3f72928d0f49086a7a5f96d15e5e3eb0dac7a7927da3717bc6d90d576877c88e

General

Target

e-dekont.exe
Size

938KB
MD5

1c808f1d1595115996f6abc5e855ae35
SHA1

61bc2dffa9ed8d6d23768996f10625769659444a
SHA256

3f72928d0f49086a7a5f96d15e5e3eb0dac7a7927da3717bc6d90d576877c88e
SHA512

9e74e1323ac5964c873a9c0076dc21a2821621c33991a6f12524732b4e86aad84db8c340caddb5187ae61e160bfc4fc13edf40a25291080b191547a0347a15a6
SSDEEP

12288:h85rryO3vT8NrsBYj/Ghvn4LrTMRziamZcUswhBYC1C9ivI3UJB2gTc603:C5rG8vT8ddJLSziamyUfhf1CInrc603

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1688 set thread context of 2572	1688	e-dekont.exe	28
PID 2572 set thread context of 1380	2572	e-dekont.exe	7
PID 2572 set thread context of 3056	2572	e-dekont.exe	31
PID 3056 set thread context of 1380	3056	tasklist.exe	7

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
3056	tasklist.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2572	e-dekont.exe
2572	e-dekont.exe
2572	e-dekont.exe
2572	e-dekont.exe
2572	e-dekont.exe
2572	e-dekont.exe
2572	e-dekont.exe
2572	e-dekont.exe
3056	tasklist.exe
3056	tasklist.exe
3056	tasklist.exe
3056	tasklist.exe
3056	tasklist.exe
3056	tasklist.exe
3056	tasklist.exe
3056	tasklist.exe
3056	tasklist.exe
3056	tasklist.exe
3056	tasklist.exe
3056	tasklist.exe
3056	tasklist.exe
3056	tasklist.exe
3056	tasklist.exe
3056	tasklist.exe
3056	tasklist.exe
3056	tasklist.exe
3056	tasklist.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2572	e-dekont.exe
1380	Explorer.EXE
1380	Explorer.EXE
3056	tasklist.exe
3056	tasklist.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2572	1688	e-dekont.exe	28
PID 1688 wrote to memory of 2572	1688	e-dekont.exe	28
PID 1688 wrote to memory of 2572	1688	e-dekont.exe	28
PID 1688 wrote to memory of 2572	1688	e-dekont.exe	28
PID 1688 wrote to memory of 2572	1688	e-dekont.exe	28
PID 1688 wrote to memory of 2572	1688	e-dekont.exe	28
PID 1688 wrote to memory of 2572	1688	e-dekont.exe	28
PID 1380 wrote to memory of 3056	1380	Explorer.EXE	31
PID 1380 wrote to memory of 3056	1380	Explorer.EXE	31
PID 1380 wrote to memory of 3056	1380	Explorer.EXE	31
PID 1380 wrote to memory of 3056	1380	Explorer.EXE	31

C:\Users\Admin\AppData\Local\Temp\e-dekont.exe
"C:\Users\Admin\AppData\Local\Temp\e-dekont.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Users\Admin\AppData\Local\Temp\e-dekont.exe
  "C:\Users\Admin\AppData\Local\Temp\e-dekont.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2572

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Windows\SysWOW64\tasklist.exe
  "C:\Windows\SysWOW64\tasklist.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Enumerates processes with tasklist
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

1

T1057

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1380-29-0x0000000008C60000-0x000000000AEBE000-memory.dmp

Filesize
34.4MB

Download
memory/1380-21-0x0000000008C60000-0x000000000AEBE000-memory.dmp

Filesize
34.4MB

Download
memory/1380-20-0x0000000003A80000-0x0000000003B80000-memory.dmp

Filesize
1024KB

Download
memory/1688-0-0x0000000000810000-0x0000000000900000-memory.dmp

Filesize
960KB

Download
memory/1688-1-0x0000000073F60000-0x000000007464E000-memory.dmp

Filesize
6.9MB

Download
memory/1688-2-0x00000000048A0000-0x00000000048E0000-memory.dmp

Filesize
256KB

Download
memory/1688-3-0x0000000000920000-0x000000000093A000-memory.dmp

Filesize
104KB

Download
memory/1688-4-0x0000000000950000-0x000000000095E000-memory.dmp

Filesize
56KB

Download
memory/1688-5-0x0000000005C00000-0x0000000005C7E000-memory.dmp

Filesize
504KB

Download
memory/1688-6-0x0000000073F60000-0x000000007464E000-memory.dmp

Filesize
6.9MB

Download
memory/1688-7-0x00000000048A0000-0x00000000048E0000-memory.dmp

Filesize
256KB

Download
memory/1688-13-0x0000000073F60000-0x000000007464E000-memory.dmp

Filesize
6.9MB

Download
memory/2572-15-0x0000000000BF0000-0x0000000000EF3000-memory.dmp

Filesize
3.0MB

Download
memory/2572-24-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2572-9-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2572-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2572-17-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2572-19-0x00000000001A0000-0x00000000001C1000-memory.dmp

Filesize
132KB

Download
memory/2572-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2572-18-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2572-12-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2572-8-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2572-14-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2572-25-0x00000000001A0000-0x00000000001C1000-memory.dmp

Filesize
132KB

Download
memory/3056-22-0x0000000000080000-0x00000000000BB000-memory.dmp

Filesize
236KB

Download
memory/3056-26-0x0000000002410000-0x0000000002713000-memory.dmp

Filesize
3.0MB

Download
memory/3056-27-0x0000000000080000-0x00000000000BB000-memory.dmp

Filesize
236KB

Download
memory/3056-28-0x0000000000910000-0x00000000009B0000-memory.dmp

Filesize
640KB

Download
memory/3056-23-0x0000000000080000-0x00000000000BB000-memory.dmp

Filesize
236KB

Download
memory/3056-30-0x0000000000080000-0x00000000000BB000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing