a2a6c37a9c06dd99e8b897fa89981cdfc0517469fdc49d6f4be416669c4e6fb1

General

Target

Dekont.exe
Size

580KB
MD5

d8b05157b3b2358b828ddf6a8c6ffb48
SHA1

719820b9e180b0424aed7c99539ddc1a6c06eedf
SHA256

a2a6c37a9c06dd99e8b897fa89981cdfc0517469fdc49d6f4be416669c4e6fb1
SHA512

2d2e18ab96fc2e6c7558843be53ad5b1dcf033021da1e46c0dc2b7df0938bdfc557dd8d606878142e2da23ecd0b1e24b9eced5b6e38fbfed45b7256a5e03787d
SSDEEP

12288:/q8oUlQ9c6U0bR6zcVFnAr96sVrPn7zkt+rGEbma9B1S:FQfhRFGAslnPxXma9B1S

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2740 schtasks.exe

pid	process
2740	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

Dekont.exepowershell.exepowershell.exe

pid	process
1916	Dekont.exe
1916	Dekont.exe
1916	Dekont.exe
1916	Dekont.exe
1916	Dekont.exe
1916	Dekont.exe
1916	Dekont.exe
1916	Dekont.exe
1916	Dekont.exe
1916	Dekont.exe
1916	Dekont.exe
1916	Dekont.exe
1916	Dekont.exe
1704	powershell.exe
2088	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Dekont.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1916 Dekont.exe
Token: SeDebugPrivilege 1704 powershell.exe
Token: SeDebugPrivilege 2088 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1916	Dekont.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

Dekont.exe

description	pid	process	target process
PID 1916 wrote to memory of 1704	1916	Dekont.exe	powershell.exe
PID 1916 wrote to memory of 1704	1916	Dekont.exe	powershell.exe
PID 1916 wrote to memory of 1704	1916	Dekont.exe	powershell.exe
PID 1916 wrote to memory of 1704	1916	Dekont.exe	powershell.exe
PID 1916 wrote to memory of 2088	1916	Dekont.exe	powershell.exe
PID 1916 wrote to memory of 2088	1916	Dekont.exe	powershell.exe
PID 1916 wrote to memory of 2088	1916	Dekont.exe	powershell.exe
PID 1916 wrote to memory of 2088	1916	Dekont.exe	powershell.exe
PID 1916 wrote to memory of 2740	1916	Dekont.exe	schtasks.exe
PID 1916 wrote to memory of 2740	1916	Dekont.exe	schtasks.exe
PID 1916 wrote to memory of 2740	1916	Dekont.exe	schtasks.exe
PID 1916 wrote to memory of 2740	1916	Dekont.exe	schtasks.exe
PID 1916 wrote to memory of 2920	1916	Dekont.exe	Dekont.exe
PID 1916 wrote to memory of 2920	1916	Dekont.exe	Dekont.exe
PID 1916 wrote to memory of 2920	1916	Dekont.exe	Dekont.exe
PID 1916 wrote to memory of 2920	1916	Dekont.exe	Dekont.exe
PID 1916 wrote to memory of 2712	1916	Dekont.exe	Dekont.exe
PID 1916 wrote to memory of 2712	1916	Dekont.exe	Dekont.exe
PID 1916 wrote to memory of 2712	1916	Dekont.exe	Dekont.exe
PID 1916 wrote to memory of 2712	1916	Dekont.exe	Dekont.exe
PID 1916 wrote to memory of 2460	1916	Dekont.exe	Dekont.exe
PID 1916 wrote to memory of 2460	1916	Dekont.exe	Dekont.exe
PID 1916 wrote to memory of 2460	1916	Dekont.exe	Dekont.exe
PID 1916 wrote to memory of 2460	1916	Dekont.exe	Dekont.exe
PID 1916 wrote to memory of 2720	1916	Dekont.exe	Dekont.exe
PID 1916 wrote to memory of 2720	1916	Dekont.exe	Dekont.exe
PID 1916 wrote to memory of 2720	1916	Dekont.exe	Dekont.exe
PID 1916 wrote to memory of 2720	1916	Dekont.exe	Dekont.exe
PID 1916 wrote to memory of 3040	1916	Dekont.exe	Dekont.exe
PID 1916 wrote to memory of 3040	1916	Dekont.exe	Dekont.exe
PID 1916 wrote to memory of 3040	1916	Dekont.exe	Dekont.exe
PID 1916 wrote to memory of 3040	1916	Dekont.exe	Dekont.exe

C:\Users\Admin\AppData\Local\Temp\Dekont.exe
"C:\Users\Admin\AppData\Local\Temp\Dekont.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Dekont.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\nlkxCwAb.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nlkxCwAb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9FF7.tmp"
2⤵
- Creates scheduled task(s)
PID:2740

C:\Users\Admin\AppData\Local\Temp\Dekont.exe
"C:\Users\Admin\AppData\Local\Temp\Dekont.exe"
2⤵
PID:2920

C:\Users\Admin\AppData\Local\Temp\Dekont.exe
"C:\Users\Admin\AppData\Local\Temp\Dekont.exe"
2⤵
PID:2712

C:\Users\Admin\AppData\Local\Temp\Dekont.exe
"C:\Users\Admin\AppData\Local\Temp\Dekont.exe"
2⤵
PID:2460

C:\Users\Admin\AppData\Local\Temp\Dekont.exe
"C:\Users\Admin\AppData\Local\Temp\Dekont.exe"
2⤵
PID:2720

C:\Users\Admin\AppData\Local\Temp\Dekont.exe
"C:\Users\Admin\AppData\Local\Temp\Dekont.exe"
2⤵
PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9FF7.tmp

Filesize
1KB

MD5
6e59ff9e6c4c0780719f33c700dd048c

SHA1
75b3e380943fd0818f233963ec2e9c17292fd976

SHA256
3976b15436410ce2e831fcaf25839b4dc3224756e2ad63ef48900edee994695e

SHA512
3f16a9ec3565fbc701975648bb820af4cbd921a1af6ddb010e550d2140301f14696160b5c7facd20bcfc26942827df63dfdbb8a93a3f4978dfce5ef8f5c9f313

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\F5S57V3BTWGE3HZAZVZE.temp

Filesize
7KB

MD5
f3b9a5f81e4fe0776a2f140980a64232

SHA1
176faa39442e67b7e185e84d9babf3c5bf1ebb02

SHA256
150da0d15f7f50294f9cbd85848c78f905f4397b76097cd73c8681440fd659ff

SHA512
088e7885915074953d9e6abaf86ea3902fe63739d99cee251f65580168599a919035e6703de6f318331bb6671002d8e3e3b04f8aec0a5ada4be61ba03e8a8a78

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f3b9a5f81e4fe0776a2f140980a64232

SHA1
176faa39442e67b7e185e84d9babf3c5bf1ebb02

SHA256
150da0d15f7f50294f9cbd85848c78f905f4397b76097cd73c8681440fd659ff

SHA512
088e7885915074953d9e6abaf86ea3902fe63739d99cee251f65580168599a919035e6703de6f318331bb6671002d8e3e3b04f8aec0a5ada4be61ba03e8a8a78

Download Submit
memory/1704-30-0x000000006E9D0000-0x000000006EF7B000-memory.dmp

Filesize
5.7MB

Download
memory/1704-28-0x000000006E9D0000-0x000000006EF7B000-memory.dmp

Filesize
5.7MB

Download
memory/1704-27-0x0000000002590000-0x00000000025D0000-memory.dmp

Filesize
256KB

Download
memory/1704-23-0x000000006E9D0000-0x000000006EF7B000-memory.dmp

Filesize
5.7MB

Download
memory/1916-5-0x0000000001E00000-0x0000000001E0A000-memory.dmp

Filesize
40KB

Download
memory/1916-4-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

Filesize
32KB

Download
memory/1916-6-0x0000000004FD0000-0x0000000005030000-memory.dmp

Filesize
384KB

Download
memory/1916-0-0x0000000000380000-0x0000000000416000-memory.dmp

Filesize
600KB

Download
memory/1916-20-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/1916-21-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/1916-1-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/1916-7-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/1916-2-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/1916-3-0x0000000000430000-0x0000000000442000-memory.dmp

Filesize
72KB

Download
memory/2088-26-0x0000000002730000-0x0000000002770000-memory.dmp

Filesize
256KB

Download
memory/2088-25-0x000000006E9D0000-0x000000006EF7B000-memory.dmp

Filesize
5.7MB

Download
memory/2088-24-0x0000000002730000-0x0000000002770000-memory.dmp

Filesize
256KB

Download
memory/2088-22-0x000000006E9D0000-0x000000006EF7B000-memory.dmp

Filesize
5.7MB

Download
memory/2088-29-0x000000006E9D0000-0x000000006EF7B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads