Analysis
- max time kernel: 117s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20231020-en
- resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
- submitted: 22-11-2023 14:22
Static task: static1
Behavioral task: behavioral1 (sample Dekont.exe, resource win7-20231020-en; the run shown on this page)
Behavioral task: behavioral2 (sample Dekont.exe, resource win10v2004-20231025-en)
General
- Target: Dekont.exe
- Size: 580KB
- MD5: d8b05157b3b2358b828ddf6a8c6ffb48
- SHA1: 719820b9e180b0424aed7c99539ddc1a6c06eedf
- SHA256: a2a6c37a9c06dd99e8b897fa89981cdfc0517469fdc49d6f4be416669c4e6fb1
- SHA512: 2d2e18ab96fc2e6c7558843be53ad5b1dcf033021da1e46c0dc2b7df0938bdfc557dd8d606878142e2da23ecd0b1e24b9eced5b6e38fbfed45b7256a5e03787d
- SSDEEP: 12288:/q8oUlQ9c6U0bR6zcVFnAr96sVrPn7zkt+rGEbma9B1S:FQfhRFGAslnPxXma9B1S
Malware Config
Signatures
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  Processes: Dekont.exe PID 1916 (13 hits), powershell.exe PID 1704, powershell.exe PID 2088
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  PID 1916 Dekont.exe: Token SeDebugPrivilege
  PID 1704 powershell.exe: Token SeDebugPrivilege
  PID 2088 powershell.exe: Token SeDebugPrivilege
- Suspicious use of WriteProcessMemory (32 IoCs: four writes to each of eight targets, all from PID 1916 Dekont.exe)
  target PID   target process
  1704         powershell.exe
  2088         powershell.exe
  2740         schtasks.exe
  2920         Dekont.exe
  2712         Dekont.exe
  2460         Dekont.exe
  2720         Dekont.exe
  3040         Dekont.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Dekont.exe (PID 1916, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Dekont.exe"
  Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  Children (depth 2):
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1704)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Dekont.exe"
    Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2088)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\nlkxCwAb.exe"
    Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 2740)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nlkxCwAb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9FF7.tmp"
    Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Dekont.exe (PID 2920)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Dekont.exe"
  - C:\Users\Admin\AppData\Local\Temp\Dekont.exe (PID 2712)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Dekont.exe"
  - C:\Users\Admin\AppData\Local\Temp\Dekont.exe (PID 2460)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Dekont.exe"
  - C:\Users\Admin\AppData\Local\Temp\Dekont.exe (PID 2720)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Dekont.exe"
  - C:\Users\Admin\AppData\Local\Temp\Dekont.exe (PID 3040)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Dekont.exe"
Reading notes: the command lines name System32 while the images actually executed live under SysWOW64; that is WoW64 file system redirection, which only applies to a 32-bit caller, so Dekont.exe runs as a 32-bit process. The two PowerShell children add Defender exclusions for the sample itself and for C:\Users\Admin\AppData\Roaming\nlkxCwAb.exe, and the schtasks child registers a task "Updates\nlkxCwAb" from an XML in the temp directory, so nlkxCwAb.exe is the expected persistence location even though no drop of it is recorded in this run. Each of the five child copies of Dekont.exe receives four WriteProcessMemory calls from the parent (see the WriteProcessMemory IoCs above), a pattern consistent with the payload being injected into a freshly created copy of the host image; the report does not itself confirm what was written.
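The three behaviours above (Defender exclusions via Add-MpPreference, a task imported with schtasks /XML from the temp directory, and a parent writing into several copies of its own image) are the things a detection engineer would want to catch in endpoint telemetry. The script below is an added example, not part of the sandbox report: it encodes each as a rule and runs them over process records transcribed from this page's process tree and WriteProcessMemory IoCs. The record shape (pid/ppid/image/cmdline dicts and (source, target) write pairs) is an assumption for the example, and the ATT&CK technique IDs are this example's mapping rather than the report's.

```python
"""Detection rules for the Dekont.exe behaviour in this report (added example)."""
import shlex
from collections import defaultdict

# Constructed sample records transcribed from the report's process tree and
# WriteProcessMemory IoCs. The dict shape is an assumption for this example,
# not a sandbox export format.
DEKONT = r"C:\Users\Admin\AppData\Local\Temp\Dekont.exe"
PS_IMAGE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath '
PROCESSES = [
    {"pid": 1916, "ppid": None, "image": DEKONT, "cmdline": f'"{DEKONT}"'},
    {"pid": 1704, "ppid": 1916, "image": PS_IMAGE, "cmdline": PS_CMD + f'"{DEKONT}"'},
    {"pid": 2088, "ppid": 1916, "image": PS_IMAGE,
     "cmdline": PS_CMD + r'"C:\Users\Admin\AppData\Roaming\nlkxCwAb.exe"'},
    {"pid": 2740, "ppid": 1916, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nlkxCwAb" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp9FF7.tmp"'},
] + [
    {"pid": pid, "ppid": 1916, "image": DEKONT, "cmdline": f'"{DEKONT}"'}
    for pid in (2920, 2712, 2460, 2720, 3040)
]
# (source pid, target pid) pairs; the report records four writes per target.
MEMORY_WRITES = [(1916, t) for t in (1704, 2088, 2740, 2920, 2712, 2460, 2720, 3040) for _ in range(4)]


def argv(cmdline):
    """Split a Windows command line on whitespace, keeping quoted arguments whole.
    Non-POSIX shlex leaves backslashes alone; the surrounding quotes are stripped."""
    return [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]


def defender_exclusions(processes):
    """T1562.001: PowerShell adding a Microsoft Defender exclusion.
    Returns (pid, exclusion switch, excluded value) for every -Exclusion* argument."""
    hits = []
    for p in processes:
        if not p["image"].lower().endswith("powershell.exe"):
            continue
        args = argv(p["cmdline"])
        low = [a.lower() for a in args]
        if "add-mppreference" not in low:
            continue
        for i, a in enumerate(low[:-1]):
            if a.startswith("-exclusion"):
                hits.append((p["pid"], args[i].lstrip("-"), args[i + 1]))
    return hits


def scheduled_tasks_from_temp(processes):
    """T1053.005: schtasks /Create importing its definition from a file under the
    user's temp directory. Returns (pid, task name, xml path)."""
    hits = []
    for p in processes:
        if not p["image"].lower().endswith("schtasks.exe"):
            continue
        args = argv(p["cmdline"])
        low = [a.lower() for a in args]
        if "/create" not in low:
            continue
        opts = {low[i]: args[i + 1] for i in range(len(args) - 1) if low[i] in ("/tn", "/xml")}
        xml = opts.get("/xml", "")
        if "\\appdata\\local\\temp\\" in xml.lower():
            hits.append((p["pid"], opts.get("/tn"), xml))
    return hits


def self_image_injection(processes, writes, min_targets=3):
    """T1055.012 (inferred): a process writes into the memory of several of its own
    children that run the same image. Returns (pid, sorted child pids)."""
    by_pid = {p["pid"]: p for p in processes}
    targets = defaultdict(set)
    for src, dst in writes:
        s, d = by_pid.get(src), by_pid.get(dst)
        if s and d and d["ppid"] == src and d["image"].lower() == s["image"].lower():
            targets[src].add(dst)
    return [(pid, sorted(kids)) for pid, kids in targets.items() if len(kids) >= min_targets]


def triage(processes=PROCESSES, writes=MEMORY_WRITES):
    """Run all three rules and return (technique, pid, detail) findings."""
    findings = []
    for pid, switch, value in defender_exclusions(processes):
        findings.append(("T1562.001", pid, f"Defender {switch} added for {value}"))
    for pid, name, xml in scheduled_tasks_from_temp(processes):
        findings.append(("T1053.005", pid, f"task {name} created from {xml}"))
    for pid, kids in self_image_injection(processes, writes):
        findings.append(("T1055.012", pid, f"wrote into {len(kids)} child copies of its own image {kids}"))
    return findings


if __name__ == "__main__":
    for technique, pid, detail in triage():
        print(f"{technique}  PID {pid}: {detail}")
```

The hollowing rule deliberately keys on the parent/child relationship plus a matching image path rather than on WriteProcessMemory alone, because the same parent also writes into the PowerShell and schtasks children here (that is normal CreateProcess behaviour for a WoW64 parent); a threshold of three same-image targets keeps a single legitimate self-relaunch from firing it.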
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 6e59ff9e6c4c0780719f33c700dd048c
  SHA1: 75b3e380943fd0818f233963ec2e9c17292fd976
  SHA256: 3976b15436410ce2e831fcaf25839b4dc3224756e2ad63ef48900edee994695e
  SHA512: 3f16a9ec3565fbc701975648bb820af4cbd921a1af6ddb010e550d2140301f14696160b5c7facd20bcfc26942827df63dfdbb8a93a3f4978dfce5ef8f5c9f313
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\F5S57V3BTWGE3HZAZVZE.temp
  Filesize: 7KB
  MD5: f3b9a5f81e4fe0776a2f140980a64232
  SHA1: 176faa39442e67b7e185e84d9babf3c5bf1ebb02
  SHA256: 150da0d15f7f50294f9cbd85848c78f905f4397b76097cd73c8681440fd659ff
  SHA512: 088e7885915074953d9e6abaf86ea3902fe63739d99cee251f65580168599a919035e6703de6f318331bb6671002d8e3e3b04f8aec0a5ada4be61ba03e8a8a78
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: f3b9a5f81e4fe0776a2f140980a64232
  SHA1: 176faa39442e67b7e185e84d9babf3c5bf1ebb02
  SHA256: 150da0d15f7f50294f9cbd85848c78f905f4397b76097cd73c8681440fd659ff
  SHA512: 088e7885915074953d9e6abaf86ea3902fe63739d99cee251f65580168599a919035e6703de6f318331bb6671002d8e3e3b04f8aec0a5ada4be61ba03e8a8a78
Note: the two CustomDestinations files are the same content (identical hashes) under a temporary and a final name; customDestinations-ms files are Explorer jump-list artifacts the shell rewrites when recent items change, so they record activity in the sandbox session rather than a payload dropped by the sample. No file named nlkxCwAb.exe appears in this list.