temp\E-DEKONT_pdf.exe  (child of Explorer.EXE)
  command line: "C:\Users\Admin\AppData\Local\Temp\E-DEKONT_pdf.exe"
  - Checks QEMU agent file
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  -
    C:\Users\Admin\AppData\Local\Temp\E-DEKONT_pdf.exe  (child of E-DEKONT_pdf.exe)
    command line: "C:\Users\Admin\AppData\Local\Temp\E-DEKONT_pdf.exe"
    - Checks QEMU agent file
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    -
  C:\Windows\SysWOW64\raserver.exe  (child of Explorer.EXE)
  command line: "C:\Windows\SysWOW64\raserver.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
    C:\Windows\SysWOW64\cmd.exe  (child of raserver.exe)
    command line: /c del "C:\Users\Admin\AppData\Local\Temp\E-DEKONT_pdf.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\nswBF2F.tmp\System.dll
Filesize: 11KB
MD5: e23600029d1b09bdb1d422fb4e46f5a6
SHA1: 5d64a2f6a257a98a689a3db9a087a0fd5f180096
SHA256: 7342b73593b3aa1b15e3731bfb1afd1961802a5c66343bac9a2c737ee94f4e38
SHA512: c971f513142633ce0e6ec6a04c754a286da8016563dab368c3fac83aef81fa3e9df1003c4b63d00a46351a9d18eaa7ae7645caef172e5e1d6e29123ab864e7ac
-
C:\Users\Admin\AppData\Roaming\DORME.ini
Filesize: 31B
MD5: 3000f7f0f12b7139ea28160c52098e25
SHA1: 9d032395f38d341881019b996e591160d542054b
SHA256: 467b09ff26622746d205628ae325ec9838461bc5fe741b3757bb39ddec87ecb1
SHA512: a76a2f1e3686e2ffd03388ec7dbcd4afa6ae53ccd3aa40c6fbbf0c994eee5e2685d0c412f15ec4506c1175f5a84712e1a8b7ae32e6a0327e1ba47321a59e0ee2
-
memory/3116-184-0x00000000083C0000-0x00000000084C0000-memory.dmp
Filesize: 1024KB
-
memory/3116-182-0x00000000083C0000-0x00000000084C0000-memory.dmp
Filesize: 1024KB
-
memory/3116-181-0x00000000083C0000-0x00000000084C0000-memory.dmp
Filesize: 1024KB
-
memory/3116-169-0x0000000008540000-0x000000000867B000-memory.dmp
Filesize: 1.2MB
-
memory/3496-176-0x0000000002870000-0x0000000002BBA000-memory.dmp
Filesize: 3.3MB
-
memory/3496-180-0x00000000025D0000-0x0000000002664000-memory.dmp
Filesize: 592KB
-
memory/3496-171-0x0000000000ED0000-0x0000000000EEF000-memory.dmp
Filesize: 124KB
-
memory/3496-173-0x0000000000ED0000-0x0000000000EEF000-memory.dmp
Filesize: 124KB
-
memory/3496-174-0x0000000000890000-0x00000000008BF000-memory.dmp
Filesize: 188KB
-
memory/3496-178-0x0000000000890000-0x00000000008BF000-memory.dmp
Filesize: 188KB
-
memory/4304-166-0x0000000001660000-0x0000000006FB6000-memory.dmp
Filesize: 89.3MB
-
memory/4304-175-0x0000000000400000-0x0000000001654000-memory.dmp
Filesize: 18.3MB
-
memory/4304-170-0x0000000001660000-0x0000000006FB6000-memory.dmp
Filesize: 89.3MB
-
memory/4304-168-0x0000000037250000-0x0000000037265000-memory.dmp
Filesize: 84KB
-
memory/4304-167-0x0000000037400000-0x000000003774A000-memory.dmp
Filesize: 3.3MB
-
memory/4304-165-0x0000000000400000-0x0000000001654000-memory.dmp
Filesize: 18.3MB
-
memory/4304-164-0x0000000000400000-0x0000000001654000-memory.dmp
Filesize: 18.3MB