54a4891d6753b4acaa07bb6c01aebcb44a0140ffc05ccdc53785a74365969585

General

Target

e-dekont.exe
Size

916KB
MD5

f16a453a7db95634f924bed9463d6b02
SHA1

b02be42a5d1d67c891cc30577a159f4fdd5fbf6e
SHA256

54a4891d6753b4acaa07bb6c01aebcb44a0140ffc05ccdc53785a74365969585
SHA512

bf5f5b5971a24e4e9f8b0e748bab1cdc81016f2f179781fc399b877b529be7392f671c840e3aedf13a0d60954083002a27bca29335815d2bf299a42c99f791b8
SSDEEP

24576:XKCcwQs06lgDAd6LpSqaDuaWJfy9JOJb:XKqQsJwAdaY45yu

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1948 set thread context of 2604	1948	e-dekont.exe	28
PID 2604 set thread context of 1172	2604	e-dekont.exe	21
PID 2604 set thread context of 2972	2604	e-dekont.exe	31
PID 2972 set thread context of 1172	2972	tasklist.exe	21

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
2972	tasklist.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2604	e-dekont.exe
2604	e-dekont.exe
2604	e-dekont.exe
2604	e-dekont.exe
2604	e-dekont.exe
2604	e-dekont.exe
2604	e-dekont.exe
2604	e-dekont.exe
2972	tasklist.exe
2972	tasklist.exe
2972	tasklist.exe
2972	tasklist.exe
2972	tasklist.exe
2972	tasklist.exe
2972	tasklist.exe
2972	tasklist.exe
2972	tasklist.exe
2972	tasklist.exe
2972	tasklist.exe
2972	tasklist.exe
2972	tasklist.exe
2972	tasklist.exe
2972	tasklist.exe
2972	tasklist.exe
2972	tasklist.exe
2972	tasklist.exe
2972	tasklist.exe
2972	tasklist.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2604	e-dekont.exe
1172	Explorer.EXE
1172	Explorer.EXE
2972	tasklist.exe
2972	tasklist.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 2604	1948	e-dekont.exe	28
PID 1948 wrote to memory of 2604	1948	e-dekont.exe	28
PID 1948 wrote to memory of 2604	1948	e-dekont.exe	28
PID 1948 wrote to memory of 2604	1948	e-dekont.exe	28
PID 1948 wrote to memory of 2604	1948	e-dekont.exe	28
PID 1948 wrote to memory of 2604	1948	e-dekont.exe	28
PID 1948 wrote to memory of 2604	1948	e-dekont.exe	28
PID 1172 wrote to memory of 2972	1172	Explorer.EXE	31
PID 1172 wrote to memory of 2972	1172	Explorer.EXE	31
PID 1172 wrote to memory of 2972	1172	Explorer.EXE	31
PID 1172 wrote to memory of 2972	1172	Explorer.EXE	31

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Users\Admin\AppData\Local\Temp\e-dekont.exe
  "C:\Users\Admin\AppData\Local\Temp\e-dekont.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Users\Admin\AppData\Local\Temp\e-dekont.exe
    "C:\Users\Admin\AppData\Local\Temp\e-dekont.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:2604
- C:\Windows\SysWOW64\tasklist.exe
  "C:\Windows\SysWOW64\tasklist.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Enumerates processes with tasklist
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

1

T1057

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1172-30-0x00000000098B0000-0x000000000AB0F000-memory.dmp

Filesize
18.4MB

Download
memory/1172-23-0x00000000098B0000-0x000000000AB0F000-memory.dmp

Filesize
18.4MB

Download
memory/1172-20-0x0000000003D90000-0x0000000003E90000-memory.dmp

Filesize
1024KB

Download
memory/1948-16-0x0000000074CD0000-0x00000000753BE000-memory.dmp

Filesize
6.9MB

Download
memory/1948-1-0x0000000074CD0000-0x00000000753BE000-memory.dmp

Filesize
6.9MB

Download
memory/1948-2-0x0000000004DA0000-0x0000000004DE0000-memory.dmp

Filesize
256KB

Download
memory/1948-3-0x0000000000350000-0x0000000000364000-memory.dmp

Filesize
80KB

Download
memory/1948-4-0x00000000003B0000-0x00000000003B8000-memory.dmp

Filesize
32KB

Download
memory/1948-5-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1948-6-0x0000000004CF0000-0x0000000004D76000-memory.dmp

Filesize
536KB

Download
memory/1948-0-0x0000000001250000-0x000000000133C000-memory.dmp

Filesize
944KB

Download
memory/1948-14-0x0000000074CD0000-0x00000000753BE000-memory.dmp

Filesize
6.9MB

Download
memory/2604-17-0x0000000000920000-0x0000000000C23000-memory.dmp

Filesize
3.0MB

Download
memory/2604-26-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2604-13-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2604-18-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2604-19-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2604-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2604-21-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2604-22-0x00000000002A0000-0x00000000002C1000-memory.dmp

Filesize
132KB

Download
memory/2604-9-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2604-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2604-15-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2972-27-0x0000000000080000-0x00000000000BB000-memory.dmp

Filesize
236KB

Download
memory/2972-28-0x00000000022B0000-0x00000000025B3000-memory.dmp

Filesize
3.0MB

Download
memory/2972-25-0x0000000000080000-0x00000000000BB000-memory.dmp

Filesize
236KB

Download
memory/2972-29-0x0000000002660000-0x0000000002700000-memory.dmp

Filesize
640KB

Download
memory/2972-24-0x0000000000080000-0x00000000000BB000-memory.dmp

Filesize
236KB

Download
memory/2972-31-0x0000000000080000-0x00000000000BB000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing